[RP] [PATCH] Don't crash when frestoring a truncated fdump string
From: Repolho
Subject: [RP] [PATCH] Don't crash when frestoring a truncated fdump string
Date: Fri, 9 Aug 2013 12:52:35 -0300
User-agent: Mutt/1.5.21 (2010-09-15)
If actions.c:frestore() is passed a truncated fdump string which is
missing the value in the last of its key-value pairs, it forwards the
token in question to frame.c:frame_read(), which then calls the macro
frame.c:read_slot() on that key-value pair that is missing the value,
and then, finally, strtol() gets called on a NULL pointer, resulting in
the following crash (from gdb, edited for brevity):
Program received signal SIGSEGV, Segmentation fault.
0x00007f4defc20f26 in ____strtoll_l_internal () from /usr/lib/libc.so.6
#0 0x00007f4defc20f26 in ____strtoll_l_internal () from /usr/lib/libc.so.6
#1 0x0000000000418d38 in frame_read (str=0x9ab450 "(frame :number 0 :x", screen=0x9796a0) at frame.c:229
#2 0x00000000004100fd in frestore (data=0x9b48a0 "(frame :number 0 :x", s=0x9796a0) at actions.c:4943
#3 0x00000000004104de in cmd_frestore (interactively=0, args=0x9ab470) at actions.c:5016
To reproduce, run:
$ ratpoison -c 'frestore (frame :number 0 :x'
or just using any fdump string after removing the last value.
Since frestore() handles truncated fdump strings that are missing one or
more key-value pairs by using default values instead, the attached patch
also fixes the issue by returning a default value of zero when only the
key is present but its value is missing. It was generated over the
latest git, v1.4.6-56-gdf842f3.
Attachment: frame_read_crash.patch
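The failure mode described in the report (the last key of an fdump string has no value token behind it, so the tokenizer hands strtol() a NULL pointer) and the default-to-zero behaviour the patch is said to add, as an added illustration written for this page. It is not ratpoison's frame_read()/read_slot() code and not the attached patch: the struct fields, the subset of keys, and the helper names next_token, read_slot_value and frame_parse are assumptions for the example. The only input taken from the report is the reproduction string "(frame :number 0 :x".

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical frame record: a subset of the keys an fdump string carries
 * (the backtrace shows :number and :x; the rest are assumed for the example). */
struct frame {
    long number, x, y, width, height;
};

/* Copy the next token of *p into buf and advance *p past it.
 * Parentheses and whitespace separate tokens.  Returns buf, or NULL when
 * the string is exhausted; that NULL is exactly what a truncated
 * "(frame :number 0 :x" yields when the value after ":x" is requested. */
static const char *next_token(const char **p, char *buf, size_t buflen)
{
    const char *s = *p;
    size_t n = 0;

    while (*s && (isspace((unsigned char)*s) || *s == '(' || *s == ')'))
        s++;
    if (*s == '\0') {
        *p = s;
        return NULL;
    }
    while (*s && !isspace((unsigned char)*s) && *s != '(' && *s != ')'
           && n + 1 < buflen)
        buf[n++] = *s++;
    buf[n] = '\0';
    *p = s;
    return buf;
}

/* The unchecked pattern: strtol(NULL, ...) dereferences the NULL pointer,
 * which is the SIGSEGV in the backtrace above.  Shown for contrast only;
 * nothing below calls it. */
long read_slot_unchecked(const char *tok)
{
    return strtol(tok, NULL, 10);
}

/* Hardened read: a missing (NULL) or non-numeric value falls back to 0
 * and is counted in *defaulted, so the caller can tell a truncated
 * string from a complete one instead of silently accepting it. */
static long read_slot_value(const char *tok, int *defaulted)
{
    char *end;
    long v;

    if (tok == NULL) {
        (*defaulted)++;
        return 0;
    }
    v = strtol(tok, &end, 10);
    if (end == tok || *end != '\0') {
        (*defaulted)++;
        return 0;
    }
    return v;
}

/* Parse "(frame :key value :key value ...)" into *f.
 * Returns the number of slots that fell back to the default (0 for a
 * complete string), or -1 when the string is not a frame record at all. */
int frame_parse(const char *str, struct frame *f)
{
    char key[64], val[64];
    const char *p = str;
    const char *v;
    long n;
    int defaulted = 0;

    memset(f, 0, sizeof *f);
    if (next_token(&p, key, sizeof key) == NULL || strcmp(key, "frame") != 0)
        return -1;

    while (next_token(&p, key, sizeof key) != NULL) {
        if (key[0] != ':')
            return -1;                       /* a value where a key belongs */
        v = next_token(&p, val, sizeof val); /* NULL if the value was cut off */
        n = read_slot_value(v, &defaulted);
        if (strcmp(key, ":number") == 0)      f->number = n;
        else if (strcmp(key, ":x") == 0)      f->x = n;
        else if (strcmp(key, ":y") == 0)      f->y = n;
        else if (strcmp(key, ":width") == 0)  f->width = n;
        else if (strcmp(key, ":height") == 0) f->height = n;
        /* unknown keys: value consumed above, then ignored */
    }
    return defaulted;
}

int main(void)
{
    struct frame f;
    /* constructed input: the reproduction string from the report */
    const char *truncated = "(frame :number 0 :x";
    int d = frame_parse(truncated, &f);

    printf("\"%s\": %d slot(s) defaulted, number=%ld x=%ld\n",
           truncated, d, f.number, f.x);
    return 0;
}
```

The point of the counter returned by frame_parse is that "use a default" and "notice the string was truncated" are separate decisions: a caller restoring a layout can accept the zero and carry on, as the report says frestore() already does for whole missing pairs, while a caller that cares can still reject or log a string that did not parse cleanly.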