Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!apollo!vinoski
From: vinoski@apollo.hp.com (Stephen Vinoski)
Newsgroups: comp.lang.perl
Subject: Re: NeXT 2.1: make test passes, h2ph reloc.h SEGV's [real Perl bug]
Message-ID: <1991Jun18.213856.6316@apollo.hp.com>
Date: 18 Jun 91 21:38:56 GMT
References: <1991Jun17.102103.17445@uvaarpa.Virginia.EDU>
Sender: netnews@apollo.hp.com (USENET posting account)
Organization: Hewlett-Packard Company, Apollo Division - Chelmsford, MA
Lines: 52
Nntp-Posting-Host: zep.ch.apollo.hp.com

In article <1991Jun17.102103.17445@uvaarpa.Virginia.EDU> eichin@athena.mit.edu writes:
>I've gone further on this bug... with one fix to gcc2, it actually
>built as well as it had with gcc-1.40, and crashed in exactly the same
>place (but *with* valid gdb information...) So I hauled out an old
>version of GNU malloc that I had hacked to do bounds checking at
>malloc and free time, linked it in[*] and discovered that a string was
>overrunning the end of the block it was in. I then discovered that the
>VAX/BSD version does the same thing, but it only shows up under a
>scribble-checking malloc -- but it makes this a perl bug, not a
>compiler bug :-)
>
> [...lengthy traceback deleted...]
>
> Note in particular that str->str_cur == 63 but str->str_len ==
>55. The botch "*ap++ == MAGIC1" indicates that free did not find the
>expected "magic cookie" value at the end of the allocated block, which
>according to the header was malloc'd at 55 bytes.

I have found a fix for this bug, but I'm not sure of its completeness.
Perl builds and passes all of its tests with the fix, but maybe everyone
should wait for Larry to bless the included patch before applying it.

The problem lies in str_gets() in str.c. The allocated space is checked
to see if it can hold the string to be fetched, but the check doesn't
always work when the string is being appended to.
Could someone a little more familiar with the (hairy) code in str_gets()
validate this patch and let the rest of us know if it's OK? Thanks.

*** str.c.orig Mon Jun 10 13:26:13 1991 --- str.c Tue Jun 18 16:56:14 1991 *************** *** 742,748 **** cnt = fp->_cnt; /* get count into register */ str->str_nok = 0; /* invalidate number */ str->str_pok = 1; /* validate pointer */ ! if (str->str_len <= cnt + 1) { /* make sure we have the room */ if (cnt > 80 && str->str_len > append) { shortbuffered = cnt - str->str_len + append + 1; cnt -= shortbuffered; --- 742,748 ---- cnt = fp->_cnt; /* get count into register */ str->str_nok = 0; /* invalidate number */ str->str_pok = 1; /* validate pointer */ ! if (str->str_len - str->str_cur <= cnt + 1) { /* make sure we have the room */ if (cnt > 80 && str->str_len > append) { shortbuffered = cnt - str->str_len + append + 1; cnt -= shortbuffered;

-steve
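Review bot: the new guard in the `*** 742,748 ****` hunk measures the free space from `str->str_cur`, but the offset this function writes at is `append`, as the unchanged line two below the changed one shows (`shortbuffered = cnt - str->str_len + append + 1;` treats `append` as the part of the block already consumed). The two agree only when the caller appends at `str_cur`; a caller that passes an `append` of 0 into a string whose `str_cur` is still set from a previous read gets a check that under-reports the room and forces a grow that is not needed (harmless, but it skips the fast path), and the condition and the `shortbuffered` computation then disagree about which offset is the fill level. Suggest `if (str->str_len - append <= cnt + 1)` (equivalently `str->str_len <= append + cnt + 1`) so both lines use the same offset, plus a comment saying that it is the free space, not the whole allocation, that has to exceed `cnt + 1`.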
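The overrun described in this thread, as an added example that is not Perl's own code: a cut-down C model of the STR buffer with the original and the corrected room check side by side, plus a free-time canary that plays the role of the MAGIC1 cookie in the bounds-checking malloc. Run with the original check it reproduces the numbers from the traceback (a 55-byte block, str_cur reaching 63, cookie clobbered); run with the corrected check the buffer is grown first and the cookie survives. Assumed and constructed for the demo: the STR layout is reduced to three fields, the 47 existing bytes and the 16 appended bytes are constructed inline rather than read from the stdio buffer, the corrected check is written in terms of `append` (the write offset, equal to str_cur here), and the SLACK bytes of extra allocation exist only so that the deliberate overrun stays inside memory the demo owns.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Canary byte planted just past the usable block, standing in for the
 * "magic cookie" a scribble-checking malloc writes and verifies at free time. */
#define MAGIC1 0x5a

/* Demo-only: extra owned bytes after the canary so the deliberate overrun
 * below stays inside memory we allocated.  A real overrun corrupts whatever
 * malloc placed after the block. */
#define SLACK 64

typedef struct {
    char *str_ptr;  /* buffer */
    int   str_len;  /* usable bytes allocated */
    int   str_cur;  /* bytes currently in use */
} STR;

static void str_plant_magic(STR *s) { s->str_ptr[s->str_len] = (char)MAGIC1; }

static STR *str_new(int len) {
    STR *s = malloc(sizeof *s);
    if (!s) abort();
    s->str_ptr = malloc((size_t)len + 1 + SLACK);
    if (!s->str_ptr) abort();
    s->str_len = len;
    s->str_cur = 0;
    str_plant_magic(s);
    return s;
}

/* Model of STR_GROW: make room for at least len usable bytes. */
static void str_grow(STR *s, int len) {
    if (len <= s->str_len) return;
    char *p = realloc(s->str_ptr, (size_t)len + 1 + SLACK);
    if (!p) abort();
    s->str_ptr = p;
    s->str_len = len;
    str_plant_magic(s);
}

/* What free() checks in the bounds-checking malloc: 1 if the cookie survived. */
static int str_magic_intact(const STR *s) {
    return (unsigned char)s->str_ptr[s->str_len] == MAGIC1;
}

static void str_free(STR *s) { free(s->str_ptr); free(s); }

/* Copy cnt bytes from src into s at offset append and NUL-terminate, the way
 * str_gets() copies a record out of the stdio buffer.  fixed == 0 uses the
 * room check from the original str.c, which compares the whole allocation
 * against cnt and ignores how much of it is already in use; fixed == 1
 * compares only the free space after the write offset.  Returns new str_cur. */
static int str_append_bytes(STR *s, const char *src, int cnt, int append, int fixed) {
    int have_room = fixed ? (s->str_len - append > cnt + 1)
                          : (s->str_len > cnt + 1);
    if (!have_room)
        str_grow(s, append + cnt + 2);
    if (append + cnt + 1 > s->str_len + 1 + SLACK) {   /* keep the demo defined */
        fprintf(stderr, "overrun larger than demo slack; refusing\n");
        abort();
    }
    memcpy(s->str_ptr + append, src, (size_t)cnt);
    s->str_cur = append + cnt;
    s->str_ptr[s->str_cur] = '\0';
    return s->str_cur;
}

/* Reproduce the traceback's numbers: a 55-byte block already holding 47
 * bytes, then a 16-byte append.  Returns 1 if the canary was clobbered (the
 * overrun the bounds-checking malloc reported), 0 otherwise, and hands back
 * the resulting str_cur / str_len for inspection. */
static int demo_overrun(int fixed, int *cur_out, int *len_out) {
    STR *s = str_new(55);
    char chunk[16];
    memset(s->str_ptr, 'a', 47);          /* constructed: bytes already in the string */
    s->str_cur = 47;
    memset(chunk, 'b', sizeof chunk);     /* constructed: the bytes being appended */
    str_append_bytes(s, chunk, (int)sizeof chunk, s->str_cur, fixed);
    int clobbered = !str_magic_intact(s);
    *cur_out = s->str_cur;
    *len_out = s->str_len;
    str_free(s);
    return clobbered;
}

int main(void) {
    int cur, len, bad;
    bad = demo_overrun(0, &cur, &len);
    printf("original check: str_cur=%d str_len=%d cookie %s\n",
           cur, len, bad ? "CLOBBERED" : "intact");
    bad = demo_overrun(1, &cur, &len);
    printf("fixed check:    str_cur=%d str_len=%d cookie %s\n",
           cur, len, bad ? "CLOBBERED" : "intact");
    return 0;
}
```

With the original check, 55 > 16 + 1 says "room available" even though only 8 bytes are free, so the copy runs to offset 62 and the cookie at offset 55 is overwritten; with the corrected check the block is grown to 65 bytes first. The point for anyone debugging a similar report is that the corruption is invisible without something that verifies the end of the block, which is exactly why the plain malloc on VAX/BSD showed nothing and the scribble-checking one did.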