Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Message-ID: <3E137A39.9050204@ece.gatech.edu>
Date: Wed, 01 Jan 2003 18:31:05 -0500
From: Charles Wilson <cwilson AT ece DOT gatech DOT edu>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Robert Collins <rbcollins AT cygwin DOT com>
CC: cygwin AT cygwin DOT com
Subject: Re: Heads up: *possible* bug in cygwin
References: <E18PoeB-0000fC-00 AT quimby DOT gnus DOT org>	<3E05BD05 DOT 5090408 AT ece DOT gatech DOT edu> <3E0DDE19 DOT 1060903 AT ece DOT gatech DOT edu>	<3E10A7AE DOT 20405 AT ece DOT gatech DOT edu> <3E10C29B DOT 2010709 AT ece DOT gatech DOT edu>	<3E111AAF DOT 3090008 AT ece DOT gatech DOT edu> <20021231043913 DOT GA26944 AT redhat DOT com>	<3E11AD26 DOT 8050506 AT ece DOT gatech DOT edu> <20021231175349 DOT GC6542 AT redhat DOT com> 	<3E123A28 DOT 8030705 AT ece DOT gatech DOT edu> <1041383123 DOT 6526 DOT 13 DOT camel AT lifelesswks>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit



Robert Collins wrote:
> On Wed, 2003-01-01 at 11:45, Charles Wilson wrote:
> 
> 
> 
>>[...but I can't reproduce the fault on linux.  Even if I link in 
>>dlmalloc.  Bleah.  ElectricFence on linux couldn't find anything 
>>suspicious either.]
> 
> 
> You might try valgrind. valgrind is *good*.

Oh dear.  What're all you guys doing on the list today? It's a holiday 
gosh darn it.  Anyway, I see a lot of replies in this thread which I 
haven't yet read, but here's what I've learned on my own...

1) valgrind hasn't been ported to cygwin AFAIK.  But it was fairly easy 
to compile efence, given that helpful folks had previously posted 
patches to the list.  I've updated them to Bruce's 2.2.2 release, and 
will publish them soon.  (However, I don't want to take on yet another 
package, so...)

2) There's a very good reason why the bug shows up on cygwin, but not 
linux.  The actual fault occurs in newlib, in the
   vsprintf -> vfprintf -> _vfprintf_r -> cvt [vfprintf.c line 1181]
callstack.  But it's basically a straightforward buffer overrun in 
g_strdup_vprintf():

First, create a buffer of the appropriate length:
buffer = g_new (gchar, g_printf_string_upper_bound (format, args1));

And then format the data into that buffer.
vsprintf (buffer, format, args2);

But the buffer isn't long enough, so the actual problem is *probably* 
somewhere in the g_printf_string_upper_bound() routine, that computes 
the appropriate length.

I really think that "vsnprintf" should be used here, just on general 
principle -- and it IS available on cygwin.  But still, glib's 
*string_upper_bound function *ought* to be able to accurately compute 
the buffer size, and obviously is not.

I haven't stepped thru or investigated in detail, but I will...

--Chuck


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/