Bluebugs / freebox-elixir

Automatically exported from code.google.com/p/freebox-elixir

Bug in elixir_id_compute() #20

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I think there's a bug in elixir_id_compute() when compiled with zlib and the 
input script is too big to be compressed in a single chunk. The problem is that 
the zstream output buffer size is reset to 16K at each iteration of the first 
loop (at line #131), but the output buffer pointer isn't reset. That's not a 
problem if there's only one iteration (i.e., if the input script is small 
enough to be compressed in one chunk), but if there are more iterations, then 
the following call to the deflate() method corrupts the stack, and produces the 
following crash:
*** stack smashing detected ***: /usr/bin/elixir terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x50)[0x348390]
/lib/tls/i686/cmov/libc.so.6(+0xe233a)[0x34833a]
/usr/lib/libelixir.so.0(+0xf3f4)[0x13d3f4]
/usr/lib/libelixir.so.0(elixir_id_compute+0x426)[0x13ad7a]
/usr/lib/elixir//loaders/text/linux-gnu-i686/module.so(+0xcb0)[0xb96cb0]
/usr/lib/libelixir.so.0(elixir_loader_id+0x20)[0x1369d9]
/usr/lib/libelixir.so.0(elixir_id_push+0x5a)[0x13aebd]
/usr/lib/libelixir.so.0(elixir_script_file+0x85)[0x138f18]
/usr/lib/elixir//bindings/elixir/linux-gnu-i686/module.so(+0x1cb0)[0xd4ccb0]
/usr/lib/libsmjs.so(js_Interpret+0xd970)[0x1c95e4]
/usr/lib/libsmjs.so(js_Execute+0x270)[0x1d47e0]
/usr/lib/libsmjs.so(JS_ExecuteScript+0x6f)[0x17bcbf]
/usr/lib/libelixir.so.0(elixir_script_run+0x1e2)[0x139421]
/usr/bin/elixir[0x804a142]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0x27cbd6]
/usr/bin/elixir[0x8049491]

The attached patch file fixes the issue, but I wasn't able to test it with the 
trunk.

Original issue reported on code.google.com by Poor.NewBie@gmail.com on 5 Jan 2011 at 12:19

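As an added illustration (not code from freebox-elixir), the loop below models the zlib z_stream next_out/avail_out contract with a byte-copy stand-in for deflate(), so it runs without linking zlib; a 16-byte stack buffer stands in for the 16K one. A bounds check on the output window shows why resetting only avail_out pushes the second iteration past the buffer, while resetting both fields keeps every write inside it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not freebox-elixir code: a scaled-down model of the zlib
 * z_stream output contract. deflate() writes into [next_out, next_out+avail_out),
 * advancing next_out and shrinking avail_out. CHUNK stands in for the 16K buffer. */
#define CHUNK 16
typedef struct {
    const unsigned char *next_in;  size_t avail_in;
    unsigned char       *next_out; size_t avail_out;
} model_stream;
/* Stand-in for deflate(): copies input into the window until one side runs dry. */
static void model_deflate(model_stream *z) {
    size_t n = z->avail_in < z->avail_out ? z->avail_in : z->avail_out;
    memcpy(z->next_out, z->next_in, n);
    z->next_in += n;  z->avail_in -= n;
    z->next_out += n; z->avail_out -= n;
}
/* Defensive check: the advertised output window must lie entirely inside buf. */
static int window_in_bounds(const unsigned char *buf, size_t buflen, const model_stream *z) {
    uintptr_t lo = (uintptr_t)buf, p = (uintptr_t)z->next_out;
    return p >= lo && p - lo + z->avail_out <= buflen;
}
/* The chunked loop from the report. reset_ptr = 0 keeps the original defect (only
 * avail_out reset); reset_ptr = 1 applies the fix. Returns how many iterations had a
 * window outside the buffer; *total counts bytes that would have been hashed. */
static int run_loop(const unsigned char *in, size_t inlen, int reset_ptr, size_t *total) {
    unsigned char chunk[CHUNK];
    model_stream z = { in, inlen, chunk, CHUNK };
    int violations = 0;
    *total = 0;
    while (z.avail_in > 0) {
        z.avail_out = CHUNK;                /* the original reset only this ...   */
        if (reset_ptr) z.next_out = chunk;  /* ... and must reset this as well     */
        if (!window_in_bounds(chunk, CHUNK, &z)) { violations++; break; }
        model_deflate(&z);
        *total += CHUNK - z.avail_out;
    }
    return violations;
}
typedef struct { int violations; size_t total; } demo_result;
static demo_result demo(int reset_ptr) {
    unsigned char script[40]; demo_result r; /* constructed input: needs three chunks */
    memset(script, 'x', sizeof script);
    r.violations = run_loop(script, sizeof script, reset_ptr, &r.total);
    return r;
}
```

With the defect in place the second iteration's window starts 16 bytes past the buffer and is refused by the check; with the fix all 40 bytes pass through in three chunks.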
GoogleCodeExporter commented 9 years ago
There's also a problem in the same method when zlib is disabled, because the 
"update" variable isn't defined at line #151. I guess the "buffer" variable 
should be used instead (see attached patch).

Original comment by Poor.NewBie@gmail.com on 5 Jan 2011 at 10:58

GoogleCodeExporter commented 9 years ago
Thanks a lot for these patches. They are in.

Original comment by moa.blue...@gmail.com on 18 Jan 2011 at 2:55