SapphireDensetsu / ypsilon

Automatically exported from code.google.com/p/ypsilon

Buffer overflow crash. #81

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Comments below.  With Ypsilon r402:

[d@eep:~/zone/scheme/xitomatl]-> ypsilon programs/irregex-tool.sps -s fooo .
*** buffer overflow detected ***: ypsilon terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7e286d8]
/lib/tls/i686/cmov/libc.so.6[0xb7e26800]
ypsilon[0x8067370]
======= Memory map: ========
Aborted
[d@eep:~/zone/scheme/xitomatl]-> uname -a
Linux eep 2.6.27-11-generic #1 SMP Thu Jan 29 19:24:39 UTC 2009 i686 GNU/Linux
[d@eep:~/zone/scheme/xitomatl]-> 

Running irregex-tool.sps on Ypsilon requires the latest revision of my
Xitomatl collection and probably also my SRFIs collection (because of
cond-expand features).

I'm using Ubuntu 8.10, standard basic installation.  I think its GCC is
set up to automatically do buffer overflow detection.  I'm not sure how to
narrow it down or help more.  Hopefully you can find it in a debugger.

Original issue reported on code.google.com by derick.e...@gmail.com on 6 Mar 2009 at 8:46

GoogleCodeExporter commented 8 years ago
Unfortunately, I could not reproduce the problem on my machine. :(
Would you try the following and let me know the results?

$ gdb --args ypsilon irregex-tool.sps -s fooo .
...
(gdb) run
...
(gdb) bt

Thank you!
-- fujita

Original comment by y.fujita...@gmail.com on 7 Mar 2009 at 3:39

GoogleCodeExporter commented 8 years ago
[d@eep:~/zone/scheme/xitomatl]-> gdb --args ypsilon programs/irregex-tool.sps -s fooo .
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) run
Starting program: /home/d/bin/ypsilon programs/irregex-tool.sps -s fooo .
[Thread debugging using libthread_db enabled]
[New Thread 0xb7d5b6c0 (LWP 13323)]
[New Thread 0xb7d5ab90 (LWP 13329)]
[New Thread 0xb5558b90 (LWP 13330)]
*** buffer overflow detected ***: /home/d/bin/ypsilon terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7e576d8]
/lib/tls/i686/cmov/libc.so.6[0xb7e55800]
/home/d/bin/ypsilon[0x80673a0]
======= Memory map: ========

Program received signal SIGABRT, Aborted.
[Switching to Thread 0xb7d5b6c0 (LWP 13323)]
0xb802c430 in __kernel_vsyscall ()
(gdb) bt
#0  0xb802c430 in __kernel_vsyscall ()
#1  0xb7d888a0 in raise () from /lib/tls/i686/cmov/libc.so.6
#2  0xb7d8a268 in abort () from /lib/tls/i686/cmov/libc.so.6
#3  0xb7dc616d in ?? () from /lib/tls/i686/cmov/libc.so.6
#4  0xb7e576d8 in __fortify_fail () from /lib/tls/i686/cmov/libc.so.6
#5  0xb7e55800 in __chk_fail () from /lib/tls/i686/cmov/libc.so.6
#6  0x080673a0 in port_lookahead_utf8 ()
#7  0x08067748 in port_get_char ()
#8  0x08093e9c in subr_get_string_n ()
#9  0x08055aa4 in VM::run ()
#10 0x0804d94a in VM::standalone ()
#11 0x0804b912 in main ()
(gdb) 

Original comment by derick.e...@gmail.com on 7 Mar 2009 at 6:11

GoogleCodeExporter commented 8 years ago
Thank you for the input!

I found the bug: the following code causes a crash. ;-)
(lookahead-char (open-bytevector-input-port #vu8(#xfc #x80 #x80 #x80 #x80 #x80) (native-transcoder)))

I have fixed the bug, and the trunk directory is updated to revision 404.
Please try it. Thank you!
-- fujita

Original comment by y.fujita...@gmail.com on 7 Mar 2009 at 1:45
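The reproducer above feeds a lookahead routine a 6-byte sequence whose lead byte is #xfc, a form that no longer exists in UTF-8 and is longer than the 4 bytes a decoder's scratch buffer would normally hold. As an added illustration (not Ypsilon's port_lookahead_utf8, whose source is not on this page), the C below shows a bounded lookahead that validates the lead byte before sizing anything from it, so the same input is rejected instead of overrunning the buffer; the sample inputs in the test are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define UTF8_MAX_LEN 4   /* longest sequence valid UTF-8 can have */

/* Bytes a sequence starting with `lead` must have, or 0 when `lead` cannot
   start a sequence: continuation bytes (0x80..0xBF), the overlong leads
   0xC0/0xC1, and the obsolete 5/6-byte leads 0xF8..0xFF (0xFC among them). */
static int utf8_seq_len(uint8_t lead)
{
    if (lead < 0x80) return 1;
    if (lead >= 0xC2 && lead <= 0xDF) return 2;
    if (lead >= 0xE0 && lead <= 0xEF) return 3;
    if (lead >= 0xF0 && lead <= 0xF4) return 4;
    return 0;
}

/* Peek at the next code point in buf[0..len) without consuming it.
   Returns the code point, or -1 for an invalid or truncated sequence.
   The scratch buffer is only ever filled with n <= UTF8_MAX_LEN bytes,
   because n is derived from a lead byte that has already been validated. */
int32_t utf8_lookahead(const uint8_t *buf, size_t len)
{
    uint8_t scratch[UTF8_MAX_LEN];
    if (len == 0) return -1;
    int n = utf8_seq_len(buf[0]);
    if (n == 0 || (size_t)n > len) return -1;     /* bad lead byte, or input truncated */
    memcpy(scratch, buf, (size_t)n);              /* bounded: n is 1..UTF8_MAX_LEN here */
    if (n == 1) return scratch[0];

    int32_t cp = scratch[0] & (0x7F >> n);        /* payload bits of the lead byte */
    for (int i = 1; i < n; i++) {
        if ((scratch[i] & 0xC0) != 0x80) return -1;   /* not a continuation byte */
        cp = (cp << 6) | (scratch[i] & 0x3F);
    }
    /* Reject overlong encodings, UTF-16 surrogates and values above U+10FFFF. */
    static const int32_t min_cp[] = { 0, 0, 0x80, 0x800, 0x10000 };
    if (cp < min_cp[n] || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return -1;
    return cp;
}
```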

GoogleCodeExporter commented 8 years ago
It's fixed.

Original comment by derick.e...@gmail.com on 7 Mar 2009 at 5:53

GoogleCodeExporter commented 8 years ago
Thank you for your reply. I am closing this issue. :)
-- fujita

Original comment by y.fujita...@gmail.com on 8 Mar 2009 at 3:56