rcls / crap

Cvs Remote Access Program
GNU General Public License v3.0

Segfault in fill_in_versions_and_parents() for version without '.' #15

Closed PerMildner closed 8 years ago

PerMildner commented 8 years ago

The code does

        size_t len = strrchr (i->version, '.') - i->version;

which is a bad idea if i->version is non-empty but does not contain a '.'.

In my case the following gdb session shows how memcpy is called with insane values because i->version contains the string "1".

#0  fill_in_versions_and_parents (file=0x6b4200, attic=false, file_tags=0x6ba520, file_tags_end=0x6ba7b0, tags=0x7fffffffb0f0) at log_parse.c:460
460         memcpy (vers, i->version, len);
(gdb) print *i
$8 = {tag = 0x6328a0, version = 0x6655b0 "1"}
(gdb) print *i->tag
$9 = {tag = 0x632880 "MT", tag_files = 0x6b8980, tag_files_end = 0x6b8a80, branch_versions = 0x6163e8 <dummy_pointer>, parents = 0x0, parents_end = 0x0, tags = 0x0, tags_end = 0x0, is_released = false, fixup = false, dummy = false, deleted = false, merge_source = false, rank = 0, parent = 0x0, changeset = {time = 862914216, type = ct_tag, unready_count = 0, ready_index = 18446744073709551615, mark = 0, versions = 0x0, versions_end = 0x0, children = 0x0, children_end = 0x0, merge = 0x0, merge_end = 0x0}, last = 0x0, fixups = 0x0, fixups_end = 0x0, fixups_curr = 0x0}
(gdb) print len
$10 = 18446744073702845008

(Unfortunately I have no idea how crap or CVS works, so I do not know what a suitable fix would be here.)
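The following is an added example written for this thread; it is not crap's own code and not the fix rcls later committed (which is not shown here). It takes the `strrchr` / `memcpy` pattern from the report and adds the missing check for a version string with no `'.'`, using a function name of its own (`branch_prefix`) and constructed sample revision strings. The comment also explains the `len` value from the gdb session: 18446744073702845008 is exactly 2^64 - 0x6655b0, i.e. `NULL` minus the `version` pointer (0x6655b0) wrapped into a `size_t`.

```c
#include <stdio.h>
#include <string.h>

/* Copies the part of an RCS revision string that precedes its last '.'
 * (for "1.2.3" that is "1.2") into out, NUL-terminated.
 * Returns the prefix length, -1 when version has no '.' at all (the "1"
 * case from the report), and -2 when out is too small.
 *
 * The original code computed strrchr(version, '.') - version without
 * checking for NULL. With no '.', strrchr returns NULL and the subtraction
 * is undefined behaviour that in practice wraps: the reported
 * len = 18446744073702845008 is 2^64 - 0x6655b0, the address of the "1"
 * string in the gdb output, and memcpy was then asked to copy that much. */
long branch_prefix(const char *version, char *out, size_t outsz)
{
    const char *dot;
    size_t len;

    if (version == NULL)
        return -1;
    dot = strrchr(version, '.');
    if (dot == NULL)            /* no '.', so there is no branch prefix */
        return -1;
    len = (size_t)(dot - version);
    if (len + 1 > outsz)        /* need room for the terminating NUL */
        return -2;
    memcpy(out, version, len);
    out[len] = '\0';
    return (long)len;
}

/* Test helper: run branch_prefix into a private buffer and report whether it
 * succeeded with exactly the expected prefix. */
int prefix_equals(const char *version, const char *expected)
{
    char buf[32];
    long r = branch_prefix(version, buf, sizeof buf);
    return r >= 0 && strcmp(buf, expected) == 0;
}

/* Test helper: the return code for a version and an output buffer size. */
long prefix_status(const char *version, size_t outsz)
{
    char buf[32];
    if (outsz > sizeof buf)
        outsz = sizeof buf;
    return branch_prefix(version, buf, outsz);
}

/* Exercise the function on revision strings a CVS log can contain,
 * including the one from the report (constructed samples). */
int main(void)
{
    const char *samples[] = { "1.2.3", "1.2", "1", ".5", "" };
    char buf[16];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long r = branch_prefix(samples[i], buf, sizeof buf);
        if (r < 0)
            printf("%-6s -> rejected (%ld)\n", samples[i], r);
        else
            printf("%-6s -> \"%s\" (len %ld)\n", samples[i], buf, r);
    }
    return 0;
}
```

The caller decides what a version without a `'.'` means for its data structure; the point is that the decision is made before any length is derived from the pointer difference, so `memcpy` never sees a wrapped `size_t`.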

rcls commented 8 years ago

Thanks for the report.

Is there any chance I can have access to your repository?

It is easy enough to make that code more robust, but I would also like to have a look at your repo & see what is really going on.

(If the repo is private, then nearly as good would be a copy of the metadata from the ",v" file. The debugger can tell you exactly what file it was processing: file->path and file->rcs_path will have that info.)

Cheers, Ralph.

PerMildner commented 8 years ago

On 27 Jun 2016, at 20:14, rcls notifications@github.com wrote:

Thanks for the report.

Is there any chance I can have access to your repository?

It is easy enough to make that code more robust, but I would also like to have a look at your repo & see what is really going on.

(If the repo is private, then nearly as good would be a copy of the metadata from the ",v" file. The debugger can tell you exactly what file it was processing: file->path and file->rcs_path will have that info.)

The repo is private, unfortunately. I have attached the offending “,v” file (not only its metadata).

I have a debug build of crap-clone in GDB so I can look at variables for you. I can also test changes.

Cheers, Ralph.


Per Mildner Per.Mildner@sics.se Swedish Institute of Computer Science (SICS Swedish ICT)

PerMildner commented 8 years ago

The email attachment seems to have been removed by GitHub. Attaching here instead. crap-bug.tar.gz

rcls commented 8 years ago

Should be fixed now. Thanks for reporting this. Let me know if you have any more problems.

PerMildner commented 8 years ago

I can confirm that the fix seems to have solved the issue for our repository. Thanks!