ueno / libskk

Japanese SKK input method library
GNU General Public License v3.0

Very long output from a server can cause segfault on OpenBSD #2

Closed tamo closed 12 years ago

tamo commented 12 years ago

On OpenBSD -current i386, with ibus-skk-1.3.99.20111220, using user.dict and skkserv (without using a system jisyo file), pressing "Kan " crashes ibus-engine-skk.

Maybe I'm doing something wrong because I don't see anything broken in your code.

Anyways, here is a typescript:

```
Script started on Sat Dec 24 19:18:52 2011
~ [0] 19:18$ gdb /usr/local/libexec/ibus-engine-skk ibus-engine-skk.core
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-openbsd5.0"...(no debugging symbols found)

Core was generated by `ibus-engine-skk'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libpthread.so.13.1...done.
Loaded symbols for /usr/lib/libpthread.so.13.1
Reading symbols from /usr/local/lib/libibus-1.0.so.0.0...done.
Loaded symbols for /usr/local/lib/libibus-1.0.so.0.0
Reading symbols from /usr/local/lib/libskk.so.0.0...done.
Loaded symbols for /usr/local/lib/libskk.so.0.0
Reading symbols from /usr/local/lib/libjson-glib-1.0.so.4.0...done.
Loaded symbols for /usr/local/lib/libjson-glib-1.0.so.4.0
Reading symbols from /usr/lib/libz.so.4.1...done.
Loaded symbols for /usr/lib/libz.so.4.1
Reading symbols from /usr/local/lib/libgio-2.0.so.2992.0...done.
Loaded symbols for /usr/local/lib/libgio-2.0.so.2992.0
Reading symbols from /usr/local/lib/libgmodule-2.0.so.2992.0...done.
Loaded symbols for /usr/local/lib/libgmodule-2.0.so.2992.0
Reading symbols from /usr/local/lib/libgee.so.1.0...done.
Loaded symbols for /usr/local/lib/libgee.so.1.0
Reading symbols from /usr/local/lib/libffi.so.0.0...done.
Loaded symbols for /usr/local/lib/libffi.so.0.0
Reading symbols from /usr/local/lib/libpcre.so.2.5...done.
Loaded symbols for /usr/local/lib/libpcre.so.2.5
Reading symbols from /usr/local/lib/libgobject-2.0.so.2992.0...done.
Loaded symbols for /usr/local/lib/libgobject-2.0.so.2992.0
Reading symbols from /usr/local/lib/libgthread-2.0.so.2992.0...done.
Loaded symbols for /usr/local/lib/libgthread-2.0.so.2992.0
Reading symbols from /usr/local/lib/libglib-2.0.so.2992.0...done.
Loaded symbols for /usr/local/lib/libglib-2.0.so.2992.0
Reading symbols from /usr/local/lib/libintl.so.5.0...done.
Loaded symbols for /usr/local/lib/libintl.so.5.0
Reading symbols from /usr/local/lib/libiconv.so.6.0...done.
Loaded symbols for /usr/local/lib/libiconv.so.6.0
Symbols already loaded for /usr/lib/libpthread.so.13.1
Reading symbols from /usr/lib/libc.so.61.0...done.
Loaded symbols for /usr/lib/libc.so.61.0
Reading symbols from /usr/libexec/ld.so...done.
Loaded symbols for /usr/libexec/ld.so
Reading symbols from /usr/local/lib/gio/modules/libgiofam.so...done.
Loaded symbols for /usr/local/lib/gio/modules/libgiofam.so
Reading symbols from /usr/local/lib/libfam.so.1.0...done.
Loaded symbols for /usr/local/lib/libfam.so.1.0
#0  0x02efbe21 in strlen () from /usr/lib/libc.so.61.0
(gdb) bt
#0  0x02efbe21 in strlen () from /usr/lib/libc.so.61.0
#1  0x01734985 in g_string_insert_len () from /usr/local/lib/libglib-2.0.so.2992.0
#2  0x01734c61 in g_string_append () from /usr/local/lib/libglib-2.0.so.2992.0
#3  0x00d0afb0 in skk_skk_serv_read_response (self=0x80ac1000, error=0xcfbea8ac) at skkserv.c:482
#4  0x00d0b601 in skk_skk_serv_real_lookup (base=0x80ac1000, midasi=0x88b22e80 "?\201\213?\202\223", okuri=0, result_length1=0xcfbea990)
    at skkserv.c:683
#5  0x00cffbcc in skk_dict_lookup (self=0x80ac1000, midasi=0x88b22e80 "?\201\213?\202\223", okuri=0, result_length1=0xcfbea990) at dict.c:462
#6  0x00d18abf in skk_state_lookup (self=0x7cd0d070, midasi=0x88b22360 "?\201\213?\202\223", okuri=0) at state.c:1625
#7  0x00d1ff2a in skk_select_state_handler_real_process_key_event (base=0x809b7d40, state=0x7cd0d070, key=0xcfbeac94) at state.c:4925
#8  0x00d1a19a in skk_state_handler_process_key_event (self=0x809b7d40, state=0x7cd0d070, key=0xcfbeac94) at state.c:2138
#9  0x00d2270a in skk_context_process_key_event_internal (self=0x7ebd7938, key=0x8bc0d2a0) at context.c:1316
#10 0x00d2259f in skk_context_process_key_event (self=0x7ebd7938, key=0x8bc0d2a0) at context.c:1268
#11 0x1c00479c in ?? ()
#12 0x7ebd7938 in ?? ()
#13 0x8bc0d2a0 in ?? ()
#14 0x00000000 in ?? ()
(gdb) f 3
#3  0x00d0afb0 in skk_skk_serv_read_response (self=0x80ac1000, error=0xcfbea8ac) at skkserv.c:482
482	      g_string_append (_tmp16_, (const gchar*) _tmp17_);
(gdb) list
477	      _buffer_length1 = _tmp15__length1;
478	      buffersize = _buffer_length1;
479	      _tmp16_ = builder;
480	      _tmp17_ = _buffer;
481	      _tmp17__length1 = _buffer_length1;
482	      g_string_append (_tmp16_, (const gchar*) _tmp17_);
483	      _buffer = (g_free (_buffer), NULL);
484	    }
485	  }
486	}
(gdb) p _tmp15_
$1 = (guint8 *) 0x86917000 "1/??/??;????/??/??/??/??/??/??/??/??/??;??pipe/??;?鳏工???????/??/??/??/??/??;??-??/??;??-?司???/??;?乜?/??;?椎?/??;[????]/??/??/??;????/??;????/??;????/??;????/??;????/??;????/??/??;?站?/??;?执铡驻伟"...
(gdb) p _tmp15__length1
$2 = 1971
(gdb) p _tmp16_
$3 = (GString *) 0x88f77ba0
(gdb) p *_tmp16_
$4 = {str = 0x88b22000 "", len = 0, allocated_len = 4}
(gdb) p _tmp17_
$5 = (guint8 *) 0x86917000 "1/??/??;????/??/??/??/??/??/??/??/??/??;??pipe/??;?鳏工???????/??/??/??/??/??;??-??/??;??-?司???/??;?乜?/??;?椎?/??;[????]/??/??/??;????/??;????/??;????/??;????/??;????/??;????/??/??;?站?/??;?执铡驻伟"...
(gdb) p _tmp17__length1
$6 = 1971
(gdb) quit
~ [0] 19:22$ exit
~ [0] 19:22$ ldd /usr/local/libexec/ibus-engine-skk
/usr/local/libexec/ibus-engine-skk:
        Start    End      Type Open Ref GrpRef Name
        1c000000 3c004000 exe  1    0   0      /usr/local/libexec/ibus-engine-skk
        0ee46000 2ee5c000 rlib 0    1   0      /usr/local/lib/libibus-1.0.so.0.0
        0a25c000 2a267000 rlib 0    1   0      /usr/local/lib/libskk.so.0.0
        0f8a5000 2f8ac000 rlib 0    2   0      /usr/local/lib/libjson-glib-1.0.so.4.0
        02540000 22547000 rlib 0    5   0      /usr/lib/libz.so.4.1
        04514000 24541000 rlib 0    4   0      /usr/local/lib/libgio-2.0.so.2992.0
        0f0a0000 2f0a4000 rlib 0    5   0      /usr/local/lib/libgmodule-2.0.so.2992.0
        075fc000 27607000 rlib 0    2   0      /usr/local/lib/libgee.so.1.0
        01f2e000 21f32000 rlib 0    7   0      /usr/local/lib/libffi.so.0.0
        06f71000 26f85000 rlib 0    10  0      /usr/local/lib/libpcre.so.2.5
        094e3000 294ef000 rlib 0    6   0      /usr/local/lib/libgobject-2.0.so.2992.0
        0a896000 2a89a000 rlib 0    7   0      /usr/local/lib/libgthread-2.0.so.2992.0
        0977b000 297cd000 rlib 0    9   0      /usr/local/lib/libglib-2.0.so.2992.0
        02c52000 22c56000 rlib 0    10  0      /usr/local/lib/libintl.so.5.0
        0598c000 25a6c000 rlib 0    10  0      /usr/local/lib/libiconv.so.6.0
        0740e000 27417000 rlib 0    1   0      /usr/lib/libpthread.so.13.1
        00f98000 20fc6000 rlib 0    1   0      /usr/lib/libc.so.61.0
        0bb03000 0bb03000 rtld 0    1   0      /usr/libexec/ld.so
~ [0] 19:22$ exit

Script done on Sat Dec 24 19:22:43 2011
```

ueno commented 12 years ago

Thanks for the report. There was actually a buffer overrun on line 482, because the copied buffer may not terminate with '\0'. It should be fixed in d54734ab2b752c9f5a2e6748ed5ec7ece6707f31.

tamo commented 12 years ago

Confirmed, thanks!
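An added illustration of the root cause ueno describes above (example code written for this page; it is not libskk's code and not the contents of the fix commit): g_string_append() takes a C string and finds its end with strlen(), so a chunk that recv() wrote into a fixed byte array with no trailing '\0' makes strlen() keep scanning past the array, which is the strlen() frame #0 in the backtrace, and a 1971-byte reply was enough to reach unmapped memory. The fix pattern is to append by the length the read actually returned (in GLib that is g_string_append_len(); whether the commit uses exactly that call is not stated here). The stand-alone C below replaces GString with a small growable buffer and the skkserv socket with an in-memory stand-in, both constructed for the example, and reassembles a constructed 1971-byte reply, the same length as _tmp15__length1 in the session. The max_len cap is an assumed extra policy, not part of the SKK protocol, so a server that never sends the '\n' terminator cannot grow the buffer without bound.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal growable, always NUL-terminated string standing in for GString
 * (constructed for this example; not libskk's or GLib's code). */
typedef struct { char *str; size_t len; size_t cap; } strbuf;

static void strbuf_init(strbuf *b)
{
    b->cap = 16;
    b->len = 0;
    b->str = malloc(b->cap);
    b->str[0] = '\0';
}

/* Safe form, the shape of g_string_append_len(): copy exactly n bytes and
 * re-terminate. It never touches data[n] or beyond, so a chunk that carries
 * no '\0' is fine. The reported crash is the shape of g_string_append(b,
 * data), whose strlen(data) scans past the n bytes that were really read. */
static void strbuf_append_len(strbuf *b, const char *data, size_t n)
{
    if (b->len + n + 1 > b->cap) {
        size_t ncap = b->cap;
        while (b->len + n + 1 > ncap)
            ncap *= 2;
        b->str = realloc(b->str, ncap);
        b->cap = ncap;
    }
    memcpy(b->str + b->len, data, n);
    b->len += n;
    b->str[b->len] = '\0';
}

/* In-memory stand-in for the skkserv socket: hands the reply out in pieces
 * of at most chunk_size bytes with no terminating '\0', like recv() into a
 * fixed uint8 array. */
typedef struct { const char *data; size_t len; size_t pos; } fake_server;

static size_t fake_read(fake_server *s, char *chunk, size_t chunk_size)
{
    size_t avail = s->len - s->pos;
    size_t n = avail < chunk_size ? avail : chunk_size;
    memcpy(chunk, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Accumulate pieces by length until the reply's '\n' terminator or EOF.
 * Returns a malloc'd string the caller frees, or NULL once the reply would
 * exceed max_len (assumed cap, see lead-in). */
static char *read_response(fake_server *srv, size_t chunk_size, size_t max_len)
{
    char chunk[64];
    strbuf out;

    if (chunk_size > sizeof chunk)
        chunk_size = sizeof chunk;
    strbuf_init(&out);
    for (;;) {
        size_t n = fake_read(srv, chunk, chunk_size);
        if (n == 0)
            break;                               /* EOF */
        if (out.len + n > max_len) {
            free(out.str);
            return NULL;
        }
        strbuf_append_len(&out, chunk, n);       /* never strlen(chunk) */
        if (out.str[out.len - 1] == '\n')
            break;
    }
    return out.str;
}

/* Constructed skkserv-style reply of exactly total bytes (total >= 3):
 * "1/" followed by candidate-like filler, ending in '\n'. */
static char *make_reply(size_t total)
{
    char *r = malloc(total + 1);
    size_t i;
    r[0] = '1';
    r[1] = '/';
    for (i = 2; i + 1 < total; i++)
        r[i] = (i % 8 == 7) ? '/' : 'a';
    r[total - 1] = '\n';
    r[total] = '\0';
    return r;
}

/* Reassemble a total-byte reply from 8-byte pieces. Returns the reply length
 * on success, -1 if the cap rejected it, -2 if the bytes came back wrong. */
static long demo_reassemble(size_t total, size_t max_len)
{
    char *reply = make_reply(total);
    fake_server srv = { reply, total, 0 };
    char *got = read_response(&srv, 8, max_len);
    long result;

    if (got == NULL)
        result = -1;
    else if (strlen(got) != total || memcmp(got, reply, total) != 0)
        result = -2;
    else
        result = (long)total;
    free(got);
    free(reply);
    return result;
}

int main(void)
{
    printf("1971-byte reply, cap 4096: %ld\n", demo_reassemble(1971, 4096));
    printf("1971-byte reply, cap 1024: %ld\n", demo_reassemble(1971, 1024));
    return 0;
}
```

The same loop built on g_string_append() would be correct only while every piece happened to be followed by a zero byte, which is exactly the luck that ran out at 1971 bytes in the report; appending by the length recv() returned removes the dependence on what lies after the buffer.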