Bug in R 2.7 for over long lines (crasher+proposed fix!) (PR#11281)

> =EF=BB=BFOn Fri, 2008-04-25 at 08:48 +0200, Soeren Sonnenburg wrote:
>  
>> While trying to fix swig & R2.7 I actually discovered that there is a
>> bug in R 2.7 causing a crash (so R & swig might actually work):
>> =20
>> the bug is in ./src/main/gram.c  line 3038:
>> =20
>>             } else { /* over-long line */
>> fixthis --> char *LongLine =3D (char *) malloc(nc);
>>             if(!LongLine)
>>                 error(_("unable to allocate space for source line %
>>    
> d"), xxlineno);
>  
>>             strncpy(LongLine, (char *)p0, nc);
>>  bug -->    LongLine[nc] =3D '\0';
>>             SET_STRING_ELT(source, lines++,
>>                        mkChar2((char *)LongLine));
>>             free(LongLine);
>> =20
>> note that LongLine is only nc chars long, so the LongLine[nc]=3D'\0'
>>    
> might
>  
>> be an out of bounds write. the fix would be to do
>> =20
>> =EF=BB=BF            char *LongLine =3D (char *) malloc(nc+1);
>> =20
>> in line 3034
>> =20
>> Please fix and thanks to dirk for the debian r-base-dbg package!
>>    
>
> Looking at the code again there seems to be another bug above this for
> the MAXLINESIZE test too:
>
>         if (*p =3D=3D '\n' || p =3D=3D end - 1) {
>             nc =3D p - p0;
>             if (*p !=3D '\n')
>             nc++;
>             if (nc <=3D MAXLINESIZE) {
>             strncpy((char *)SourceLine, (char *)p0, nc);
> bug2 -->    SourceLine[nc] =3D '\0';
>             SET_STRING_ELT(source, lines++,
>                        mkChar2((char *)SourceLine));
>             } else { /* over-long line */
>             char *LongLine =3D (char *) malloc(nc+1);
>             if(!LongLine)
>                 error(_("unable to allocate space for source line %d"),
> xxlineno);
> bug1 -->    strncpy(LongLine, (char *)p0, nc);
>             LongLine[nc] =3D '\0';
>             SET_STRING_ELT(source, lines++,
>                        mkChar2((char *)LongLine));
>             free(LongLine);
>             }
>             p0 =3D p + 1;
>         }
>
>
> So I guess the test would be for nc < MAXLINESIZE above or to change
> SourceLine to have MAXLINESIZE+1 size.
>
> Alternatively as the strncpy manpage suggests do this for all
> occurrences of strncpy
>
>            strncpy(buf, str, n);
>            if (n > 0)
>                buf[n - 1]=3D =E2=80=99\0=E2=80=99;
>
> this could even be made a makro / helper function ...
>
> And another update: This does fix the R+swig crasher for me (tested)!
>
> Soeren
>
> ______________________________________________
> R-devel@... mailing list
> https://stat.ethz.ch/mailman/listinfo/r-devel
>  

> > =EF=BB=BFOn Fri, 2008-04-25 at 08:48 +0200, Soeren Sonnenburg wrote:
> >  
> >> While trying to fix swig & R2.7 I actually discovered that there is a
> >> bug in R 2.7 causing a crash (so R & swig might actually work):
> >> =20
> >> the bug is in ./src/main/gram.c  line 3038:
> >> =20
> >>             } else { /* over-long line */
> >> fixthis --> char *LongLine =3D (char *) malloc(nc);
> >>             if(!LongLine)
> >>                 error(_("unable to allocate space for source line %
> >>    
> > d"), xxlineno);
> >  
> >>             strncpy(LongLine, (char *)p0, nc);
> >>  bug -->    LongLine[nc] =3D '\0';
> >>             SET_STRING_ELT(source, lines++,
> >>                        mkChar2((char *)LongLine));
> >>             free(LongLine);
> >> =20
> >> note that LongLine is only nc chars long, so the LongLine[nc]=3D'\0'
> >>    
> > might
> >  
> >> be an out of bounds write. the fix would be to do
> >> =20
> >> =EF=BB=BF            char *LongLine =3D (char *) malloc(nc+1);
> >> =20
> >> in line 3034
> >> =20
> >> Please fix and thanks to dirk for the debian r-base-dbg package!
> >>    
> >
> > Looking at the code again there seems to be another bug above this for
> > the MAXLINESIZE test too:
> >
> >         if (*p =3D=3D '\n' || p =3D=3D end - 1) {
> >             nc =3D p - p0;
> >             if (*p !=3D '\n')
> >             nc++;
> >             if (nc <=3D MAXLINESIZE) {
> >             strncpy((char *)SourceLine, (char *)p0, nc);
> > bug2 -->    SourceLine[nc] =3D '\0';
> >             SET_STRING_ELT(source, lines++,
> >                        mkChar2((char *)SourceLine));
> >             } else { /* over-long line */
> >             char *LongLine =3D (char *) malloc(nc+1);
> >             if(!LongLine)
> >                 error(_("unable to allocate space for source line %d"),
> > xxlineno);
> > bug1 -->    strncpy(LongLine, (char *)p0, nc);
> >             LongLine[nc] =3D '\0';
> >             SET_STRING_ELT(source, lines++,
> >                        mkChar2((char *)LongLine));
> >             free(LongLine);
> >             }
> >             p0 =3D p + 1;
> >         }
> >
> >
> > So I guess the test would be for nc < MAXLINESIZE above or to change
> > SourceLine to have MAXLINESIZE+1 size.
> >
> > Alternatively as the strncpy manpage suggests do this for all
> > occurrences of strncpy
> >
> >            strncpy(buf, str, n);
> >            if (n > 0)
> >                buf[n - 1]=3D =E2=80=99\0=E2=80=99;
> >
> > this could even be made a makro / helper function ...
> >
> > And another update: This does fix the R+swig crasher for me (tested)!
> >
> > Soeren