bash-2.05b: segfault at mbutil.c:234
From: Jim Meyering
Subject: bash-2.05b: segfault at mbutil.c:234
Date: Wed, 18 Sep 2002 16:44:28 +0200
User-agent: Gnus/5.090008 (Oort Gnus v0.08) Emacs/21.3.50 (i686-pc-linux-gnu)
Configuration Information [Automatically generated, do not change]:
Machine: i386
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='i386'
-DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='i386-pc-linux-gnu'
-DCONF_VENDOR='pc' -DSHELL -DHAVE_CONFIG_H -I.
-I/home/packages/bash/bash-2.05b -I/home/packages/bash/bash-2.05b/include
-I/home/packages/bash/bash-2.05b/lib -g -O2
uname output: Linux xxxxx 2.4.18 #7 SMP Mon May 27 15:33:40 CEST 2002 i686
unknown unknown GNU/Linux
Machine Type: i386-pc-linux-gnu
Bash Version: 2.05b
Patch Level: 0
Release Status: release
Description:
NULL pointer dereference in mbutil.c causes segfault
Repeat-By:
xxxxx$ LC_ALL=fr_FR bash
xxxxx$ touch /tmp/oupée
xxxxx$ exit
xxxxx$ LC_ALL=C bash
xxxxx$ m /tmp/oup <== hit TAB here, to get this...
xxxxx$ m /tmp/oupée <== leave cursor here
Then move (I use viper mode) the cursor back to the `p'
and remove the `p' (via the `x' command). This is what I see:
xxxxx$ m /tmp/ouSegmentation fault
[Exit 139 (SIGSEGV)]
Here's the backtrace I see in gdb:
(gdb) bt
#0 _rl_get_char_len (src=0x817a026 "ée ", ps=0x0) at mbutil.c:215
#1 0x080becc3 in _rl_compare_chars (buf1=0x817a026 "ée ", pos1=0, ps1=0x0,
buf2=0x817a825 "ée ", pos2=0, ps2=0x0) at mbutil.c:234
#2 0x080b4104 in update_line (
old=0x817a008 "\e[35;1mxxxxx$\e[0;0m m /tmp/oupée ",
new=0x817a808 "\e[35;1mxxxxx$\e[0;0m m /tmp/ouée ", current_line=0,
omax=33, nmax=32, inv_botlin=0) at display.c:1210
#3 0x080b337f in rl_redisplay () at display.c:799
#4 0x080a6981 in readline_internal_char () at readline.c:465
#5 0x080a69e5 in readline_internal_charloop () at readline.c:489
#6 0x080a6a00 in readline_internal () at readline.c:503
#7 0x080a6604 in readline (
prompt=0x80f2208 "\001\e[35;1m\002xxxxx$\001\e[0;0m\002 ") at readline.c:299
#8 0x0804f6c0 in yy_readline_get ()
at /usr/homes/chet/src/bash/src/parse.y:1108
#9 0x0804f611 in yy_getc () at /usr/homes/chet/src/bash/src/parse.y:1042
#10 0x080500c8 in shell_getc (remove_quoted_newline=1)
at /usr/homes/chet/src/bash/src/parse.y:1803
#11 0x08050d30 in read_token (command=0)
at /usr/homes/chet/src/bash/src/parse.y:2414
#12 0x0805070c in yylex () at /usr/homes/chet/src/bash/src/parse.y:2084
#13 0x0804d7f1 in yyparse () at /usr/local/share/bison/bison.simple:573
#14 0x0804d48a in parse_command () at eval.c:217
#15 0x0804d54e in read_command () at eval.c:261
#16 0x0804d2dd in reader_loop () at eval.c:128
#17 0x0804b551 in main (argc=1, argv=0xbffff354, env=0xbffff35c) at shell.c:680
The problem seems to be that mbutil.c is dereferencing `ps',
which is passed in as NULL from the call in display.c.
Here are the lines in question:
(gdb) dow
#0 _rl_get_char_len (src=0x817a026 "ée ", ps=0x0) at mbutil.c:215
215 memset (ps, 0, sizeof(mbstate_t));
(gdb) up
#1 0x080becc3 in _rl_compare_chars (buf1=0x817a026 "ée ", pos1=0, ps1=0x0,
buf2=0x817a825 "ée ", pos2=0, ps2=0x0) at mbutil.c:234
234 if ((w1 = _rl_get_char_len (&buf1[pos1], ps1)) <= 0 ||
(gdb)
#2 0x080b4104 in update_line (
old=0x817a008 "\e[35;1mpixie$\e[0;0m m /tmp/oupée ",
new=0x817a808 "\e[35;1mpixie$\e[0;0m m /tmp/ouée ", current_line=0,
omax=33, nmax=32, inv_botlin=0) at display.c:1210
1210 else if (_rl_compare_chars (ols, 0, NULL, nls, 0, NULL) == 0)
(gdb)
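As an added illustration (this is not readline's code and not part of the report above), here is the defensive shape such a helper takes so that a caller passing NULL for the conversion state cannot trigger the memset crash shown in frame #0: the state pointer is treated as optional and a private, zeroed mbstate_t is used when none is supplied. The function names safe_get_char_len and safe_compare_chars and the sample strings are invented for this example.

```c
/* Added example: NULL-safe multibyte character helpers.
   Mirrors the call shape in the backtrace above (get length of the
   character at a position, then compare two such characters), but
   never dereferences a NULL state pointer. Names are hypothetical. */
#include <locale.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Byte length of the multibyte character at *src, 0 at end of string,
   -1 for an invalid or truncated sequence. `ps` may be NULL: the crash
   in the report comes from memset(ps, ...) with ps == NULL, so fall back
   to a local state instead of trusting the caller. */
int safe_get_char_len(const char *src, mbstate_t *ps)
{
    mbstate_t local;

    if (src == NULL)
        return -1;
    if (ps == NULL)
        ps = &local;                 /* caller tracks no state: use ours */
    memset(ps, 0, sizeof(mbstate_t)); /* ps is now always a valid pointer */

    if (*src == '\0')
        return 0;

    size_t n = mbrlen(src, strlen(src), ps);
    if (n == (size_t)-1 || n == (size_t)-2)
        return -1;                   /* EILSEQ or incomplete sequence */
    return (int)n;
}

/* 1 if the characters at buf1[pos1] and buf2[pos2] are byte-identical
   and well formed, else 0. Either state pointer may be NULL. */
int safe_compare_chars(const char *buf1, int pos1, mbstate_t *ps1,
                       const char *buf2, int pos2, mbstate_t *ps2)
{
    int w1 = safe_get_char_len(buf1 + pos1, ps1);
    int w2 = safe_get_char_len(buf2 + pos2, ps2);

    if (w1 <= 0 || w2 <= 0 || w1 != w2)
        return 0;
    return memcmp(buf1 + pos1, buf2 + pos2, (size_t)w1) == 0;
}

int main(void)
{
    /* Pick up LC_CTYPE from the environment, as a shell would; the
       helpers behave the same whether or not this succeeds. */
    setlocale(LC_CTYPE, "");

    /* Constructed sample: the old and new display lines from the report,
       compared at the first byte that differs, with NULL states as in
       display.c's call. */
    const char *old_line = "m /tmp/oup\xc3\xa9" "e ";   /* oupée */
    const char *new_line = "m /tmp/ou\xc3\xa9" "e ";    /* ouée  */

    printf("len at old[9]  = %d\n", safe_get_char_len(old_line + 9, NULL));
    printf("len at new[9]  = %d\n", safe_get_char_len(new_line + 9, NULL));
    printf("same char?     = %d\n",
           safe_compare_chars(old_line, 9, NULL, new_line, 9, NULL));
    return 0;
}
```

The key change is the first two statements of safe_get_char_len: once `ps` is guaranteed non-NULL, the rest of the routine can keep its original logic. The lengths printed for the accented byte sequence depend on the active locale (1 byte per character in the C locale, 2 for UTF-8), which is exactly why the helper must not assume the caller has initialised a state for it.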