Re: segfault in info from CVS when pressing h

[Andreas Schwab]

address@hidden (Karl Berry) writes:

>     #2 0x000000000040ac84 in text_buffer_vprintf
>      (address@hidden, format=0x423098 "%s\n",
>      address@hidden) at info-utils.c:
>
> $ echo h >/tmp/h
> $ info --restore=/tmp/h 
> also crashes here for me, on x86_64-linux (but not i386-linux).
> It is not immediately obvious to me where the problem is :(.

It's the classic bug of using a va_list after being destroyed.

Andreas.

2012-07-14  Andreas Schwab  <address@hidden>

        * info/info-utils.c (text_buffer_vprintf): Create a copy of AP in
        the loop.
---
 info/info-utils.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/info/info-utils.c b/info/info-utils.c
index 39343d9..ade4a14 100644
--- a/info/info-utils.c
+++ b/info/info-utils.c
@@ -1,7 +1,7 @@
 /* info-utils.c -- miscellanous.
    $Id: info-utils.c,v 1.18 2012/04/12 10:38:28 gray Exp $
 
-   Copyright (C) 1993, 1998, 2003, 2004, 2007, 2008, 2009, 2011
+   Copyright (C) 1993, 1998, 2003, 2004, 2007, 2008, 2009, 2011, 2012
    Free Software Foundation, Inc.
 
    This program is free software: you can redistribute it and/or modify
@@ -782,7 +782,8 @@ size_t
 text_buffer_vprintf (struct text_buffer *buf, const char *format, va_list ap)
 {
   ssize_t n;
-  
+  va_list ap_copy;
+
   if (!buf->base)
     {
       if (buf->size == 0)
@@ -793,8 +794,10 @@ text_buffer_vprintf (struct text_buffer *buf, const char 
*format, va_list ap)
   
   for (;;)
     {
+      va_copy (ap_copy, ap);
       n = vsnprintf (buf->base + buf->off, buf->size - buf->off,
-                    format, ap);
+                    format, ap_copy);
+      va_end (ap_copy);
       if (n < 0 || buf->off + n >= buf->size ||
          !memchr (buf->base + buf->off, '\0', buf->size - buf->off + 1))
        {
-- 
1.7.11.2

-- 
Andreas Schwab, address@hidden
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."