Re: Fix a crash in stand-alone Info due to bad indexing of a string

bug-texinfo

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Fix a crash in stand-alone Info due to bad indexing of a string

From:	Eli Zaretskii
Subject:	Re: Fix a crash in stand-alone Info due to bad indexing of a string
Date:	Thu, 21 Mar 2013 20:32:32 +0200

> Date: Thu, 21 Mar 2013 19:29:29 +0300
> From: Sergey Poznyakoff <address@hidden>
> Cc: <address@hidden>
> 
> Eli Zaretskii <address@hidden> ha escrit:
> 
> > The stand-alone Info reader crashed on me today when I did
> > index-search.  Debugging that, I found a faulty logic in indices.c,
> > which caused us to write outside of a string's bounds when we up-case
> > or down-case a partial match found by index-search.  The result was
> > that the following call to 'free' crashed.
> 
> Can you please give a recipe of how to reproduce this?

Assuming you have gdb.info on your system:

  info -f /usr/share/info/gdb.info
  i bini RET

If it crashes right there and then, you have your repro. ;-)  If not,
look at the echo area, which says:

  Found `.gdbinit' in Concept Index. (`,' tries to find next.)

It should have said

  Found `.gdBINIt' in Concept Index. (`,' tries to find next.)

like 'info' from 4.13 did.  In 5.1, the up-casing uses wrong indices
(see below), so it doesn't up-case the partial match, but instead
writes beyond the bounds of the 'match' array.

This code:

  if (index_partial)
    {
      /* When looking for substrings, take care not to return previous exact
         matches. */
      for (i = index_offset + dir; (i > -1) && (index_index[i]); i += dir)
        if (!index_entry_matches (index_index[i], index_search, search_len) &&
            string_in_line (index_search, index_index[i]->label) != -1)
          {
            partial = 1;
            break;
          }
    }

sets 'partial' to 1.  And then this code:

    if (partial && show_index_match)
      {
        int k, ls, start, upper;

        ls = strlen (index_search);
        start = partial - ls;
        upper = isupper (match[start]) ? 1 : 0;

        for (k = 0; k < ls; k++)
          if (upper)
            match[k + start] = info_tolower (match[k + start]);
          else
            match[k + start] = info_toupper (match[k + start]);
      }

indexes 'match' with values that start at 'partial - ls', which is a
negative value, since index_search, the search string, is generally
longer than 1 character.

[Prev in Thread]

Current Thread

[Next in Thread]

Fix a crash in stand-alone Info due to bad indexing of a string, Eli Zaretskii, 2013/03/20
- Re: Fix a crash in stand-alone Info due to bad indexing of a string, Karl Berry, 2013/03/20
  - Re: Fix a crash in stand-alone Info due to bad indexing of a string, Eli Zaretskii, 2013/03/20
    - Re: Fix a crash in stand-alone Info due to bad indexing of a string, Karl Berry, 2013/03/21
    - Re: Fix a crash in stand-alone Info due to bad indexing of a string, Sergey Poznyakoff, 2013/03/21
    - Re: Fix a crash in stand-alone Info due to bad indexing of a string, Eli Zaretskii, 2013/03/22
    - Re: Fix a crash in stand-alone Info due to bad indexing of a string, Karl Berry, 2013/03/22
- Re: Fix a crash in stand-alone Info due to bad indexing of a string, Sergey Poznyakoff, 2013/03/21
  - Re: Fix a crash in stand-alone Info due to bad indexing of a string, Eli Zaretskii <=

Prev by Date: Re: makeinfo swallows page breaks
Next by Date: Re: makeinfo swallows page breaks
Previous by thread: Re: Fix a crash in stand-alone Info due to bad indexing of a string
Next by thread: Bad use of EXEEXT in man/Makefile.am
Index(es):
- Date
- Thread