bug-bash
bash-2.05b: segfault at mbutil.c:234


From: Jim Meyering
Subject: bash-2.05b: segfault at mbutil.c:234
Date: Wed, 18 Sep 2002 16:44:28 +0200
User-agent: Gnus/5.090008 (Oort Gnus v0.08) Emacs/21.3.50 (i686-pc-linux-gnu)

Configuration Information [Automatically generated, do not change]:
Machine: i386
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='i386' 
-DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='i386-pc-linux-gnu' 
-DCONF_VENDOR='pc' -DSHELL -DHAVE_CONFIG_H  -I.  
-I/home/packages/bash/bash-2.05b -I/home/packages/bash/bash-2.05b/include 
-I/home/packages/bash/bash-2.05b/lib  -g -O2
uname output: Linux xxxxx 2.4.18 #7 SMP Mon May 27 15:33:40 CEST 2002 i686 
unknown unknown GNU/Linux
Machine Type: i386-pc-linux-gnu

Bash Version: 2.05b
Patch Level: 0
Release Status: release

Description:

        NULL pointer dereference in mbutil.c causes segfault

Repeat-By:

  xxxxx$ LC_ALL=fr_FR bash
  xxxxx$ touch /tmp/oupée
  xxxxx$ exit
  xxxxx$ LC_ALL=C bash
  xxxxx$ m /tmp/oup          <== hit TAB here, to get this...
  xxxxx$ m /tmp/oupée        <== leave cursor here

Then move (I use viper mode) the cursor back to the `p'
and remove the `p' (via the `x' command).  This is what I see:

  xxxxx$ m /tmp/ouSegmentation fault
  [Exit 139 (SIGSEGV)]

Here's the backtrace I see in gdb:

(gdb) bt
#0  _rl_get_char_len (src=0x817a026 "ée ", ps=0x0) at mbutil.c:215
#1  0x080becc3 in _rl_compare_chars (buf1=0x817a026 "ée ", pos1=0, ps1=0x0,
    buf2=0x817a825 "ée ", pos2=0, ps2=0x0) at mbutil.c:234
#2  0x080b4104 in update_line (
    old=0x817a008 "\e[35;1mxxxxx$\e[0;0m m /tmp/oupée ",
    new=0x817a808 "\e[35;1mxxxxx$\e[0;0m m /tmp/ouée ", current_line=0,
    omax=33, nmax=32, inv_botlin=0) at display.c:1210
#3  0x080b337f in rl_redisplay () at display.c:799
#4  0x080a6981 in readline_internal_char () at readline.c:465
#5  0x080a69e5 in readline_internal_charloop () at readline.c:489
#6  0x080a6a00 in readline_internal () at readline.c:503
#7  0x080a6604 in readline (
    prompt=0x80f2208 "\001\e[35;1m\002xxxxx$\001\e[0;0m\002 ") at readline.c:299
#8  0x0804f6c0 in yy_readline_get ()
    at /usr/homes/chet/src/bash/src/parse.y:1108
#9  0x0804f611 in yy_getc () at /usr/homes/chet/src/bash/src/parse.y:1042
#10 0x080500c8 in shell_getc (remove_quoted_newline=1)
    at /usr/homes/chet/src/bash/src/parse.y:1803
#11 0x08050d30 in read_token (command=0)
    at /usr/homes/chet/src/bash/src/parse.y:2414
#12 0x0805070c in yylex () at /usr/homes/chet/src/bash/src/parse.y:2084
#13 0x0804d7f1 in yyparse () at /usr/local/share/bison/bison.simple:573
#14 0x0804d48a in parse_command () at eval.c:217
#15 0x0804d54e in read_command () at eval.c:261
#16 0x0804d2dd in reader_loop () at eval.c:128
#17 0x0804b551 in main (argc=1, argv=0xbffff354, env=0xbffff35c) at shell.c:680

The problem seems to be that mbutil.c is dereferencing `ps',
which is passed in as NULL from the call in display.c.

Here are the lines in question:

(gdb) dow
#0  _rl_get_char_len (src=0x817a026 "ée ", ps=0x0) at mbutil.c:215
215           memset (ps, 0, sizeof(mbstate_t));
(gdb) up
#1  0x080becc3 in _rl_compare_chars (buf1=0x817a026 "ée ", pos1=0, ps1=0x0,
    buf2=0x817a825 "ée ", pos2=0, ps2=0x0) at mbutil.c:234
234       if ((w1 = _rl_get_char_len (&buf1[pos1], ps1)) <= 0 ||
(gdb)
#2  0x080b4104 in update_line (
    old=0x817a008 "\e[35;1mpixie$\e[0;0m m /tmp/oupée ",
    new=0x817a808 "\e[35;1mpixie$\e[0;0m m /tmp/ouée ", current_line=0,
    omax=33, nmax=32, inv_botlin=0) at display.c:1210
1210      else if (_rl_compare_chars (ols, 0, NULL, nls, 0, NULL) == 0)
(gdb)
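The crash above is a NULL `mbstate_t' handed from the display.c call site into _rl_get_char_len(), which resets it with memset() on the incomplete-sequence path. The following is an added example, not code from this report, from readline or from bash: a minimal stand-in for the _rl_get_char_len()/_rl_compare_chars() pair that reproduces the failure mode and shows a NULL-tolerant variant beside it. The function names (unsafe_char_len, safe_char_len, compare_chars, select_utf8_locale) are hypothetical, and the input strings are constructed from the old/new display lines in the backtrace.

```c
/* Added example, not code from the bug report or from readline/bash:
 * a minimal stand-in for readline's _rl_get_char_len()/_rl_compare_chars()
 * pair that reproduces the reported failure mode (memset on a NULL
 * mbstate_t) and a NULL-tolerant variant.  All function names here are
 * hypothetical. */
#include <locale.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Same shape as the crashing code: when mbrlen() reports an incomplete
 * sequence, the shift state is reset with memset(ps, ...).  With ps == NULL
 * that is a write through a NULL pointer, i.e. frame #0 of the backtrace. */
static int unsafe_char_len(const char *src, mbstate_t *ps)
{
    size_t n;

    if (*src == '\0')
        return 0;                           /* no character here */
    n = mbrlen(src, strlen(src), ps);
    if (n == (size_t)-2) {                  /* truncated multibyte sequence */
        memset(ps, 0, sizeof(mbstate_t));   /* faults when ps == NULL */
        return -2;
    }
    if (n == (size_t)-1)                    /* invalid sequence in this locale */
        return -1;
    return (int)n;
}

/* Hardened variant: a caller with no shift state to pass (like the
 * display.c call site, which passes NULL) gets a private zeroed one, so
 * the reset below can never touch a NULL pointer. */
static int safe_char_len(const char *src, mbstate_t *ps)
{
    mbstate_t local;
    size_t n;

    if (ps == NULL) {
        memset(&local, 0, sizeof local);
        ps = &local;
    }
    if (*src == '\0')
        return 0;
    n = mbrlen(src, strlen(src), ps);
    if (n == (size_t)-2) {
        memset(ps, 0, sizeof(mbstate_t));   /* ps is never NULL here */
        return -2;
    }
    if (n == (size_t)-1)
        return -1;
    return (int)n;
}

/* Stand-in for _rl_compare_chars(): 1 if the characters starting at
 * buf1[pos1] and buf2[pos2] have the same length and bytes, else 0.
 * Keeps the "<= 0" guard visible at mbutil.c:234 in the report. */
static int compare_chars(const char *buf1, int pos1, mbstate_t *ps1,
                         const char *buf2, int pos2, mbstate_t *ps2)
{
    int w1 = safe_char_len(buf1 + pos1, ps1);
    int w2 = safe_char_len(buf2 + pos2, ps2);

    if (w1 <= 0 || w2 <= 0 || w1 != w2)
        return 0;
    return memcmp(buf1 + pos1, buf2 + pos2, (size_t)w1) == 0;
}

/* Try a few UTF-8 locale names; returns 1 on success, 0 if none exists. */
static int select_utf8_locale(void)
{
    static const char *const names[] =
        { "C.UTF-8", "en_US.UTF-8", "fr_FR.UTF-8", NULL };
    int i;

    for (i = 0; names[i] != NULL; i++)
        if (setlocale(LC_CTYPE, names[i]) != NULL)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed inputs modelled on the report: the old and new display
     * lines after the 'p' in "oupée" was deleted. */
    const char *old_line = "m /tmp/oupée ";
    const char *new_line = "m /tmp/ouée ";
    int utf8 = select_utf8_locale();

    printf("UTF-8 locale available: %s\n", utf8 ? "yes" : "no");
    /* The display.c call site passes NULL for both states; with the
     * hardened routine that no longer dereferences NULL. */
    printf("compare_chars at offset 0 -> %d\n",
           compare_chars(old_line, 0, NULL, new_line, 0, NULL));
    printf("safe_char_len(\"\\xc3\", NULL) (truncated \"é\") -> %d\n",
           safe_char_len("\xc3", NULL));
    /* unsafe_char_len("\xc3", NULL) would segfault in a UTF-8 locale:
     * the -2 path runs memset(NULL, 0, sizeof(mbstate_t)). */
    return 0;
}
```

The locale-dependent part only runs when a UTF-8 locale can be selected; in the plain C locale both routines see single-byte characters and never reach the memset, which is why the report's recipe needs the completion to be done under fr_FR first and the edit under LC_ALL=C with the multibyte bytes already on the line.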
