[bug-libunistring] SIGSEGV on malloc() failure
From: Tim Rühsen
Subject: [bug-libunistring] SIGSEGV on malloc() failure
Date: Sat, 26 Jan 2019 18:26:16 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
Hi,
I just tested random malloc() failures and stumbled upon a SIGSEGV
(details below).
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7dd1f61 in __gconv_close (cd=0x0) at gconv_close.c:34
34 gconv_close.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7dd1f61 in __gconv_close (cd=0x0) at gconv_close.c:34
#1 0x00007ffff7dd185f in iconv_close (cd=<optimized out>) at iconv_close.c:35
#2 0x00007ffff7c3ddc3 in libunistring_iconveh_open () from /usr/lib/x86_64-linux-gnu/libunistring.so.2
#3 0x00007ffff7c3dfcd in libunistring_mem_iconveh () from /usr/lib/x86_64-linux-gnu/libunistring.so.2
#4 0x00007ffff7c3e2af in ?? () from /usr/lib/x86_64-linux-gnu/libunistring.so.2
#5 0x00007ffff7c3e6fb in libunistring_mem_iconveha () from /usr/lib/x86_64-linux-gnu/libunistring.so.2
#6 0x00007ffff7c46064 in u8_conv_from_encoding () from /usr/lib/x86_64-linux-gnu/libunistring.so.2
#7 0x00007ffff7c46318 in u8_strconv_from_encoding () from /usr/lib/x86_64-linux-gnu/libunistring.so.2
#8 0x00007ffff7f71413 in idn2_lookup_ul () from /usr/lib/x86_64-linux-gnu/libidn2.so.0
#9 0x0000555555555387 in main ()
$ ldd a.out
linux-vdso.so.1 (0x00007fffe8b35000)
libidn2.so.0 => /usr/lib/x86_64-linux-gnu/libidn2.so.0 (0x00007f0fc30f4000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0fc2f33000)
libunistring.so.2 => /usr/lib/x86_64-linux-gnu/libunistring.so.2 (0x00007f0fc2daf000)
/lib64/ld-linux-x86-64.so.2 (0x00007f0fc315b000)
This is on Debian unstable with the latest libunistring:
ii libunistring-dev:amd64 0.9.10-1 amd64
ii libunistring2:amd64 0.9.10-1 amd64
ii libc6:amd64 2.28-5 amd64
ii libidn2-0:amd64 2.0.5-1 amd64
A reproducer written in C is attached.
Compile with 'gcc crash.c -lidn2', run with ./a.out.
It sometimes doesn't crash, but very often does.
Libidn2 doesn't really matter, but it creates a certain sequence of
malloc() calls. Any other versions of libraries might need different
input and the reproducer might not work then.
I know this report is a bit obscure (generating random malloc()
failures), just wanted to let you know about it. I couldn't find the
issue by looking at the source code (gnulib/libunistring) in the time I
had. gconv_close() crashes if given a NULL pointer, but I could not see
how that is done in iconv_close().
Ah yes, valgrind doesn't show any issue - I guess since it uses its own
malloc() functionality.
Regards, Tim
Attachments:
crash.c (Text Data)
signature.asc (OpenPGP digital signature)
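The backtrace above shows iconv_close() being reached with cd=0x0 from libunistring_iconveh_open() while allocations are being made to fail at random. The C block below is an added example, not part of Tim's report, of the attached crash.c, or of libunistring/gnulib: it shows the two things a practitioner would want to reproduce from this report, a countdown fault injector that forces the n-th iconv_open() to fail with ENOMEM (the result a failed malloc() inside iconv_open() presents to the caller), and a cleanup path that only ever passes a descriptor that was actually opened to iconv_close(). All function names (fi_iconv_open, safe_iconv_close, conv_pair_open, conv_pair_close, run_under_fault_injection) are illustrative assumptions, and the encodings UTF-8 and UCS-2LE are assumed to be available without loadable conversion modules on the libc in use.

```c
/* Added example: iconv_open() failure injection plus a cleanup path that never
 * hands an unopened descriptor to iconv_close().  Hypothetical helper names;
 * this is not libunistring's or gnulib's code. */
#include <errno.h>
#include <iconv.h>
#include <stddef.h>
#include <stdio.h>

/* Countdown fault injector: when fail_after reaches 0 the next open is forced
 * to fail with ENOMEM, as a failed malloc() inside iconv_open() would look to
 * the caller.  -1 disables injection. */
static int fail_after = -1;

static iconv_t fi_iconv_open(const char *to, const char *from)
{
    if (fail_after == 0) {
        fail_after = -1;
        errno = ENOMEM;
        return (iconv_t)-1;
    }
    if (fail_after > 0)
        fail_after--;
    return iconv_open(to, from);
}

/* Close only a descriptor that was really opened.  iconv_open() reports
 * failure as (iconv_t)-1; NULL is rejected too, since the backtrace in the
 * report shows __gconv_close() crashing on cd=0x0.  Resets *cd afterwards so
 * a second close is harmless. */
static int safe_iconv_close(iconv_t *cd)
{
    if (*cd == (iconv_t)-1 || *cd == NULL)
        return 0;
    int r = iconv_close(*cd);
    *cd = (iconv_t)-1;
    return r;
}

struct conv_pair { iconv_t to_utf8; iconv_t from_utf8; };

/* Open the two descriptors a round-trip through UTF-8 needs.  Returns 0 on
 * success, or -1 with errno set and nothing left open. */
static int conv_pair_open(struct conv_pair *p, const char *from, const char *to)
{
    p->to_utf8 = (iconv_t)-1;
    p->from_utf8 = (iconv_t)-1;

    p->to_utf8 = fi_iconv_open("UTF-8", from);
    if (p->to_utf8 == (iconv_t)-1)
        return -1;                      /* nothing opened yet: nothing to close */

    p->from_utf8 = fi_iconv_open(to, "UTF-8");
    if (p->from_utf8 == (iconv_t)-1) {
        int saved = errno;              /* iconv_close() may clobber errno */
        safe_iconv_close(&p->to_utf8);  /* this one was opened, so close it */
        errno = saved;
        return -1;
    }
    return 0;
}

static void conv_pair_close(struct conv_pair *p)
{
    safe_iconv_close(&p->to_utf8);
    safe_iconv_close(&p->from_utf8);
}

/* Drive every injection point: fail the 1st open, then the 2nd, then none.
 * Returns how many of the three runs behaved (clean failure with ENOMEM and
 * no descriptor left open, or a clean success). */
static int run_under_fault_injection(const char *from, const char *to)
{
    int ok = 0;
    for (int n = 0; n < 3; n++) {
        struct conv_pair p;
        fail_after = n;
        int rc = conv_pair_open(&p, from, to);
        if (n < 2) {
            if (rc == -1 && errno == ENOMEM &&
                p.to_utf8 == (iconv_t)-1 && p.from_utf8 == (iconv_t)-1)
                ok++;
        } else if (rc == 0) {
            conv_pair_close(&p);
            ok++;
        }
    }
    fail_after = -1;
    return ok;
}

int main(void)
{
    int ok = run_under_fault_injection("UCS-2LE", "UCS-2LE");
    printf("%d/3 injection runs behaved\n", ok);
    return ok == 3 ? 0 : 1;
}
```

Injecting at the iconv_open() boundary rather than inside malloc() keeps the example to one file; the same countdown idea applied to a malloc() interposer (LD_PRELOAD, or a linker --wrap) is what exercises the library's internal error paths the way the report describes, and the crash it found is exactly the case the cleanup path above guards against: an error path that closes a descriptor it never obtained.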