From rfg@monkeys.com Tue Nov 26 01:20:28 2002
Return-Path:
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B0FFE37B401 for ; Tue, 26 Nov 2002 01:20:28 -0800 (PST)
Received: from segfault.monkeys.com (segfault.monkeys.com [66.60.157.246]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3A68A43E4A for ; Tue, 26 Nov 2002 01:20:28 -0800 (PST) (envelope-from rfg@monkeys.com)
Received: by segfault.monkeys.com (Postfix, from userid 1237) id 384EE42260; Tue, 26 Nov 2002 01:20:24 -0800 (PST)
Message-Id: <20021126092024.384EE42260@segfault.monkeys.com>
Date: Tue, 26 Nov 2002 01:20:24 -0800 (PST)
From: Ronald F. Guilmette
Reply-To: Ronald F. Guilmette
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: /usr/bin/makeinfo sometimes segfaults
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         45744
>Category:       gnu
>Synopsis:       /usr/bin/makeinfo sometimes segfaults
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    ru
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 26 01:30:01 PST 2002
>Closed-Date:    Sat Jul 19 14:40:17 PDT 2003
>Last-Modified:  Sat Jul 19 14:40:17 PDT 2003
>Originator:     Ronald F. Guilmette
>Release:        FreeBSD 4.7-RELEASE i386
>Organization:
Infinite Monkeys & Co.
>Environment:
System: FreeBSD segfault.monkeys.com 4.7-RELEASE FreeBSD 4.7-RELEASE #0: Fri Nov 22 02:19:43 PST 2002 root@:/usr/src/sys/compile/rfg20021102 i386

>Description:
(NOTE: This bug has also/already been reported to the GNU Project's maintainer of the GNU texinfo package.)

I have been experiencing segmentation faults in makeinfo for quite a long time now... over a year. Please see:

    http://www.freebsd.org/cgi/query-pr.cgi?pr=45598

for more info.

Anyway, I finally got off my ass and tracked down the root cause of these crashes.
Quite simply, there are cases where the code on line 337 of the makeinfo index.c file, i.e.:

    undefindex (name_index_alist[i]->name);

gets executed when name_index_alist[i] has a NULL value. And dereferencing a NULL is a very Bad Idea. (Doing so causes segfaults. Oh yea.)

You can tell that the code fully _expects_ that name_index_alist[i] will have a NULL value, in some cases, at this point in the code, just by looking at the next following code line, which reads:

    if (name_index_alist[i])

Obviously, it *is* possible for name_index_alist[i] to have a NULL value, right around this point in the code, and indeed, that condition is even expected. The problem is that we are dereferencing that value (on line 337) before we have checked to see if the value is NULL or not. (If it is NULL, then we definitely DO NOT want to perform the dereference.)

A suitable (and trivial, and obvious) patch for this error is provided below. All that is needed is to move the dereferencing statement to a point _after_ we have checked if the value of name_index_alist[i] is NULL or not.

(The patch below should be suitable for use against both the current GNU version of the texinfo package, i.e. 4.3, and also the 4.2 version, as was used in the FreeBSD 4.7-RELEASE distribution.)

>How-To-Repeat:
Please see:

    http://www.freebsd.org/cgi/query-pr.cgi?pr=45598

This bug can be trivially reproduced by simply attempting to build /usr/ports/devel/autoconf213 and/or /usr/ports/mail/nmh, which in turn triggers a build of /usr/ports/devel/autoconf213.
>Fix:
diff -rc2 src/4.3/makeinfo/index.c build/4.3/makeinfo/index.c *** src/4.3/makeinfo/index.c Thu Nov 7 14:16:20 2002 --- build/4.3/makeinfo/index.c Tue Nov 26 00:53:39 2002 *************** *** 335,339 **** for (i = 0; i < defined_indices; i++) { - undefindex (name_index_alist[i]->name); if (name_index_alist[i]) { /* Suppose we're called with two input files, and the first --- 335,338 ---- *************** *** 343,346 **** --- 342,346 ---- here; otherwise, when we try to define the pg index again just below, it will still point to cp. */ + undefindex (name_index_alist[i]->name); free (name_index_alist[i]->name); free (name_index_alist[i]);

>Release-Note:
>Audit-Trail:

From: "Ronald F. Guilmette"
To: FreeBSD-gnats-submit@FreeBSD.org, freebsd-bugs@FreeBSD.org
Cc:
Subject: Re: gnu/45744: /usr/bin/makeinfo sometimes segfaults
Date: Tue, 26 Nov 2002 15:57:32 -0800

It would appear that the GNU Project's maintainer of the GNU texinfo package (which includes the `makeinfo' utility) concurs with my opinion that `makeinfo' contained a bug that could cause segfaults. It would also appear that he concurs with the patch for `makeinfo' that I sent him.

------- Forwarded Message

Return-Path: karl@freefriends.org
Delivery-Date: Tue Nov 26 15:16:30 2002
Return-Path:
Delivered-To: rfg@monkeys.com
Received: from f7.net (consort.superb.net [209.61.216.22]) by segfault.monkeys.com (Postfix) with ESMTP id AB1B24225E for ; Tue, 26 Nov 2002 15:16:28 -0800 (PST)
Received: (from karl@localhost) by f7.net (8.11.6/8.11.6) id gAQNGRb05480; Tue, 26 Nov 2002 18:16:27 -0500
Date: Tue, 26 Nov 2002 18:16:27 -0500
Message-Id: <200211262316.gAQNGRb05480@f7.net>
From: karl@freefriends.org (Karl Berry)
To: rfg@monkeys.com
Cc: bug-texinfo@gnu.org
Subject: Re: Segfault in makeinfo in GNU texinfo-4.3 package (fix included)

> I have been experiencing segmentation faults in makeinfo for quite a
> long time now... over a year. Please see:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=45598

Ah.
Sorry, I wasn't aware of this.

> Obviously, it *is* possible for name_index_alist[i] to have a NULL value,

Indeed. I moved the undefindex call after the conditional just as you suggested.

Thanks much for the report and fix!

~karl

------- End of Forwarded Message

Responsible-Changed-From-To: freebsd-bugs->ru
Responsible-Changed-By: kris
Responsible-Changed-When: Sat Jul 12 17:21:11 PDT 2003
Responsible-Changed-Why:
Assign to texinfo maintainer

http://www.freebsd.org/cgi/query-pr.cgi?pr=45744

State-Changed-From-To: open->closed
State-Changed-By: ru
State-Changed-When: Sat Jul 19 14:37:56 PDT 2003
State-Changed-Why:
This has been fixed in GNU texinfo 4.6.

http://www.freebsd.org/cgi/query-pr.cgi?pr=45744
>Unformatted:
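Review bot: in the >Fix: patch, the moved line `+ undefindex (name_index_alist[i]->name);` in the second hunk (`--- 342,346 ----`) is correctly placed before `free (name_index_alist[i]->name);`, and that ordering is load-bearing: undefindex takes the very string the next line frees, so putting the call after either free would trade the NULL dereference for a use-after-free. The two hunks also only work as a pair: the first hunk (`*** 335,339 ****`) alone deletes the undefindex call for every entry, so a partially applied patch would leave stale index definitions rather than fix the crash. For non-NULL entries the behaviour is unchanged, since the call still runs once per live entry, now under the `if (name_index_alist[i])` guard the code already had.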
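A worked illustration of the fault the report describes and of the shape of the fix in the patch, added here and not taken from the PR or from texinfo's index.c: a loop over a pointer array with a NULL slot, written once in the original shape (dereference before the guard) and once in the fixed shape (guard, then dereference, then free). The `index_entry` struct, the counting stand-in for `undefindex`, the `release_indices_*` functions and the index names "cp" and "pg" are constructed for this example; only the fixed loop is executed, because the buggy one dereferences the NULL slot by design.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for makeinfo's per-index record: only the name
   field is needed to show the check-before-dereference pattern. */
typedef struct {
    char *name;
} index_entry;

/* Counts calls to the stand-in undefindex so a caller can verify how
   many live entries were actually processed. */
static int undef_calls = 0;

/* Stand-in for makeinfo's undefindex(): "forgets" the named index. */
static void undefindex(const char *name)
{
    (void)name;
    undef_calls++;
}

/* The original loop shape, kept only for comparison: it dereferences
   alist[i] before testing it, so a NULL slot crashes the process. */
void release_indices_buggy(index_entry **alist, int defined_indices)
{
    for (int i = 0; i < defined_indices; i++) {
        undefindex(alist[i]->name);   /* NULL dereference when alist[i] == NULL */
        if (alist[i]) {
            free(alist[i]->name);
            free(alist[i]);
            alist[i] = NULL;
        }
    }
}

/* The fixed loop shape: test the slot first, dereference only inside the
   guard, and call undefindex before the name it reads is freed.
   Returns the number of live entries released. */
int release_indices_fixed(index_entry **alist, int defined_indices)
{
    int released = 0;
    for (int i = 0; i < defined_indices; i++) {
        if (alist[i]) {
            undefindex(alist[i]->name);   /* safe: alist[i] is non-NULL here */
            free(alist[i]->name);         /* the name must outlive the call above */
            free(alist[i]);
            alist[i] = NULL;              /* leave no dangling pointer behind */
            released++;
        }
    }
    return released;
}

/* Portable string copy (avoids depending on strdup's availability). */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p) abort();
    memcpy(p, s, n);
    return p;
}

static index_entry *make_entry(const char *name)
{
    index_entry *e = malloc(sizeof *e);
    if (!e) abort();
    e->name = dup_string(name);
    return e;
}

/* Builds a constructed alist with a NULL hole in the middle, the state the
   report describes, and runs the fixed loop over it.
   Returns the number of entries released (2 for this input). */
int run_fixed_demo(void)
{
    index_entry *alist[3];
    alist[0] = make_entry("cp");   /* constructed index names */
    alist[1] = NULL;               /* the hole that crashed the original loop */
    alist[2] = make_entry("pg");
    undef_calls = 0;
    return release_indices_fixed(alist, 3);
}

/* Exposes the undefindex call count so the result can be checked. */
int undefindex_calls(void)
{
    return undef_calls;
}

int main(void)
{
    int released = run_fixed_demo();
    /* exit status 0: two live slots released, undefindex ran exactly twice */
    return (released == 2 && undefindex_calls() == 2) ? 0 : 1;
}
```

Build with `cc -std=c99 -Wall` and run; exit status 0 means two of the three slots were released and `undefindex` ran twice, the NULL slot having been skipped. The guard alone is not the whole lesson: `undefindex` reads the name that the following line frees, so the moved call has to sit before `free`, exactly where the patch places it.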