read.table() causes segfault with incorrect data (PR#11627)
On Wed, 11 Jun 2008 juho.vuori at fimr.fi wrote:
Full_Name: Juho Vuori
Version: 2.7.0 (2008-04-22)
OS: Linux poseidon.fimr.fi 2.6.23.17-88.fc7PAE #1 SMP Thu May 15 00:22:53 EDT 2008 i686 i686 i386 GNU/Linux
Submission from: (NULL) (193.166.188.194)

Calling read.table() twice the following way causes a segmentation fault in R. Run R and type the following commands:
read.table(stdin())
0: 1 2 3
1: 3
2:
Error in scan(file, what, nmax, sep, dec, quote, skip, nlines, na.strings, :
line 2 did not have 3 elements
read.table(stdin())
*** caught segfault *** address 0x64616572, cause 'memory not mapped'
valgrind shows that con->nPushBack>0 but con->PushBack
has already been freed by do_clearpushback:
> read.table(stdin())
0: 1 2 3
1: 3
2:
Error in scan(file, what, nmax, sep, dec, quote, skip, nlines, na.strings, :
line 2 did not have 3 elements
> read.table(stdin())
==11631== Invalid read of size 4
==11631== at 0x80B3281: ConsoleGetcharWithPushBack (scan.c:130)
==11631== by 0x80B348E: scanchar (scan.c:214)
==11631== by 0x80B7E24: do_readtablehead (scan.c:1568)
==11631== by 0x80653E0: do_internal (names.c:1129)
...
==11631== Address 0x443E638 is 0 bytes inside a block of size 20 free'd
==11631== at 0x40052A3: free (vg_replace_malloc.c:233)
==11631== by 0x8128A41: do_clearpushback (connections.c:3671)
==11631== by 0x80653E0: do_internal (names.c:1129)
==11631== by 0x815EA27: Rf_eval (eval.c:461)
==11631== by 0x812B133: R_run_onexits (context.c:147)
0x080b3281 in ConsoleGetcharWithPushBack (con=0x4067c50) at scan.c:130
130 curLine = con->PushBack[con->nPushBack-1];
(gdb) print con
$1 = 0x4067c50
(gdb) print con->PushBack
$2 = (char **) 0x443e638
The following change to connections.c:do_clearpushback() seems to fix it.
Index: connections.c
===================================================================
--- connections.c (revision 45893)
+++ connections.c (working copy)
@@ -3669,6 +3669,7 @@
if(con->nPushBack > 0) {
for(j = 0; j < con->nPushBack; j++) free(con->PushBack[j]);
free(con->PushBack);
+ con->nPushBack = 0 ;
}
return R_NilValue;
}
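Review bot: after free(con->PushBack) in this hunk the pointer itself still refers to the freed block; the gdb session above shows con->PushBack holding 0x443e638, the same address valgrind reports as freed. Resetting the count repairs the reader's nPushBack > 0 test, but I would also set con->PushBack = NULL next to con->nPushBack = 0, so that any other path consulting the pointer fails on NULL instead of reading freed memory. Style: drop the space before the semicolon in "con->nPushBack = 0 ;".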
----------------------------------------------------------------------------
Bill Dunlap
Insightful Corporation
bill at insightful dot com
"All statements in this message represent the opinions of the author and do
not necessarily reflect Insightful Corporation policy or position."
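
The stale-count condition reported by valgrind above, reduced to a small C model. This is an added example, not code from the original message or from R's source: only the field names PushBack and nPushBack come from the trace, while demo_con and the demo_* functions are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed, reduced model of a connection's push-back state. */
typedef struct {
    char **PushBack;   /* array of pushed-back lines */
    int    nPushBack;  /* number of valid entries in PushBack */
} demo_con;

/* Push a copy of line; returns 0 on success, -1 on allocation failure. */
int demo_pushback(demo_con *con, const char *line) {
    char **grown = realloc(con->PushBack, (con->nPushBack + 1) * sizeof *grown);
    if (!grown) return -1;
    con->PushBack = grown;
    size_t n = strlen(line) + 1;
    char *copy = malloc(n);
    if (!copy) return -1;
    memcpy(copy, line, n);
    con->PushBack[con->nPushBack++] = copy;
    return 0;
}

/* Pre-patch shape: storage is freed but the count still says lines exist. */
void demo_clear_stale(demo_con *con) {
    if (con->nPushBack > 0) {
        for (int j = 0; j < con->nPushBack; j++) free(con->PushBack[j]);
        free(con->PushBack);
    }
}

/* Patched shape (count reset), plus clearing the dangling pointer. */
void demo_clear_fixed(demo_con *con) {
    if (con->nPushBack > 0) {
        for (int j = 0; j < con->nPushBack; j++) free(con->PushBack[j]);
        free(con->PushBack);
        con->PushBack = NULL;
        con->nPushBack = 0;
    }
}

/* Reader that trusts the count, like the read at scan.c:130 in the trace.
   Returns the first byte of the newest pushed-back line, or -1 if none. */
int demo_peek(const demo_con *con) {
    if (con->nPushBack > 0)
        return (unsigned char)con->PushBack[con->nPushBack - 1][0];
    return -1;
}
```

Calling demo_peek after demo_clear_stale would read freed memory, which is the invalid read in the trace; after demo_clear_fixed it returns -1.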