Crash in de()

Peter Dalgaard · 2006-04-17T09:42:12Z

Peter Dalgaard writes: > Peter Dalgaard writes: > > > Juan Santiago Ramseyer writes: > > > > > SYSTEM: > > > ------ > > > CPU: AMD64 > > > MOTHERBOARD: ASUS > > > OS: FEDORA CORE 5 i64_86 > > > > > > R SESSION: > > > ---------- > > > > teste > > > teste > > > $a > > > [1] 1 2 3 4 > > > > > > $b > > > [1] 2 4 6 8 > > > > > > > de(teste) > > > *** buffer overflow detecte

Peter Dalgaard

Mon, Apr 17, 2006 2:42 AM

Peter Dalgaard <p.dalgaard at biostat.ku.dk> writes:

OK, got it. The printstring() function in dataentry.c had three
instances like

cnt=wcsrtombs(s,(const wchar_t **)&w_p,sizeof(wcs),NULL);

s has length BOOSTED_BUF_SIZE==201 and sizeof(wcs)==804; the third
argument is documented to limit the number of bytes copied _to the
destination_, so that's clearly not right. Apparently, the check is
preemptive since the actual strings involved are nowhere near the
buffer limits. Replacing the 3rd argument with BOOSTED_BUF_SIZE-1
seems to do the trick.

Will fix for tomorrows 2.3.0 RC (we're in code freeze, but I think
this counts as a critical as well as trivial fix).

O__  ---- Peter Dalgaard             ?ster Farimagsgade 5, Entr.B
  c/ /'_ --- Dept. of Biostatistics     PO Box 2099, 1014 Cph. K
 (*) \(*) -- University of Copenhagen   Denmark          Ph:  (+45) 35327918
~~~~~~~~~~ - (p.dalgaard at biostat.ku.dk)                  FAX: (+45) 35327907

Crash in de()

Thread (4 messages)