bugreports at nn7.de wrote:
OK, I am just sending it here too as it looks like r-devel at r-project.org
is not the right place:
I think it was seen there too, just that no one got around to reply. In
R-bugs, there's a filing system so that it won't be completely forgotten...
However, your mail seems to have gotten encoded in quoted-printable, you
might want to follow up with a cleaned version. (Just keep the
(PR#11281) in the header).
On Fri, 2008-04-25 at 08:48 +0200, Soeren Sonnenburg wrote:
While trying to fix swig & R2.7 I actually discovered that there is a
bug in R 2.7 causing a crash (so R & swig might actually work):
the bug is in ./src/main/gram.c line 3038:

            } else { /* over-long line */
fixthis -->     char *LongLine = (char *) malloc(nc);
                if(!LongLine)
                    error(_("unable to allocate space for source line %d"), xxlineno);
                strncpy(LongLine, (char *)p0, nc);
bug -->         LongLine[nc] = '\0';
                SET_STRING_ELT(source, lines++,
                               mkChar2((char *)LongLine));
                free(LongLine);

note that LongLine is only nc chars long, so the LongLine[nc]='\0' might
be an out of bounds write. the fix would be to do

    char *LongLine = (char *) malloc(nc+1);

in line 3034

Please fix and thanks to dirk for the debian r-base-dbg package!
Looking at the code again there seems to be another bug above this for
the MAXLINESIZE test too:

            if (*p == '\n' || p == end - 1) {
                nc = p - p0;
                if (*p != '\n')
                    nc++;
                if (nc <= MAXLINESIZE) {
                    strncpy((char *)SourceLine, (char *)p0, nc);
bug2 -->            SourceLine[nc] = '\0';
                    SET_STRING_ELT(source, lines++,
                                   mkChar2((char *)SourceLine));
                } else { /* over-long line */
                    char *LongLine = (char *) malloc(nc+1);
                    if(!LongLine)
                        error(_("unable to allocate space for source line %d"), xxlineno);
bug1 -->            strncpy(LongLine, (char *)p0, nc);
                    LongLine[nc] = '\0';
                    SET_STRING_ELT(source, lines++,
                                   mkChar2((char *)LongLine));
                    free(LongLine);
                }
                p0 = p + 1;
            }

So I guess the test would be for nc < MAXLINESIZE above or to change
SourceLine to have MAXLINESIZE+1 size.
Alternatively as the strncpy manpage suggests do this for all
occurrences of strncpy

    strncpy(buf, str, n);
    if (n > 0)
        buf[n - 1] = '\0';

this could even be made a macro / helper function ...
And another update: This does fix the R+swig crasher for me (tested)!
Soeren
-- 
   O__  ---- Peter Dalgaard             Øster Farimagsgade 5, Entr.B
  c/ /'_ --- Dept. of Biostatistics     PO Box 2099, 1014 Cph. K
 (*) \(*) -- University of Copenhagen   Denmark      Ph:  (+45) 35327918
~~~~~~~~~~ - (p.dalgaard at biostat.ku.dk)              FAX: (+45) 35327907
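
The line-splitting loop discussed in this thread, with both buffers sized one byte larger than the longest line they hold, as an added example; it is not code from R's gram.c or from either poster. The names split_lines and copy_n and the small MAXLINESIZE value are assumptions chosen so that both branches run on short input.

```c
#include <stdlib.h>
#include <string.h>

#define MAXLINESIZE 8            /* constructed small value, not R's setting */

/* Hypothetical helper: heap copy of nc bytes plus the terminator. */
static char *copy_n(const char *s, size_t nc)
{
    char *buf = malloc(nc + 1);  /* nc + 1, so buf[nc] is inside the block */
    if (buf) {
        memcpy(buf, s, nc);
        buf[nc] = '\0';
    }
    return buf;
}

/* Split src[0..len) into lines, storing up to max_lines heap copies in out.
 * Returns the number of lines stored, or -1 if an allocation fails. */
int split_lines(const char *src, size_t len, char **out, int max_lines)
{
    char SourceLine[MAXLINESIZE + 1];   /* + 1 so nc == MAXLINESIZE still fits */
    const char *p0 = src, *end = src + len;
    int lines = 0;

    for (const char *p = src; p < end && lines < max_lines; p++) {
        if (*p != '\n' && p != end - 1)
            continue;
        size_t nc = (size_t)(p - p0);
        if (*p != '\n')
            nc++;                       /* last line has no trailing newline */
        char *copy;
        if (nc <= MAXLINESIZE) {
            memcpy(SourceLine, p0, nc);
            SourceLine[nc] = '\0';      /* index nc <= MAXLINESIZE is in bounds */
            copy = copy_n(SourceLine, nc);
        } else {                        /* over-long line */
            copy = copy_n(p0, nc);
        }
        if (!copy) {
            while (lines > 0)           /* release what was stored so far */
                free(out[--lines]);
            return -1;
        }
        out[lines++] = copy;
        p0 = p + 1;
    }
    return lines;
}
```

The second constructed line in the test input is exactly MAXLINESIZE bytes long, which is the boundary case where an undersized SourceLine would be written one byte past its end.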