different segfault with latest master

Linus Torvalds torvalds at linux-foundation.org
Mon Jul 13 11:46:28 PDT 2015


On Sat, Jul 11, 2015 at 4:39 PM, Linus Torvalds
<torvalds at linux-foundation.org> wrote:
>
> which is just the taxonomy.category writes. Looks like it writes past
> the end of the allocation.

Ok, looking at this, the problem seems to be pretty clear.

When the code does the taxonomy lookup in
ReverseGeoLookupThread::run(), it keeps on just adding data to the
taxonomy field.

IOW, the code that overflows the allocation is this, which just keeps doing:

        if (ds->taxonomy.category == NULL)
                ds->taxonomy.category = alloc_taxonomy();
        ds->taxonomy.category[ds->taxonomy.nr].category = TC_OCEAN;
        ds->taxonomy.category[ds->taxonomy.nr].origin = taxonomy::GEOCODED;
        ds->taxonomy.category[ds->taxonomy.nr].value = copy_string(qPrintable(oceanName["name"].toString()));
        ds->taxonomy.nr++;

and eventually "ds->taxonomy.nr" will grow past TC_NR_CATEGORIES and
we corrupt memory.

I don't know exactly how it happens, though.  Normally I would expect that the

        ds->taxonomy.nr = ri;

that happens a bit earlier would reset the taxonomy number to 0 or 1,
but that is all inside that

        if (geoNames.count() > 0) {

conditional, so maybe there is some situation where that doesn't
happen, and then the later code ends up adding too many entries
because it keeps adding things on top of older data.

I don't know the code. It looks like both Tomaz started it and Dirk
has been changing code in this area, soo..

               Linus
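The overflow described in the message is a fixed-capacity array indexed by a counter that is never checked against the capacity, with the reset of that counter sitting on a conditional path. The following C program is an added illustration of the bounds check that pattern needs; it is not subsurface's code. The value of TC_NR_CATEGORIES, the struct layouts, the enum names and the copy_string() stand-in are all assumptions made for the example, and the C++ `taxonomy::GEOCODED` from the quoted code is modelled as a plain C enum.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed for this example: the real capacity in subsurface may differ. */
#define TC_NR_CATEGORIES 8

/* Assumed enum names; only TC_OCEAN and GEOCODED appear in the quoted code. */
enum taxonomy_category { TC_NONE, TC_OCEAN, TC_COUNTRY };
enum taxonomy_origin { GEOCODED, GEOMANUAL };

struct taxonomy {
        enum taxonomy_category category;
        enum taxonomy_origin origin;
        char *value;
};

struct taxonomy_data {
        int nr;                      /* entries in use */
        struct taxonomy *category;   /* array of TC_NR_CATEGORIES entries */
};

/* Stand-in for subsurface's copy_string(): duplicate a C string on the heap. */
static char *copy_string(const char *s)
{
        size_t len = strlen(s) + 1;
        char *copy = malloc(len);
        if (copy)
                memcpy(copy, s, len);
        return copy;
}

static struct taxonomy *alloc_taxonomy(void)
{
        return calloc(TC_NR_CATEGORIES, sizeof(struct taxonomy));
}

/* Append one entry. Returns 0 on success, -1 when the table is full or
 * allocation fails. The capacity check is what the quoted loop lacks:
 * there, nr simply keeps climbing and the write lands past the allocation. */
int taxonomy_add(struct taxonomy_data *t, enum taxonomy_category cat,
                 enum taxonomy_origin origin, const char *value)
{
        if (t->category == NULL) {
                t->category = alloc_taxonomy();
                if (t->category == NULL)
                        return -1;
                t->nr = 0;
        }
        if (t->nr < 0 || t->nr >= TC_NR_CATEGORIES)
                return -1;   /* refuse instead of corrupting memory */
        t->category[t->nr].category = cat;
        t->category[t->nr].origin = origin;
        t->category[t->nr].value = copy_string(value);
        t->nr++;
        return 0;
}

/* Drop all entries so a repeated lookup starts from an empty table. */
void taxonomy_reset(struct taxonomy_data *t)
{
        for (int i = 0; i < t->nr; i++) {
                free(t->category[i].value);
                t->category[i].value = NULL;
        }
        t->nr = 0;
}

void taxonomy_free(struct taxonomy_data *t)
{
        taxonomy_reset(t);
        free(t->category);
        t->category = NULL;
}

/* Model `lookups` geocode passes that each append one ocean entry.
 * reset_between == 0 reproduces the failure mode in the mail: the reset
 * path is skipped and entries pile on top of older data. Returns the number
 * of appends the bounds check refused; in the unchecked original each of
 * those would have been an out-of-bounds write. */
int simulate_lookups(int lookups, int reset_between)
{
        struct taxonomy_data ds = { 0, NULL };
        int refused = 0;
        for (int i = 0; i < lookups; i++) {
                if (reset_between)
                        taxonomy_reset(&ds);
                if (taxonomy_add(&ds, TC_OCEAN, GEOCODED, "Atlantic Ocean") != 0)
                        refused++;
        }
        taxonomy_free(&ds);
        return refused;
}

int main(void)
{
        printf("without reset: %d appends refused\n",
               simulate_lookups(TC_NR_CATEGORIES + 3, 0));
        printf("with reset:    %d appends refused\n",
               simulate_lookups(TC_NR_CATEGORIES + 3, 1));
        return 0;
}
```

Run under AddressSanitizer or Valgrind, the unchecked variant of this loop is the kind of defect that shows up as a heap-buffer-overflow on the first write at index TC_NR_CATEGORIES; with the check in place the table silently refuses the surplus entries, which a caller can log or treat as an error.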


More information about the subsurface mailing list