different segfault with latest master

Dirk Hohndel dirk at hohndel.org
Mon Jul 13 13:10:32 PDT 2015


On Mon, Jul 13, 2015 at 11:46:28AM -0700, Linus Torvalds wrote:
> On Sat, Jul 11, 2015 at 4:39 PM, Linus Torvalds
> <torvalds at linux-foundation.org> wrote:
> >
> > which is just the taxonomy.category writes. Looks like it writes past
> > the end of the allocation.
> 
> Ok, looking at this, the problem seems to be pretty clear.
> 
> When the code does the taxonomy lookup in
> ReverseGeoLookupThread::run(), it keeps on just adding data to the
> taxonomy field.
> 
> IOW, the code that overflows the allocation is this, which just keeps doing:
> 
>     if (ds->taxonomy.category == NULL)
>         ds->taxonomy.category = alloc_taxonomy();
>     ds->taxonomy.category[ds->taxonomy.nr].category = TC_OCEAN;
>     ds->taxonomy.category[ds->taxonomy.nr].origin = taxonomy::GEOCODED;
>     ds->taxonomy.category[ds->taxonomy.nr].value = copy_string(qPrintable(oceanName["name"].toString()));
>     ds->taxonomy.nr++;
> 
> and eventually "ds->taxonomy.nr" will grow past TC_NR_CATEGORIES and
> we corrupt memory.
> 
> I don't know exactly how it happens, though.  Normally I would expect that the
> 
>                                 ds->taxonomy.nr = ri;
> 
> that happens a bit earlier would reset the taxonomy number to 0 or 1,
> but that is all inside that
> 
>                         if (geoNames.count() > 0) {
> 
> conditional, so maybe there is some situation where that doesn't
> happen, and then the later code ends up adding too many entries
> because it keeps adding things on top of older data.
> 
> I don't know the code. It looks like both Tomaz started it and Dirk
> has been changing code in this area, soo..

It's all my doing. Tomaz is innocent.
I need to re-read the code (I'm completely distracted by getting the
Android app working... sorry) - when I designed it there was no way we
could ever fill the array... I actually thought that I had one too many
elements in the array...
we reset ri to 0
we loop over the known categories except for the first two (NONE and
OCEAN)
so ri can't be bigger than TC_NR_CATEGORIES - 2
then we try to add the adminName3 thingy (but only if it's not there
already)
then we try to add the ocean

So we should still have one unused slot...

I still don't see how this can overflow. If you put a printf or qDebug()
or something at this line 

	ds->taxonomy.nr = ri;

do you ever see a value that indicates we stored too many? If yes, how did
you get there :-)

/D
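As an added illustration (not Subsurface's code, and not part of this thread), here is a bounds-checked version of the store that Linus quotes: the struct layout, the category ids, the origin id and the TC_NR_CATEGORIES capacity are assumptions for the demo, and the value string is kept as a pointer rather than copied.

```c
/* Added example, not Subsurface code: a model of the taxonomy array in
 * this thread with a bounds-checked store. Layout, ids and the capacity
 * TC_NR_CATEGORIES are assumptions; the real code copies the value. */
#include <stdbool.h>
#include <stdlib.h>

#define TC_NR_CATEGORIES 5            /* assumed capacity */
enum { TC_NONE, TC_OCEAN, TC_OTHER }; /* assumed category ids */
#define GEOCODED 1                    /* assumed origin id */

struct taxonomy { int category; int origin; const char *value; };
struct taxonomy_data { int nr; struct taxonomy *category; };

/* Replace the value if the category is already stored ("only if it's
 * not there already"); otherwise append. A full array refuses the
 * append instead of writing past the allocation. */
bool taxonomy_set(struct taxonomy_data *t, int cat, const char *value)
{
	if (t->category == NULL &&
	    !(t->category = calloc(TC_NR_CATEGORIES, sizeof(*t->category))))
		return false;
	for (int i = 0; i < t->nr; i++)
		if (t->category[i].category == cat) {
			t->category[i].value = value;
			return true;
		}
	if (t->nr < 0 || t->nr >= TC_NR_CATEGORIES)
		return false;                  /* the overflow from the thread */
	t->category[t->nr].category = cat;
	t->category[t->nr].origin = GEOCODED;
	t->category[t->nr].value = value;
	t->nr++;
	return true;
}

/* Repeated lookups that never reset nr (the case Linus suspects):
 * returns how many stores were accepted. Distinct categories fill the
 * array and are then refused; the same category repeated never is. */
int stores_accepted(int lookups, bool same_category)
{
	struct taxonomy_data t = { 0, NULL };
	int ok = 0;
	for (int i = 0; i < lookups; i++)
		if (taxonomy_set(&t, same_category ? TC_OCEAN : TC_OTHER + i, "x"))
			ok++;
	free(t.category);
	return ok;
}
```

A qDebug()/printf at the `ds->taxonomy.nr = ri;` line, as suggested above, would show the same thing this guard enforces: nr must stay below TC_NR_CATEGORIES before every append.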