UDDF crash

Dirk Hohndel dirk at hohndel.org
Mon Nov 2 18:19:06 PST 2015 

On Mon, Nov 02, 2015 at 06:03:01PM -0800, Linus Torvalds wrote:
> On Mon, Nov 2, 2015 at 4:27 PM, Lubomir I. Ivanov <neolit123 at gmail.com> wrote:
> >
> > here is a zip of the user file:
> > https://dl.dropboxusercontent.com/u/1627980/subsurface/DiveOrganizer_2015-11-02T10.40.23.uddf.zip
> 
> So valgrind does catch something. This looks fairly interesting:
> 
> ==19647== Invalid write of size 8
> ==19647==    at 0x6BE4F9: utf8_string (parse-xml.c:554)
> ==19647==    by 0x6BD7C9: match (parse-xml.c:111)
> ==19647==    by 0x6C1A2B: try_to_fill_dive (parse-xml.c:1405)
> ==19647==    by 0x6C2C3B: entry (parse-xml.c:1792)
> ==19647==    by 0x6C2E3E: visit_one_node (parse-xml.c:1853)
> ==19647==    by 0x6C2EB0: visit (parse-xml.c:1871)
> ==19647==    by 0x6C308B: traverse (parse-xml.c:1962)
> ==19647==    by 0x6C2E6E: traverse_properties (parse-xml.c:1864)
> ==19647==    by 0x6C2EC0: visit (parse-xml.c:1871)
> ==19647==    by 0x6C308B: traverse (parse-xml.c:1962)
> ==19647==    by 0x6C2ED4: visit (parse-xml.c:1871)
> ==19647==    by 0x6C308B: traverse (parse-xml.c:1962)
> ==19647==  Address 0x946f9530 is 16 bytes after a block of size 912 alloc'd
> ==19647==    at 0x4C28C50: malloc (in
> /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==19647==    by 0x6A3F66: alloc_dive (dive.c:371)
> ==19647==    by 0x6C24FC: dive_start (parse-xml.c:1582)
> ==19647==    by 0x6C32CD: parse_xml_buffer (parse-xml.c:2026)
> ==19647==    by 0x6B06D9: parse_file_buffer (file.c:428)
> ==19647==    by 0x6B09AB: parse_file (file.c:490)
> ==19647==    by 0x51A6D1: MainWindow::loadFiles(QStringList)
> (mainwindow.cpp:1605)
> ==19647==    by 0x4EBBE1: main (main.cpp:80)
> 
> and that parse-xml.c:1405 is:
> 
>         if (MATCH("description.cylinder", utf8_string,
> &dive->cylinder[cur_cylinder_index].type.description))
>                 return;
> 
> so what I *think* happens is that "cur_cylinder_index" has overflowed.

Yep, reasonable explanation.

> So something like the attached might be the right thing.  Not tested.

Testing right now. It looks rather obviously correct - regardless of
whether it fixes the bug or not. May I make up a commit message and add
your SOB?

Oh, and after some patience (and allowing Subsurface to grow to nearly 3GB
in memory) it successfully opened the uddf file...

Thanks

/D

More information about the subsurface mailing list