[reportlab-users] Reproducible crash of reportlab 3.5.50 on x86_64 with current Python3

Robin Becker robin at reportlab.com
Thu Sep 24 08:07:34 EDT 2020 

Hi Hans-Peter,

thanks very much for this report and the proposed fix.

According to quotations from C99 in

https://stackoverflow.com/questions/2132273/what-does-malloc0-return?lq=1

it seems that malloc(0) and presumably also realloc(malloc(0),..) are implementation defined.

Bah :(

I am amazed that this sort of error hasn't happened before. This code has likely been there since the first _rl_accel.c 
was created (at least it's present in October 2001) and is certainly my bad mea culpa mea maxima culpa.

Is there any specific reason to allocate 32 bytes when only 1 is needed? I assume if I allocate 1 then the minimum arena 
size or whatever will be used. That allows me to use

buf = malloc(aL*31+1);

which should be OK and allows 31 bytes per input argument and 1 byte for the terminating \0.

I just went through a leak hunt in the _renderPM.c code and know how difficult finding these problems can be thank you 
very much.

You get credit in every way :)


On 23/09/2020 12:15, Hans-Peter Jansen wrote:
> Am Dienstag, 22. September 2020, 20:38:36 CEST schrieb Hans-Peter Jansen:
>> Hi,
>>
>> while working on packaging the current version of reportlab on openSUSE, I
>> stumbled upon a reproducible crash in the tests:
>>
...........
> 
> Index: b/src/rl_addons/rl_accel/_rl_accel.c
> ===================================================================
> --- a/src/rl_addons/rl_accel/_rl_accel.c
> +++ b/src/rl_addons/rl_accel/_rl_accel.c
> @@ -368,7 +368,11 @@ PyObject *_fp_str(PyObject *module, PyOb
>   			else PyErr_Clear();
>   			Py_DECREF(retVal);
>   			}
> -		buf=malloc(31*aL);
> +		/* supply some security margin for zero buffers */
> +		if(aL==0)
> +		    buf=malloc(32);
> +		else
> +		    buf=malloc(31*aL);
>   		pB = buf;
>   		for(i=0;i<aL;i++){
>   			retVal = PySequence_GetItem(args,i);
> 
> Pete
> 
> 
> _______________________________________________
> reportlab-users mailing list
> reportlab-users at lists2.reportlab.com
> https://pairlist2.pair.net/mailman/listinfo/reportlab-users
> 


-- 
Robin Becker

More information about the reportlab-users mailing list