[reportlab-users] Reproducible crash of reportlab 3.5.50 on x86_64 with current Python3

Hans-Peter Jansen hpj at urpla.net
Thu Sep 24 13:17:38 EDT 2020


Hi Robin,

many thanks for these kind words.

Some comments inlined below.

Cheers,
Pete

On Thursday, 24 September 2020, 14:07:34 CEST, Robin Becker wrote:
> Hi Hans-Peter,
> 
> thanks very much for this report and the proposed fix.
> 
> According to quotations from C99 in
> 
> https://stackoverflow.com/questions/2132273/what-does-malloc0-return?lq=1
> 
> it seems that malloc(0) and presumably also realloc(malloc(0),..) are
> implementation defined.
> 
> Bah :(
> 
> I am amazed that this sort of error hasn't happened before. This code has
> likely been there since the first _rl_accel.c was created (at least it's
> present in October 2001) and is certainly my bad mea culpa mea maxima
> culpa.

Come on, you did all the hard work. Things break all the time for some corner 
cases. I'm glad for being able to track down this one.

> Is there any specific reason to allocate 32 bytes when only 1 is needed? 

I didn't analyze the code that well. I just want to be sure it has enough 
headroom. My C brain is quite rusty at best.

> I assume if I allocate 1 then the minimum arena size or whatever will be
> used. That allows me to use
> 
> buf = malloc(aL*31+1);

Of course, this is much smarter.

> which should be OK and allows 31 bytes per input argument and 1 byte for the
> terminating \0.
> 
> I just went through a leak hunt in the _renderPM.c code and know how
> difficult finding these problems can be. Thank you very much.

Please take this for my 0.2¢ share, and thank you for this great library. This 
is exactly what Open Source is about: collaboration with benefit for all 
related parties.

> You get credit in every way :)

I'm glad that my contribution was helpful.

Enjoy now,
Pete

> On 23/09/2020 12:15, Hans-Peter Jansen wrote:
> > On Tuesday, 22 September 2020, 20:38:36 CEST, Hans-Peter Jansen wrote:
> >> Hi,
> >> 
> >> while working on packaging the current version of reportlab on openSUSE, I
> >> stumbled upon a reproducible crash in the tests:
> ...........
> 
> > Index: b/src/rl_addons/rl_accel/_rl_accel.c
> > ===================================================================
> > --- a/src/rl_addons/rl_accel/_rl_accel.c
> > +++ b/src/rl_addons/rl_accel/_rl_accel.c
> > @@ -368,7 +368,11 @@ PyObject *_fp_str(PyObject *module, PyOb
> > 
> >   			else PyErr_Clear();
> >   			Py_DECREF(retVal);
> >   			}
> > 
> > -		buf=malloc(31*aL);
> > +		/* supply some security margin for zero buffers */
> > +		if(aL==0)
> > +		    buf=malloc(32);
> > +		else
> > +		    buf=malloc(31*aL);
> > 
> >   		pB = buf;
> >   		for(i=0;i<aL;i++){
> >   		
> >   			retVal = PySequence_GetItem(args,i);
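Review bot: at `if(aL==0)`, the zero-length case is handled as a special branch while the `else` path keeps `buf=malloc(31*aL);`, so if the result is NUL-terminated the non-zero path still reserves no byte for the terminator. A single `buf=malloc(31*aL+1);` never requests zero bytes and removes the branch. Neither path checks `buf` for NULL before `pB = buf;` and the loop that follows; a failed allocation should raise a memory error (for example via PyErr_NoMemory()) and return. The comment would be more useful if it said why zero matters here, namely that the result of malloc(0) is implementation-defined.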
> > 
> > Pete
> > 
> > 
> > _______________________________________________
> > reportlab-users mailing list
> > reportlab-users at lists2.reportlab.com
> > https://pairlist2.pair.net/mailman/listinfo/reportlab-users
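
The zero-argument case discussed in this thread, as an added C example that is not part of the original post and not reportlab's code: `join_fixed`, `alloc_join_buf` and the `%.3f` format are hypothetical stand-ins. It sizes the buffer as n*31+1 as proposed above and also checks for size overflow, allocation failure and truncation.

```c
/* Added illustration, not reportlab code. join_fixed() is a hypothetical
 * stand-in for a routine that formats n numbers into one malloc'd string. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PER_ARG 31  /* bytes reserved per argument, as in the thread */

/* Size the buffer as n*PER_ARG + 1 so the request is never zero bytes
 * (malloc(0) is implementation-defined) and the '\0' always has room. */
static char *alloc_join_buf(size_t n, size_t *cap)
{
    if (n > (SIZE_MAX - 1) / PER_ARG)   /* n*PER_ARG + 1 would wrap */
        return NULL;
    *cap = n * PER_ARG + 1;
    return malloc(*cap);
}

/* Returns a heap string the caller frees, or NULL on failure. */
char *join_fixed(const double *v, size_t n)
{
    size_t cap = 0, used = 0;
    char *buf = alloc_join_buf(n, &cap);
    if (buf == NULL)
        return NULL;
    buf[0] = '\0';                      /* valid even when n == 0 */
    for (size_t i = 0; i < n; i++) {
        /* snprintf is bounded by the space left, separator included */
        int w = snprintf(buf + used, cap - used, "%s%.3f", i ? " " : "", v[i]);
        if (w < 0 || (size_t)w >= cap - used) {  /* error or would truncate */
            free(buf);
            return NULL;
        }
        used += (size_t)w;
    }
    return buf;
}

int main(void)
{
    double sample[] = { 1.5, -2.25, 100.0 };   /* constructed input */
    char *s = join_fixed(sample, 3);
    char *e = join_fixed(NULL, 0);             /* the zero-argument case */
    if (!s || !e) return 1;
    printf("[%s] [%s]\n", s, e);
    free(s); free(e);
    return 0;
}
```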





