[reportlab-users] Reproducible crash of reportlab 3.5.50 on x86_64 with current Python3
Hans-Peter Jansen
hpj at urpla.net
Thu Sep 24 13:17:38 EDT 2020
Hi Robin,
many thanks for these kind words.
Some comments inlined below.
Cheers,
Pete
On Thursday, 24 September 2020, 14:07:34 CEST, Robin Becker wrote:
> Hi Hans-Peter,
>
> thanks very much for this report and the proposed fix.
>
> According to quotations from C99 in
>
> https://stackoverflow.com/questions/2132273/what-does-malloc0-return?lq=1
>
> it seems that malloc(0) and presumably also realloc(malloc(0),..) are
> implementation defined.
>
> Bah :(
>
> I am amazed that this sort of error hasn't happened before. This code has
> likely been there since the first _rl_accel.c was created (at least it's
> present in October 2001) and is certainly my bad mea culpa mea maxima
> culpa.
Come on, you did all the hard work. Things break all the time for some corner
cases. I'm glad for being able to track down this one.
> Is there any specific reason to allocate 32 bytes when only 1 is needed?
I didn't analyze the code that well. I just want to be sure it has enough
headroom. My C brain is quite rusty at best.
> I assume if I allocate 1 then the minimum arena size or whatever will be
> used. That allows me to use
>
> buf = malloc(aL*31+1);
Of course, this is much smarter.
> which should be OK and allows 31 bytes per input argument and 1 byte for the
> terminating \0.
>
> I just went through a leak hunt in the _renderPM.c code and know how
> difficult finding these problems can be. Thank you very much.
Please take this for my 0.2¢ share, and thank you for this great library. This
is exactly what Open Source is about: collaboration with benefit for all
related parties.
> You get credit in every way :)
I'm glad that my contribution was helpful.
Enjoy now,
Pete
> On 23/09/2020 12:15, Hans-Peter Jansen wrote:
> > On Tuesday, 22 September 2020, 20:38:36 CEST, Hans-Peter Jansen wrote:
> >> Hi,
> >>
> >> while working on packaging the current version of reportlab on openSUSE, I
> >> stumbled upon a reproducible crash in the tests:
> ...........
>
> > Index: b/src/rl_addons/rl_accel/_rl_accel.c
> > ===================================================================
> > --- a/src/rl_addons/rl_accel/_rl_accel.c
> > +++ b/src/rl_addons/rl_accel/_rl_accel.c
> > @@ -368,7 +368,11 @@ PyObject *_fp_str(PyObject *module, PyOb
> >
> > else PyErr_Clear();
> > Py_DECREF(retVal);
> > }
> >
> > - buf=malloc(31*aL);
> > + /* supply some security margin for zero buffers */
> > + if(aL==0)
> > + buf=malloc(32);
> > + else
> > + buf=malloc(31*aL);
> >
> > pB = buf;
> > for(i=0;i<aL;i++){
> >
> > retVal = PySequence_GetItem(args,i);
> >
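Review bot: the aL==0 special case is not needed if the buffer is sized in one expression, buf=malloc(31*aL+1); that never requests zero bytes and also reserves a byte for the terminator, which the unchanged malloc(31*aL) branch does not visibly account for. Neither branch checks buf for NULL before pB = buf; and the loop that follows; returning PyErr_NoMemory() on a failed allocation would cover that. The comment would also be more useful if it said that malloc(0) may return NULL or a zero-length block, rather than describing 32 as a security margin.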
> > Pete
> >
> >
> > _______________________________________________
> > reportlab-users mailing list
> > reportlab-users at lists2.reportlab.com
> > https://pairlist2.pair.net/mailman/listinfo/reportlab-users
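Added example (not part of the original thread and not reportlab's code): the sizing rule discussed above, a single allocation of n*31+1 bytes so that an empty argument list never produces a malloc(0) request, together with the NULL and size-overflow checks. The names join_fixed and FIELD_MAX and the %.6g format are assumptions made for illustration.

```c
/* Added example, not reportlab code: join_fixed() and FIELD_MAX are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_MAX 31  /* bytes budgeted per value, separator included (figure from the thread) */

/* Format n doubles, separated by single spaces, into a fresh heap string.
 * Returns NULL on allocation failure or if a value exceeds its budget.
 * n == 0 yields an empty string and never a malloc(0) request. */
char *join_fixed(const double *vals, size_t n)
{
    char *buf, *p;
    size_t i;

    if (n > (SIZE_MAX - 1) / FIELD_MAX)   /* n*FIELD_MAX+1 would wrap around */
        return NULL;
    buf = malloc(n * FIELD_MAX + 1);      /* always >= 1 byte: room for '\0' */
    if (buf == NULL)
        return NULL;

    p = buf;
    for (i = 0; i < n; i++) {
        /* snprintf gets the per-field budget and returns the length it needed */
        int w = snprintf(p, FIELD_MAX, "%s%.6g", i ? " " : "", vals[i]);
        if (w < 0 || w >= FIELD_MAX) {    /* error or truncation: refuse, never overrun */
            free(buf);
            return NULL;
        }
        p += w;
    }
    *p = '\0';                            /* valid even when the loop never ran */
    return buf;
}

int main(void)
{
    double v[] = {1.5, 2.0, 0.25};        /* constructed sample input */
    char *s = join_fixed(v, 3), *e = join_fixed(v, 0);
    if (s && e) printf("[%s] [%s]\n", s, e);
    free(s); free(e);
    return 0;
}
```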