
AIX 5.1 client crash (buffer-overflow)

From: Travis <svn_at_castle.fastmail.fm>
Date: 2004-01-15 02:47:16 CET

I've moved on to version 0.36.0. I still get the same dynamic-lib
problem with this version that I got with 0.35.1. However, I've found
a way around that and onto a new crash:

The configure option enable-shared=no allowed me to get past the expat
dynamic-lib link crash that plagued me. I've also compiled without
optimization at all.

I'm getting a crash from the following:

subversion/libsvn_subr/subst.c:
561: readlen = sizeof (buf);
562: while (readlen == sizeof (buf))
563: {
564: SVN_ERR (svn_stream_read (s, buf, &readlen));
565: buf[readlen] = '\0';

buf is 102401 bytes in size.
readlen gets set to 102401.
svn_stream_read does not modify readlen.
buf[102401] is out-of-range and causes the crash.

Clearly, something is wrong. This always occurs in the same place when
run directly or under two different debuggers.

% subversion/clients/cmdline/svn checkout http://svn.collab.net/repos/svn/trunk svn
A svn/Makefile.in
A svn/build.conf
A svn/ac-helpers
A svn/ac-helpers/install.sh
A svn/ac-helpers/install-sh
A svn/www
A svn/www/svn-repositories2.html
A svn/www/project_header.html
A svn/www/release-history.html
Trace/BPT trap

% env CC="xlc" CFLAGS="-qmaxmem=-1 -g -qoptimize=0 -qstrict " ./configure --prefix=/.../austin.ibm.com/fs/projects/gsys/pkg/subversion-0.36.0 --without-berkeley-db --enable-maintainer-mode --enable-shared=no

% env CC="xlc" CFLAGS="-qmaxmem=-1 -g -qoptimize=0 -qstrict -bnoquiet" gmake

The crash callstack:
svn_subst_translate_stream() : subversion/libsvn_subr/subst.c, line 565
svn_subst_copy_and_translate() : subversion/libsvn_subr/subst.c, 747
file_xfer_under_path() : subversion/libsvn_wc/log.c, 123
log_do_file_xfer()
start_handler()
expat_start_handler()
doContent()
contentProcessor()
XML_ParseBuffer()
XML_Parse()
svn_xml_parse()
svn_wc__run_log()
install_file()
close_file()
close_file()
end_element()
end_element()
doContent()
contentProcessor()
XML_ParseBuffer()
XML_Parse()
ne_xml_parse()
ne_xml_parse_v()
ne_read_response_block()
ne_request_dispatch()
parsed_request()
svn_ra_dav__parsed_request()
reporter_finish_report()
svn_wc_crawl_revisions()
svn_client__update_internal()
svn_client_update()
svn_client__checkout_internal()
svn_client_checkout()
svn_cl__checkout()
main()
__start()

-Travis

Received on Thu Jan 15 02:47:29 2004
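
The indexing problem described in the report above, as an added example (not part of the original post and not Subversion code): when a read fills the whole buffer, the byte count equals the buffer size, so a terminator written at that index needs one spare byte. `CHUNK`, `mem_stream`, `mem_read` and both function names are hypothetical, and the sample text is constructed.

```c
#include <stdio.h>
#include <string.h>
#define CHUNK 8  /* small stand-in for the 102401-byte buffer in the report */

/* Hypothetical in-memory stream standing in for the one svn reads from. */
struct mem_stream { const char *data; size_t len, pos; };

/* Same contract as the read in the report: *len is the size requested on
   entry and the number of bytes actually read on return. */
static void mem_read(struct mem_stream *s, char *out, size_t *len)
{
    size_t left = s->len - s->pos;
    if (*len > left) *len = left;
    memcpy(out, s->data + s->pos, *len);
    s->pos += *len;
}

/* Index where the quoted loop stores '\0' after its first read.
   Only computed, never written, so nothing here goes out of bounds. */
size_t reported_terminator_index(size_t bufsize, size_t stream_len)
{
    size_t readlen = bufsize;              /* readlen = sizeof (buf); */
    return readlen > stream_len ? stream_len : readlen;  /* buf[readlen] */
}

/* Bounded form: request one byte less than buf holds so the terminator
   always has a slot. *hi gets the highest index '\0' was written to. */
size_t read_all_bounded(struct mem_stream *s, size_t *hi)
{
    char buf[CHUNK + 1];
    size_t readlen = sizeof(buf) - 1, total = 0;
    *hi = 0;
    while (readlen == sizeof(buf) - 1) {
        mem_read(s, buf, &readlen);
        buf[readlen] = '\0';               /* readlen <= CHUNK: in range */
        if (readlen > *hi) *hi = readlen;
        total += strlen(buf);
    }
    return total;
}

int main(void)
{
    struct mem_stream s = { "constructed sample text", 23, 0 };
    size_t hi, total = read_all_bounded(&s, &hi);
    printf("bounded: %zu bytes, highest terminator index %zu\n", total, hi);
    printf("reported: index %zu\n", reported_terminator_index(102401, 200000));
    return 0;
}
```

Building a loop like this with a bounds-checking tool such as AddressSanitizer (`-fsanitize=address` in GCC or Clang) reports an out-of-range terminator write at the faulting line rather than as a later trap.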

This is an archived mail posted to the Subversion Users mailing list.
