After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 599863 - Segfault when >4kb entered in gjs console
Segfault when >4kb entered in gjs console
Status: RESOLVED FIXED
Product: gjs
Classification: Bindings
Component: general
unspecified
Other Linux
: Normal normal
: ---
Assigned To: gjs-maint
gjs-maint
Depends on:
Blocks:
 
 
Reported: 2009-10-27 23:56 UTC by Volodymyr M. Lisivka
Modified: 2011-06-04 15:24 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
avoid the segfault (3.72 KB, patch)
2011-01-20 21:46 UTC, Marc-Antoine Perennou 		reviewed Details | Review
avoid the segfault (3.77 KB, patch)
2011-01-20 21:49 UTC, Marc-Antoine Perennou 		none Details | Review
avoid the segfault (4.01 KB, patch)
2011-01-21 07:24 UTC, Marc-Antoine Perennou 		accepted-commit_now Details | Review

Description Volodymyr M. Lisivka 2009-10-27 23:56:24 UTC 
GJS expects that 4KiB buffer is large enough which is not true always. Code of a JS library in compressed form (with all white space deleted) can be much larger than 4KiB. Pasting of such large string to GJS console causes segmentation fault.

Problem is in this code in gjs/modules/console.c:gjs_console_readline
===================================================
line = readline(prompt);
...

strcpy(bufp, line); // Segfault when size of line is much larger than size of buffer
free(line);
===================================================

IMHO, gjs_console_readline should just return string instead of copying it to buffer without checking of buffer bounds.
Comment 1 Marc-Antoine Perennou 2011-01-20 21:46:03 UTC 
Created attachment 178892 [details] [review]
avoid the segfault

Dinamically reallocate memory instead of having a fixed buffer.
Making so allows us not to have any line length limit.
With this patch, it does not segfault anymore with for example jquery-min-1.4 (with which it did before)
Comment 2 Marc-Antoine Perennou 2011-01-20 21:49:19 UTC 
Created attachment 178893 [details] [review]
avoid the segfault

Typso ...
Comment 3 Colin Walters 2011-01-20 21:56:04 UTC 
Review of attachment 178892 [details] [review]:

Thanks for looking at this.

Typo in commit message, it's "dynamically".

::: modules/console.c
@@ +178,3 @@
     do {
+        g_free(buffer);
+        buffer = NULL;

I'd prefer to make buffer a GString, which makes memory handling a lot saner.

http://library.gnome.org/devel/glib/2.26/glib-Strings.html#GString

@@ +188,3 @@
          */
         startline = lineno;
         do {

Also, cleaner to allocate here, since the variable is local to the loop.

char *temp_buf = NULL;

@@ +200,3 @@
+                buffer = g_malloc0(buffer_len * sizeof(char));
+            strcat(buffer, bufp);
+            g_free(bufp);

This bit is pretty gross, if we were using a GString it'd just be:

g_string_append (buffer, bufp);

Also, can we call it "temp_buf" instead of "bufp"?

@@ +205,3 @@
 
+        if (buffer)
+            script = JS_CompileScript(context, object, buffer, strlen(buffer), "typein",

Then this would be:

buffer->str, buffer->len

@@ +233,3 @@
     } while (!eof);
 
+    g_free(buffer);

g_string_free(buffer, TRUE);
Comment 4 Marc-Antoine Perennou 2011-01-21 07:24:15 UTC 
Created attachment 178911 [details] [review]
avoid the segfault

Use a GString for the buffer
Comment 5 Colin Walters 2011-01-21 18:55:38 UTC 
Review of attachment 178911 [details] [review]:

Looks a lot better, no? =)  Thanks for the update, will push.
Comment 6 Marc-Antoine Perennou 2011-01-21 19:31:51 UTC 
Yep, thx for pointing me at that ! Never used GStrings before
Comment 7 Colin Walters 2011-06-04 15:24:22 UTC 
This was pushed