After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 640646 - string memory corruption on long path names > ~200 characters
string memory corruption on long path names > ~200 characters
Status: RESOLVED FIXED
Product: doxygen
Classification: Other
Component: general
1.7.3
Other Linux
: Normal major
: ---
Assigned To: Dimitri van Heesch
Dimitri van Heesch
Depends on:
Blocks:
 
 
Reported: 2011-01-26 15:45 UTC by Matthias Gerstner
Modified: 2011-03-28 14:19 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
fix length limitation of vsprintf() by using two pass vsnprintf() approach (1.18 KB, patch)
2011-01-26 15:45 UTC, Matthias Gerstner
none Details | Review

Description Matthias Gerstner 2011-01-26 15:45:24 UTC
Created attachment 179378 [details] [review]
fix length limitation of vsprintf() by using two pass vsnprintf() approach

While attempting to build doxygen documentation for a large software project I encountered memory corruption in realloc() that caused execution to abort.

A debugging session showed that doxygen was trying to print a warning in doxygen.cpp:685 for a path that is longer than about 200 characters.

A further analysis showed that the problem is rooted in SCString::sprintf( const char*, ...) in qtools/scstring.cpp:152. The function temporarily increases the string object size to at least 256 characters and then calls vsprintf() for the given arguments.

In my case the string argument was longer than 200 characters causing the "minlen" of 256 characters to be overflowed and the heap being corrupted. The following resize operation using realloc() then causes the program to crash.

I've attached a simple bugfix for SCString::sprintf( const char*, ...) that adds a two-pass operation using vsnprintf(). The first pass determines the number of characters that the given format string will require, then the string is resized accordingly. The second pass then performs the actual printing.

In my tests this fixed the crash and building documentation was possible again. The patch might, however, require more tuning. I couldn't determine whether the two-pass operation is supported under all circumstances by vsnprintf. The man pages are a tad unclear about that. Also the MS Windows CRT traditionally has got limitations regarding such C99 functionality.

Best regards,

Matthias
Comment 1 Dimitri van Heesch 2011-01-29 22:37:54 UTC
Thanks, I'll include the patch in the next subversion update.
Comment 2 Dimitri van Heesch 2011-03-28 14:19:32 UTC
This bug was previously marked ASSIGNED, which means it should be fixed in
doxygen version 1.7.4. Please verify if this is indeed the case. Reopen the
bug if you think it is not fixed and please include any additional information
that you think can be relevant.