bug-coreutils

bug#7357: csplit: memory exhausted when using stdout / pipe instead of a


From: Jim Meyering
Subject: bug#7357: csplit: memory exhausted when using stdout / pipe instead of a file
Date: Wed, 10 Nov 2010 13:56:58 +0100

Pádraig Brady wrote:
...
> I just looked at the csplit code there,
> and it's more sophisticated than I expected.
> Therefore it seems this is just a plain old mem leak.
>
> diff --git a/src/csplit.c b/src/csplit.c
> index 40baba8..770f891 100644
> --- a/src/csplit.c
> +++ b/src/csplit.c
> @@ -418,6 +418,13 @@ get_new_buffer (size_t min_size)
>  static void
>  free_buffer (struct buffer_record *buf)
>  {
> +  struct line *l, *n;
> +  for (l = buf->line_start; l;)
> +    {
> +      n = l->next;
> +      free (l);
> +      l = n;
> +    }
>    free (buf->buffer);
>    buf->buffer = NULL;
>  }
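Review bot: in free_buffer, the new loop frees every struct line reachable from buf->line_start but leaves buf->line_start pointing at freed memory, while the two lines that follow reset buf->buffer to NULL after freeing it. Setting buf->line_start = NULL after the loop would keep the record consistent and turn a second free_buffer call on the same record into a no-op instead of a double free.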
> @@ -542,6 +549,7 @@ remove_line (void)
>    if (prev_buf)
>      {
>        free_buffer (prev_buf);
> +      free (prev_buf);
>        prev_buf = NULL;
>      }
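Review bot: in remove_line, the added free (prev_buf) is needed only because free_buffer releases the record's contents and not the record itself, so any other caller of free_buffer (none is visible in this hunk) would leak the struct buffer_record in the same way. Consider freeing the record inside free_buffer, or checking each caller, so the fix does not depend on this one call site.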

Good one.  Thank you!
That looks fine and certainly belongs in the upcoming release.

Looking at that, I found yet another problem.
Here's all but the test, which will be done momentarily:

From b6ab1ac32080060667dea3b864462b5535e2779d Mon Sep 17 00:00:00 2001
From: Jim Meyering <address@hidden>
Date: Wed, 10 Nov 2010 13:53:38 +0100
Subject: [PATCH] csplit: avoid buffer overrun when writing more than 999 files

Without this fix, seq 1000 | csplit - /./ '{*}' would write
the NUL-terminated file name, xx1000, into a buffer of size 6.
* src/csplit.c (main): Use properly sized file name buffer.
* NEWS (Bug fixes): Mention it.
---
 NEWS         |    4 ++++
 src/csplit.c |    9 +++++----
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/NEWS b/NEWS
index 0cd6153..89ae5d6 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,10 @@ GNU coreutils NEWS                                    -*- 
outline -*-
   latent bug introduced in coreutils 8.1, and possibly a second latent
   bug going at least as far back as coreutils 5.97]

+  csplit no longer corrupts heap when writing more than 999 files.
+  Demonstrate with: seq 1000 | csplit - /./ '{*}'
+  [the bug was present in the initial implementation]
+
   tail -F once again notices changes in a currently unavailable
   remote directory [bug introduced in coreutils-7.5]

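Review bot: the added entry's "more than 999 files" matches the case in the commit message (name xx1000, buffer of size 6), but the allocation removed in src/csplit.c was strlen (prefix) + digits + 2, so the file count at which the name stops fitting depends on the digit width in use. Wording that does not hard-code 999, for example "when writing more files than the suffix width allows for", would cover those cases as well. "corrupts heap" would also read better as "corrupts the heap".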
diff --git a/src/csplit.c b/src/csplit.c
index 40baba8..57543f0 100644
--- a/src/csplit.c
+++ b/src/csplit.c
@@ -1372,10 +1372,11 @@ main (int argc, char **argv)
       usage (EXIT_FAILURE);
     }

-  if (suffix)
-    filename_space = xmalloc (strlen (prefix) + max_out (suffix) + 2);
-  else
-    filename_space = xmalloc (strlen (prefix) + digits + 2);
+  unsigned int max_digit_string_len
+    = (suffix
+       ? max_out (suffix)
+       : MAX (INT_STRLEN_BOUND (unsigned int), digits));
+  filename_space = xmalloc (strlen (prefix) + max_digit_string_len + 1);

   set_input_file (argv[optind++]);

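Review bot: in the replacement for the filename_space allocation, the suffix case changes too, from max_out (suffix) + 2 to max_out (suffix) + 1, although the commit message describes only the default-name overrun. That is safe only if max_out returns the full formatted length excluding the terminating NUL, which this hunk does not show; a short comment saying what the + 1 covers would make it checkable. The pending test should exercise both the suffix and the no-suffix branch.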
--
1.7.3.2.4.g60aa9
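The sizing arithmetic behind the second patch, as an added example that is not part of the original message or of coreutils: it compares the old and new allocation for the no-suffix case and finds the first file number whose name no longer fits. Assumptions: names are the prefix followed by a zero-padded decimal of width digits, and UINT_STRLEN_BOUND is a stand-in for gnulib's INT_STRLEN_BOUND restricted to unsigned int; all function names are hypothetical.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Stand-in (assumption) for INT_STRLEN_BOUND (unsigned int): an upper bound
   on the decimal digits of UINT_MAX, using 146/485 as a bound on log10(2). */
#define UINT_STRLEN_BOUND (sizeof (unsigned int) * CHAR_BIT * 146 / 485 + 1)

/* Bytes the pre-patch code allocated when no suffix format is given. */
static size_t old_size (const char *prefix, unsigned int digits)
{
  return strlen (prefix) + digits + 2;
}

/* Bytes the patched code allocates for the same case. */
static size_t new_size (const char *prefix, unsigned int digits)
{
  size_t bound = UINT_STRLEN_BOUND;
  return strlen (prefix) + (digits > bound ? digits : bound) + 1;
}

/* Bytes needed for prefix + padded number + NUL.  snprintf with a NULL
   buffer only measures, so nothing is written out of bounds here. */
static size_t needed (const char *prefix, unsigned int digits, unsigned int n)
{
  return (size_t) snprintf (NULL, 0, "%s%0*u", prefix, (int) digits, n) + 1;
}

/* First file number whose name does not fit in SIZE bytes, or 0 if every
   unsigned int fits.  Name length only grows at powers of ten. */
static unsigned int first_overflow (const char *prefix, unsigned int digits,
                                    size_t size)
{
  for (unsigned int n = 1; ; n *= 10)
    {
      if (needed (prefix, digits, n) > size)
        return n;
      if (n > UINT_MAX / 10)
        return 0;
    }
}

int main (void)
{
  printf ("old: %zu bytes, first overflow at file %u\n", old_size ("xx", 2),
          first_overflow ("xx", 2, old_size ("xx", 2)));
  printf ("new: %zu bytes, first overflow at file %u\n", new_size ("xx", 2),
          first_overflow ("xx", 2, new_size ("xx", 2)));
  return 0;
}
```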




