Hi all,
I'm running 3.1-branch git head currently under valgrind. And I've seen
several invalid reads and writes (apparently most are off by one).
==22274== Invalid read of size 1
==22274== at 0x6DA2C0A: pv_set_ruri_user (pv_core.c:1755)
==22274== by 0x13BA15: lval_pvar_assign (lvalue.c:357)
==22274== by 0x13BF0F: lval_assign (lvalue.c:405)
==22274== by 0x139E4D: do_action (action.c:1472)
==22274== by 0x13A6F1: run_actions (action.c:1555)
==22274== by 0x12FDEB: do_action (action.c:711)
==22274== by 0x13A6F1: run_actions (action.c:1555)
==22274== by 0x13A86F: run_actions_safe (action.c:1607)
==22274== by 0x1E2666: rval_get_int (rvalue.c:904)
==22274== by 0x1E5252: rval_expr_eval_int (rvalue.c:1866)
==22274== by 0x131B8A: do_action (action.c:1071)
==22274== by 0x13A6F1: run_actions (action.c:1555)
Is fairly obvious. modules_k/pv/pv_core.c has several places which take
backup of "val->rs.s[val->rs.len]" and replaces it with zero for string
termination. It's than later on set back to the original value. However,
it would appear that the value passed does not always point to a memory
area which is large enough. This results in multiple invalid reads and
writes of one.
The remaining reads are not so clear to me.
==22274== Invalid read of size 1
==22274== at 0x4811A69: strncpy (mc_replace_strmem.c:339)
==22274== by 0x6DA77FF: set_var_value (pv_svar.c:122)
==22274== by 0x6DA1EDB: pv_set_scriptvar (pv_core.c:1636)
==22274== by 0x13BA15: lval_pvar_assign (lvalue.c:357)
==22274== by 0x13BF0F: lval_assign (lvalue.c:405)
==22274== by 0x139E4D: do_action (action.c:1472)
==22274== by 0x13A6F1: run_actions (action.c:1555)
==22274== by 0x131E05: do_action (action.c:1086)
==22274== by 0x13A6F1: run_actions (action.c:1555)
==22274== by 0x12FDEB: do_action (action.c:711)
==22274== by 0x13A6F1: run_actions (action.c:1555)
==22274== by 0x131E05: do_action (action.c:1086)
==22274== Invalid read of size 2
==22274== at 0x4811E1F: memcpy (mc_replace_strmem.c:523)
==22274== by 0x1E134D: rval_new_str (rvalue.c:269)
==22274== by 0x1E394E: rval_convert (rvalue.c:1301)
==22274== by 0x1E4780: rval_str_add2 (rvalue.c:1610)
==22274== by 0x1E8681: rval_expr_eval (rvalue.c:2399)
==22274== by 0x13BBD9: lval_assign (lvalue.c:389)
==22274== by 0x139E4D: do_action (action.c:1472)
==22274== by 0x13A6F1: run_actions (action.c:1555)
==22274== by 0x12FDEB: do_action (action.c:711)
==22274== by 0x13A6F1: run_actions (action.c:1555)
==22274== by 0x139229: do_action (action.c:1342)
==22274== by 0x13A6F1: run_actions (action.c:1555)
Any ideas how to fix these? Or any instructions what to provide more in
the bug report?
Cheers,
Timo