[PD-dev] [maxlib/history] segfault

Claude Heiland-Allen claudiusmaximus at goto10.org
Sun Oct 24 02:40:52 CEST 2010


I tried here with trunk/externals/maxlib/history.c and attached 
history-test.pd patch, crashed:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6aad862 in history_float (x=0x831a80, f=<value optimised out>)
     at history.c:153
153		else x->x_average = x->x_input[x->x_inpointer];
(gdb) bt
#0  0x00007ffff6aad862 in history_float (x=0x831a80, f=<value optimised out>)
     at history.c:153
#1  0x000000000046a69f in outlet_float ()
#2  0x000000000046ab69 in outlet_bang ()
#3  0x00000000004b8e04 in ?? ()
#4  0x00000000004761ed in m_mainloop ()
#5  0x000000000047aaf5 in sys_main ()
#6  0x00007ffff6ccec4d in __libc_start_main (main=<value optimised out>,
     argc=<value optimised out>, ubp_av=<value optimised out>,
     init=<value optimised out>, fini=<value optimised out>,
     rtld_fini=<value optimised out>, stack_end=0x7fffffffe238)
     at libc-start.c:226
#7  0x0000000000412f99 in _start ()
(gdb) print x->x_inpointer
$1 = 4728264212663500800


I'm guessing that the array overrun dumped some garbage in the 
x_inpointer field, which then exploded...


With the s/>/>=/ patch to line ~155 (see below) I didn't manage to crash 
it, but I also don't know whether the output was correct...


Claude


On 24/10/10 01:05, Brian Neltner wrote:
> Thanks Claude for your help.
>
> I will personally just be switching to mavg instead of history for now
> since I need to be confident it will work. Is there someone I can notify
> who maintains the history external who would be interested in knowing
> about the bug?
>
> Brian
>
> On Sun, 2010-10-24 at 00:38 +0100, Claude Heiland-Allen wrote:
>>
>> Yes, in the absence of symbol information from 'history.pd_linux', I
>> would guess that it is these lines that are the problem:
>>
>> http://pure-data.svn.sourceforge.net/viewvc/pure-data/branches/pd-extended/0.42/externals/maxlib/history.c?revision=13589&view=markup#l155
>>
>> 155 	if(++x->x_inpointer > MAX_ARG)
>> 156 	{
>> 157 	    x->x_inpointer = 0;
>> 158 	}
>>
>> Possibly it should be >= instead of >, otherwise the code might end up
>> reading/writing past the end of the 0-indexed arrays of size MAX_ARG,
>> causing all kinds of memory corruption and random crashes, but I don't
>> suggest making the change without checking whether it is correct - the
>> code doesn't have any comments indicating the data invariants.

Attachment: history-test.pd
URL: <http://lists.puredata.info/pipermail/pd-dev/attachments/20101024/9a619fea/attachment.txt>
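The off-by-one discussed above, as an added illustration that is not code from maxlib or from this thread: the quoted `>` bound lets the write index reach MAX_ARG, one past the last valid slot of a 0-indexed array, while `>=` keeps it inside. The struct shape, the function names and the MAX_ARG value are assumptions made for the example; the out-of-range store is counted rather than performed.

```c
#include <stdio.h>

/* Assumed size for the example; the real history.c defines MAX_ARG itself. */
#define MAX_ARG 8

/* Hypothetical stand-in for the external's state: a ring buffer of
   MAX_ARG samples (valid indices 0..MAX_ARG-1) and the write pointer. */
typedef struct {
    float x_input[MAX_ARG];
    int   x_inpointer;
} history_t;

/* Index update as quoted in the report: it wraps only after the index
   has exceeded MAX_ARG, so MAX_ARG itself is used as an array index. */
static int advance_reported(int inpointer) {
    if (++inpointer > MAX_ARG) inpointer = 0;
    return inpointer;
}

/* The s/>/>=/ variant: wraps as soon as the index reaches MAX_ARG. */
static int advance_fixed(int inpointer) {
    if (++inpointer >= MAX_ARG) inpointer = 0;
    return inpointer;
}

/* Feed `steps` samples through the buffer with the given index update.
   A store outside 0..MAX_ARG-1 is undefined behaviour in C (it would land
   on whatever follows the array, e.g. x_inpointer), so instead of doing it
   the write is bounds-checked and the number of rejected stores returned. */
static int run_history(history_t *h, int steps, float f, int (*advance)(int)) {
    int out_of_range = 0;
    h->x_inpointer = 0;
    for (int i = 0; i < steps; i++) {
        if (h->x_inpointer >= 0 && h->x_inpointer < MAX_ARG)
            h->x_input[h->x_inpointer] = f;
        else
            out_of_range++;   /* the store history.c would have performed */
        h->x_inpointer = advance(h->x_inpointer);
    }
    return out_of_range;
}

int main(void) {
    history_t h;
    int steps = 2 * (MAX_ARG + 1);   /* two full cycles of the longer period */
    printf("'>'  bound: %d out-of-range writes in %d steps\n",
           run_history(&h, steps, 1.0f, advance_reported), steps);
    printf("'>=' bound: %d out-of-range writes in %d steps\n",
           run_history(&h, steps, 1.0f, advance_fixed), steps);
    return 0;
}
```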

