xdiskusage crashes with simple input (reproducible at will)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
xdiskusage (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Hello,
* Summary
Ubuntu 13.10's xdiskusage crashes with simple input (reproducible at will). Just:
```
{ echo "1 a" ; echo "2 b" ; } | xdiskusage
```
* Detailed info
I happened to have xdiskusage crash on data fed via stdin.
Arguably the data isn't exactly what xdiskusage expects. Each line is "size-as-a-number filename", whereas xdiskusage expects "size-as-a-number dirname/filename".
Yet xdiskusage should not crash on slightly invalid data.
The minimal test case here is enough to make it crash:
```
{ echo "1 a" ; echo "2 b" ; } | xdiskusage
```
* Additional info
For clarity of the program traces I recompiled xdiskusage from upstream CVS source [CVS Repository: Code](http://
```
apt-get source xdiskusage
sudo apt-get build-dep xdiskusage
...
```
- xdiskusage recompiled from upstream CVS does not crash
- xdiskusage-1.48 compiled from pristine upstream source does not compile
* Crash traces
Please find below the gdb and valgrind info.
```
gdb ./xdiskusage
GNU gdb (GDB) 7.6.1-ubuntu
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://
Reading symbols from mypath/
(gdb) args -aq </tmp/testcrash
Undefined command: "args". Try "help".
(gdb) set args -aq </tmp/testcrash
(gdb) run
Starting program: mypath/
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_
Program received signal SIGSEGV, Segmentation fault.
0x00000000004057c7 in OutputWindow:
713 unsigned char c = (unsigned char)(n-
(gdb) bt
#0 0x00000000004057c7 in OutputWindow:
#1 0x0000000000405fc4 in OutputWindow::draw (this=0x6175c0) at xdiskusage.C:790
#2 0x00007ffff7b5eb22 in Fl::flush() () from /usr/lib/
#3 0x00007ffff7b5ffd3 in Fl::wait(double) () from /usr/lib/
#4 0x00007ffff7b6010d in Fl::run() () from /usr/lib/
#5 0x00000000004040b9 in main (argc=2, argv=0x7fffffff
(gdb)
```
```
{ echo "1 a" ; echo "2 b" ; } | valgrind ./xdiskusage
==31756== Memcheck, a memory error detector
==31756== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==31756== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==31756== Command: ./xdiskusage
==31756==
==31756== Invalid read of size 1
==31756==    at 0x403CD1: OutputWindow:
==31756==    by 0x4E5CB21: Fl::flush() (in /usr/lib/
==31756==    by 0x4E5DFD2: Fl::wait(double) (in /usr/lib/
==31756==    by 0x4E5E10C: Fl::run() (in /usr/lib/
==31756==    by 0x4026FD: main (in mypath/
==31756==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==31756==
==31756==
==31756== Process terminating with default action of signal 11 (SIGSEGV)
==31756==  Access not within mapped region at address 0x0
==31756==    at 0x403CD1: OutputWindow:
==31756==    by 0x4E5CB21: Fl::flush() (in /usr/lib/
==31756==    by 0x4E5DFD2: Fl::wait(double) (in /usr/lib/
==31756==    by 0x4E5E10C: Fl::run() (in /usr/lib/
==31756==    by 0x4026FD: main (in mypath/
==31756==  If you believe this happened as a result of a stack
==31756==  overflow in your program's main thread (unlikely but
==31756==  possible), you can try to increase the size of the
==31756==  main thread stack using the --main-stacksize= flag.
==31756==  The main thread stack size used in this run was 8388608.
==31756==
==31756== HEAP SUMMARY:
==31756==     in use at exit: 491,242 bytes in 4,040 blocks
==31756==   total heap usage: 9,446 allocs, 5,406 frees, 2,830,568 bytes allocated
==31756==
==31756== LEAK SUMMARY:
==31756==    definitely lost: 2,433 bytes in 6 blocks
==31756==    indirectly lost: 4,191 bytes in 133 blocks
==31756==      possibly lost: 0 bytes in 0 blocks
==31756==    still reachable: 484,618 bytes in 3,901 blocks
==31756==         suppressed: 0 bytes in 0 blocks
==31756== Rerun with --leak-check=full to see details of leaked memory
==31756==
==31756== For counts of detected and suppressed errors, rerun with: -v
==31756== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 2 from 2)
Erreur de segmentation (core dumped)
```
The crash occurs at xdiskusage.C:713 because `n->name` is null:
```
unsigned char c = (unsigned char)(n-
```
It looks like an invalid linked list is built in memory and then fed to the display code, which causes the crash.
* Requested information
```
LC_ALL=C lsb_release -rd
Description:    Ubuntu 13.10
Release:        13.10
LC_ALL=C apt-cache policy xdiskusage
xdiskusage:
  Installed: 1.48-10.1
  Candidate: 1.48-10.1
  Version table:
 *** 1.48-10.1 0
        500 http://
        100 /var/lib/
```
ProblemType: Bug
DistroRelease: Ubuntu 13.10
Package: xdiskusage 1.48-10.1
ProcVersionSign
Uname: Linux 3.11.0-15-generic x86_64
ApportVersion: 2.12.5-0ubuntu2.2
Architecture: amd64
Date: Tue Jan 14 18:56:19 2014
MarkForUpload: True
SourcePackage: xdiskusage
UpgradeStatus: No upgrade log present (probably fresh install)
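The report's own diagnosis is that a line without a `/` leaves a list node whose `name` field is null, and the draw routine then dereferences it. The following C program is an added illustration of that failure mode and of the two places a fix belongs (reject or normalise malformed input at parse time, and never dereference an optional pointer at draw time). It is not xdiskusage's code: the `Node` struct, `parse_naive`, `parse_safe`, `build_list` and `draw_list` are hypothetical names, and the input is constructed from the reproducer in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical node type modelled on the report: one "size path" line becomes
 * one node, and the display code reads node->name. Not xdiskusage's own struct. */
typedef struct Node {
    unsigned long long size;
    char *dir;          /* directory part, NULL when the path has no '/' */
    char *name;         /* file-name part; the draw code dereferences this */
    struct Node *next;
} Node;

static char *dup_range(const char *begin, const char *end) {
    size_t len = (size_t)(end - begin);
    char *s = malloc(len + 1);
    if (!s) { perror("malloc"); exit(1); }
    memcpy(s, begin, len);
    s[len] = '\0';
    return s;
}

static char *dup_str(const char *s) { return dup_range(s, s + strlen(s)); }

/* Parse "size<space>path"; returns the path start, or NULL when the line has
 * no leading number or no single space after it. */
static const char *split_size(const char *line, unsigned long long *size) {
    char *end;
    *size = strtoull(line, &end, 10);
    if (end == line || *end != ' ') return NULL;
    return end + 1;
}

/* Naive parser reproducing the failure mode described in the report: it
 * assumes the path contains a '/', so "1 a" yields a node whose name stays NULL. */
static Node *parse_naive(const char *line) {
    Node *n = calloc(1, sizeof *n);
    if (!n) { perror("calloc"); exit(1); }
    const char *path = split_size(line, &n->size);
    const char *slash = path ? strrchr(path, '/') : NULL;
    if (slash) {                      /* only the "dirname/filename" shape is handled */
        n->dir = dup_range(path, slash);
        n->name = dup_str(slash + 1);
    }                                 /* else: dir and name silently remain NULL */
    return n;
}

/* Hardened parser: malformed lines are rejected (returns NULL) and a path with
 * no '/' is treated as a bare top-level file name, so name is never NULL. */
static Node *parse_safe(const char *line) {
    unsigned long long size;
    const char *path = split_size(line, &size);
    if (!path || *path == '\0') return NULL;
    Node *n = calloc(1, sizeof *n);
    if (!n) { perror("calloc"); exit(1); }
    n->size = size;
    const char *slash = strrchr(path, '/');
    if (slash) {
        n->dir = dup_range(path, slash);
        n->name = dup_str(slash + 1);
    } else {
        n->name = dup_str(path);
    }
    return n;
}

typedef Node *(*parser_fn)(const char *);

/* Build a list from newline-separated input with the given parser; counts
 * the lines the parser rejected. */
static Node *build_list(const char *input, parser_fn parse, int *rejected) {
    Node *head = NULL, **tail = &head;
    *rejected = 0;
    for (const char *p = input; *p; ) {
        const char *nl = strchr(p, '\n');
        const char *end = nl ? nl : p + strlen(p);
        char *line = dup_range(p, end);
        Node *n = parse(line);
        free(line);
        if (n) { *tail = n; tail = &n->next; } else (*rejected)++;
        p = nl ? nl + 1 : end;
    }
    return head;
}

/* Defensive stand-in for the draw routine: instead of dereferencing a NULL
 * name (the crash site in the report) it skips the node and counts it. */
static int draw_list(const Node *n) {
    int null_names = 0;
    for (; n; n = n->next) {
        if (!n->name) { null_names++; continue; }
        printf("%llu %s%s%s\n", n->size, n->dir ? n->dir : "", n->dir ? "/" : "", n->name);
    }
    return null_names;
}

static void free_list(Node *n) {
    while (n) { Node *next = n->next; free(n->dir); free(n->name); free(n); n = next; }
}

/* Constructed input: the report's reproducer, one well-formed line, one junk line. */
static const char REPRO[] = "1 a\n2 b\n3 dir/c\nnot a line\n";

int main(void) {
    int rejected;
    Node *naive = build_list(REPRO, parse_naive, &rejected);
    printf("naive parser: %d node(s) with NULL name\n", draw_list(naive));
    free_list(naive);
    Node *safe = build_list(REPRO, parse_safe, &rejected);
    printf("safe parser: %d node(s) with NULL name, %d line(s) rejected\n",
           draw_list(safe), rejected);
    free_list(safe);
    return 0;
}
```

With the report's two lines the naive parser builds two nodes with a NULL `name`, which is exactly the state the gdb and valgrind traces show being dereferenced; the hardened parser produces none and additionally rejects the junk line, so the draw code has nothing unexpected to display.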
This bug was fixed in the package xdiskusage - 1.60-2
```
xdiskusage (1.60-2) unstable; urgency=medium

  * debian/docs: Dropped, we use debian/xdiskusage.docs.
  * New version actually solves stalled behavior with certain
    file names. (Closes: #873572) (LP: #1269089)
  * New version now recognizes UTF-8 filenames. (Closes: #311435)
  * debian/control: Add build-dependency on fluid in fltk1.3.
  * debian/rules: Explicitly pass CPPFLAGS/CXXFLAGS/LDFLAGS to
    Makefile during build.

 -- Boyuan Yang <email address hidden>  Tue, 29 Aug 2023 12:15:33 -0400
```