[sword-devel] problem with max length in sword::OSISPlain::handleToken()
Ben Morgan
benpmorgan at gmail.com
Thu May 29 16:34:25 MST 2008
If maxlen is 0, then I believe you should use the string length as the max
length.
For example, from the ICU string mgr:
int max = (maxlen) ? maxlen : strlen(buf);
God Bless,
Ben
-------------------------------------------------------------------------------------------
The Lord is not slow to fulfill his promise as some count slowness,
but is patient toward you, not wishing that any should perish,
but that all should reach repentance.
2 Peter 3:9 (ESV)
On Fri, May 30, 2008 at 1:29 AM, Karl Kleinpaste <karl at kleinpaste.org>
wrote:
> I'm chasing a GS crash bug which turns out to be a problem with the
> underlying Sword support, in which it has passed a max length of zero to
> GS_StringMgr::upperUTF8().
>
> The bug is tripped during a search which subsequently calls
> SWModule::StripText() and eventually lands in this code:
> 32 int newlen = strlen(upper_str);
> 33 if (newlen >= maxlen) newlen = maxlen - 1;
> 34 memcpy(text, upper_str, newlen); // SEGV HERE.
> 35 text[newlen] = 0;
>
> In the backtrace, note that GS_StringMgr::upperUTF8() has been given
> maxlen=0.
>
> #0 0x081231f4 in sword::GS_StringMgr::upperUTF8 (this=0x99cc550,
> text=0xb5b6c1b "LORD", maxlen=0) at gs_stringmgr.cpp:34
> #1 0x0817c1b8 in sword::toupperstr (t=0xb5b6c1b "LORD", max=0) at
> ../include/stringmgr.h:94
> #2 0x0818135f in sword::OSISPlain::handleToken (this=0xb7a5638,
> buf=@0xb9c6964, token=0xbfbe679c "/divineName", userData=0xc1d7560) at
> ../src/modules/filters/osisplain.cpp:172
> #3 0x081d0d85 in sword::SWBasicFilter::processText (this=0xb7a5638,
> text=@0xb9c6964, key=0xc1cd6b8, module=0xb9c68dc) at
> ../src/modules/filters/swbasicfilter.cpp:364
> #4 0x081be2e2 in sword::SWModule::filterBuffer (this=0xb9c68dc,
> filters=0x91c66d8, buf=@0xb9c6964, key=0xc1cd6b8) at
> ../src/modules/swmodule.cpp:1271
> #5 0x081af5d9 in sword::SWModule::stripFilter (this=0xb9c68dc,
> buf=@0xb9c6964, key=0xc1cd6b8) at ../include/swmodule.h:566
> #6 0x081c0f66 in sword::SWModule::RenderText (this=0xb9c68dc, buf=0x0,
> len=-1, render=false) at ../src/modules/swmodule.cpp:796
> #7 0x081be256 in sword::SWModule::StripText (this=0xb9c68dc, buf=0x0,
> len=-1) at ../src/modules/swmodule.cpp:762
> #8 0x0813582f in BackEnd::get_strip_text (this=0xb790b20,
> module_name=0x90f20c8 "NASB", key=0xc137dc0 "Deuteronomy 12:5") at
> sword_main.cc:496
> #9 0x0810f991 in main_do_dialog_search () at search_dialog.cc:1492
>
> (gdb) p text
> $1 = 0xb5b6c1b "LORD"
> (gdb) p upper_str
> $2 = 0xc1d8f18 "LORD"
> (gdb) p newlen
> $3 = -1
> (gdb) up
> #1 0x0817c1b8 in sword::toupperstr (t=0xbc43653 "LORD", max=0) at
> ../include/stringmgr.h:94
> 94 return StringMgr::getSystemStringMgr()->upperUTF8(t, max);
> (gdb) p max
> $4 = 0
>
> memcpy() takes an unsigned (size_t) length, and GS inadvertently handed
> it 0xffffffff because sword::toupperstr() gave us 0. That, in turn, is
> because OSISPlain::handleToken() called toupperstr with one arg,
> defaulting its 2nd arg "max" to zero.
>
> _______________________________________________
> sword-devel mailing list: sword-devel at crosswire.org
> http://www.crosswire.org/mailman/listinfo/sword-devel
> Instructions to unsubscribe/change your settings at above page
>
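The following is an added example, not code from SWORD or GnomeSword: it reproduces the length arithmetic of the quoted upperUTF8() snippet so the underflow is visible, and beside it shows the fix Ben proposes (treat maxlen == 0 as "use the string's own length", as the ICU string manager does). The function names, the plain ASCII toupper() standing in for UTF-8 case mapping, and the sample strings are assumptions made for this illustration.

```c
/*
 * Added example (not SWORD/GnomeSword code). Names, the ASCII toupper()
 * stand-in for UTF-8 case mapping, and the sample inputs are assumptions.
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The quoted logic, unchanged: maxlen is the buffer size including the NUL.
 * With maxlen == 0, newlen becomes -1; the caller hands that to memcpy,
 * whose size_t parameter reads it as SIZE_MAX (0xffffffff on the 32-bit
 * build in the backtrace), which is the SEGV. */
int buggy_copy_len(const char *upper_str, int maxlen)
{
    int newlen = (int)strlen(upper_str);
    if (newlen >= maxlen) newlen = maxlen - 1;
    return newlen;
}

/* Fixed length computation. maxlen <= 0 means "no explicit limit", so the
 * limit falls back to the bytes already in the in-place buffer plus its NUL,
 * the same idea as the ICU string manager's
 *     int max = (maxlen) ? maxlen : strlen(buf);
 * Returns the number of bytes that are safe to copy before the terminator. */
size_t safe_copy_len(const char *text, const char *upper_str, int maxlen)
{
    size_t limit = (maxlen > 0) ? (size_t)maxlen : strlen(text) + 1;
    size_t newlen = strlen(upper_str);
    if (newlen >= limit) newlen = limit - 1;
    return newlen;
}

/* In-place uppercase using the fixed length handling. Returns the number of
 * bytes written (excluding the NUL), or -1 if the scratch buffer allocation fails. */
int upper_inplace(char *text, int maxlen)
{
    size_t srclen = strlen(text);
    char *upper_str = malloc(srclen + 1);
    if (!upper_str) return -1;
    for (size_t i = 0; i <= srclen; i++)       /* copies the NUL too */
        upper_str[i] = (char)toupper((unsigned char)text[i]);

    size_t newlen = safe_copy_len(text, upper_str, maxlen);
    memcpy(text, upper_str, newlen);
    text[newlen] = '\0';
    free(upper_str);
    return (int)newlen;
}

int main(void)
{
    char word[] = "lord";                      /* constructed sample input */
    printf("buggy newlen for maxlen=0: %d (as size_t: %zu)\n",
           buggy_copy_len("LORD", 0), (size_t)buggy_copy_len("LORD", 0));

    upper_inplace(word, 0);                    /* the maxlen=0 path from handleToken() */
    printf("fixed, maxlen=0: %s\n", word);

    char small[] = "lord";
    upper_inplace(small, 3);                   /* an explicit limit is still honoured */
    printf("fixed, maxlen=3: %s\n", small);
    return 0;
}
```

The hardened version keeps the original convention that maxlen counts the terminating NUL, so a caller that does pass a limit sees exactly the old truncation; only the "no limit" case changes, and it stays within the bytes the in-place buffer already holds.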