From david@catwhisker.org  Sun Mar 12 03:01:42 2006
Return-Path: <david@catwhisker.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id DF57116A87B;
	Sun, 12 Mar 2006 03:01:42 +0000 (GMT)
	(envelope-from david@catwhisker.org)
Received: from bunrab.catwhisker.org (adsl-63-193-123-122.dsl.snfc21.pacbell.net [63.193.123.122])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 600D445485;
	Sun, 12 Mar 2006 00:28:31 +0000 (GMT)
	(envelope-from david@catwhisker.org)
Received: from bunrab.catwhisker.org (localhost [127.0.0.1])
	by bunrab.catwhisker.org (8.13.3/8.13.3) with ESMTP id k2C0SUhO012784;
	Sat, 11 Mar 2006 16:28:30 -0800 (PST)
	(envelope-from david@bunrab.catwhisker.org)
Received: (from david@localhost)
	by bunrab.catwhisker.org (8.13.3/8.13.1/Submit) id k2C0SU2S012783;
	Sat, 11 Mar 2006 16:28:30 -0800 (PST)
	(envelope-from david)
Message-Id: <200603120028.k2C0SU2S012783@bunrab.catwhisker.org>
Date: Sat, 11 Mar 2006 16:28:30 -0800 (PST)
From: David Wolfskill <david@catwhisker.org>
Reply-To: David Wolfskill <david@catwhisker.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc: ports@freebsd.org
Subject: piewm: (malloc) Corrupted redzone 1 byte after 0xa00cbe0 (size 41) (0x0)
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         94378
>Category:       ports
>Synopsis:       piewm: (malloc) Corrupted redzone 1 byte after 0xa00cbe0 (size 41) (0x0)
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    lawrance
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 12 03:10:25 GMT 2006
>Closed-Date:    Sun Apr 16 01:33:43 GMT 2006
>Last-Modified:  Sun Apr 16 01:33:43 GMT 2006
>Originator:     David Wolfskill
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
Wolfskill & Dowling Residence
>Environment:
System: FreeBSD g1-18.catwhisker.org. 7.0-CURRENT FreeBSD 7.0-CURRENT #18: Sat Mar 11 11:14:00 PST 2006     root@g1-18.catwhisker.org.:/common/S1/obj/usr/src/sys/LAPTOP_30W  i386

Above is where the problem symptoms were noticed, thanks to jemalloc.
I believe the problem has actually existed for a very long time.

>Description:
piewm uses m4 in parsing its configuration file.  Before it does so, it
creates a temporary file of definitions.  It does this in the MkDef()
function in parse.c.

In creating the definition lines, it tries to only allocate as much
memory as necessary.

However, there is an off-by-one error; I believe that when the
routine was coded the trailing NUL character for the strings in
question was overlooked.  (There is code to "pad" the allocation
for known "extra" characters that will be needed.  It's just a
little smaller than it needs to be.)

By default, FreeBSD 7-CURRENT (as of this time) has code enabled to
identify "red zone corruption;" in this case, it's a matter of an
attempt to write on storage that was not allocated.
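As an added illustration of the sizing error described above (this is not piewm's code; the m4 wrapper literals, the names `bytes_short` and `mk_def`, and the sample name/value are assumed for this example): the extra byte count is derived from the wrapper literals plus one for the NUL, `bytes_short` shows how a constant that is one too small leaves exactly the terminating NUL with nowhere to go, and `mk_def` bounds the write with snprintf so a mis-sized constant can only truncate, never corrupt the redzone.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Wrapper text assumed for this example; piewm's real literals in parse.c
 * are not shown in the PR.  name and def become one m4 define() line. */
#define DEF_PREFIX "define(`"
#define DEF_MIDDLE "',`"
#define DEF_SUFFIX "')\n"

/* Bytes needed beyond strlen(name) + strlen(def): the three literals
 * (sizeof counts each literal's own NUL, hence the -1 each) plus exactly
 * one byte for the terminating NUL of the result, the byte piewm missed. */
#define DEF_EXTRA ((sizeof DEF_PREFIX - 1) + (sizeof DEF_MIDDLE - 1) + \
                   (sizeof DEF_SUFFIX - 1) + 1)

/* How many bytes an allocation of strlen(name)+strlen(def)+extra falls
 * short of the formatted line (0 when it is sufficient).  With
 * extra == DEF_EXTRA - 1 this is the report's off-by-one: the NUL has
 * nowhere to go and an unbounded sprintf writes it past the allocation,
 * which is the 1-byte redzone corruption jemalloc reported. */
size_t bytes_short(const char *name, const char *def, size_t extra)
{
    int len = snprintf(NULL, 0, "%s%s%s%s%s",
                       DEF_PREFIX, name, DEF_MIDDLE, def, DEF_SUFFIX);
    size_t need = (size_t)len + 1;          /* +1 for the NUL */
    size_t have = strlen(name) + strlen(def) + extra;
    return have >= need ? 0 : need - have;
}

/* Build one definition line; returns a malloc'd string or NULL.
 * The size comes from the literals and snprintf is bounded by it, so a
 * mis-sized constant could only truncate (and is caught), never overflow. */
char *mk_def(const char *name, const char *def)
{
    size_t need = strlen(name) + strlen(def) + DEF_EXTRA;
    char *line = malloc(need);
    if (line == NULL)
        return NULL;
    int n = snprintf(line, need, "%s%s%s%s%s",
                     DEF_PREFIX, name, DEF_MIDDLE, def, DEF_SUFFIX);
    if (n < 0 || (size_t)n >= need) {       /* output would have been cut */
        free(line);
        return NULL;
    }
    return line;
}
```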

One symptom is the message:
piewm: (malloc) Corrupted redzone 1 byte after 0xa00cbe0 (size 41) (0x0)

Another is that the window manager is not, in fact, functional.

It would be extremely cool if we could get this simple fix in before
the ports tree is completely frozen for the 6.1 release.

And my thanks to Jason for providing the hints for me to be able to
finally(!) track this bug down and squash it.

And I am presently using the patched version; it does work.

>How-To-Repeat:
Install ports/x11-wm/piewm, then run it.

>Fix:

--- parse.c.port	Sat Mar 11 16:06:49 2006
+++ parse.c	Sat Mar 11 16:08:22 2006
@@ -1389,7 +1389,7 @@
 /* Code taken and munged from xrdb.c */
 #define MAXHOSTNAME 255
 #define Resolution(pixels, mm)	((((pixels) * 100000 / (mm)) + 50) / 100)
-#define EXTRA	11
+#define EXTRA	12
 
 static char *
 MkDef(char *name, const char *def)
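Review bot: the new value on the `+#define EXTRA	12` line is still an unexplained magic number, so the next person trimming allocations can reintroduce this bug; add a comment listing what the 12 bytes cover (the fixed wrapper text of the m4 definition line plus the terminating NUL, the byte this report says was overlooked), or better, derive the count from the wrapper literals with sizeof so it cannot drift out of sync. The hunk also ends at the `MkDef(char *name, const char *def)` signature and shows neither the allocation nor the formatting call that consumes EXTRA, so a reader of the diff cannot confirm on its own that 12 is sufficient; including those lines as context, or quoting the allocation expression in the PR text, would make the fix verifiable.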
>Release-Note:
>Audit-Trail:

From: David Wolfskill <david@catwhisker.org>
To: bug-followup@freebsd.org
Cc:  
Subject: ports/94378: piewm: (malloc) Corrupted redzone 1 byte after 0xa00cbe0 (size 41) (0x0)
Date: Tue, 14 Mar 2006 09:34:58 -0800

 Looks as if there should be an updated source tarball soon, if not
 already.
 
 ----- Forwarded message from Russell Nelson <nelson@crynwr.com> -----
 
 From: Russell Nelson <nelson@crynwr.com>
 Date: Tue, 14 Mar 2006 10:58:53 -0500
 To: David Wolfskill <david@catwhisker.org>
 Subject: Re: Off-by-one bug in piewm -- interested?
 
 Thanks!  Fixed.
 -russ
 
 David Wolfskill writes:
  > 
  > I filed a PR with the FreeBSD ports folks Saturday (11 March), but the
  > bug appears to be in the sources for piewm itself (rather than the
  > "port" gunk that FreeBSD uses to build 3rd-party applications), and a
  > colleague at work -- who also uses piewm -- mentioned that you might
  > have an interest in the fix.
  > 
  > Since the PR includes the (nearly trivial) fix, I'll direct you to
  > <http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/94378> for the
  > explanation & unidiff-formatted patch.
  > 
  > Succinctly, the #define for EXTRA in parse.c needs to be (at least) 12,
  > rather than 11 -- it's an off-by-one error in calculating how much
  > memory will be needed for creating a line of m4 input.
  > 
  > Turns out that tvtwm doesn't have the problem:  although tvtwm also
  > spits out the "dnl" token (which was intentionally omitted for piewm),
  > tvtwm's EXTRA is 15.  Looks as if someone got a touch over-zealous with
  > respect to trying to ensure that piewm didn't allocate more memory than
  > necessary.
  > 
  > Peace,
  > david
  > -- 
  > David H. Wolfskill				david@catwhisker.org
  > Mail filters, like sewers, need to be most restrictive at the point of entry.
  > 
  > See http://www.catwhisker.org/~david/publickey.gpg for my public key.
 
 ----- End forwarded message -----
 
 Peace,
 david
 -- 
 David H. Wolfskill				david@catwhisker.org
 Mail filters, like sewers, need to be most restrictive at the point of entry.
 
 See http://www.catwhisker.org/~david/publickey.gpg for my public key.
Responsible-Changed-From-To: freebsd-ports-bugs->lawrance 
Responsible-Changed-By: lawrance 
Responsible-Changed-When: Sun Apr 16 00:41:20 UTC 2006 
Responsible-Changed-Why:  
Handling it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=94378 
State-Changed-From-To: open->closed 
State-Changed-By: lawrance 
State-Changed-When: Sun Apr 16 01:33:41 UTC 2006 
State-Changed-Why:  
piewm bumped to fixed version 1.04. Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=94378 
>Unformatted:
