From: Steven Bergner
Subject: [Octave-bug-tracker] [bug #50974] SEGFAULT with constructed cmdline_options
Date: Mon, 8 May 2017 17:12:18 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36

URL:
  <http://savannah.gnu.org/bugs/?50974>

                 Summary: SEGFAULT with constructed cmdline_options
                 Project: GNU Octave
            Submitted by: steb
            Submitted on: Mon 08 May 2017 09:12:17 PM UTC
                Category: Interpreter
                Severity: 3 - Normal
                Priority: 5 - Normal
              Item Group: Segfault, Bus Error, etc.
                  Status: None
             Assigned to: None
         Originator Name: Steven
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
                 Release: 4.2.1
        Operating System: Any

    _______________________________________________________

Details:

There is a potential for a SEGFAULT when using Octave as a library via an
embedded interpreter inside an application that has its own command line
arguments, independent of the arguments that are passed to some internal
octave::cli_application instance.

The bug reaches back a number of versions and is still present in v4.3.0+.

In file libinterp/octave.cc, the function
  cmdline_options::cmdline_options (int argc, char **argv)
constructs an object like this:
  m_remaining_args = string_vector (argv+octave_optind_wrapper (),
                                    argc-octave_optind_wrapper ())

Here, argv may be a user-constructed char**, whereas octave_optind_wrapper()
returns the optind integer from getopt.h, which reports the number of command
line arguments of the actual application.

When using Octave as a library, this constructed address may point to invalid
memory and a SEGFAULT is triggered.

Observation and mitigation of this bug are documented here:
https://github.com/renozao/RcppOctave/pull/17/commits/7cdb1d4f0b6253920869ac74709554fc822cac96
related commit msg: "
- octave.cc (v4.2, 4.3+) cmdline_options::cmdline_options() uses
  argv + octave_optind_wrapper(), where argv is the char** produced
  in rcpp_octave.cpp octave_session and optind is a global int
  giving the number of arguments getopt.h reports for the executable,
  having nothing to do with the args produced here. If the executable
  was called with more than narg arguments, this gives a SEGFAULT.
  resolved: octave_session now ensures that char** is long enough
"
with corresponding code changes in function octave_session in
src/rcpp_octave.cpp of https://github.com/git-steb/RcppOctave/tree/develop

Thanks for keeping up this great project!

Steven
https://github.com/git-steb
    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?50974>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
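The argv + optind mismatch described in the report, modelled as an added example (not code from the report, Octave or RcppOctave): a host program runs getopt() on its own five arguments, the embedder then hands the library a two-entry argv, and the slice argv + optind for argc - optind entries lands outside that array. The padding mitigation follows the idea in the quoted commit message; the function names, the host command line and the library arguments are constructed for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <unistd.h>   /* getopt(), optind: process-global parser state */

/* Model of the slice cmdline_options takes: argv + opt_index for
 * argc - opt_index entries. It stays inside the argv the embedder built
 * only when 0 <= opt_index <= argc. Constructed illustration, not Octave code. */
int slice_in_bounds(int argc, int opt_index)
{
    return opt_index >= 0 && opt_index <= argc;
}

/* The host application parses its own options with getopt(), which leaves
 * the global optind behind. Constructed host command line: prog -a -b -c file */
int host_optind_after_getopt(void)
{
    char *host_argv[] = {"prog", "-a", "-b", "-c", "file", NULL};
    optind = 1;                               /* start a fresh scan */
    while (getopt(5, host_argv, "abc") != -1)
        ;                                     /* consume -a -b -c */
    return optind;                            /* index of "file": 4 */
}

/* Mitigation in the spirit of the quoted RcppOctave commit: give the
 * library an argv at least host_optind entries long, padded with empty
 * strings, so argv + optind never starts past the end. Fills out[] with
 * at most cap entries plus a NULL terminator and returns the padded argc. */
int build_padded_argv(const char **args, int nargs, int host_optind,
                      const char **out, int cap)
{
    int n = nargs > host_optind ? nargs : host_optind;
    if (n > cap) n = cap;
    for (int i = 0; i < n; i++)
        out[i] = i < nargs ? args[i] : "";
    out[n] = NULL;
    return n;
}

/* Reproduce the mismatch: the embedder passes a 2-entry argv while the
 * host's optind is 4, so the raw slice would be argc - optind = -2 entries
 * starting two pointers past the array. Returns 1 if padding repairs it. */
int embedded_slice_is_safe(void)
{
    const char *lib_args[] = {"octave", "--no-gui"};
    const char *padded[16];
    int opt = host_optind_after_getopt();
    int raw_ok = slice_in_bounds(2, opt);                   /* 0 */
    int argc2 = build_padded_argv(lib_args, 2, opt, padded, 15);
    return !raw_ok && slice_in_bounds(argc2, opt);          /* 1 */
}
```

Resetting optind to 1 before the embedded call would remove the stale value too, but only if no other part of the host still depends on it.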
