Details Ticket 4095


Comment | Reply | Resolve


Serial Number 4095
Subject SIGSEGV in Vect_cidx_find_next
Area grass6
Queue grass
Requestors stolze@de.ibm.com
Owner rblazek
Status open
Last User Contact Never contacted
Current Priority 70
Final Priority 70
Due No date assigned
Last Action Tue Feb 28 23:32:46 2006 (2 yr ago)
Created Thu Feb 16 18:14:39 2006 (3 yr ago)

Transaction History Ticket 4095


Thu, Feb 16 2006 18:14:39    Request created by guest  
Subject: SIGSEGV in Vect_cidx_find_next

Platform: GNU/Linux/x86
grass obtained from: Trento Italy site
grass binary for platform: Downloaded precompiled Binaries
GRASS Version: 6.0.1RC4

The function Vect_cidx_find_next() contains 3 critical bugs:

(1) bsearch() is called to find an element in the cat index where its cat
    value matches the given value.  The implemented logic ignores the fact
    that bsearch() does _not_ return the first element but rather _any_
    element that matches.  So there is the potential to loose elements with
successive scans on the cat index.

(2) When the type mask is evaluated, the cat value is ignored.  Thus, the
    returned id might refer to an element with a completely different cat
    value.

(3) The offset calculations for the second parameter passed to bsearch() are
wrong.  A single element in the "ci->cat" array already has a size of
    "3 * sizeof(int)".  Multiplying the start_index with this size will
    effectively result in an invalid offset, which can lead to traps or other
memory corruptions.

Proposed fixes:
---------------
(1) add the following piece after the bsearch() and the determination of
    "cat_index"

while (cat_index > start_index && ci->cat[cat_index-1][0] == cat) {
    cat_index--;
}


(2) fix the do-while loop at the end of the function like this:

do {
    if (ci->cat[cat_index][0] != cat) {
        return -1;
    }
    if (ci->cat[cat_index][1] & type_mask) {
        *type = ci->cat[cat_index][1];
        *id = ci->cat[cat_index][2];
        return cat_index;
    }
} while (cat_index < ci->n_cats);

(3) correct the parameters for bsearch() in the following way:

catp = bsearch(&cat, &ci->cat[start_index], ci->n_cats - start_index,
        sizeof ci->cat[0], cmp_cat);

Regards,
Knut Stolze
Tue, Feb 28 2006 23:32:46    Owner changed to rblazek by mneteler  
Comment | Reply | Resolve

You are currently authenticated as guest.
[Show Configuration] [Login as another user]

Users Guide - Mail Commands - Homepage of RequestTracker 1.0.7 - list any request