The svn_hacks.1.2.diff patch crashes subversion when a tag is created.

Fix:

A git-style patch that renames svn_hacks_1.2.diff to svn_hacks_1.3.diff and patches the subversion ports to use it, and bumps PORTREVISION to 3 is attached below:

%%%
===========================================================================
The changes from svn_hacks_1.2.diff to svn_hacks_1.3.diff are ...
%%%

How-To-Repeat:

Running the following shell script shows the core dump in action, and leaves an `svn.core' file in `B/svn.core':

    #!/bin/sh

    set -e

    svnpath=`pwd`
    svnadmin create svn-repo

    mkdir proj
    cd proj
    mkdir trunk
    mkdir tags
    cd ..

    svnurl=file://$svnpath/svn-repo/proj%20B
    svn import -m "init project repository" proj $svnurl

    echo % add filename with spaces
    svn co $svnurl/trunk B
    cd B
    echo hello > 'letter .txt'
    svn add 'letter .txt'
    svn ci -m hello

    echo % append to filename with spaces
    echo world >> 'letter .txt'
    svn ci -m world

    echo % create tag
    svn copy -m "tag v0.1" $svnurl/trunk $svnurl/tags/v0.1

    echo % append once more
    echo 'nice day today!' >> 'letter .txt'
    svn ci -m "nice day"
    cd ..

    echo % append after tagging and add a new file
    cd B
    echo "see second letter" >> 'letter .txt'
    echo "nice to meet you" > letter2.txt
    svn add letter2.txt
    svn ci -m "second letter"

    echo % second tag
    svn copy -m "tag v0.2" $svnurl/trunk $svnurl/tags/v0.2

    echo % append to second letter
    echo "blah-blah-blah" >> letter2.txt
    svn ci -m "work in progress"
    cd ..

Running the script with subversion-freebsd patched by svn_hacks.1.2.diff results in:

    keramida@kobe:/tmp/svncore$ sh test.sh
    Adding proj/trunk
    Adding proj/tags

    Committed revision 1.
    % add filename with spaces
    Checked out revision 1.
    A letter .txt
    Adding letter .txt
    Transmitting file data .
    Committed revision 2.
    % append to filename with spaces
    Sending letter .txt
    Transmitting file data .
    Committed revision 3.
    % create tag
    Segmentation fault (core dumped)
    keramida@kobe:/tmp/svncore$ find . -name svn.core
    ./B/svn.core
    keramida@kobe:/tmp/svncore$

and the core dump backtrace is:

    #0 strstr (s=0x4 <Address 0x4 out of bounds>, find=0x806e78a "R:") at /usr/src/lib/libc/string/strstr.c:54
    54 if ((sc = *s++) == '\0')
    [New Thread 28a01140 (LWP 100167)]
    (gdb) bt
    #0 strstr (s=0x4 <Address 0x4 out of bounds>, find=0x806e78a "R:") at /usr/src/lib/libc/string/strstr.c:54
    #1 0x0805c3cc in cleanmsg ()
    #2 0x0805d1f9 in svn_cl__get_log_message ()
    #3 0x280bf4d2 in svn_client__get_log_msg () from /usr/local/lib/libsvn_client-1.so.0
    #4 0x280c4a96 in repos_to_repos_copy () from /usr/local/lib/libsvn_client-1.so.0
    #5 0x280c5997 in try_copy () from /usr/local/lib/libsvn_client-1.so.0
    #6 0x280c6383 in svn_client_copy5 () from /usr/local/lib/libsvn_client-1.so.0
    #7 0x0804edca in svn_cl__copy ()
    #8 0x08054c79 in main ()
    (gdb)

The problem seems to be a use before initialization of the `log_msg' pointer in the (patched) version of util.c:svn_cl__get_log_message() in subversion-1.6.0/subversion/svn/util.c. Near line 743 of the patched version we have:

    truncate_buffer_at_prefix(&(log_msg_buf->len), log_msg_buf->data, EDITOR_EOF_PREFIX);
    cleanmsg(NULL, (char*)*log_msg);

So we prepare the log message in log_msg_buf->data, but then we try to cleanmsg() the (uninitialized so far) pointer at *log_msg.

I've renamed svn_hacks.1.2.diff to svn_hacks.1.3.diff and changed only the cleanmsg() call to use:

    cleanmsg(NULL, (char *)log_msg_buf->data);

This seems to work slightly better, and now I can run the test script without any core dumps.
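
The use-before-initialization described in the report above, reduced to a stand-alone C sketch. This is an added example, not code from the Subversion source or the FreeBSD patch: `scrub`, `struct msg_buf`, the `--EOF--` marker and both `get_log_message_*` functions are hypothetical stand-ins.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins, not Subversion or FreeBSD-patch code. */
struct msg_buf { char *data; size_t len; };
#define MARKER "--EOF--"   /* constructed marker value */

/* Cut `text` at the first occurrence of `marker`; -1 on NULL input. */
static int scrub(char *text, const char *marker)
{
    if (text == NULL || marker == NULL)
        return -1;
    char *hit = strstr(text, marker);
    if (hit != NULL)
        *hit = '\0';
    return 0;
}

/* Order from the report: the out-parameter is scrubbed before anything was
 * stored in it, so scrub() receives whatever the caller's variable held. */
int get_log_message_buggy(const char **log_msg, struct msg_buf *buf)
{
    int rc = scrub((char *)*log_msg, MARKER);
    *log_msg = buf->data;          /* published unscrubbed */
    return rc;
}

/* Corrected order: scrub the buffer that holds the text, then publish it. */
int get_log_message_fixed(const char **log_msg, struct msg_buf *buf)
{
    int rc = scrub(buf->data, MARKER);
    if (rc == 0) {
        buf->len = strlen(buf->data);
        *log_msg = buf->data;
    }
    return rc;
}

int main(void)
{
    char text[] = "tag v0.1\n" MARKER "\nignored\n";   /* constructed input */
    struct msg_buf buf = { text, sizeof text - 1 };
    const char *msg = NULL;
    int rc = get_log_message_fixed(&msg, &buf);
    printf("rc=%d msg=\"%s\"\n", rc, msg);
    return 0;
}
```

In the backtrace above the stale pointer value was 0x4, not NULL, so a NULL check like the one in `scrub` would not have caught it; the reordering is what removes the defect.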

lev 2009-04-30 07:42:50 UTC

FreeBSD ports repository

Modified files:
  devel/subversion distinfo
  devel/subversion-freebsd Makefile
Log:
Fix FreeBSD hacks not to crash on memory deallocation.

PR: ports/134091
Submitted by: Giorgos Keramidas <keramida@freebsd.org>

Revision Changes Path
1.132 +2 -1 ports/devel/subversion-freebsd/Makefile
1.65 +3 -3 ports/devel/subversion/distinfo

State Changed
From-To: open->closed

Committed, thanks!

Responsible Changed
From-To: freebsd-ports-bugs->lev

Take it.