#522 incidental crash when using {via} transformations

Milestone: 1.7.x
Status: closed-fixed
Labels: core (110)
Priority: 5
Updated: 2014-12-08
Created: 2012-05-09
Creator: Walter Doekes
Private: No

Hi,

see attached patch.

If you look at it, you'll see that the old code is wrong. If the next via is only 1-4 bytes longer than the previous one, we start overwriting memory.

And that looks like this:
CRITICAL:core:qm_debug_frag: qm_*: prev. fragm. tail overwritten(c000410a, abcdefed)[0x8701f0:0x870220]!
or this:
CRITICAL:core:qm_debug_frag: qm_*: prev. fragm. tail overwritten(c0c0c000, abcdefed)[0x86f890:0x86f8c0]!

Regards,
Walter Doekes
OSSO B.V.

Discussion

  • Hi Walter,

    I tried a different approach for the fix - without adding a new variable, but using _tr_via.len to keep the real len, and to correct +4 where needed :)

    Could you please test this fix?

    Thanks and regards,
    Bogdan

    • assigned_to: nobody --> bogdan_iancu
    • status: open --> open-accepted

  • following the IRC chat, here is an optimised patch ;). Could you confirm everything is ok?

    Thanks and regards,
    Bogdan

  • fix on SVN trunk, 1.8 and 1.7

    • status: open-accepted --> closed-fixed
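As an added illustration (not the attached patch and not OpenSIPS code, whose exact lines are not on this page), the C model below reproduces the bookkeeping error the report describes: a reusable buffer records its whole allocation, 4-byte slack included, as its length, so a Via that is 1 to 4 bytes longer still passes the fit check and the trailer runs past the block; the fixed variant keeps the real length and checks against len + 4, in the spirit of Bogdan's comment. The buffer struct, the "\r\n\r\n" trailer and the Via lengths are constructed assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical model (not OpenSIPS code) of a reusable {via} buffer: the
 * block is reallocated only when the next value does not fit, and a 4-byte
 * trailer (constructed here as "\r\n\r\n") follows the copied value, so
 * every write needs n + 4 bytes of room. */
#define TRAILER 4

struct via_buf { char *s; size_t alloc; size_t len; };

/* Instead of writing past the block, return how many bytes would overflow. */
static size_t store(struct via_buf *b, const char *via, size_t n, int fixed)
{
    size_t need = n + TRAILER;
    /* Buggy check: the recorded len is the whole allocation (slack included),
     * so a value 1..4 bytes longer still "fits". Fixed check: the real need. */
    int grow = fixed ? (b->s == NULL || b->alloc < need)
                     : (b->len == 0 || b->len < n);
    if (grow) {
        free(b->s);
        if ((b->s = malloc(need)) == NULL) abort();
        b->alloc = need;
    }
    b->len = fixed ? n : b->alloc;        /* fixed: keep the real length */
    if (need > b->alloc)
        return need - b->alloc;           /* would overwrite the next chunk */
    memcpy(b->s, via, n);
    memcpy(b->s + n, "\r\n\r\n", TRAILER);
    return 0;
}
/* Store a Via of length a, then one of length b (both <= 64, constructed
 * filler bytes), and report the overflow of the second write; 0 is safe. */
static size_t overflow_after(size_t a, size_t b, int fixed)
{
    char via[64];
    struct via_buf buf = { NULL, 0, 0 };
    memset(via, 'v', sizeof via);
    store(&buf, via, a, fixed);
    size_t over = store(&buf, via, b, fixed);
    free(buf.s);
    return over;
}

int main(void)
{
    for (size_t extra = 1; extra <= 5; extra++)
        printf("next Via %zu bytes longer: buggy overflows by %zu, fixed by %zu\n",
               extra, overflow_after(20, 20 + extra, 0), overflow_after(20, 20 + extra, 1));
    return 0;
}
```

A value 5 or more bytes longer fails even the buggy check and is reallocated, which is why the report pins the crash to the 1 to 4 byte case.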