Return-Path: X-Original-To: apmail-subversion-dev-archive@minotaur.apache.org Delivered-To: apmail-subversion-dev-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 71746185FA for ; Mon, 4 Jan 2016 15:17:10 +0000 (UTC) Received: (qmail 15434 invoked by uid 500); 4 Jan 2016 15:17:10 -0000 Delivered-To: apmail-subversion-dev-archive@subversion.apache.org Received: (qmail 15374 invoked by uid 500); 4 Jan 2016 15:17:10 -0000 Mailing-List: contact dev-help@subversion.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@subversion.apache.org Received: (qmail 15363 invoked by uid 99); 4 Jan 2016 15:17:10 -0000 Received: from mail-relay.apache.org (HELO mail-relay.apache.org) (140.211.11.15) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 04 Jan 2016 15:17:10 +0000 Received: from [192.168.1.240] (e183083236.adsl.alicedsl.de [85.183.83.236]) by mail-relay.apache.org (ASF Mail Server at mail-relay.apache.org) with ESMTPSA id 735F51A0238; Mon, 4 Jan 2016 15:17:09 +0000 (UTC) Message-ID: <568A8CF3.9050707@apache.org> Date: Mon, 04 Jan 2016 16:17:07 +0100 From: Stefan Fuhrmann Organization: Apache Software Foundation User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0 MIME-Version: 1.0 To: =?UTF-8?B?SGFubm8gQsO2Y2s=?= CC: dev@subversion.apache.org Subject: Re: Invalid memory reads in first_non_fsm_start_char_cstring (utf_validate.c) References: <20151219000359.4baf4691@pc1> <567E751C.2030706@apache.org> <20160103154638.58ff9e8d@pc1> <5689568F.4090702@apache.org> <20160103185031.1c1ef529@pc1> In-Reply-To: <20160103185031.1c1ef529@pc1> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit On 03.01.2016 18:50, Hanno Böck wrote: > On Sun, 3 Jan 2016 18:12:47 +0100 > Branko Čibej wrote: > >> GCC (or any other compiler) may do a lot of things, but it's not >> allowed to change the way APR pool allocation works. We're not using >> malloc(); we're using apr_palloc() & co. > > Okay, I think we have a misunderstanding here. > > The error I encountered is not by code allocated by apr_palloc. It > actually comes from this line in notify.c: > SVN_ERR(svn_dirent_get_absolute(&nb->path_prefix, "", pool)); > > The memory that is read out of bounds is the "" string literal. Yep, you are right. Turns out that the whole code path was (almost) a duplication of a function that does not have this problem. Fixed in r1722860. A related problem was then found by our SOLARIS build bot and got fixed in r1722879 and r1722887. Thanks for the detailed report! -- Stefan^2.