bug in file when using -c

Paul van Genderen paulvg at member.fsf.org
Tue Apr 4 13:09:14 BST 2006


Hi,

The '-c' parameter in the file command didn't work (segfault), so I
wanted to write a bug report about it. While chasing the bug, as writing
a report requires you to do, I found something interesting:

ubuntu at ubuntu:~$ file -c Examples/LICENSES.TXT
Segmentatie fout
ubuntu at ubuntu:~$ export LANG=C
ubuntu at ubuntu:~$ file -c Examples/LICENSES.TXT
(null), 0: Warning using regular magic file `/etc/magic'
cont    offset  type    opcode  mask    value   desc

Suddenly this seemed to be a translation bug, but upon investigating it
further, it seems to come down to the function magic_open in magic.c. It
does a malloc to allocate a struct magic_set, but doesn't fully
initialise the values:

(gdb) run
Starting program: /usr/bin/file -c ~/Examples/LICENSE.TXT

Breakpoint 5, main (argc=3, argv=0xbff98b74) at file.c:284
284                     magic = magic_open(flags|MAGIC_CHECK);
(gdb) print magic
$23 = (struct magic_set *) 0x0
(gdb) step 1
magic_open (flags=64) at magic.c:87
warning: Source file is more recent than executable.
87              if ((ms = malloc(sizeof(struct magic_set))) == NULL)
(gdb) print ms
$24 = (struct magic_set *) 0xb7f61020
(gdb) print ms->file
$25 = 0x8b000001 <Address 0x8b000001 out of bounds>
(gdb) step 1
90
(gdb) print ms->file
$26 = 0x45505954 <Address 0x45505954 out of bounds>
(gdb) continue
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xb7e852a3 in strlen () from /lib/tls/i686/cmov/libc.so.6
(gdb) up
#1  0xb7e592f7 in vfprintf () from /lib/tls/i686/cmov/libc.so.6
(gdb) up
#2  0xb7e55d7c in cuserid () from /lib/tls/i686/cmov/libc.so.6
(gdb) up
#3  0xb7e55fbb in vfprintf () from /lib/tls/i686/cmov/libc.so.6
(gdb) up
#4  0xb7e5e6af in fprintf () from /lib/tls/i686/cmov/libc.so.6
(gdb) up
#5  0xb7f6c5e1 in file_magwarn (ms=0x804d230,
    f=0xb7f6d85e "using regular magic file `%s'") at print.c:144
144             (void) fprintf(stderr, "%s, %lu: Warning ", ms->file,
(gdb) print ms->file
$27 = 0x45505954 <Address 0x45505954 out of bounds>

Clearly the uninitialised ms->file causes the segfault. strlen tries to
access the pointer and Linux promptly sends SIGSEGV as it should. What I
don't yet understand is why when I set the LANG environment variable to
C, the pointer is a NULL pointer, as shown in the above output example,
and verifiable with gdb:

Breakpoint 1, magic_open (flags=64) at magic.c:87
87              if ((ms = malloc(sizeof(struct magic_set))) == NULL)
(gdb) print ms->file
$4 = 0x8b000001 <Address 0x8b000001 out of bounds>
(gdb) step 1
90              if (magic_setflags(ms, flags) == -1) {
(gdb) print ms->file
$5 = 0x0

I've added a call to memset after line 88, here's the diff:
88a89
>       memset((void *)ms, 0, sizeof(struct magic_set));
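Review bot: the memset lands after the NULL check on line 87, which is the right place, but the same zeroing can be had in one call by replacing the malloc on line 87 with `calloc(1, sizeof(struct magic_set))`. Note also that zeroing only turns the garbage in ms->file into a NULL pointer; the `"%s, %lu: Warning "` format in file_magwarn (print.c:144) then receives NULL, which glibc happens to render as "(null)" but which is undefined behaviour in C, so the field still needs a valid string before any warning can be printed.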

This proved to be a useful workaround:

ubuntu at ubuntu:~$ echo $LANG
nl_NL.UTF-8
ubuntu at ubuntu:~$ file -c ~/Examples/LICENSES.TXT
(null), 0: Warning using regular magic file `/etc/magic'
cont    offset  type    opcode  mask    value   desc

But then the null pointer still looks ugly. So I chose to fix that in
apprentice_map in apprentice.c, by adding the following line after line
1057 (after the block of variable defines):

ms->file = fn;

Here's the diff:
1057a1058
>       ms->file = fn;
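Review bot: `ms->file = fn;` stores the pointer to fn rather than a copy, so it is only valid while fn's storage is; if the caller of apprentice_map frees or reuses that buffer after the call, a later file_magwarn would print through a dangling pointer. Either document that fn must outlive the magic_set or store a strdup'd copy and release it when the set is freed. The `0` in the warning output also shows that ms->line is not set here, so this assignment covers only the file name half of the message.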

This fixed the null pointer problem regardless of the LANG environment
variable:

ubuntu at ubuntu:~$ export LANG=C
ubuntu at ubuntu:~$ file -c Examples/LICENSES.TXT
/etc/magic, 0: Warning using regular magic file `/etc/magic'
cont    offset  type    opcode  mask    value   desc
ubuntu at ubuntu:~$ export LANG=nl_NL.UTF-8
ubuntu at ubuntu:~$ file -c Examples/LICENSES.TXT
/etc/magic, 0: Warning using regular magic file `/etc/magic'
cont    offset  type    opcode  mask    value   desc

So after this discovery I filled in the bug report form. It's reported
here: https://launchpad.net/distros/ubuntu/+source/file/+bug/38015 and I
have some questions:

1) I don't know exactly what magic -c should do; is this the right fix?
I suspect not.
2) Is the bug report ok?
3) Did I correctly assign it to myself? Should someone else have it?
4) Do I have to mail the upstream or Debian maintainer about this?

Thank you all,
Paul
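The bug pattern in the report, an uninitialised pointer field in a malloc'd struct reaching a "%s" in fprintf, is easy to reproduce in miniature. The following is an added example and not code from the email or from the file project: it uses a constructed three-field stand-in for struct magic_set (the real struct has many more fields), shows the malloc-only allocator beside a calloc-based one that also gives ms->file a valid placeholder, and replaces the fprintf with a formatter that tolerates a NULL file name instead of passing it to "%s". The function and field names other than file and line are assumptions chosen for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the fields of struct magic_set that the
 * warning printer touches; the real struct in file's magic.h has more. */
struct magic_set {
    const char *file;    /* name of the magic file being parsed */
    unsigned long line;  /* current line in that file */
    int flags;
};

/* Mirrors the original allocation pattern: malloc() leaves every field
 * holding whatever the heap held before, so ms->file is an arbitrary
 * pointer until something assigns it. Reading it before that is
 * undefined behaviour, which is why the report's output differs with
 * LANG: a different locale leaves different leftovers on the heap. */
struct magic_set *magic_open_buggy(int flags)
{
    struct magic_set *ms = malloc(sizeof *ms);
    if (ms == NULL)
        return NULL;
    ms->flags = flags;   /* the only field that gets a value */
    return ms;
}

/* Hardened version: calloc() zero-fills, equivalent to the memset the
 * report adds after line 88, and the file name gets a valid placeholder
 * so that a "%s" never receives NULL. */
struct magic_set *magic_open_fixed(int flags)
{
    struct magic_set *ms = calloc(1, sizeof *ms);
    if (ms == NULL)
        return NULL;
    ms->flags = flags;
    ms->file = "unknown";  /* replaced once a magic file is opened */
    ms->line = 0;
    return ms;
}

/* Called when a magic file is mapped, like the report's second diff.
 * Assumption: fn outlives ms, since only the pointer is stored. */
void magic_set_source(struct magic_set *ms, const char *fn)
{
    ms->file = fn;
    ms->line = 0;
}

/* Safe counterpart to file_magwarn(): formats into a caller-supplied
 * buffer and substitutes a marker for a NULL file name rather than
 * handing NULL to "%s". Returns snprintf's would-be length. */
int format_magwarn(const struct magic_set *ms, const char *msg,
                   char *buf, size_t n)
{
    const char *name = (ms->file != NULL) ? ms->file : "(no magic file)";
    return snprintf(buf, n, "%s, %lu: Warning %s", name, ms->line, msg);
}

/* Returns 1 if the set can be passed to the warning printer at all. */
int magic_set_is_printable(const struct magic_set *ms)
{
    return ms != NULL && ms->file != NULL;
}

/* Formats a warning for ms and compares it with an expected string. */
int warning_matches(const struct magic_set *ms, const char *msg,
                    const char *expected)
{
    char buf[256];
    format_magwarn(ms, msg, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[256];
    const char *msg = "using regular magic file `/etc/magic'";
    struct magic_set *ms = magic_open_fixed(64);
    if (!magic_set_is_printable(ms))
        return 1;
    format_magwarn(ms, msg, buf, sizeof buf);
    puts(buf);                        /* unknown, 0: Warning using ... */
    magic_set_source(ms, "/etc/magic");
    format_magwarn(ms, msg, buf, sizeof buf);
    puts(buf);                        /* /etc/magic, 0: Warning using ... */
    free(ms);
    return 0;
}
```

magic_open_buggy is kept only to show the shape of the original allocation; the example never reads its file field, because that read is the undefined behaviour the report chases. Compiling with sanitizers (for instance MemorySanitizer in clang) would flag such a read at runtime, which is a quicker route to this class of bug than the gdb session in the report.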