[sword-devel] problem with max length in sword::OSISPlain::handleToken()

Karl Kleinpaste karl at kleinpaste.org
Thu May 29 08:29:49 MST 2008


I'm chasing a GS crash bug which turns out to be a problem with the
underlying Sword support, in which it has passed a max length of zero to
GS_StringMgr::upperUTF8().

The bug is tripped during a search which subsequently calls
SWModule::StripText() and eventually lands in this code:
32              int newlen = strlen(upper_str);
33              if (newlen >= maxlen) newlen = maxlen - 1;
34              memcpy(text, upper_str, newlen);                // SEGV HERE.
35              text[newlen] = 0;

In the backtrace, note that GS_StringMgr::upperUTF8() has been given maxlen=0.

#0  0x081231f4 in sword::GS_StringMgr::upperUTF8 (this=0x99cc550, text=0xb5b6c1b "LORD", maxlen=0) at gs_stringmgr.cpp:34
#1  0x0817c1b8 in sword::toupperstr (t=0xb5b6c1b "LORD", max=0) at ../include/stringmgr.h:94
#2  0x0818135f in sword::OSISPlain::handleToken (this=0xb7a5638, buf=@0xb9c6964, token=0xbfbe679c "/divineName", userData=0xc1d7560) at ../src/modules/filters/osisplain.cpp:172
#3  0x081d0d85 in sword::SWBasicFilter::processText (this=0xb7a5638, text=@0xb9c6964, key=0xc1cd6b8, module=0xb9c68dc) at ../src/modules/filters/swbasicfilter.cpp:364
#4  0x081be2e2 in sword::SWModule::filterBuffer (this=0xb9c68dc, filters=0x91c66d8, buf=@0xb9c6964, key=0xc1cd6b8) at ../src/modules/swmodule.cpp:1271
#5  0x081af5d9 in sword::SWModule::stripFilter (this=0xb9c68dc, buf=@0xb9c6964, key=0xc1cd6b8) at ../include/swmodule.h:566
#6  0x081c0f66 in sword::SWModule::RenderText (this=0xb9c68dc, buf=0x0, len=-1, render=false) at ../src/modules/swmodule.cpp:796
#7  0x081be256 in sword::SWModule::StripText (this=0xb9c68dc, buf=0x0, len=-1) at ../src/modules/swmodule.cpp:762
#8  0x0813582f in BackEnd::get_strip_text (this=0xb790b20, module_name=0x90f20c8 "NASB", key=0xc137dc0 "Deuteronomy 12:5") at sword_main.cc:496
#9  0x0810f991 in main_do_dialog_search () at search_dialog.cc:1492

(gdb) p text
$1 = 0xb5b6c1b "LORD"
(gdb) p upper_str
$2 = 0xc1d8f18 "LORD"
(gdb) p newlen
$3 = -1
(gdb) up
#1  0x0817c1b8 in sword::toupperstr (t=0xbc43653 "LORD", max=0) at ../include/stringmgr.h:94
94              return StringMgr::getSystemStringMgr()->upperUTF8(t, max);
(gdb) p max
$4 = 0

memcpy() takes an unsigned (size_t) length, and GS inadvertently handed
it 0xffffffff because sword::toupperstr() gave us 0.  That, in turn, is
because OSISPlain::handleToken() called toupperstr with one arg,
defaulting its 2nd arg "max" to zero.
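The following is an added illustration of the length underflow described above; it is not code from SWORD or GnomeSword. `buggy_copy_length()` mirrors the arithmetic quoted from gs_stringmgr.cpp lines 32-34 but returns the value memcpy() would have received instead of performing the copy, so the maxlen=0 case can be exercised without faulting; the `int` type of maxlen is an assumption. `safe_upper_copy()` is one hardened variant (again, not SWORD's actual fix) that rejects a zero-sized buffer before the `maxlen - 1` can wrap. On the 32-bit host in the backtrace the wrapped value is 0xffffffff; on any platform it is SIZE_MAX.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Reconstruction of the quoted computation (hypothetical, for illustration).
 * Returns the size_t that memcpy() would be handed rather than copying. */
size_t buggy_copy_length(const char *upper_str, int maxlen) {
    int newlen = (int)strlen(upper_str);
    if (newlen >= maxlen) newlen = maxlen - 1;  /* maxlen == 0 -> newlen == -1 */
    return (size_t)newlen;                       /* -1 converts to SIZE_MAX */
}

/* Hardened variant (added example): a buffer with no room for even the
 * terminating NUL is an error, not a copy of "everything". */
int safe_upper_copy(char *text, unsigned int maxlen, const char *upper_str) {
    size_t len;
    if (text == NULL || upper_str == NULL) return -1;
    if (maxlen == 0) return -1;                 /* checked before subtracting */
    len = strlen(upper_str);
    if (len >= maxlen) len = maxlen - 1;        /* cannot underflow now */
    memcpy(text, upper_str, len);
    text[len] = '\0';
    return (int)len;
}

int main(void) {
    char buf[8];
    printf("buggy length for maxlen=0: %zu\n", buggy_copy_length("LORD", 0));
    printf("safe copy, maxlen=0 -> %d\n", safe_upper_copy(buf, 0, "LORD"));
    printf("safe copy, maxlen=8 -> %d (%s)\n", safe_upper_copy(buf, 8, "LORD"), buf);
    printf("safe copy, maxlen=3 -> %d (%s)\n", safe_upper_copy(buf, 3, "LORD"), buf);
    return 0;
}
```

The constructed input "LORD" is the string shown in the backtrace; with the buggy arithmetic and maxlen=0 the computed length wraps to SIZE_MAX, which is exactly the over-long memcpy() that faults at line 34.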


