[Rd] read.table() causes segfault with incorrect data (PR#11627)

Bill Dunlap bill at insightful.com
Wed Jun 11 18:37:56 CEST 2008


On Wed, 11 Jun 2008 juho.vuori at fimr.fi wrote:

> Full_Name: Juho Vuori
> Version: 2.7.0 (2008-04-22)
> OS: Linux poseidon.fimr.fi 2.6.23.17-88.fc7PAE #1 SMP Thu May 15 00:22:53 EDT 2008 i686 i686 i386 GNU/Linux
> Submission from: (NULL) (193.166.188.194)
>
>
> Calling read.table() twice the following way causes a segmentation fault in R.
> Run R and type the following commands:
>
> > read.table(stdin())
> 0: 1 2 3
> 1: 3
> 2:
> Error in scan(file, what, nmax, sep, dec, quote, skip, nlines, na.strings,  :
>   line 2 did not have 3 elements
> > read.table(stdin())
>
>  *** caught segfault ***
> address 0x64616572, cause 'memory not mapped'
>

valgrind shows that con->nPushBack>0 but con->PushBack
has already been freed by do_clearpushback:

    > read.table(stdin())
    0: 1 2 3
    1: 3
    2:
    Error in scan(file, what, nmax, sep, dec, quote, skip, nlines, na.strings,  :
      line 2 did not have 3 elements
    > read.table(stdin())
    ==11631== Invalid read of size 4
    ==11631==    at 0x80B3281: ConsoleGetcharWithPushBack (scan.c:130)
    ==11631==    by 0x80B348E: scanchar (scan.c:214)
    ==11631==    by 0x80B7E24: do_readtablehead (scan.c:1568)
    ==11631==    by 0x80653E0: do_internal (names.c:1129)
    ...
    ==11631==  Address 0x443E638 is 0 bytes inside a block of size 20 free'd
    ==11631==    at 0x40052A3: free (vg_replace_malloc.c:233)
    ==11631==    by 0x8128A41: do_clearpushback (connections.c:3671)
    ==11631==    by 0x80653E0: do_internal (names.c:1129)
    ==11631==    by 0x815EA27: Rf_eval (eval.c:461)
    ==11631==    by 0x812B133: R_run_onexits (context.c:147)

    0x080b3281 in ConsoleGetcharWithPushBack (con=0x4067c50) at scan.c:130
    130             curLine = con->PushBack[con->nPushBack-1];
    (gdb) print con
    $1 = 0x4067c50
    (gdb) print con->PushBack
    $2 = (char **) 0x443e638

The following change to connections.c:do_clearpushback() seems to fix it.

Index: connections.c
===================================================================
--- connections.c       (revision 45893)
+++ connections.c       (working copy)
@@ -3669,6 +3669,7 @@
     if(con->nPushBack > 0) {
        for(j = 0; j < con->nPushBack; j++) free(con->PushBack[j]);
        free(con->PushBack);
+        con->nPushBack = 0 ;
     }
     return R_NilValue;
 }
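Review bot: resetting `con->nPushBack` removes the stale count that let ConsoleGetcharWithPushBack index the freed array, but `con->PushBack` is left pointing at the freed block; add `con->PushBack = NULL;` beside the new line so that any later path that frees, reallocs or tests the pointer (a second clear, or a push-back that grows the old array) cannot reuse freed memory. Minor style point in the added line: `con->nPushBack = 0 ;` has a space before the semicolon, unlike the surrounding code.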

----------------------------------------------------------------------------
Bill Dunlap
Insightful Corporation
bill at insightful dot com

 "All statements in this message represent the opinions of the author and do
 not necessarily reflect Insightful Corporation policy or position."
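As an added example, not part of this message or of R's own sources: a minimal C stand-in for the connection push-back buffer that reproduces the failure mode the valgrind trace shows (a clear routine that frees the array but leaves nPushBack > 0), beside a version that resets the count and drops the pointer. The struct `PushBackConn` and the functions `pushback_line`, `clear_pushback_buggy`, `clear_pushback_fixed`, `pushback_getc`, `stale_count_after_buggy_clear`, `stale_count_after_fixed_clear` and `drain_two_lines_text` are hypothetical names chosen here; the field names follow the gdb output above, and the two pushed-back lines are the ones from the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the push-back fields of an R connection;
 * field names follow the gdb output in the report. */
typedef struct {
    char **PushBack;    /* pushed-back lines, most recent last */
    int    nPushBack;   /* number of entries in PushBack */
    int    posPushBack; /* read offset within the current line */
} PushBackConn;

/* Append a copy of `line` to the push-back stack. */
static void pushback_line(PushBackConn *con, const char *line) {
    size_t n = strlen(line) + 1;
    char **grown = realloc(con->PushBack, (size_t)(con->nPushBack + 1) * sizeof *grown);
    char *copy = malloc(n);
    if (!grown || !copy) abort();
    memcpy(copy, line, n);
    con->PushBack = grown;
    con->PushBack[con->nPushBack++] = copy;
    con->posPushBack = 0;
}

/* Pre-patch do_clearpushback: storage freed, but nPushBack keeps its
 * old value and PushBack keeps the freed address. */
static void clear_pushback_buggy(PushBackConn *con) {
    if (con->nPushBack > 0) {
        for (int j = 0; j < con->nPushBack; j++) free(con->PushBack[j]);
        free(con->PushBack);
    }
}

/* Hardened clear: reset the count (what the posted patch adds) and also
 * drop the pointer, so a repeat clear or later push cannot reuse the block. */
static void clear_pushback_fixed(PushBackConn *con) {
    if (con->nPushBack > 0) {
        for (int j = 0; j < con->nPushBack; j++) free(con->PushBack[j]);
        free(con->PushBack);
    }
    con->nPushBack = 0;
    con->PushBack = NULL;
    con->posPushBack = 0;
}

/* Simplified reader: next char from the stack, '\n' at end of each line,
 * EOF when the stack is empty (R would fall back to the console here). */
static int pushback_getc(PushBackConn *con) {
    if (con->nPushBack <= 0) return EOF;
    char *cur = con->PushBack[con->nPushBack - 1];   /* scan.c:130 */
    int c = (unsigned char) cur[con->posPushBack++];
    if (c != '\0') return c;
    free(cur);                    /* line consumed: step down the stack */
    con->nPushBack--;
    con->posPushBack = 0;
    if (con->nPushBack == 0) { free(con->PushBack); con->PushBack = NULL; }
    return '\n';
}

/* Report scenario: a line is pushed back, read.table fails and clears,
 * then a second read.table calls the reader. The reader takes the
 * push-back branch whenever nPushBack > 0, so after the buggy clear it
 * would index freed memory. Returns 1 in that case; only the count is
 * inspected here, the dangling pointer is never dereferenced. */
int stale_count_after_buggy_clear(void) {
    PushBackConn con = { NULL, 0, 0 };
    pushback_line(&con, "1 2 3");
    clear_pushback_buggy(&con);
    return con.nPushBack > 0;   /* 1: the segfault path */
}

/* Same sequence with the hardened clear, run twice to show it is
 * idempotent. Returns 0 when the connection is left clean. */
int stale_count_after_fixed_clear(void) {
    PushBackConn con = { NULL, 0, 0 };
    pushback_line(&con, "1 2 3");
    clear_pushback_fixed(&con);
    int stale = con.nPushBack > 0;
    clear_pushback_fixed(&con);               /* no double free */
    return stale || con.PushBack != NULL || pushback_getc(&con) != EOF;
}

/* Push the report's two lines and drain them: most recent comes first. */
const char *drain_two_lines_text(void) {
    static char out[64];
    PushBackConn con = { NULL, 0, 0 };
    size_t len = 0;
    int c;
    pushback_line(&con, "1 2 3");
    pushback_line(&con, "3");
    while ((c = pushback_getc(&con)) != EOF && len + 1 < sizeof out) out[len++] = (char) c;
    out[len] = '\0';
    return out;   /* "3\n1 2 3\n" */
}
```

The buggy scenario never touches the freed array itself; it only reports that the reader's guard (`nPushBack > 0`) would let it through, which is exactly the condition the valgrind trace records. Running the real sequence under valgrind or AddressSanitizer is the practical way to confirm the original defect, while the hardened clear makes the invariant "nPushBack == 0 implies PushBack == NULL" hold after every clear.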


