Package: expect
Version: 5.45-4

The ecases_remove_by_expi() function in expect.c uses memcpy() to shift
elements down. The areas can be overlapping. When they are, the
construct is non-portable and can lead to memory corruption.

Please replace the memcpy call with a memmove call. That fixes the
issue.

I have already reported this issue upstream. See:
https://sourceforge.net/p/expect/patches/16/

The following script demonstrates the problem. Save it in a file called
trigger2.expect and run the following:

$ valgrind expect trigger2.expect

You will see an error message similar to:

==10665== Source and destination overlap in memcpy(0x60b9170, 0x60b9178, 16)
==10665==    at 0x4C2E820: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)

I have not been able to come up with a minimal example that crashes
expect, but when I'm trying to run the test suite of the LysKOM server
it very often (but unpredictably) crashes.

---cut here for trigger2.expect---
#!/usr/bin/env expect

spawn echo
set a $spawn_id

spawn sleep 1
set b $spawn_id

set spawn_id $a

expect_after {
    -i $a full_buffer { }
    -i $b full_buffer { }
    timeout { }
}

expect eof { }
---cut here for trigger2.expect---

Suggested fix:

--- expect5.45/expect.c~        2010-10-27 00:09:36.000000000 +0200
+++ expect5.45/expect.c 2013-08-01 20:23:12.747965810 +0200
@@ -1094,10 +1094,10 @@
                        /* shift remaining elements down */
                        /* but only if there are any left */
                        if (i+1 != ecmd->ecd.count) {
-                               memcpy(&ecmd->ecd.cases[i],
-                                      &ecmd->ecd.cases[i+1],
-                                       ((ecmd->ecd.count - i) - 1) * 
-                                       sizeof(struct exp_cmd_descriptor *));
+                               memmove(&ecmd->ecd.cases[i],
+                                       &ecmd->ecd.cases[i+1],
+                                        ((ecmd->ecd.count - i) - 1) *
+                                        sizeof(struct exp_cmd_descriptor *));
                        }
                        ecmd->ecd.count--;
                        if (0 == ecmd->ecd.count) {
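
Review bot: In the new memmove() call the element size is still spelled as sizeof(struct exp_cmd_descriptor *), which is not tied to the declared type of ecmd->ecd.cases; writing sizeof(ecmd->ecd.cases[0]) would make the byte count follow the array's element type if it ever changes. The switch to memmove() is correct for this shift, since the destination &ecmd->ecd.cases[i] and the source &ecmd->ecd.cases[i+1] are one slot apart and overlap whenever more than one element remains to be moved.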

Yours,
    /ceder
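
An added example (not code from expect or from this report): a small C model of the shift in the patch, showing that source and destination overlap whenever two or more elements remain after the removed slot, which matches the 16-byte copy between addresses 8 bytes apart in the valgrind output above. `struct item` and all function names are hypothetical, chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the element type; the array holds pointers. */
struct item { int id; };

/* True when [dst, dst+n) and [src, src+n) share bytes: the case where
 * memcpy() is undefined and memmove() is required. */
static int ranges_overlap(const void *dst, const void *src, size_t n)
{
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    if (n == 0) return 0;
    return d < s ? s - d < n : d - s < n;
}

/* Bytes that move down when slot i of a count-element array is removed. */
static size_t tail_bytes(size_t count, size_t i)
{
    return (count - i - 1) * sizeof(struct item *);
}

/* Would this shift, done with memcpy(), get overlapping arguments? */
static int shift_overlaps(struct item **cases, size_t count, size_t i)
{
    return ranges_overlap(&cases[i], &cases[i + 1], tail_bytes(count, i));
}

/* Remove slot i by shifting the tail down; returns the new count. */
static size_t remove_at(struct item **cases, size_t count, size_t i)
{
    if (i >= count) return count;        /* nothing to remove */
    if (i + 1 != count)                  /* only shift when a tail exists */
        memmove(&cases[i], &cases[i + 1], tail_bytes(count, i));
    return count - 1;
}

int main(void)
{
    struct item a = {1}, b = {2}, c = {3};   /* constructed sample data */
    struct item *cases[3] = {&a, &b, &c};
    printf("remove 0 of 3: overlap=%d\n", shift_overlaps(cases, 3, 0));
    printf("remove 1 of 3: overlap=%d\n", shift_overlaps(cases, 3, 1));
    size_t n = remove_at(cases, 3, 0);
    printf("count=%zu first=%d second=%d\n", n, cases[0]->id, cases[1]->id);
    return 0;
}
```

Removing the second-to-last element moves a single slot and does not overlap, so a memcpy()-based shift only misbehaves for some removal positions.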