Bug#399828: [DebianGIS] gpstrans bug

2006-12-11 Thread Hamish
re. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=399828

some more clues,

---

include/Garmin.h:
  typedef unsigned char BYTE;
...
/* Garmin message type characters */
#define RTE_NAM 0x1d  /* Route name record */
#define RTE_WPT 0x1e  /* Route waypoint record */
#define ALM     0x1f  /* Almanac record */
#define TRK     0x22  /* Track record */
#define WPT     0x23  /* Waypoint record */
#define GMNID   0x7e  /* Request Garmin ID */

---

If I add

src/gps/getgpsinfo.c
... line 333 ...
  unsigned short udata;
  int n;
+ for (i=0; i strlen(gGarminMessage); i++) {
+printf(gGarminMessage[%d]=[%d]\n, i, gGarminMessage[i]);
+ }
+ printf(\n);
  getGPSMessage();
  n=data[-1];
+ for (i=0; i strlen(gGarminMessage); i++) {
+printf(gGarminMessage[%d]=[%d]\n, i, gGarminMessage[i]);
+ }
  p=protocols=xmalloc(5*n/3+1);
  for ( ; n; n-=3)
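
Review bot: strlen(gGarminMessage) in both added loops treats a binary BYTE buffer as a C string, so each dump stops at the first zero byte (the second one ends after index 3) and would read past the buffer if no zero byte were present. Bound the loops by the message length instead, for example the count byte the code reads as data[-1] plus the header bytes before it, so the whole received packet is shown. Printing the values in hex would also make them easier to compare with the message type constants in Garmin.h.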


I get
gGarminMessage[0]=[16]
gGarminMessage[1]=[32]
gGarminMessage[2]=[6]
gGarminMessage[3]=[52]
gGarminMessage[4]=[46]
gGarminMessage[5]=[54]
gGarminMessage[6]=[48]
gGarminMessage[7]=[32]

gGarminMessage[0]=[16]
gGarminMessage[1]=[9]
gGarminMessage[2]=[2]
gGarminMessage[3]=[1]
Segmentation fault

---

- n=data[-1];
+ gGarminMessage[2];
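
Review bot: the replacement line reads the same byte as the line it removes, because getGPSVersion() sets data to gGarminMessage+3 and data[-1] is therefore gGarminMessage[2], so no change in behaviour can be expected from this swap. As shown, the new line also has no assignment to n; if it is kept it should read n=gGarminMessage[2];.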

doesn't help any.

---

also, from -i --debug for my Garmin 48:

product ID 0x60=96, software version 0x01cc=460, protocol string: 
L001 A010 A100 D103 A200 D201 D103 A300 D300 A400 D403 A500 D501 A600 D600 A700 
D700

---


Hamish





Bug#399828: [DebianGIS] gpstrans

2006-12-09 Thread Hamish
Hi,

I finally got my hands on a Garmin 48 to test with.
(running self compiled v0.40 on Sarge, ia32)


# get GPS identity
$ gpstrans-0.40 -p/dev/ttyS0 -i 2>/dev/null
Connected GPS [/dev/ttyS0] is: Garmin GPS 48 SOFTWARE - V4.60


# download waypoints
$ gpstrans-0.40 -p/dev/ttyS0 -dw --debug
[... (c) 1998-2005 ...]
CheckGPS: sending test packet
CheckGPS: sending test packet
getGPSVersion: sending product data request
Segmentation fault


(but every 6th or so time the program works and downloads the data)


(gdb) bt f
#0  0x400b103b in vsprintf () from /lib/libc.so.6
No symbol table info available.
#1  0x4009e98d in sprintf () from /lib/libc.so.6
No symbol table info available.
#2  0x0804e9db in getGPSVersion (string=0xb8e8) at getgpsinfo.c:344
s = (
BYTE *) 0x806ff22 824 2128 4128 1143  126 4824 1131 1822 1138  143 2824  
128 8136 1131  126 3824  128 5128 8133  125 2824 8133 3125 1125  125 2824 2128 
4130 1143  125 3824 1133 3822 1136  143 2824 1131 1143 8128  125 3...
udata = 13362
p = 0x807cff9  813362 Address 0x807d000 out of bounds
tag = 56 '8'
n = -78685
temp =  - [EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL 
PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL 
PROTECTED]@[EMAIL PROTECTED]@[EMAIL 
PROTECTED]@\001\000\000\000\000\000\000\000|,[EMAIL PROTECTED]@Àè\027@@[EMAIL 
PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]...
err = 0
last = 6
i = 8
data = (BYTE *) 0x805cbc3 \001
#3  0x0804ed0d in getGPSInfo (refNum=0x40178320, type=3) at getgpsinfo.c:592
total = -1644
done = 0
init = (BYTE *) 0x8056516 debug
req = (BYTE *) 0x2d Address 0x2d out of bounds
err = -16385
rType = 0xb908 8ùÿ¿É¦\004\b [EMAIL PROTECTED]
junk = -1073743468
junk_str = 0x805b6e0 
#4  0x0804a6c9 in main (argc=0, argv=0xb9a4) at main.c:439
No locals.



As Frankie found in the coredump, the error happens during the sprintf()
call in the src/gps/getgpsinfo.c getGPSVersion() fn, line 342.

int getGPSVersion (char **string)
..
  BYTE *data=gGarminMessage+3;
...
if (serialCharsAvail())
  { /* the device apparently implements
       the protocol capability protocol */
    char *p;
    BYTE *s=data;
    BYTE tag;
    unsigned short udata;
    int n;
    getGPSMessage();
    n=data[-1];
    p=protocols=xmalloc(5*n/3+1);
    for ( ; n; n-=3)
      {
        tag=*s; udata=toshort(s+1);
        /* translate each protocol tag and data to the string used in the
           docs */
        sprintf(p, " %c%03d", tag, udata);
        s+=3; p+=5;
      }
    *p=0;
...



in particular:

  int n;
  getGPSMessage();
  n=data[-1];
  p=protocols=xmalloc(5*n/3+1);


n=data[-1]; seems to be bogus (for me gdb bt full reports n=-78685),
so xmalloc() allocates junk and it segfaults when sprintf() tries to
write something to that memory address?

if I try
...
  n=data[-1];
  printf("n=%d\n", n);
...
I get n=2 which sounds more reasonable, but still the segfault.

shrug.

let me know if you need more tests, I can act as a dumb (C) terminal.


If not, and we are out of time for Etch, I suggest replacing v0.40-2 in
sid with 0.39-3 from Sarge. It is slightly less featureful but it works
and is very well tested.


Note:
 [2006-12-05] gpstrans REMOVED from testing (Britney)



Hamish
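
Added example, not part of the original messages or the gpstrans source: a bounds-checked version of the protocol-string loop quoted above. It rejects a payload length that is not a multiple of 3, the case in which the quoted "for ( ; n; n-=3)" counts past zero, and sizes the buffer for the widest possible record. The names format_protocols and le16 (standing in for toshort(), assumed little-endian) are hypothetical, and the sample payloads are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned char BYTE;

/* Assumed stand-in for toshort(): little-endian 16-bit read. */
static unsigned short le16(const BYTE *s) { return (unsigned short)(s[0] | (s[1] << 8)); }

/* Hypothetical helper: turn a protocol-capability payload of n bytes
   (3-byte records: tag, 16-bit value) into "L001 A010 ..." text.
   Returns a malloc'd string, or NULL if the payload is malformed. */
char *format_protocols(const BYTE *s, size_t n)
{
    /* A countdown by 3 only reaches zero when n is an exact multiple
       of 3; any other length is rejected before anything is written. */
    if (n == 0 || n % 3 != 0)
        return NULL;

    size_t records = n / 3;
    size_t cap = records * 7 + 1;  /* per record: space + tag + up to 5 digits */
    char *out = malloc(cap), *p = out;
    if (out == NULL)
        return NULL;

    for (size_t i = 0; i < records; i++, s += 3) {
        size_t left = cap - (size_t)(p - out);
        int w = snprintf(p, left, "%s%c%03u",
                         i ? " " : "", s[0], (unsigned)le16(s + 1));
        if (w < 0 || (size_t)w >= left) {  /* truncated: never advance past the buffer */
            free(out);
            return NULL;
        }
        p += w;  /* advance by what was actually written, not a fixed 5 */
    }
    return out;
}

int main(void)
{
    /* Constructed payloads, not captured from a device. */
    const BYTE ok[]  = { 'L', 1, 0, 'A', 10, 0, 'A', 100, 0 };
    const BYTE bad[] = { 'L', 1 };  /* 2 bytes, like the n=2 reading */
    char *txt = format_protocols(ok, sizeof ok);
    printf("%s\n", txt ? txt : "(rejected)");
    printf("%s\n", format_protocols(bad, sizeof bad) ? "accepted" : "(rejected)");
    free(txt);
    return 0;
}
```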