Package: mc
Version: 2:4.7.0-pre1-3

--- Please enter the report below this line. ---

Hi,

I created files in a directory with this:

----------------8<--------------
#!/usr/bin/perl
#
use strict;
use warnings;

for (1..255) {
    my $name = 'a' x $_;
    system "echo $name> $name";
}
----------------8<--------------

now mc crashes when entering the directory, the backtrace of mc-dbg:

----------------8<--------------
Core was generated by `mc'.
Program terminated with signal 11, Segmentation fault.
#0  0xb7dd9457 in ?? () from /lib/i686/cmov/libc.so.6
(gdb) bt
#0  0xb7dd9457 in ?? () from /lib/i686/cmov/libc.so.6
#1  0xb7ddb07a in malloc () from /lib/i686/cmov/libc.so.6
#2  0xb7ff8144 in g_malloc () from /lib/libglib-2.0.so.0
#3  0xb80128ac in g_strconcat () from /lib/libglib-2.0.so.0
#4  0x08085958 in concat_dir_and_file (dir=0xb806b184 "L`\v", file=0x9167ba3 "aaaaaaaa") at util.c:1180
#5  0x080bb829 in vfs_canon (path=0x9167ba3 "aaaaaaaa") at vfs.c:992
#6  0x080bbfbb in vfs_canon_and_translate (path=0x762f696b <Address 0x762f696b out of bounds>) at vfs.c:512
#7  0x080bc07f in mc_lstat (filename=0x9167ba3 "aaaaaaaa", buf=0xbf8b8c54) at vfs.c:858
#8  0x0805a637 in handle_dirent (list=0x916ba3c, filter=0x0, dp=0x9167b90, buf1=0xbf8b8c54, next_free=17, link_to_dir=0xbf8b8cb8, stale_link=0xbf8b8cb4) at dir.c:297
#9  0x0805b196 in do_load_dir (path=0x916ba4c "/home/miki/var/mccrash", list=0x916ba3c, sort=0x805b330 <sort_name>, reverse=0, case_sensitive=1, exec_ff=0, filter=0x0) at dir.c:402
#10 0x08072a42 in _do_panel_cd (panel=0x916ba10, new_dir=0x916ae30 "h\256\026\te/miki/var/mccrash/", 'a' <repeats 31 times>, cd_type=<value optimized out>) at main.c:633
#11 0x08072cfc in do_panel_cd (panel=0x916ba10, new_dir=0x916ae30 "h\256\026\te/miki/var/mccrash/", 'a' <repeats 31 times>, cd_type=cd_exact) at main.c:656
#12 0x08072d41 in do_cd (new_dir=0x916ae30 "h\256\026\te/miki/var/mccrash/", 'a' <repeats 31 times>, exact=cd_exact) at main.c:665
#13 0x08072e18 in maybe_cd (move_up_dir=0) at main.c:768
#14 0x08059cf2 in dlg_key_event (h=0x9169930, key=405, event=0xbf8b9dd4) at dialog.c:673
#15 dlg_process_event (h=0x9169930, key=405, event=0xbf8b9dd4) at dialog.c:776
#16 0x0805a00d in frontend_run_dlg (h=0x9169930) at dialog.c:808
#17 run_dlg (h=0x9169930) at dialog.c:823
#18 0x080720fd in setup_panels_and_run_mc (argc=-1209334800, argv=0xb7eb03f0) at main.c:1797
#19 do_nc (argc=-1209334800, argv=0xb7eb03f0) at main.c:1869
#20 main (argc=-1209334800, argv=0xb7eb03f0) at main.c:2359
----------------8<--------------

mc within valgrind -- only starting, changing into the malicious directory, and exiting:

----------------8<--------------
==2908== Memcheck, a memory error detector ==2908== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al. ==2908== Using Valgrind-3.5.0-Debian and LibVEX; rerun with -h for copyright info ==2908== Command: mc ==2908== ==2908== Conditional jump or move depends on uninitialised value(s) ==2908== at 0x400BF88: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x40033F2: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4014980: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4000C7F: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4000856: ??? (in /lib/ld-2.10.1.so) ==2908== ==2908== Conditional jump or move depends on uninitialised value(s) ==2908== at 0x400A99C: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x40033F2: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4014980: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4000C7F: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4000856: ??? (in /lib/ld-2.10.1.so) ==2908== ==2908== Conditional jump or move depends on uninitialised value(s) ==2908== at 0x400B83F: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x40033F2: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4014980: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4000C7F: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4000856: ??? (in /lib/ld-2.10.1.so) ==2908== ==2908== Conditional jump or move depends on uninitialised value(s) ==2908== at 0x400A66E: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x40032DC: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4014980: ??? 
(in /lib/ld-2.10.1.so) ==2908== by 0x4000C7F: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4000856: ??? (in /lib/ld-2.10.1.so) ==2908== ==2908== Conditional jump or move depends on uninitialised value(s) ==2908== at 0x400A676: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x40032DC: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4014980: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4000C7F: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4000856: ??? (in /lib/ld-2.10.1.so) ==2908== ==2908== Conditional jump or move depends on uninitialised value(s) ==2908== at 0x400A99C: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x40032DC: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4014980: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4000C7F: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4000856: ??? (in /lib/ld-2.10.1.so) ==2908== ==2908== Invalid read of size 4 ==2908== at 0x4016C13: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4005CE2: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4007644: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x401234F: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x400E155: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4011D0D: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4306F41: ??? (in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x400E155: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4307040: ??? (in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x430716A: __libc_dlopen_mode (in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x42E10F4: __nss_lookup_function (in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x42E11CB: ??? (in /lib/i686/cmov/libc-2.10.1.so) ==2908== Address 0x43a6d80 is 32 bytes inside a block of size 34 alloc'd ==2908== at 0x4024C4C: malloc (vg_replace_malloc.c:195) ==2908== by 0x4004AAE: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x40078D3: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x401234F: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x400E155: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4011D0D: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4306F41: ??? (in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x400E155: ??? 
(in /lib/ld-2.10.1.so) ==2908== by 0x4307040: ??? (in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x430716A: __libc_dlopen_mode (in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x42E10F4: __nss_lookup_function (in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x42E11CB: ??? (in /lib/i686/cmov/libc-2.10.1.so) ==2908== ==2908== Invalid read of size 4 ==2908== at 0x4016C40: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4005CE2: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4007644: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x400D7C6: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x400E155: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x400C8EC: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x40123AF: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x400E155: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4011D0D: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4306F41: ??? (in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x400E155: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4307040: ??? (in /lib/i686/cmov/libc-2.10.1.so) ==2908== Address 0x43a70d0 is 24 bytes inside a block of size 27 alloc'd ==2908== at 0x4024C4C: malloc (vg_replace_malloc.c:195) ==2908== by 0x4004AAE: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x40078D3: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x400D7C6: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x400E155: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x400C8EC: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x40123AF: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x400E155: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4011D0D: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4306F41: ??? (in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x400E155: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4307040: ??? (in /lib/i686/cmov/libc-2.10.1.so) ==2908== ==2908== Conditional jump or move depends on uninitialised value(s) ==2908== at 0x400BF88: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4012492: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x400E155: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4011D0D: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4306F41: ??? 
(in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x400E155: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4307040: ??? (in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x430716A: __libc_dlopen_mode (in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x42E10F4: __nss_lookup_function (in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x42E11CB: ??? (in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x42E24AC: __nss_passwd_lookup2 (in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x4299925: getpwuid_r (in /lib/i686/cmov/libc-2.10.1.so) ==2908== ==2908== Conditional jump or move depends on uninitialised value(s) ==2908== at 0x400A99C: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4012492: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x400E155: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4011D0D: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4306F41: ??? (in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x400E155: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4307040: ??? (in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x430716A: __libc_dlopen_mode (in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x42E10F4: __nss_lookup_function (in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x42E11CB: ??? (in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x42E24AC: __nss_passwd_lookup2 (in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x4299925: getpwuid_r (in /lib/i686/cmov/libc-2.10.1.so) ==2908== ==2908== Invalid read of size 4 ==2908== at 0x4016C57: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4005CE2: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4007644: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x401234F: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x400E155: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4011D0D: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4306F41: ??? (in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x400E155: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4307040: ??? 
(in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x430716A: __libc_dlopen_mode (in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x42E10F4: __nss_lookup_function (in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x49A6F3B: ??? (in /lib/i686/cmov/libnss_compat-2.10.1.so) ==2908== Address 0x43a7794 is 28 bytes inside a block of size 31 alloc'd ==2908== at 0x4024C4C: malloc (vg_replace_malloc.c:195) ==2908== by 0x4004AAE: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x40078D3: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x401234F: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x400E155: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4011D0D: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4306F41: ??? (in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x400E155: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4307040: ??? (in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x430716A: __libc_dlopen_mode (in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x42E10F4: __nss_lookup_function (in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x49A6F3B: ??? (in /lib/i686/cmov/libnss_compat-2.10.1.so) ==2908== ==2908== Invalid read of size 4 ==2908== at 0x4016C13: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4005CE2: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4007644: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x400D7C6: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x400E155: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x400C8EC: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x40123AF: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x400E155: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4011D0D: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4306F41: ??? (in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x400E155: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4307040: ??? (in /lib/i686/cmov/libc-2.10.1.so) ==2908== Address 0x43a7ae0 is 32 bytes inside a block of size 33 alloc'd ==2908== at 0x4024C4C: malloc (vg_replace_malloc.c:195) ==2908== by 0x4004AAE: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x40078D3: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x400D7C6: ??? 
(in /lib/ld-2.10.1.so) ==2908== by 0x400E155: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x400C8EC: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x40123AF: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x400E155: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4011D0D: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4306F41: ??? (in /lib/i686/cmov/libc-2.10.1.so) ==2908== by 0x400E155: ??? (in /lib/ld-2.10.1.so) ==2908== by 0x4307040: ??? (in /lib/i686/cmov/libc-2.10.1.so) ==2908== ==2908== Warning: invalid file descriptor -1 in syscall close() ==2908== Warning: invalid file descriptor -1 in syscall close() ==2908== Invalid write of size 1 ==2908== at 0x40A3A00: g_strlcpy (in /lib/libglib-2.0.so.0.2200.2) ==2908== by 0x80BD4EC: mc_readdir (vfs.c:809) ==2908== by 0x805B15D: do_load_dir (dir.c:401) ==2908== by 0x8072A41: _do_panel_cd (main.c:633) ==2908== by 0x8072CFB: do_panel_cd (main.c:656) ==2908== by 0x8072D40: do_cd (main.c:665) ==2908== by 0x8072E17: maybe_cd (main.c:768) ==2908== by 0x8059CF1: dlg_process_event (dialog.c:673) ==2908== by 0x805A00C: run_dlg (dialog.c:808) ==2908== by 0x80720FC: main (main.c:1797) ==2908== Address 0x4516aec is 0 bytes after a block of size 260 alloc'd ==2908== at 0x4024C4C: malloc (vg_replace_malloc.c:195) ==2908== by 0x80BD503: mc_readdir (vfs.c:792) ==2908== by 0x805B15D: do_load_dir (dir.c:401) ==2908== by 0x807C75C: panel_new (screen.c:1159) ==2908== by 0x806D8FC: set_display_type (layout.c:958) ==2908== by 0x8070225: create_panels (main.c:1101) ==2908== by 0x8071239: setup_mc (main.c:1432) ==2908== by 0x8071F26: main (main.c:1868) ==2908== ==2908== Invalid read of size 1 ==2908== at 0x4025BC3: strlen (mc_replace_strmem.c:275) ==2908== by 0x40A589A: g_strconcat (in /lib/libglib-2.0.so.0.2200.2) ==2908== by 0x8085957: concat_dir_and_file (util.c:1180) ==2908== by 0x80BB828: vfs_canon (vfs.c:992) ==2908== by 0x80BBFBA: vfs_canon_and_translate (vfs.c:512) ==2908== by 0x80BC07E: mc_lstat (vfs.c:858) ==2908== by 0x805A636: handle_dirent (dir.c:297) ==2908== 
by 0x805B195: do_load_dir (dir.c:402) ==2908== by 0x8072A41: _do_panel_cd (main.c:633) ==2908== by 0x8072CFB: do_panel_cd (main.c:656) ==2908== by 0x8072D40: do_cd (main.c:665) ==2908== by 0x8072E17: maybe_cd (main.c:768) ==2908== Address 0x4516aec is 0 bytes after a block of size 260 alloc'd ==2908== at 0x4024C4C: malloc (vg_replace_malloc.c:195) ==2908== by 0x80BD503: mc_readdir (vfs.c:792) ==2908== by 0x805B15D: do_load_dir (dir.c:401) ==2908== by 0x807C75C: panel_new (screen.c:1159) ==2908== by 0x806D8FC: set_display_type (layout.c:958) ==2908== by 0x8070225: create_panels (main.c:1101) ==2908== by 0x8071239: setup_mc (main.c:1432) ==2908== by 0x8071F26: main (main.c:1868) ==2908== ==2908== Invalid read of size 1 ==2908== at 0x402684D: stpcpy (mc_replace_strmem.c:558) ==2908== by 0x40A55AB: g_stpcpy (in /lib/libglib-2.0.so.0.2200.2) ==2908== by 0x40A58DE: g_strconcat (in /lib/libglib-2.0.so.0.2200.2) ==2908== by 0x8085957: concat_dir_and_file (util.c:1180) ==2908== by 0x80BB828: vfs_canon (vfs.c:992) ==2908== by 0x80BBFBA: vfs_canon_and_translate (vfs.c:512) ==2908== by 0x80BC07E: mc_lstat (vfs.c:858) ==2908== by 0x805A636: handle_dirent (dir.c:297) ==2908== by 0x805B195: do_load_dir (dir.c:402) ==2908== by 0x8072A41: _do_panel_cd (main.c:633) ==2908== by 0x8072CFB: do_panel_cd (main.c:656) ==2908== by 0x8072D40: do_cd (main.c:665) ==2908== Address 0x4516aec is 0 bytes after a block of size 260 alloc'd ==2908== at 0x4024C4C: malloc (vg_replace_malloc.c:195) ==2908== by 0x80BD503: mc_readdir (vfs.c:792) ==2908== by 0x805B15D: do_load_dir (dir.c:401) ==2908== by 0x807C75C: panel_new (screen.c:1159) ==2908== by 0x806D8FC: set_display_type (layout.c:958) ==2908== by 0x8070225: create_panels (main.c:1101) ==2908== by 0x8071239: setup_mc (main.c:1432) ==2908== by 0x8071F26: main (main.c:1868) ==2908== ==2908== Invalid read of size 1 ==2908== at 0x4025BC3: strlen (mc_replace_strmem.c:275) ==2908== by 0x805B1AD: do_load_dir (dir.c:412) ==2908== by 0x8072A41: 
_do_panel_cd (main.c:633) ==2908== by 0x8072CFB: do_panel_cd (main.c:656) ==2908== by 0x8072D40: do_cd (main.c:665) ==2908== by 0x8072E17: maybe_cd (main.c:768) ==2908== by 0x8059CF1: dlg_process_event (dialog.c:673) ==2908== by 0x805A00C: run_dlg (dialog.c:808) ==2908== by 0x80720FC: main (main.c:1797) ==2908== Address 0x4516aec is 0 bytes after a block of size 260 alloc'd ==2908== at 0x4024C4C: malloc (vg_replace_malloc.c:195) ==2908== by 0x80BD503: mc_readdir (vfs.c:792) ==2908== by 0x805B15D: do_load_dir (dir.c:401) ==2908== by 0x807C75C: panel_new (screen.c:1159) ==2908== by 0x806D8FC: set_display_type (layout.c:958) ==2908== by 0x8070225: create_panels (main.c:1101) ==2908== by 0x8071239: setup_mc (main.c:1432) ==2908== by 0x8071F26: main (main.c:1868) ==2908== ==2908== Invalid read of size 1 ==2908== at 0x4025BC3: strlen (mc_replace_strmem.c:275) ==2908== by 0x40A3BED: g_strdup (in /lib/libglib-2.0.so.0.2200.2) ==2908== by 0x805B1C7: do_load_dir (dir.c:413) ==2908== by 0x8072A41: _do_panel_cd (main.c:633) ==2908== by 0x8072CFB: do_panel_cd (main.c:656) ==2908== by 0x8072D40: do_cd (main.c:665) ==2908== by 0x8072E17: maybe_cd (main.c:768) ==2908== by 0x8059CF1: dlg_process_event (dialog.c:673) ==2908== by 0x805A00C: run_dlg (dialog.c:808) ==2908== by 0x80720FC: main (main.c:1797) ==2908== Address 0x4516aec is 0 bytes after a block of size 260 alloc'd ==2908== at 0x4024C4C: malloc (vg_replace_malloc.c:195) ==2908== by 0x80BD503: mc_readdir (vfs.c:792) ==2908== by 0x805B15D: do_load_dir (dir.c:401) ==2908== by 0x807C75C: panel_new (screen.c:1159) ==2908== by 0x806D8FC: set_display_type (layout.c:958) ==2908== by 0x8070225: create_panels (main.c:1101) ==2908== by 0x8071239: setup_mc (main.c:1432) ==2908== by 0x8071F26: main (main.c:1868) ==2908== ==2908== Invalid read of size 1 ==2908== at 0x4026090: memcpy (mc_replace_strmem.c:482) ==2908== by 0x40A3C0D: g_strdup (in /lib/libglib-2.0.so.0.2200.2) ==2908== by 0x805B1C7: do_load_dir (dir.c:413) ==2908== by 
0x8072A41: _do_panel_cd (main.c:633) ==2908== by 0x8072CFB: do_panel_cd (main.c:656) ==2908== by 0x8072D40: do_cd (main.c:665) ==2908== by 0x8072E17: maybe_cd (main.c:768) ==2908== by 0x8059CF1: dlg_process_event (dialog.c:673) ==2908== by 0x805A00C: run_dlg (dialog.c:808) ==2908== by 0x80720FC: main (main.c:1797) ==2908== Address 0x4516af5 is 9 bytes after a block of size 260 alloc'd ==2908== at 0x4024C4C: malloc (vg_replace_malloc.c:195) ==2908== by 0x80BD503: mc_readdir (vfs.c:792) ==2908== by 0x805B15D: do_load_dir (dir.c:401) ==2908== by 0x807C75C: panel_new (screen.c:1159) ==2908== by 0x806D8FC: set_display_type (layout.c:958) ==2908== by 0x8070225: create_panels (main.c:1101) ==2908== by 0x8071239: setup_mc (main.c:1432) ==2908== by 0x8071F26: main (main.c:1868) ==2908== ==2908== Invalid read of size 1 ==2908== at 0x4026097: memcpy (mc_replace_strmem.c:482) ==2908== by 0x40A3C0D: g_strdup (in /lib/libglib-2.0.so.0.2200.2) ==2908== by 0x805B1C7: do_load_dir (dir.c:413) ==2908== by 0x8072A41: _do_panel_cd (main.c:633) ==2908== by 0x8072CFB: do_panel_cd (main.c:656) ==2908== by 0x8072D40: do_cd (main.c:665) ==2908== by 0x8072E17: maybe_cd (main.c:768) ==2908== by 0x8059CF1: dlg_process_event (dialog.c:673) ==2908== by 0x805A00C: run_dlg (dialog.c:808) ==2908== by 0x80720FC: main (main.c:1797) ==2908== Address 0x4516af4 is 8 bytes after a block of size 260 alloc'd ==2908== at 0x4024C4C: malloc (vg_replace_malloc.c:195) ==2908== by 0x80BD503: mc_readdir (vfs.c:792) ==2908== by 0x805B15D: do_load_dir (dir.c:401) ==2908== by 0x807C75C: panel_new (screen.c:1159) ==2908== by 0x806D8FC: set_display_type (layout.c:958) ==2908== by 0x8070225: create_panels (main.c:1101) ==2908== by 0x8071239: setup_mc (main.c:1432) ==2908== by 0x8071F26: main (main.c:1868) ==2908== ==2908== Invalid read of size 1 ==2908== at 0x40260A0: memcpy (mc_replace_strmem.c:482) ==2908== by 0x40A3C0D: g_strdup (in /lib/libglib-2.0.so.0.2200.2) ==2908== by 0x805B1C7: do_load_dir (dir.c:413) 
==2908== by 0x8072A41: _do_panel_cd (main.c:633) ==2908== by 0x8072CFB: do_panel_cd (main.c:656) ==2908== by 0x8072D40: do_cd (main.c:665) ==2908== by 0x8072E17: maybe_cd (main.c:768) ==2908== by 0x8059CF1: dlg_process_event (dialog.c:673) ==2908== by 0x805A00C: run_dlg (dialog.c:808) ==2908== by 0x80720FC: main (main.c:1797) ==2908== Address 0x4516af3 is 7 bytes after a block of size 260 alloc'd ==2908== at 0x4024C4C: malloc (vg_replace_malloc.c:195) ==2908== by 0x80BD503: mc_readdir (vfs.c:792) ==2908== by 0x805B15D: do_load_dir (dir.c:401) ==2908== by 0x807C75C: panel_new (screen.c:1159) ==2908== by 0x806D8FC: set_display_type (layout.c:958) ==2908== by 0x8070225: create_panels (main.c:1101) ==2908== by 0x8071239: setup_mc (main.c:1432) ==2908== by 0x8071F26: main (main.c:1868) ==2908== ==2908== Invalid read of size 1 ==2908== at 0x40260A9: memcpy (mc_replace_strmem.c:482) ==2908== by 0x40A3C0D: g_strdup (in /lib/libglib-2.0.so.0.2200.2) ==2908== by 0x805B1C7: do_load_dir (dir.c:413) ==2908== by 0x8072A41: _do_panel_cd (main.c:633) ==2908== by 0x8072CFB: do_panel_cd (main.c:656) ==2908== by 0x8072D40: do_cd (main.c:665) ==2908== by 0x8072E17: maybe_cd (main.c:768) ==2908== by 0x8059CF1: dlg_process_event (dialog.c:673) ==2908== by 0x805A00C: run_dlg (dialog.c:808) ==2908== by 0x80720FC: main (main.c:1797) ==2908== Address 0x4516af2 is 6 bytes after a block of size 260 alloc'd ==2908== at 0x4024C4C: malloc (vg_replace_malloc.c:195) ==2908== by 0x80BD503: mc_readdir (vfs.c:792) ==2908== by 0x805B15D: do_load_dir (dir.c:401) ==2908== by 0x807C75C: panel_new (screen.c:1159) ==2908== by 0x806D8FC: set_display_type (layout.c:958) ==2908== by 0x8070225: create_panels (main.c:1101) ==2908== by 0x8071239: setup_mc (main.c:1432) ==2908== by 0x8071F26: main (main.c:1868) ==2908== ==2908== Invalid write of size 1 ==2908== at 0x40A3A20: g_strlcpy (in /lib/libglib-2.0.so.0.2200.2) ==2908== by 0x80BD4EC: mc_readdir (vfs.c:809) ==2908== by 0x805B15D: do_load_dir (dir.c:401) 
==2908== by 0x8072A41: _do_panel_cd (main.c:633) ==2908== by 0x8072CFB: do_panel_cd (main.c:656) ==2908== by 0x8072D40: do_cd (main.c:665) ==2908== by 0x8072E17: maybe_cd (main.c:768) ==2908== by 0x8059CF1: dlg_process_event (dialog.c:673) ==2908== by 0x805A00C: run_dlg (dialog.c:808) ==2908== by 0x80720FC: main (main.c:1797) ==2908== Address 0x4516afa is 14 bytes after a block of size 260 alloc'd ==2908== at 0x4024C4C: malloc (vg_replace_malloc.c:195) ==2908== by 0x80BD503: mc_readdir (vfs.c:792) ==2908== by 0x805B15D: do_load_dir (dir.c:401) ==2908== by 0x807C75C: panel_new (screen.c:1159) ==2908== by 0x806D8FC: set_display_type (layout.c:958) ==2908== by 0x8070225: create_panels (main.c:1101) ==2908== by 0x8071239: setup_mc (main.c:1432) ==2908== by 0x8071F26: main (main.c:1868) ==2908== ==2908== ==2908== HEAP SUMMARY: ==2908== in use at exit: 23,510 bytes in 319 blocks ==2908== total heap usage: 27,978 allocs, 27,659 frees, 1,713,810 bytes allocated ==2908== ==2908== LEAK SUMMARY: ==2908== definitely lost: 528 bytes in 48 blocks ==2908== indirectly lost: 435 bytes in 56 blocks ==2908== possibly lost: 8,734 bytes in 123 blocks ==2908== still reachable: 13,813 bytes in 92 blocks ==2908== suppressed: 0 bytes in 0 blocks ==2908== Rerun with --leak-check=full to see details of leaked memory ==2908== ==2908== For counts of detected and suppressed errors, rerun with: -v ==2908== Use --track-origins=yes to see where uninitialised values come from ==2908== ERROR SUMMARY: 755 errors from 22 contexts (suppressed: 0 from 0)
----------------8<--------------

During experimenting I found a not very reliably producible crash as well: sometimes entering into a directory containing long filenames doesn't crash mc immediately, but only upon exiting (even if it already left the malicious directory).

backtrace:

----------------8<--------------
#0  0xb80d8424 in __kernel_vsyscall ()
#1  0xb7dd33d0 in raise () from /lib/i686/cmov/libc.so.6
#2  0xb7dd6a85 in abort () from /lib/i686/cmov/libc.so.6
#3  0xb7e0c2ed in ?? () from /lib/i686/cmov/libc.so.6
#4  0xb7e168f4 in ?? () from /lib/i686/cmov/libc.so.6
#5  0xb804bfe6 in g_free () from /lib/libglib-2.0.so.0
#6  0x08073b70 in destroy_menu (menu=0x9) at menu.c:550
#7  0x08070ff3 in done_menu () at main.c:991
#8  0x08071040 in done_mc () at main.c:1534
#9  0x08072133 in do_nc (argc=Cannot access memory at address 0x4457) at main.c:1878
#10 main (argc=Cannot access memory at address 0x4457) at main.c:2359
----------------8<--------------

valgrind:

----------------8<--------------
==17610== Memcheck, a memory error detector
==17610== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==17610== Using Valgrind-3.5.0-Debian and LibVEX; rerun with -h for copyright info
==17610== Command: mc
==17610==
==17610== Warning: invalid file descriptor -1 in syscall close()
==17610== Warning: invalid file descriptor -1 in syscall close()
==17610==
==17610== HEAP SUMMARY:
==17610==     in use at exit: 34,742 bytes in 375 blocks
==17610==   total heap usage: 26,633 allocs, 26,258 frees, 1,360,640 bytes allocated
==17610==
==17610== LEAK SUMMARY:
==17610==    definitely lost: 404 bytes in 43 blocks
==17610==    indirectly lost: 315 bytes in 46 blocks
==17610==      possibly lost: 22,886 bytes in 194 blocks
==17610==    still reachable: 11,137 bytes in 92 blocks
==17610==         suppressed: 0 bytes in 0 blocks
==17610== Rerun with --leak-check=full to see details of leaked memory
==17610==
==17610== For counts of detected and suppressed errors, rerun with: -v
==17610== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 47 from 24)
----------------8<--------------

I hope this information is enough for fixing the bug(s).

MM

--- System information. ---
Architecture: i386
Kernel:       Linux 2.6.30-2-686

Debian Release: squeeze/sid
  500 unstable        ftp.uni-kl.de
  500 unstable        ftp.hu.debian.org

--- Package information. ---
Depends             (Version) | Installed
=============================-+-=============
libc6                (>= 2.3) | 2.10.1-3
libglib2.0-0      (>= 2.16.0) | 2.22.2-2
libgpm2           (>= 1.20.4) | 1.20.4-3.2
libslang2        (>= 2.0.7-1) | 2.2.1-1

Recommends       (Version) | Installed
==========================-+-===========
imagemagick                | 7:6.5.5.3-1

Suggests          (Version) | Installed
===========================-+-===========
mime-support                | 3.46-1
perl                        | 5.10.1-6
zip                         | 3.0-1
unzip                       | 6.0-1
bzip2                       | 1.0.5-3
links                       |
 OR w3m                     |
 OR lynx                    | 2.8.8dev.1-1
arj                         |
file                        | 5.03-2
xpdf                        |
dbview                      |
odt2txt                     |
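
Added example, not part of the original report and not mc's code: a size check for a fixed directory-entry record, run against the same names the reproducer creates, next to the arithmetic that maps a name length to valgrind's "N bytes after a block of size 260". The 260-byte block and the 255-character limit come from the report; NAME_OFF (19) is an assumption, chosen because it puts the terminator of a 255-character name 14 bytes past the block, the largest offset in the first valgrind output.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed values. BLOCK_SIZE and MAX_NAME come from the report;
 * NAME_OFF is an assumption, not read from mc's source. */
#define BLOCK_SIZE 260u  /* heap block size reported by valgrind */
#define MAX_NAME   255u  /* longest name the reproducer creates */
#define NAME_OFF   19u   /* assumed offset of the name inside the record */

/* Bytes a record must have to hold a name of namelen chars plus its NUL. */
size_t record_bytes_needed(size_t name_off, size_t namelen)
{
    return name_off + namelen + 1;
}

/* Where an unchecked copy would put the terminating NUL, counted the way
 * valgrind does ("k bytes after a block"); -1 if the NUL stays inside. */
long nul_bytes_after_block(size_t block, size_t name_off, size_t namelen)
{
    size_t nul_at = name_off + namelen;
    return nul_at >= block ? (long)(nul_at - block) : -1;
}

/* Shortest name length in 1..max_len that no longer fits, 0 if all fit. */
size_t first_overflowing_len(size_t block, size_t name_off, size_t max_len)
{
    for (size_t n = 1; n <= max_len; n++)
        if (record_bytes_needed(name_off, n) > block)
            return n;
    return 0;
}

/* Bounds-checked copy: 0 on success, -1 if name plus NUL does not fit. */
int copy_name_checked(unsigned char *rec, size_t block, size_t name_off,
                      const char *name)
{
    size_t len = strlen(name);
    if (name_off >= block || len >= block - name_off)
        return -1;
    memcpy(rec + name_off, name, len + 1);
    return 0;
}

/* Replays the reproducer's names ("a" x 1..max_len) through the checked
 * copy and counts how many are refused for a record of `block` bytes. */
size_t count_rejected(size_t block, size_t name_off, size_t max_len)
{
    unsigned char rec[512];
    char name[MAX_NAME + 1];
    size_t rejected = 0;

    if (block > sizeof rec || max_len > MAX_NAME)
        return (size_t)-1;
    for (size_t n = 1; n <= max_len; n++) {
        memset(name, 'a', n);
        name[n] = '\0';
        if (copy_name_checked(rec, block, name_off, name) != 0)
            rejected++;
    }
    return rejected;
}

int main(void)
{
    printf("first name length that overflows %u bytes: %zu\n",
           BLOCK_SIZE, first_overflowing_len(BLOCK_SIZE, NAME_OFF, MAX_NAME));
    printf("NUL of a %u-char name lands %ld bytes after the block\n",
           MAX_NAME, nul_bytes_after_block(BLOCK_SIZE, NAME_OFF, MAX_NAME));
    printf("record size that holds every name: %zu\n",
           record_bytes_needed(NAME_OFF, MAX_NAME));
    printf("names refused by the checked copy: %zu\n",
           count_rejected(BLOCK_SIZE, NAME_OFF, MAX_NAME));
    return 0;
}
```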