On Mon, Jul 13, 2015 at 11:46:28AM -0700, Linus Torvalds wrote:
> On Sat, Jul 11, 2015 at 4:39 PM, Linus Torvalds
> <torva...@linux-foundation.org> wrote:
> >
> > which is just the taxonomy.category writes. Looks like it writes past
> > the end of the allocation.
>
> Ok, looking at this, the problem seems to be pretty clear.
>
> When the code does the taxonomy lookup in
> ReverseGeoLookupThread::run(), it keeps on just adding data to the
> taxonomy field.
>
> IOW, the code that overflows the allocation is this, which just keeps doing:
>
>         if (ds->taxonomy.category == NULL)
>                 ds->taxonomy.category = alloc_taxonomy();
>         ds->taxonomy.category[ds->taxonomy.nr].category = TC_OCEAN;
>         ds->taxonomy.category[ds->taxonomy.nr].origin = taxonomy::GEOCODED;
>         ds->taxonomy.category[ds->taxonomy.nr].value = copy_string(qPrintable(oceanName["name"].toString()));
>         ds->taxonomy.nr++;
>
> and eventually "ds->taxonomy.nr" will grow past TC_NR_CATEGORIES and
> we corrupt memory.
>
> I don't know exactly how it happens, though. Normally I would expect that the
>
>         ds->taxonomy.nr = ri;
>
> that happens a bit earlier would reset the taxonomy number to 0 or 1,
> but that is all inside that
>
>         if (geoNames.count() > 0) {
>
> conditional, so maybe there is some situation where that doesn't
> happen, and then the later code ends up adding too many entries
> because it keeps adding things on top of older data.
>
> I don't know the code. It looks like both Tomaz started it and Dirk
> has been changing code in this area, soo..
It's all my doing. Tomaz is innocent.

I need to re-read the code (I'm completely distracted by getting the
Android app working... sorry) - when I designed it there was no way we
could ever fill the array... I actually thought that I had one too many
elements in the array...

we reset ri to 0
we loop over the known categories except for the first two (NONE and OCEAN)
so ri can't be bigger than TC_NR_CATEGORIES - 2
then we try to add the adminName3 thingy (but only if it's not there already)
then we try to add the ocean

So we should still have one unused slot... I still don't see how this
can overflow.

If you put a printf or qDebug() or something at this line

        ds->taxonomy.nr = ri;

do you ever see a value that indicates we stored too many? If yes, how
did you get there :-)

/D

_______________________________________________
subsurface mailing list
subsurface@subsurface-divelog.org
http://lists.subsurface-divelog.org/cgi-bin/mailman/listinfo/subsurface
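The thread above is about an unchecked `category[nr++] = ...` write into a fixed-size taxonomy array, where `nr` is expected to have been reset earlier but can keep growing across repeated lookups. The following is an added, self-contained C example (not Subsurface code; the enum values, struct layout and function names are constructed for illustration) showing the defensive shape: the array's capacity is the compile-time constant, an append refuses when the array is full instead of writing past it, and a "set" operation overwrites an existing entry for the same category rather than appending a duplicate, so repeated geocoding passes cannot consume extra slots.

```c
/* Added example, not from the Subsurface code base.
 * All names and the category list below are constructed assumptions
 * chosen to mirror the thread (TC_OCEAN, TC_NR_CATEGORIES, nr). */
#include <stdio.h>
#include <string.h>

/* Constructed category list; the real enum in Subsurface may differ. */
enum taxonomy_category { TC_NONE, TC_OCEAN, TC_COUNTRY, TC_ADMIN_L1,
                         TC_ADMIN_L2, TC_LOCALNAME, TC_ADMIN_L3,
                         TC_NR_CATEGORIES };
enum taxonomy_origin { ORIGIN_NONE, GEOCODED, GEOMANUAL };

struct taxonomy {
	int category;
	int origin;
	char value[64];            /* fixed buffer, copied with bounds */
};

struct taxonomy_data {
	int nr;                                     /* entries in use */
	struct taxonomy category[TC_NR_CATEGORIES]; /* fixed capacity */
};

/* Append one entry. Returns 0 on success, -1 when the array is full
 * (or nr is corrupt), so the caller can never write past the end. */
static int taxonomy_append(struct taxonomy_data *t, int cat, int origin,
			   const char *value)
{
	if (t->nr < 0 || t->nr >= TC_NR_CATEGORIES)
		return -1;                           /* full: refuse, do not write */
	t->category[t->nr].category = cat;
	t->category[t->nr].origin = origin;
	snprintf(t->category[t->nr].value, sizeof t->category[t->nr].value,
		 "%s", value);
	t->nr++;
	return 0;
}

/* Find the slot already holding a category, or -1 if absent. */
static int taxonomy_index(const struct taxonomy_data *t, int cat)
{
	for (int i = 0; i < t->nr && i < TC_NR_CATEGORIES; i++)
		if (t->category[i].category == cat)
			return i;
	return -1;
}

/* Set a category: overwrite the existing slot if present, append otherwise.
 * This is the "only if it's not there already" rule from the thread applied
 * to every category, so re-running a lookup never grows nr. */
static int taxonomy_set(struct taxonomy_data *t, int cat, int origin,
			const char *value)
{
	int idx = taxonomy_index(t, cat);
	if (idx >= 0) {
		t->category[idx].origin = origin;
		snprintf(t->category[idx].value, sizeof t->category[idx].value,
			 "%s", value);
		return 0;
	}
	return taxonomy_append(t, cat, origin, value);
}

/* Simulate repeated geocoding passes that each set a country and an ocean
 * (constructed sample values). Returns the final nr, which stays at 2
 * however many passes run. */
int simulate_repeated_lookups(int passes)
{
	struct taxonomy_data t = { 0 };
	for (int i = 0; i < passes; i++) {
		taxonomy_set(&t, TC_COUNTRY, GEOCODED, "Example Country");
		taxonomy_set(&t, TC_OCEAN, GEOCODED, "Example Ocean");
	}
	return t.nr;
}

/* Count how many appends of distinct categories are accepted: exactly
 * TC_NR_CATEGORIES, after which every further append is refused. */
int count_accepted_appends(int attempts)
{
	struct taxonomy_data t = { 0 };
	int ok = 0;
	for (int i = 0; i < attempts; i++)
		if (taxonomy_append(&t, i, GEOCODED, "x") == 0)
			ok++;
	return ok;
}

int main(void)
{
	printf("nr after 5 passes: %d\n", simulate_repeated_lookups(5));
	printf("accepted %d of %d appends\n",
	       count_accepted_appends(TC_NR_CATEGORIES + 3),
	       TC_NR_CATEGORIES + 3);
	return 0;
}
```

The refusal in taxonomy_append is the check the thread is missing: whether or not the earlier `nr = ri` reset happens, an append can never index beyond the allocation. A debugging printf at the reset line, as suggested above, tells you why nr grew; the bounds check makes sure that a wrong nr is a logic bug rather than memory corruption.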