Hi,
as jsg@ pointed out, rcs will segfault reliably when using malloc.conf with
'J' (the pointer in question is filled with d0's).
The pointer "rp_delta" is checked at the end of rcsparse_delta. If it's
non-NULL, it will be included in a linked list; line 1181 of rcsparse.c.
This RCS file triggers the segfault, as supplied by jsg@:
----------
head 1.1;
access;
symbols
OPENBSD_5_6_BASE:1.1;
locks; strict;
comment @# @;
@.1
date 95.12.18.15.18.15; author deraadt; state Exp;
branches:
n
----------
$ rlog foo,v
rlog: foo,v:9: no newline at end of file
Segmentation fault (core dumped)
Tobias
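The failure mode behind the diff below, as an added C example that is not code from the rcs or cvs trees: a stand-in parser state using the member names from the patch (layout and delta type are assumed), allocated through a junk-filling malloc that imitates malloc.conf 'J', so the pre-patch init leaves rp_delta as 0xd0 bytes and the non-NULL check that rcsparse_delta performs would accept it; the post-patch init adds the one line from the diff.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the rcs parser state: member names follow the
 * diff, but the layout and the delta type are assumptions made for this demo. */
struct rcs_delta { int rd_num; };
struct rcs_pdata {
	struct rcs_delta *rp_delta;	/* pending delta; must be NULL when none */
	int rp_token;
};

/* malloc.conf 'J' fills fresh allocations with 0xd0; reproduce that here so an
 * unassigned member holds the same pattern the report describes. */
#define JUNK_BYTE 0xd0
static void *junk_malloc(size_t n) {
	void *p = malloc(n);
	if (p != NULL)
		memset(p, JUNK_BYTE, n);
	return p;
}

/* Pre-patch init: every member except rp_delta is assigned, so rp_delta keeps
 * whatever malloc left in it (under 'J', bytes of 0xd0). */
struct rcs_pdata *rcsparse_init_buggy(void) {
	struct rcs_pdata *pdp = junk_malloc(sizeof(*pdp));
	if (pdp == NULL)
		return NULL;
	pdp->rp_token = -1;
	return pdp;
}

/* Post-patch init: the one line the diff adds, on top of the same assignments. */
struct rcs_pdata *rcsparse_init_fixed(void) {
	struct rcs_pdata *pdp = rcsparse_init_buggy();
	if (pdp != NULL)
		pdp->rp_delta = NULL;
	return pdp;
}

/* Mirrors the check at the end of rcsparse_delta: a non-NULL rp_delta is taken
 * for a real delta and linked into the list, i.e. dereferenced. Returns 1 when
 * that would happen; with the buggy init it does, on a pointer made of junk. */
int delta_would_be_linked(const struct rcs_pdata *pdp) {
	return pdp->rp_delta != NULL;
}

/* Low byte of rp_delta: 0xd0 means the member still holds the junk fill. */
unsigned rp_delta_low_byte(const struct rcs_pdata *pdp) {
	return (unsigned)((uintptr_t)pdp->rp_delta & 0xff);
}
```

Running the two inits side by side shows why 'J' makes the crash reproducible: without junk fill the stale bytes happen to be zero often enough that the NULL check hides the missing initialization.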
Index: usr.bin/cvs/rcsparse.c
===================================================================
RCS file: /cvs/src/usr.bin/cvs/rcsparse.c,v
retrieving revision 1.8
diff -u -p -u -p -r1.8 rcsparse.c
--- usr.bin/cvs/rcsparse.c 16 Nov 2014 19:14:34 -0000 1.8
+++ usr.bin/cvs/rcsparse.c 22 Nov 2014 10:32:32 -0000
@@ -228,6 +228,7 @@ rcsparse_init(RCSFILE *rfp)
pdp->rp_buf = xmalloc(RCS_BUFSIZE);
pdp->rp_blen = RCS_BUFSIZE;
pdp->rp_bufend = pdp->rp_buf + pdp->rp_blen - 1;
+ pdp->rp_delta = NULL;
pdp->rp_token = -1;
pdp->rp_lineno = 1;
pdp->rp_msglineno = 1;
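Review bot: Setting only rp_delta to NULL fixes the reported crash, but the surrounding context shows rcsparse_init filling pdp one member at a time, so any other pointer or list member that is not assigned here has the same exposure under malloc.conf 'J'. Consider zero-filling pdp at allocation (calloc-style) and then assigning only the non-zero members such as `pdp->rp_token = -1;`, so the invariant that rcsparse_delta's non-NULL check relies on (rp_delta is NULL when no delta is pending) holds for every member by construction; a short comment next to the new line stating that invariant would also help the next reader.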
Index: usr.bin/rcs/rcsparse.c
===================================================================
RCS file: /cvs/src/usr.bin/rcs/rcsparse.c,v
retrieving revision 1.11
diff -u -p -u -p -r1.11 rcsparse.c
--- usr.bin/rcs/rcsparse.c 16 Nov 2014 19:14:34 -0000 1.11
+++ usr.bin/rcs/rcsparse.c 22 Nov 2014 10:32:32 -0000
@@ -227,6 +227,7 @@ rcsparse_init(RCSFILE *rfp)
pdp->rp_buf = xmalloc(RCS_BUFSIZE);
pdp->rp_blen = RCS_BUFSIZE;
pdp->rp_bufend = pdp->rp_buf + pdp->rp_blen - 1;
+ pdp->rp_delta = NULL;
pdp->rp_token = -1;
pdp->rp_lineno = 1;
pdp->rp_msglineno = 1;
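Review bot: Same one-line change as in usr.bin/cvs/rcsparse.c, and the same suggestion applies: whichever form is chosen, a single explicit NULL or zero-filling the whole struct at allocation, both copies should receive the identical fix, since the visible context is line-for-line the same and the two files differ only in the hunk offset (@@ -227 here versus @@ -228 in the cvs copy), i.e. they are maintained in parallel and will drift apart if only one is hardened.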