Opened 15 years ago
Last modified 15 years ago
#5596 closed bug
BMessage::PrintToStream() can crash — at Version 4
Reported by: | jackburton | Owned by: | axeld |
---|---|---|---|
Priority: | normal | Milestone: | R1 |
Component: | Kits/Application Kit | Version: | R1/Development |
Keywords: | Cc: | ||
Blocked By: | Blocking: | ||
Platform: | All |
Description (last modified by )
This can be reproduced by adding a string, an int32 and an int8 (in that order) to a BMessage and then calling PrintToStream().
Change History (5)
by , 15 years ago
Attachment: | backtrace.png added |
---|
comment:1 by , 15 years ago
follow-up: 3 comment:2 by , 15 years ago
The culprit seems to be the following code in BMessage::_PrintToStream()
case B_STRING_TYPE: printf("string(\"%.*s\", %ld bytes)\n", (int)size, (char *)pointer, (long)size); break;
Which is already correct, though: it uses the passed size to print the string. Maybe something becomes corrupt.
comment:3 by , 15 years ago
Replying to jackburton:
Which is already correct, though: it uses the passed size to print the string. Maybe something becomes corrupt.
Reproducible with the following test case:
Add a string, an int32 and an int8 (in that order) to a BMessage and call PrintToStream().
comment:4 by , 15 years ago
Description: | modified (diff) |
---|---|
Summary: | calling BMessage::PrintToStream() on an archived BPicture causes a crash → BMessage::PrintToStream() can crash |
I think I've fixed a similar bug recently. It should probably use the field data length instead of letting vprintf figure out the length, if something is not terminated.