Opened 14 years ago
Last modified 14 years ago
#5596 closed bug
BMessage::PrintToStream() can crash — at Version 4
| Reported by: | jackburton | Owned by: | axeld |
|---|---|---|---|
| Priority: | normal | Milestone: | R1 |
| Component: | Kits/Application Kit | Version: | R1/Development |
| Keywords: | Cc: | ||
| Blocked By: | Blocking: | ||
| Platform: | All |
Description (last modified by )
This can be reproduced by adding a string, an int32 and an int8 (in that order) to a BMessage and then calling PrintToStream().
Change History (5)
by , 14 years ago
| Attachment: | backtrace.png added |
|---|
comment:1 by , 14 years ago
follow-up: 3 comment:2 by , 14 years ago
The culprit seems to be the following code in BMessage::_PrintToStream()
case B_STRING_TYPE:
printf("string(\"%.*s\", %ld bytes)\n", (int)size,
(char *)pointer, (long)size);
break;
Which is already correct, though: it uses the passed size to print the string. Maybe something becomes corrupt.
comment:3 by , 14 years ago
Replying to jackburton:
Which is already correct, though: it uses the passed size to print the string. Maybe something becomes corrupt.
Reproducible with the following test case:
Add a string, an int32 and an int8 (in that order) to a BMessage and call PrintToStream().
comment:4 by , 14 years ago
| Description: | modified (diff) |
|---|---|
| Summary: | calling BMessage::PrintToStream() on an archived BPicture causes a crash → BMessage::PrintToStream() can crash |
Note:
See TracTickets
for help on using tickets.
I think I've fixed a similar bug recently. It should probably use the field data length instead of letting vprintf figure out the length, if something is not terminated.