[GRASS5] [bug #1969] (grass) bug 1969: r.fill.dir segfaults

Glynn Clements glynn.clements at virgin.net
Sat Aug 9 05:01:28 EDT 2003

Harmisch Bowman via RT wrote:

> this bug's URL: http://intevation.de/rt/webrt?serial_num=1969
> Request number 1969 was commented on by 'hbowman' (Harmisch Bowman). 
> Responding to this message will send mail to the requestor.
> 			Request Tracker
> 			rt at intevation.de
> --------------------------------------------------------------
> Cc: grass5 at grass.itc.it
> [bug 1969]
> doing a dumb debug, just populating grass/src/raster/r.fill.dir/ppupdate.c
> with some printf()'s, the SegFault happens for me during the G_free(list) call.

   list = G_malloc(nbasins * sizeof(struct links));


The code overruns the array. If you want to access list[nbasins], you
have to allocate nbasins+1 elements. For an N-element array, the valid
indices are 0 to N-1 inclusive; element N is not valid.

Note that the old version also overran the array. However, the old
version had the array on the stack, where you are more likely to get
away with an overrun (although list[nbasins] will be trashed by
function calls, writing to it won't usually cause problems). 

Overrunning a heap block tends to result in segfault in a later
(sometimes much later) call to malloc(), free() etc. At least, that's
the case for GNU malloc(), which stores metadata at the start of the
block; BSD's malloc() stores metadata in separate areas, so you just
overrun into the next data block rather than into metadata.

Glynn Clements <glynn.clements at virgin.net>

More information about the grass-dev mailing list