
Bug#278426: libc6: memcpy is ignoring the size-parameter



Package: libc6
Version: 2.3.2.ds1-18
Severity: important

Checking for memory leaks (in vile) with valgrind,
I got some unexplainable errors, such as this:

==15339== Invalid write of size 1
==15339==    at 0x1B904B5C: memcpy (mac_replace_strmem.c:301)
==15339==    by 0x80ACDA2: doalloc (trace.c:498)
==15339==    by 0x8088283: extend_mode_list (modes.c:3096)
==15339==    by 0x8089377: do_a_submode (modes.c:3471)
==15339==    by 0x80894A4: define_submode (modes.c:3499)   
==15339==    by 0x80689D3: call_cmdfunc (exec.c:815)
==15339==    by 0x8068C28: execute (exec.c:914)
==15339==    by 0x806895E: docmd (exec.c:797)
==15339==    by 0x806B11A: perform_dobuf (exec.c:2306)
==15339==    by 0x806B338: dobuf (exec.c:2386)
==15339==  Address 0x1BAEC8AB is 3 bytes after a block of size 2968 alloc'd   
==15339==    at 0x1B905901: calloc (vg_replace_malloc.c:176)
==15339==    by 0x80ACCE8: doalloc (trace.c:492)
==15339==    by 0x8088283: extend_mode_list (modes.c:3096)
==15339==    by 0x8089377: do_a_submode (modes.c:3471)
==15339==    by 0x80894A4: define_submode (modes.c:3499)
==15339==    by 0x80689D3: call_cmdfunc (exec.c:815)
==15339==    by 0x8068C28: execute (exec.c:914)
==15339==    by 0x806895E: docmd (exec.c:797)
==15339==    by 0x806B11A: perform_dobuf (exec.c:2306)
==15339==    by 0x806B338: dobuf (exec.c:2386)

The "doalloc" wrapper in this case is calling memcpy to appease valgrind's
complaints about copying uninitialized data with a realloc (replaced by a
calloc and memcpy).  After checking the various limits and sizes, I finally
replaced the memcpy() call with a for-loop using the same variables:

	for (k = 0; k < area[j].size; ++k)
		newp[k] = oldp[k];
	//memcpy(newp, oldp, area[j].size); 

and the warnings went away.

My guess is that some change to memcpy that modified its logic to copy words
(or larger chunks) rather than bytes has been broken.

Alternatively, valgrind is broken (it's hard to tell).

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.27-td2
Locale: LANG=C, LC_CTYPE=C

Versions of packages libc6 depends on:
ii  libdb1-compat                 2.1.3-7    The Berkeley database routines [gl

-- no debconf information
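A size-tracking realloc replacement of the kind the doalloc wrapper above performs (a fresh calloc plus memcpy), written here as an added example rather than as vile's own code: because every block records its own length, the copy is clamped to min(old size, new size), so a size argument that does not match the destination block cannot push memcpy past its end, which is the class of overrun valgrind flags in the report. All names (tracked_alloc, tracked_grow, hdr_t) are hypothetical.

```c
#include <stdlib.h>
#include <string.h>
/* Added example, hypothetical allocator (not vile's doalloc). Size-tracking
 * header placed in front of every block; the union keeps the user pointer aligned. */
typedef union { size_t size; long double align_; } hdr_t;

/* Zero-filled allocation (like calloc) that remembers its own size. */
void *tracked_alloc(size_t n) {
    hdr_t *h = calloc(1, sizeof *h + n);
    if (h == NULL) return NULL;
    h->size = n;
    return h + 1;
}

/* Usable size of a tracked block (0 for NULL). */
size_t tracked_size(const void *p) { return p ? ((const hdr_t *)p - 1)->size : 0; }

void tracked_free(void *p) { if (p) free((hdr_t *)p - 1); }

/* realloc replacement: fresh zeroed block, copy, release the old one. The copy
 * length is clamped to min(old size, new size), so an over-large size argument
 * can no longer make memcpy write past the end of the new block. */
void *tracked_grow(void *oldp, size_t newsize) {
    size_t oldsize = tracked_size(oldp);
    size_t n = oldsize < newsize ? oldsize : newsize;
    void *newp = tracked_alloc(newsize);
    if (newp == NULL) return NULL;
    if (n) memcpy(newp, oldp, n);
    tracked_free(oldp);
    return newp;
}

/* Grow a 2968-byte block (the size in the report) by 3 bytes: the payload must
 * survive and the 3 new bytes must be zero. Returns 1 on success, 0 otherwise. */
int demo_grow_preserves_data(void) {
    size_t i, ok = 1;
    unsigned char *p = tracked_alloc(2968);
    if (p == NULL) return 0;
    for (i = 0; i < 2968; i++) p[i] = (unsigned char)(i & 0xff);
    p = tracked_grow(p, 2968 + 3);
    if (p == NULL) return 0;
    for (i = 0; i < 2968; i++) ok &= (p[i] == (unsigned char)(i & 0xff));
    for (i = 2968; i < 2971; i++) ok &= (p[i] == 0);
    ok &= (tracked_size(p) == 2971);
    tracked_free(p);
    return (int)ok;
}

int main(void) { return demo_grow_preserves_data() ? 0 : 1; }
```

Run under valgrind, the grow path copies only bytes both blocks actually hold, so the "Invalid write" seen above cannot come from the wrapper itself.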