valgrind: read memory below stack

XmlDoc::getMsg20Reply() was using local stack buffers and setting pointer members in Msg20Reply to point them and then returning. Valgrind found that below-stack-memory was references in Msg20Reply::serialize()
2025-07-13 02:36:06 -04:00 · 2016-01-12 15:01:14 +01:00
parent 8960ab655e
commit b18e363e3e
2 changed files with 12 additions and 11 deletions
--- a/XmlDoc.cpp
+++ b/XmlDoc.cpp
@ -29542,8 +29542,6 @@ Msg20Reply *XmlDoc::getMsg20Reply ( ) {
 	//   rss/atom feed
 	char  *rssItem    = NULL;
 	int32_t   rssItemLen = 0;
-	// store link text in here
-	char  linkTextBuf[MAX_LINK_TEXT_LEN];

 	//
 	// TODO: for getting siteinlinks just match the site in the url
@ -29556,8 +29554,8 @@ Msg20Reply *XmlDoc::getMsg20Reply ( ) {
 	//   something like blogspot.com/mary/ or some other site.
 	int32_t blen = links->getLinkText ( m_req->ptr_linkee  ,//&linkee,
 					 m_req->m_isSiteLinkInfo ,
-					 linkTextBuf         ,
-					 MAX_LINK_TEXT_LEN-2 ,
+					 m_linkTextBuf       ,
+					 sizeof(m_linkTextBuf)-2,
 					 &rssItem            ,
 					 &rssItemLen         ,
 					 &linkNode           ,
@ -29595,10 +29593,10 @@ Msg20Reply *XmlDoc::getMsg20Reply ( ) {
 	// breathe
 	QUICKPOLL(m_niceness);

-	if ( ! verifyUtf8 ( linkTextBuf , blen ) ) {
+	if ( ! verifyUtf8 ( m_linkTextBuf , blen ) ) {
 		log("xmldoc: bad OUT link text from url=%s for %s",
 		    m_req->ptr_linkee,m_firstUrl.m_url);
-		linkTextBuf[0] = '\0';
+		m_linkTextBuf[0] = '\0';
 		blen = 0;
 	}

@ -29613,13 +29611,13 @@ Msg20Reply *XmlDoc::getMsg20Reply ( ) {

 	// point to it, include the \0.
 	if ( blen > 0 ) {
-		reply->ptr_linkText  = linkTextBuf;
+		reply->ptr_linkText  = m_linkTextBuf;
 		// save the size into the reply, include the \0
 		reply->size_linkText = blen + 1;
 		// sanity check
 		if ( blen + 2 > MAX_LINK_TEXT_LEN ) { char *xx=NULL;*xx=0; }
 		// sanity check. null termination required.
-		if ( linkTextBuf[blen] ) { char *xx=NULL;*xx=0; }
+		if ( m_linkTextBuf[blen] ) { char *xx=NULL;*xx=0; }
 	}

 	// . the link we link to
@ -29814,10 +29812,9 @@ Msg20Reply *XmlDoc::getMsg20Reply ( ) {
 	// get the surrounding link text, around "linkNode"
 	//
 	// radius of 80 characters around n
-	char  sbuf[1201];
 	int32_t  radius = 80;
-	char *p      = sbuf;
-	char *pend   = sbuf + 600;
+	char *p      = m_surroundingTextBuf;
+	char *pend   = m_surroundingTextBuf + sizeof(m_surroundingTextBuf)/2;
 	// . make a neighborhood in the "words" space [a,b]
 	// . radius is in characters, so "convert" into words by dividing by 5
 	int32_t a = n - radius / 5;
--- a/XmlDoc.h
+++ b/XmlDoc.h
@ -82,6 +82,8 @@

 #define XD_MAX_AD_IDS         5

+#define MAX_LINK_TEXT_LEN     512
+#define MAX_SURROUNDING_TEXT_WIDTH 600

 bool setLangVec ( class Words *words , 
 		  class SafeBuf *langBuf , 
@ -1973,6 +1975,8 @@ public:
 	Url m_baseUrl;
 	Msg20Reply m_reply;
 	Msg20Request *m_req;
+	char  m_linkTextBuf[MAX_LINK_TEXT_LEN];
+	char m_surroundingTextBuf[MAX_SURROUNDING_TEXT_WIDTH];
 	//char *m_gsbuf;
 	SafeBuf m_gsbuf;
 	//int32_t  m_gsbufSize;