Description of problem:
Program halts on a 'memory corruption' message after typing too many '-' characters. It appears to be bad handling of memory in the word-wrapping function.

Version-Release number of selected component (if applicable):
joe-3.7-5.fc13.x86_64

How reproducible:
Every time, at least for me (even with the C locale)

Steps to Reproduce:
1. Open the joe editor
2. Start typing the character '-' repeatedly (it should be exactly the '-' character)
3. After around 80 or 90 of them you get 'detected *** joe: malloc(): memory corruption: 0x0000000001639050 ***'

Actual results:
glibc detects memory corruption

Expected results:
No memory corruption

Additional info:
I tried the same steps with ElectricFence (also 100% reproducible):

---
Core was generated by `joe'.
Program terminated with signal 11, Segmentation fault.
#0  0x0000000000434a41 in wrapword (bw=0x7f331470be98, p=0x7f3314607f30, indent=79, french=<value optimized out>, no_over=0, indents=<value optimized out>) at uformat.c:368
368         indents[x] = 0;
Missing separate debuginfos, use: debuginfo-install ElectricFence-2.2.2-29.fc14.x86_64
(gdb) bt full
#0  0x0000000000434a41 in wrapword (bw=0x7f331470be98, p=0x7f3314607f30, indent=79, french=<value optimized out>, no_over=0, indents=<value optimized out>) at uformat.c:368
        x = 80
        r = <value optimized out>
        x = <value optimized out>
        y = <value optimized out>
        q = <value optimized out>
        r = <value optimized out>
        s = <value optimized out>
        rmf = 0
        c = <value optimized out>
        to = 79
        my_indents = 0
#1  0x000000000042f383 in utypebw_raw (bw=0x7f331470be98, k=45, no_decode=<value optimized out>) at uedit.c:1845
        upd = 0
        simple = 1
        x = 78
        map = <value optimized out>
#2  0x000000000040eabb in execmd (cmd=0x6663a0, k=45) at cmd.c:408
        bw = 0x7f331470be98
        ret = -1
#3  0x0000000000411755 in exsimple (m=0x7f33147deb60, arg=<value optimized out>, u=<value optimized out>) at macro.c:425
        cmd = 0x6663a0
        flg = <value optimized out>
        ret = 0
#4  0x0000000000412910 in edloop (flg=0) at main.c:126
        m = <value optimized out>
        c = <value optimized out>
        term = 0
        ret = 0
#5  0x00000000004131b2 in main (argc=<value optimized out>, real_argv=<value optimized out>, envv=0x1) at main.c:535
        cap = <value optimized out>
        sbuf = {st_dev = 64770, st_ino = 1968714, st_nlink = 1, st_mode = 33188, st_uid = 0, st_gid = 0, __pad0 = 0, st_rdev = 0, st_size = 38136, st_blksize = 4096, st_blocks = 80, st_atim = {tv_sec = 1292443461, tv_nsec = 230314016}, st_mtim = {tv_sec = 1265785025, tv_nsec = 0}, st_ctim = {tv_sec = 1292443454, tv_nsec = 966314016}, __unused = {0, 0, 0}}
        s = <value optimized out>
        t = <value optimized out>
        time_rc = <value optimized out>
        run = 0x1 <Address 0x1 out of bounds>
        n = <value optimized out>
        opened = <value optimized out>
        omid = <value optimized out>
        backopt = <value optimized out>
        c = <value optimized out>
---
I can reproduce this in F14, both i686 and x86_64. Please change Platform to "All Linux". Also happens in both F13 and Rawhide x86_64 which have the same version (joe-3.7-5.fc13.x86_64). The Version could be changed to "rawhide".
Fixed in joe-3.7-6.fc15.
Confirmed (at least with the "-" test). Please reopen with Version set to 14, and push fixed builds for 13 and 14 as well. Thanks.
Miroslav: Could you reopen this with Version either 14 or 13? The bug still exists in both of those versions.
Miroslav: Fixed versions of joe for F13 and F14 were just pushed to updates-testing (see bug 684905). Please test and give karma if you can.