Number: 106
Title: Dot crash in Windows when using -Tdot
Submitter: Gerik Rhoden
Date: Thu Mar 7 08:30:25 2002
Subsys: Dot
Version: 1.8
System: x86-Other-Win2k
Severity: major
Problem:
Problem with Windows version 1.8 dated 25th Feb obtained from //www.graphviz.org/pub/graphviz/windows/gv18.exe Ran it from DOXYGEN, and the crashes in DOT were still present, so I did a little tracing. The crashes appear to be due buffer overruns is large source files, as a problem is reported at memory locations like 0x2c333039, i.e. ",309".

The problem only appears when running dot with -Tdot, -Tplain & -Tplain-ext. Output of jpg, gif, png, imap etc all appear to work OK.

Had a look at the source code. In dotneato/common/output.c function dotneato_write(). The only thing in common in the above output modes is a call to attach_attrs() in the same file.

Inspection of the function attach_attrs() reveals the following code pattern: 


{
  char  buf[BUFSIZ],*p;


  p = buf;
  for (...)   /* there two of these */
  {
    sprintf(p,"%d,%d", ...);
    while (*p) p++;
  }
  agset(e,"pos",buf);
}
It is evident from the above code that there is no protection from a buffer overrun in variable buf.

On Windows platforms BUFSIZ is set in STDIO.H to 512. On Linux platforms BUFSIZ is set to 8192. In other words, BUFSIZ is compiler and operating system dependent.

When run on Linux, the max line length of the output file, after removing line splits, appears to be at least 2020. I have no easy access to a debug version, so to check can you run dot with the supplied file, and check how many bytes of variable buf are used. If it is more than 512 then the problem is confirmed.

If confirmed and fixed, I would appreciate a new Windows build of dot.
Input: 

Sorry about the large source file, the problem only happens with large ones.
Input file: b106.dot
Comments:
Overlooked static buffer in attach_attrs in output.c; see also b104, b102, b103.
Owner: erg
Status: Fixed (8 March 2002)