From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1J4Qx3-0006ma-Lb
	for qemu-devel@nongnu.org; Mon, 17 Dec 2007 20:08:53 -0500
Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43)
	id 1J4Qx2-0006lr-7q
	for qemu-devel@nongnu.org; Mon, 17 Dec 2007 20:08:53 -0500
Received: from [199.232.76.173] (helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1J4Qx1-0006lh-Pp
	for qemu-devel@nongnu.org; Mon, 17 Dec 2007 20:08:51 -0500
Received: from ug-out-1314.google.com ([66.249.92.171])
	by monty-python.gnu.org with esmtp (Exim 4.60)
	(envelope-from <balrogg@gmail.com>) id 1J4Qx1-0002Yk-Js
	for qemu-devel@nongnu.org; Mon, 17 Dec 2007 20:08:51 -0500
Received: by ug-out-1314.google.com with SMTP id m2so29722uge.4
	for <qemu-devel@nongnu.org>; Mon, 17 Dec 2007 17:08:50 -0800 (PST)
Message-ID: <fb249edb0712171708j763de0a0ndaae035d7ab5949f@mail.gmail.com>
Date: Tue, 18 Dec 2007 02:08:50 +0100
From: "andrzej zaborowski" <balrogg@gmail.com>
Subject: Re: [Qemu-devel] New Qemu Crash found with evidence of memory
	corruption
In-Reply-To: <je63yywo0p.fsf@sykes.suse.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <64F9B87B6B770947A9F8391472E032160C95C60D@ehost011-8.exch011.intermedia.net>
	<je63yywo0p.fsf@sykes.suse.de>
Reply-To: qemu-devel@nongnu.org
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org

On 16/12/2007, Andreas Schwab <schwab@suse.de> wrote:
> "Alexey Eremenko" <alexey.eremenko@qumranet.com> writes:
>
> > ======================================================
> > The error seems to be in Qemu's readline.c:
> >
> > if (idx == TERM_MAX_CMDS) {
> > /* Need to get one free slot */
> > free(term_history[0]); <-- Here is the error.
> > memcpy(term_history, &term_history[1],
> > &term_history[TERM_MAX_CMDS] - &term_history[1]);
> > term_history[TERM_MAX_CMDS - 1] = NULL;
> > idx = TERM_MAX_CMDS - 1;
> > }
> >
>
> Please try this:
>
> --- readline.c  09 Dez 2007 19:27:48 +0100      1.7
> +++ readline.c  16 Dez 2007 18:22:43 +0100
> @@ -267,7 +267,7 @@ static void term_hist_add(const char *cm
>             new_entry = hist_entry;
>             /* Put this entry at the end of history */
>             memmove(&term_history[idx], &term_history[idx + 1],
> -                   &term_history[TERM_MAX_CMDS] - &term_history[idx + 1]);
> +                   (TERM_MAX_CMDS - idx + 1) * sizeof(char *));
>             term_history[TERM_MAX_CMDS - 1] = NULL;
>             for (; idx < TERM_MAX_CMDS; idx++) {
>                 if (term_history[idx] == NULL)
> @@ -280,7 +280,7 @@ static void term_hist_add(const char *cm
>         /* Need to get one free slot */
>         free(term_history[0]);
>         memcpy(term_history, &term_history[1],
> -              &term_history[TERM_MAX_CMDS] - &term_history[1]);
> +              (TERM_MAX_CMDS - 1) * sizeof(char *));
>         term_history[TERM_MAX_CMDS - 1] = NULL;
>         idx = TERM_MAX_CMDS - 1;
>      }

This is correct. I remember submitting the exact same fix about a year
and a half ago in the patch to save/restore monitor history between
sessions. By the way would there be interest to have such feature in
mainline cvs?

Regards