Opened 6 years ago

Closed 6 years ago

#1249 closed defect/bug (fixed)

maptool segfaults if memory slices > 32GB

Reported by: kazer Owned by: KaZeR
Priority: major Milestone:
Component: tools Version: git master
Severity: normal Keywords:


I ran some tests on a server with a lot of RAM. When the memory slice is bigger than 32GB, maptool segfaults.

(gdb) r -M -k -S "36000000000" -u -5 planet-36.bin.md5 -6 planet-36.bin < planet.o5m
Starting program: /navit/bin/navit/maptool/maptool -M -k -S "36000000000" -u -5 planet-36.bin.md5 -6 planet-36.bin < planet.o5m
warning: Could not load shared library symbols for
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/".
I will KEEP tmp files
PROGRESS: Phase 1: reading input data 0:00 0 MB

Program received signal SIGSEGV, Segmentation fault.
0x000000000041edf3 in node_item_find_index_in_ordered_list (id=200542) at /navit/navit/maptool/osm.c:1377
1377          if (node_buffer_base[node_count-1].id < id)
(gdb) bt
#0  0x000000000041edf3 in node_item_find_index_in_ordered_list (id=200542) at /navit/navit/maptool/osm.c:1377
#1  node_item_get (id=200542) at /navit/navit/maptool/osm.c:1426
#2  0x000000000041eea0 in node_ref_way (node=<optimized out>) at /navit/navit/maptool/osm.c:2904
#3  nodes_ref_item_bin (ib=ib@entry=0x6a5c80 <misc_item_buffer>) at /navit/navit/maptool/osm.c:2915
#4  0x0000000000421701 in osm_end_way (osm=0x7fffffffe550) at /navit/navit/maptool/osm.c:1743
#5  0x0000000000424c99 in map_collect_data_osm_o5m (in=<optimized out>, osm=osm@entry=0x7fffffffe550) at /navit/navit/maptool/osm_o5m.c:307
#6  0x0000000000418e07 in osm_read_input_data (p=0x7fffffffe4e0, suffix=<optimized out>) at /navit/navit/maptool/maptool.c:498
#7  main (argc=<optimized out>, argv=<optimized out>) at /navit/navit/maptool/maptool.c:888

Attachments (1)

huge_slices.diff (1.2 KB) - added by tryagain 6 years ago.


Change History (5)

Changed 6 years ago by tryagain

comment:1 Changed 6 years ago by tryagain

I think I know the reason: the signed int32 count of nodes in the buffer overflows and you get a pointer before the array beginning.

Please verify if it works with a >32GB slice and huge_slices.diff applied.
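The overflow described in comment:1, worked through in C as an added illustration (this is neither navit's code nor the attached patch). The 16-byte node item size is an assumption for the arithmetic; navit's real struct may differ, which only shifts the threshold.

```c
/* Added example, not navit code. Shows why a signed 32-bit node count
 * wraps once a memory slice holds more than INT32_MAX node items. */
#include <stdint.h>
#include <stdio.h>

#define ASSUMED_NODE_ITEM_SIZE 16ULL   /* assumption: bytes per node item */

/* Wrap a 64-bit item count into a signed 32-bit value the way an
 * `int node_count` would end up holding it (well-defined arithmetic). */
int32_t node_count_int32(uint64_t slice_bytes) {
    int64_t v = (int64_t)((slice_bytes / ASSUMED_NODE_ITEM_SIZE) & 0xFFFFFFFFULL);
    if (v > INT32_MAX)
        v -= 4294967296LL;             /* two's-complement wrap */
    return (int32_t)v;
}

/* The same count in an address-sized type, which is what the fix needs. */
uint64_t node_count_wide(uint64_t slice_bytes) {
    return slice_bytes / ASSUMED_NODE_ITEM_SIZE;
}

/* Index used by node_buffer_base[node_count-1] with the int32 count.
 * A negative value is a pointer before the array: the SIGSEGV above. */
int64_t last_index_int32(uint64_t slice_bytes) {
    return (int64_t)node_count_int32(slice_bytes) - 1;
}

/* Defensive check a tool could run at startup: reject slice sizes whose
 * item count does not fit the counter type before any buffer is touched. */
int slice_fits_int32(uint64_t slice_bytes) {
    return node_count_wide(slice_bytes) <= (uint64_t)INT32_MAX;
}

int main(void) {
    /* constructed inputs: just under 32GB, exactly 32GB, and the 36GB from the ticket */
    uint64_t slices[] = { 34359738367ULL, 34359738368ULL, 36000000000ULL };
    for (int i = 0; i < 3; i++) {
        printf("slice=%llu bytes: wide count=%llu int32 count=%d "
               "index of last item=%lld fits=%s\n",
               (unsigned long long)slices[i],
               (unsigned long long)node_count_wide(slices[i]),
               node_count_int32(slices[i]),
               (long long)last_index_int32(slices[i]),
               slice_fits_int32(slices[i]) ? "yes" : "no");
    }
    return 0;
}
```

With 16-byte items the count reaches exactly 2^31 at 32GB, so any slice of 32GB or more wraps negative, matching the threshold reported in the ticket.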

comment:2 Changed 6 years ago by kazer

It works, good job tryagain!

comment:3 Changed 6 years ago by kazer

Committed in r5890

comment:4 Changed 6 years ago by kazer

  • Component changed from core to tools
  • Resolution set to fixed
  • Status changed from new to closed