magiccube4d saves the cube state in ~/.magiccube4dlog, when Save is clicked or on a clean exit (i.e. the Quit button, not closing the X window). When this file exists, it tries to load it on startup, leading to a crash:

Program received signal SIGABRT, Aborted.
0x00007ffff78b2adc in ?? () from /usr/lib64/libc.so.6
(gdb) bt
#0  0x00007ffff78b2adc in ?? () from /usr/lib64/libc.so.6
#1  0x00007ffff78658b2 in raise () from /usr/lib64/libc.so.6
#2  0x00007ffff784f4ad in abort () from /usr/lib64/libc.so.6
#3  0x00007ffff78503ee in ?? () from /usr/lib64/libc.so.6
#4  0x00007ffff7940f05 in __fortify_fail () from /usr/lib64/libc.so.6
#5  0x00007ffff793f880 in __chk_fail () from /usr/lib64/libc.so.6
#6  0x00007ffff787c292 in ?? () from /usr/lib64/libc.so.6
#7  0x00007ffff787c6c9 in ?? () from /usr/lib64/libc.so.6
#8  0x00007ffff7884521 in ?? () from /usr/lib64/libc.so.6
#9  0x00007ffff789ea62 in ?? () from /usr/lib64/libc.so.6
#10 0x00007ffff793f325 in __sprintf_chk () from /usr/lib64/libc.so.6
#11 0x000055555555f8f1 in sprintf (__fmt=0x555555569509 " @%%%d[^@]@(", __s=0x7ffffffdaa36 " @%1233[^@\001") at /usr/include/bits/stdio2.h:30
#12 MacroManager::read (this=0x5555555aa450, fp=fp@entry=0x5555555a9270) at MacroManager.cpp:250
#13 0x0000555555559557 in EventHandler::readLogfile (this=this@entry=0x7ffffffdb020, filename=0x5555555a32ac "/home/khumba/.magiccube4dlog") at EventHandler.cpp:221
#14 0x00005555555599f9 in EventHandler::EventHandler (this=this@entry=0x7ffffffdb020, argc=<optimized out>, argv=<optimized out>, machine_type=machine_type@entry=0x555555569710 "X") at EventHandler.cpp:133
#15 0x0000555555558873 in main (argc=<optimized out>, argv=<optimized out>) at Main.cpp:29

MacroManager.cpp has this bit of code:

bool MacroManager::read(FILE *fp)
{
    int c;
    Macro* mac;
    int nrefs, refs[MAXREFS][4];
    int face, stickerwithinface;
    struct stickerspec sticker;
    char name[1234];
    char format[10];
    sprintf(format, " @%%%d[^@]@(", (int)sizeof(name) - 1);
    sprintf(format, " @%%[^@]@("); /* ARGH! FIX THIS-- maybe the other way worked after all, check it out */
    /* FIX THIS! overflow is quite likely if the final delimiter is missing in the file */
    ...

The first sprintf() call overflows 'format' and causes the crash. 'format' isn't used in the rest of the function though, so it should be safe to remove, and removing it fixes the crash, and the save state loads properly.
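The arithmetic behind the abort in the report above is small enough to check by hand: the expanded format " @%1233[^@]@(" is 13 characters plus a NUL, so 14 bytes are written into a 10-byte 'format', and glibc's __sprintf_chk (enabled by _FORTIFY_SOURCE) catches it and calls abort(). The following is an added example, not code from magiccube4d or from the reporter: it reproduces that size calculation, shows the snprintf form that reports the needed length instead of overrunning the buffer, and then uses the width-limited scanf format on a constructed macro header so that a name with no closing '@' delimiter (the case the second FIX THIS comment worries about) stays within the 1234-byte 'name' buffer. The function names, the 32-byte format buffer and the sample input lines are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example; the constants mirror the declarations quoted in the
 * bug report ('char name[1234]' and 'char format[10]'). */
#define NAME_SIZE 1234
#define BAD_FORMAT_SIZE 10

/* Bytes (including the NUL) that the width-carrying scanf format
 * " @%<width>[^@]@(" needs for a given name buffer size.
 * snprintf with a NULL buffer and size 0 only counts, it writes nothing. */
size_t format_bytes_needed(size_t name_size) {
    int n = snprintf(NULL, 0, " @%%%d[^@]@(", (int)name_size - 1);
    return (size_t)n + 1;
}

/* Does the format for this name size fit into a buffer of buf_size bytes?
 * For NAME_SIZE and BAD_FORMAT_SIZE this is the check sprintf() never made. */
int format_fits(size_t name_size, size_t buf_size) {
    return format_bytes_needed(name_size) <= buf_size;
}

/* Bounded replacement for the crashing sprintf(): snprintf truncates and
 * returns the length it wanted, so an undersized buffer is reported
 * (return 0) rather than overrun. Returns 1 on success. */
int build_format(char *buf, size_t buf_size, size_t name_size) {
    int n = snprintf(buf, buf_size, " @%%%d[^@]@(", (int)name_size - 1);
    return n >= 0 && (size_t)n < buf_size;
}

/* Parse a macro header of the form " @<name>@(" into name (NAME_SIZE bytes).
 * The %1233[^@] conversion stores at most 1233 characters plus a NUL, so a
 * line whose closing '@' is missing cannot overflow name; the unbounded
 * %[^@] form used by the second sprintf() in the report has no such limit.
 * Returns the number of fields converted (1 on success), -1 if the format
 * could not be built. */
int read_macro_name(const char *line, char *name) {
    char format[32];  /* 14 bytes are needed for NAME_SIZE; 32 leaves margin */
    if (!build_format(format, sizeof format, NAME_SIZE))
        return -1;
    return sscanf(line, format, name);
}

int main(void) {
    char name[NAME_SIZE];
    /* Constructed sample of a macro header as the log file would carry it. */
    const char *line = " @spin-all-faces@(";

    printf("format needs %zu bytes; fits in %d bytes: %s\n",
           format_bytes_needed(NAME_SIZE), BAD_FORMAT_SIZE,
           format_fits(NAME_SIZE, BAD_FORMAT_SIZE) ? "yes" : "no");
    if (read_macro_name(line, name) == 1)
        printf("macro name: %s\n", name);
    return 0;
}
```

Compiled with -D_FORTIFY_SOURCE=2 -O2 the original sprintf() into a 10-byte buffer aborts exactly as in the backtrace; build_format() returns 0 for the same buffer and succeeds for any buffer of at least 14 bytes. The sscanf call deliberately uses a non-literal format, as MacroManager::read does, which is why the width must be embedded in the format string rather than relying on the compiler to check it.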
Created attachment 881585: emerge --info
Created attachment 881586 (patch): Patch to drop unused variable causing overflow
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=95d699746eb43cc79aa51c241596e59998a153ad

commit 95d699746eb43cc79aa51c241596e59998a153ad
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2024-08-17 22:56:18 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2024-08-17 22:59:34 +0000

    games-puzzle/magiccube4d: Drop old 2.2-r1

    Closes: https://bugs.gentoo.org/899008
    Closes: https://bugs.gentoo.org/921536
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 games-puzzle/magiccube4d/Manifest                          |  2 -
 .../files/magiccube4d-2.2-64bit-ptr.patch                  | 53 ----------------------
 games-puzzle/magiccube4d/files/magiccube4d-2.2-gcc41.patch | 22 ---------
 .../files/magiccube4d-2.2-ldflags.patch                    | 15 ------
 .../files/magiccube4d-EventHandler.patch                   | 11 -----
 games-puzzle/magiccube4d/magiccube4d-2.2-r1.ebuild         | 44 ------------------
 6 files changed, 147 deletions(-)