Bug 921536 - games-puzzle/magiccube4d-2.2-r1 crash trying to read save state
Summary: games-puzzle/magiccube4d-2.2-r1 crash trying to read save state
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Games
URL:
Whiteboard:
Keywords: PATCH
Depends on:
Blocks:
 
Reported: 2024-01-07 03:36 UTC by Khumba
Modified: 2024-01-07 04:39 UTC
See Also:
Package list:
Runtime testing required: ---


Attachments
emerge --info (emerge-info.txt,9.53 KB, text/plain)
2024-01-07 03:36 UTC, Khumba
Patch to drop unused variable causing overflow (magiccube4d-2.2-overflow.patch,688 bytes, patch)
2024-01-07 03:37 UTC, Khumba
Description Khumba 2024-01-07 03:36:23 UTC
magiccube4d saves the cube state in ~/.magiccube4dlog when Save is clicked or on a clean exit (i.e. the Quit button, not closing the X window).  When this file exists, it tries to load it on startup, leading to a crash:

Program received signal SIGABRT, Aborted.
0x00007ffff78b2adc in ?? () from /usr/lib64/libc.so.6
(gdb) bt
#0  0x00007ffff78b2adc in ?? () from /usr/lib64/libc.so.6
#1  0x00007ffff78658b2 in raise () from /usr/lib64/libc.so.6
#2  0x00007ffff784f4ad in abort () from /usr/lib64/libc.so.6
#3  0x00007ffff78503ee in ?? () from /usr/lib64/libc.so.6
#4  0x00007ffff7940f05 in __fortify_fail () from /usr/lib64/libc.so.6
#5  0x00007ffff793f880 in __chk_fail () from /usr/lib64/libc.so.6
#6  0x00007ffff787c292 in ?? () from /usr/lib64/libc.so.6
#7  0x00007ffff787c6c9 in ?? () from /usr/lib64/libc.so.6
#8  0x00007ffff7884521 in ?? () from /usr/lib64/libc.so.6
#9  0x00007ffff789ea62 in ?? () from /usr/lib64/libc.so.6
#10 0x00007ffff793f325 in __sprintf_chk () from /usr/lib64/libc.so.6
#11 0x000055555555f8f1 in sprintf (__fmt=0x555555569509 " @%%%d[^@]@(", __s=0x7ffffffdaa36 " @%1233[^@\001") at /usr/include/bits/stdio2.h:30
#12 MacroManager::read (this=0x5555555aa450, fp=fp@entry=0x5555555a9270) at MacroManager.cpp:250
#13 0x0000555555559557 in EventHandler::readLogfile (this=this@entry=0x7ffffffdb020, filename=0x5555555a32ac "/home/khumba/.magiccube4dlog") at EventHandler.cpp:221
#14 0x00005555555599f9 in EventHandler::EventHandler (this=this@entry=0x7ffffffdb020, argc=<optimized out>, argv=<optimized out>, 
    machine_type=machine_type@entry=0x555555569710 "X") at EventHandler.cpp:133
#15 0x0000555555558873 in main (argc=<optimized out>, argv=<optimized out>) at Main.cpp:29

MacroManager.cpp has this bit of code:

bool
MacroManager::read(FILE *fp)
{
    int c;
    Macro* mac;
    int nrefs, refs[MAXREFS][4];
    int face, stickerwithinface;
    struct stickerspec sticker;
    char name[1234];
    char format[10];  /* 10 bytes, but " @%1233[^@]@(" needs 13 characters plus the NUL */
    sprintf(format, " @%%%d[^@]@(", (int)sizeof(name) - 1);
    sprintf(format, " @%%[^@]@(");  /* ARGH! FIX THIS-- maybe the other way
                                       worked after all, check it out */
    /* FIX THIS!  overflow is quite likely if the final delimiter is missing
       in the file */
    ...

The first sprintf() call overflows 'format' and causes the crash.  'format' isn't used in the rest of the function though, so it should be safe to remove; removing it fixes the crash, and the save state loads properly.
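To make the arithmetic behind the fortify abort concrete, here is an added example (my own code, not from magiccube4d or the attached patch). It measures how many bytes the bounded scanf format in MacroManager::read actually needs for a 1234-byte name buffer, builds it with snprintf so an undersized destination is refused instead of overflowed, and then uses the width-bounded format together with %n to read a field so that an over-long or unterminated name field in the log file, the failure mode the "FIX THIS" comment warns about, is rejected rather than written past the end of name[]. The function names and the sample inputs are mine.

```c
#include <stdio.h>
#include <string.h>

/* Bytes (excluding the terminating NUL) needed by the scanf format
 * " @%<width>[^@]@(" when the destination buffer holds name_size bytes.
 * snprintf with a NULL buffer and size 0 only measures; nothing is written.
 * For name_size == 1234 this is 13, so char format[10] is three bytes short
 * before even counting the NUL. */
int scan_format_length(size_t name_size) {
    return snprintf(NULL, 0, " @%%%d[^@]@(", (int)name_size - 1);
}

/* Build the bounded format into buf without writing past bufsz.
 * Returns 1 on success, 0 if buf is too small (buf is then an empty string)
 * or name_size leaves no room for a usable scanf width. */
int build_scan_format(char *buf, size_t bufsz, size_t name_size) {
    if (bufsz == 0) return 0;
    if (name_size < 2) { buf[0] = '\0'; return 0; }
    int n = snprintf(buf, bufsz, " @%%%d[^@]@(", (int)name_size - 1);
    if (n < 0 || (size_t)n >= bufsz) {
        buf[0] = '\0';
        return 0;
    }
    return 1;
}

/* Convenience wrapper for a destination of bufsz bytes (at most 64 here):
 * returns 1 if the format for name_size fits, 0 if it would overflow. */
int format_fits(size_t bufsz, size_t name_size) {
    char buf[64];
    if (bufsz > sizeof buf) return 0;
    return build_scan_format(buf, bufsz, name_size);
}

/* Read one name field from input using the width-bounded format plus %n.
 * Returns the number of bytes stored in name, or -1 if the field did not
 * fit in name_size bytes or the closing "@(" delimiter was missing.
 * Because consumed is only set once the literal "@(" has matched, a field
 * that was cut off by the width limit is detected rather than silently
 * truncated. */
int read_name_bounded(const char *input, char *name, size_t name_size) {
    char fmt[32];
    int consumed = 0;
    if (!build_scan_format(fmt, sizeof fmt, name_size)) return -1;
    if (strlen(fmt) + 2 >= sizeof fmt) return -1;   /* room for "%n" */
    strcat(fmt, "%n");
    name[0] = '\0';
    if (sscanf(input, fmt, name, &consumed) < 1 || consumed == 0) return -1;
    return (int)strlen(name);
}

/* Demo wrapper with an 8-byte destination, so at most 7 name bytes fit. */
int read_name_demo(const char *input) {
    char name[8];
    return read_name_bounded(input, name, sizeof name);
}

int main(void) {
    /* Constructed inputs in the " @<name>@(" shape the game's log uses. */
    const char *ok      = " @abc@( rest";          /* fits, delimiter present */
    const char *toolong = " @abcdefghijklmnop@(";   /* longer than name[] */
    const char *cut     = " @abc";                  /* delimiter missing */

    printf("format for name[1234] needs %d bytes + NUL\n", scan_format_length(1234));
    printf("fits in 10 bytes: %d, fits in 16 bytes: %d\n",
           format_fits(10, 1234), format_fits(16, 1234));
    printf("ok: %d, too long: %d, cut: %d\n",
           read_name_demo(ok), read_name_demo(toolong), read_name_demo(cut));
    return 0;
}
```

The reporter's patch simply drops the unused buffer, which is the right fix for this crash; the example above shows what the original code was trying to do and why a width limit on %[^@] matters if a format like this is ever reintroduced.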
Comment 1 Khumba 2024-01-07 03:36:38 UTC
Created attachment 881585
emerge --info
Comment 2 Khumba 2024-01-07 03:37:40 UTC
Created attachment 881586
Patch to drop unused variable causing overflow