Bug 339248

Summary: media-gfx/exact-image _FORTIFY_SOURCE indicates presence of overflow
Product: Gentoo Linux
Reporter: Diego Elio Pettenò (RETIRED) <flameeyes>
Component: Current packages
Assignee: Gentoo Graphics Project <graphics+disabled>
Status: RESOLVED FIXED
Severity: major
CC: hardened, hwoarang
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 259417
Attachments:
  Build log
  Patch to exact-image-0.8.1.ebuild to address some QA issues
  build.log

Description Diego Elio Pettenò (RETIRED) gentoo-dev 2010-09-30 12:58:23 UTC
You're receiving this bug because the package in Summary has produced _FORTIFY_SOURCE related warnings indicating the presence of a sure overflow in a static buffer.

Even though this is not always an indication of a security problem, it might be. So please check this out ASAP.

By the way, _FORTIFY_SOURCE is disabled when you disable optimisation, so don't try finding out the cause using -O0.

Thanks,
Your friendly neighborhood tinderboxer
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-09-30 12:58:39 UTC
Created attachment 249072: Build log
Comment 2 Kevin Pyle 2010-10-02 04:57:14 UTC
Created attachment 249258 (diff): Patch to exact-image-0.8.1.ebuild to address some QA issues

This patch addresses the following problems:

- User CFLAGS/CXXFLAGS ignored!
- Unqualified CC/CXX used.  This disrupts cross-compiling.
- Make commands were unconditionally hidden, so reading the build log does not show you that the build ignored your CFLAGS.
- Buffer overflow warning due to copying a string into a buffer which lacks room for the null.
- Array bounds warning due to abuse of array math to index elements.

Upstream seems to be a bit aggressive with their choice of default CXXFLAGS.  They use flags that would probably get a Gentoo bug rejected as INVALID with a request to "stop ricing and try again."  However, I have left that alone here.  With user CXXFLAGS respected, concerned users can modify their CXXFLAGS to counter the upstream flags if needed.
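The fourth item in the list above, a destination sized for a string's characters but not for its terminating NUL, is exactly the "sure overflow in a static buffer" that _FORTIFY_SOURCE reports at -O2. The following is an added example written for this page, not exact-image's code or Kevin Pyle's patch: the buffer, the LABEL string and the helper names are constructed for illustration. It shows the undersized-buffer pattern as a size calculation (without performing the overflowing copy), the check that fortification performs, and a bounded copy that reports truncation instead of overflowing.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not exact-image's code.  LABEL stands in for the
 * string the original copied; it has 11 characters and needs 12 bytes. */
#define LABEL "exact-image"

/* Number of bytes strcpy(dst, src) actually writes: the characters plus the NUL. */
static size_t bytes_written_by_strcpy(const char *src)
{
    return strlen(src) + 1;
}

/* 1 if a strcpy of src fits in a destination of dst_size bytes, else 0.
 * This is the comparison _FORTIFY_SOURCE makes: at compile time when both
 * sizes are static (gcc warns that the call "will always overflow destination
 * buffer"), otherwise at run time via __strcpy_chk, where failure aborts. */
static int copy_fits(size_t dst_size, const char *src)
{
    return bytes_written_by_strcpy(src) <= dst_size;
}

/* The buggy sizing: sizeof(LABEL) - 1 leaves room for the characters only.
 * Returns how many bytes a strcpy would write past the end of dst (1 here).
 * The copy itself is deliberately not performed. */
static size_t overflow_by_undersized_buffer(void)
{
    char dst[sizeof(LABEL) - 1];               /* 11 bytes, no room for the NUL */
    size_t need = bytes_written_by_strcpy(LABEL);
    return need > sizeof dst ? need - sizeof dst : 0;
}

/* Bounded copy: always NUL-terminates, never writes past dst_size.
 * Returns 0 on success, -1 (and an empty dst) if src does not fit. */
static int copy_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return -1;
    if (!copy_fits(dst_size, src)) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, strlen(src) + 1);
    return 0;
}

/* Correct sizing: sizeof of a string literal already counts the NUL.
 * Copies LABEL into a properly sized local buffer, then out to the caller. */
static int copy_into_sized_buffer(char *out, size_t out_size)
{
    char dst[sizeof(LABEL)];                   /* 12 bytes */
    int rc = copy_checked(dst, sizeof dst, LABEL);
    if (rc == 0 && out != NULL && out_size >= sizeof dst)
        memcpy(out, dst, sizeof dst);
    return rc;
}

int main(void)
{
    char buf[32];
    printf("undersized buffer overflows by %zu byte(s)\n",
           overflow_by_undersized_buffer());
    printf("sized copy rc=%d -> \"%s\"\n",
           copy_into_sized_buffer(buf, sizeof buf), buf);
    return 0;
}
```

The compile-time warning only appears when the optimiser can see both sizes, which is why the report above says not to investigate at -O0: with optimisation off the `__builtin___strcpy_chk` expansion is not used and the overflow is silent until it corrupts the adjacent stack slot.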
Comment 3 Markos Chandras (RETIRED) gentoo-dev 2010-10-26 10:54:48 UTC
I am still getting the QA warning about array bounds with your patch 
Comment 4 Kevin Pyle 2010-10-27 01:57:03 UTC
(In reply to comment #3)
> I am still getting the QA warning about array bounds with your patch 

Could you be more specific?  What file and line warn?
Comment 5 Markos Chandras (RETIRED) gentoo-dev 2010-10-27 07:55:15 UTC
Created attachment 252165: build.log

See the attached log
Comment 6 Kevin Pyle 2010-10-28 03:26:46 UTC
(In reply to comment #5)
> Created an attachment (id=252165): build.log

That looks like my patch was not used at all.  Among the changes I made, I removed the directives that print just "C++ <filename>" and instead made it print the real command executed.  I also fixed the _FORTIFY_SOURCE issue, but your build log shows that upstream bug is also present.
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2010-10-28 10:17:47 UTC
OK, I might have forgotten to apply your patch. Now that I did, I still get QA warnings about the array bounds:

* QA Notice: Package has poor programming practices which may compile
* fine but exhibit random runtime failures.    
* codecs/dcraw.h:6469:96: warning: array subscript is above array bounds
* codecs/dcraw.h:6469:96: warning: array subscript is above array bounds
* codecs/dcraw.h:6469:96: warning: array subscript is above array bounds
Comment 8 Kevin Pyle 2010-10-29 03:37:57 UTC
(In reply to comment #7)
> Ok I might forgot to apply your patch. Now that I did, I still get QA warnings
> about the array bounds

I lack the setup to build the entire media-gfx/exact-image package here, and cannot reproduce the warning on a trivial testcase consisting of overstepping an array using the [0][j] construct used in the original code.  As far as I know, the method they use happens to work (although it is bad form).  I only fixed it since I was in the area cleaning up real problems, like the _FORTIFY_SOURCE failure.

Looking more closely at the proposed fix, I think I made a mistake.  The lengthof construct I used is measuring the wrong value for the division operations.  I suggest dropping my attempt at fixing the -Warray-overflow problem for now so as not to hold up the real fix for the _FORTIFY_SOURCE issue over a currently cosmetic warning.  The array bounds issue can be revisited later.
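The [0][j] construct discussed in comments 2 and 8, and the divisor mistake comment 8 admits, are easiest to see on a small table. The following is an added example written for this page, not exact-image's codecs/dcraw.h or the ebuild patch; the `curve` table and the function names are constructed, and which row-length macro the original patch used is my assumption from the wording of comment 8.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not exact-image's code.  The table is constructed. */
#define lengthof(a) (sizeof(a) / sizeof((a)[0]))

static const unsigned short curve[3][4] = {
    {  0,  1,  2,  3 },
    { 10, 11, 12, 13 },
    { 20, 21, 22, 23 },
};

enum { ROWS = lengthof(curve), COLS = lengthof(curve[0]) };

/* The original idiom: walk the whole table through its first row.  Storage
 * is contiguous, so it "happens to work", but for j >= COLS the subscript is
 * past the end of curve[0], which is undefined behaviour in C and what
 * -Warray-bounds reports when j is known at compile time. */
static unsigned short flat_lookup_unchecked(size_t j)
{
    return curve[0][j];
}

/* The mistake comment 8 describes: dividing by the row count
 * (lengthof(curve) == 3) instead of the row length.  Guarded so it cannot
 * read outside the table, but it maps j to the wrong element. */
static int flat_lookup_wrong_divisor(size_t j)
{
    size_t row = j / ROWS, col = j % ROWS;
    if (row >= ROWS || col >= COLS)
        return -1;
    return curve[row][col];
}

/* Correct flat indexing: the divisor is the row length
 * (lengthof(curve[0]) == COLS).  Returns -1 for j past the last element. */
static int flat_lookup(size_t j)
{
    if (j >= (size_t)ROWS * COLS)
        return -1;
    return curve[j / COLS][j % COLS];
}

int main(void)
{
    for (size_t j = 0; j < (size_t)ROWS * COLS; j++)
        printf("%d ", flat_lookup(j));
    printf("\nin-bounds unchecked[2] = %u, wrong divisor at j=5 gives %d (expected %d)\n",
           flat_lookup_unchecked(2), flat_lookup_wrong_divisor(5), flat_lookup(5));
    return 0;
}
```

Element 5 of the flattened table is curve[1][1] = 11; dividing by the row count instead yields curve[1][2] = 12, which is the kind of silent off-by-row error a wrong lengthof operand produces, and why deferring that part of the patch rather than shipping it half-checked was the right call.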
Comment 9 Pacho Ramos gentoo-dev 2012-10-06 11:47:17 UTC
+*exact-image-0.8.1-r1 (06 Oct 2012)
+
+  06 Oct 2012; Pacho Ramos <pacho@gentoo.org> +exact-image-0.8.1-r1.ebuild:
+  Include various fixes from Kevin Pyle, bug #339248.
+
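Review bot: the entry credits "various fixes from Kevin Pyle" without saying which ones; comment 8 recommended dropping the lengthof-based array-bounds change (its divisor measured the wrong value) and keeping only the CFLAGS/CXXFLAGS, CC/CXX and _FORTIFY_SOURCE fixes, so the changelog should state whether the -r1 ebuild carries the trimmed patch or the original attachment, for example "Include CFLAGS, cross-compiling and _FORTIFY_SOURCE fixes from Kevin Pyle".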