Bug 301033 - games-puzzle/braincurses-0.5b crashes with glibc "buffer overflow detected" error
Summary: games-puzzle/braincurses-0.5b crashes with glibc "buffer overflow detected" e...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Games
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Games
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2010-01-14 21:48 UTC by Thomas K
Modified: 2010-01-14 22:34 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
This patch fixes the crash issue (braincurses-memory-access.patch, 627 bytes, patch)
2010-01-14 21:53 UTC, Thomas K
Patch for the ebuild to use the new patch (braincurses-0.5b.ebuild.patch, 353 bytes, patch)
2010-01-14 21:53 UTC, Thomas K

Description Thomas K 2010-01-14 21:48:44 UTC
When started, braincurses crashes because glibc detects a buffer overflow in the code.

Reproducible: Always

Steps to Reproduce:
The backtrace points at the culprit:

(gdb) bt
#0  0x00007ffff70c01b5 in *__GI_raise (sig=<value optimized out>)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff70c15e0 in *__GI_abort () at abort.c:92
#2  0x00007ffff70fae77 in __libc_message (do_abort=<value optimized out>, 
    fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:186
#3  0x00007ffff7174ec7 in *__GI___fortify_fail (
    msg=0x7ffff71ad194 "buffer overflow detected") at fortify_fail.c:32
#4  0x00007ffff7172d20 in *__GI___chk_fail () at chk_fail.c:29
#5  0x00007ffff7172089 in _IO_str_chk_overflow (fp=0x7367, c=29543)
    at vsprintf_chk.c:35
#6  0x00007ffff70feb35 in _IO_default_xsputn (f=0x7fffffffdc40, 
    data=<value optimized out>, n=6) at genops.c:485
#7  0x00007ffff70d0dce in _IO_vfprintf_internal (s=0x7fffffffdc40, 
    format=<value optimized out>, ap=0x7fffffffdd70) at vfprintf.c:1592
#8  0x00007ffff717212d in ___vsprintf_chk (
    s=0x7fffffffdfb0 " \034\267\367\377\177", flags=1, slen=2, 
    format=0x4037b3 "%2d", args=0x7fffffffdd70) at vsprintf_chk.c:87
#9  0x00007ffff717206f in ___sprintf_chk (
    s=0x7367 <Address 0x7367 out of bounds>, flags=29543, slen=6, 
    format=0xffffffffffffffff <Address 0xffffffffffffffff out of bounds>)
    at sprintf_chk.c:33
#10 0x0000000000403029 in sprintf (argv=<value optimized out>, 
    argc=<value optimized out>) at /usr/include/bits/stdio2.h:35
#11 main (argv=<value optimized out>, argc=<value optimized out>)
    at curses/windows.cpp:90


The following piece of code is the source of the problem:

   char guessLabel[2];   /* two bytes: room for the two digits, none for the NUL terminator */
   for( int i = 1; i <= maxGuesses; i++ ) {
      sprintf( guessLabel, "%2d", i );   /* "%2d" writes at least three bytes, so this overflows guessLabel */
   }

Because sprintf needs a third byte to store the null character.
Comment 1 Thomas K 2010-01-14 21:53:03 UTC
Created attachment 216545
This patch fixes the crash issue

The problematic guessLabel is extended to 3 bytes and snprintf is used instead of sprintf.
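The two snippets above (the overflowing sprintf in the description and the 3-byte snprintf fix in comment 1) side by side, as an added example that is not part of the bug report or the braincurses sources; the function names, the 12-guess sample value and the truncation check are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Label buffer as in the fixed code: two digits plus the NUL terminator. */
#define GUESS_LABEL_LEN 3

/* Bytes that sprintf("%2d", i) actually writes, NUL terminator included.
   For any i this is at least 3, which is why the original char[2] overflows
   and glibc's _FORTIFY_SOURCE check (__sprintf_chk) aborts the process. */
size_t bytes_written_by_sprintf(int i) {
    return (size_t)snprintf(NULL, 0, "%2d", i) + 1;
}

/* The fixed form: snprintf never writes past bufsize bytes. Returns 1 when the
   whole label fit, 0 when it was truncated (buf then holds the cut label).
   A guess number above 99 is the one case "%2d" cannot fit into 3 bytes. */
int format_guess_label(char *buf, size_t bufsize, int i) {
    int needed = snprintf(buf, bufsize, "%2d", i);
    return needed >= 0 && (size_t)needed < bufsize;
}

/* Helper for checks: does guess i fit the 3-byte label buffer? */
int label_fits(int i) {
    char buf[GUESS_LABEL_LEN];
    return format_guess_label(buf, sizeof buf, i);
}

/* Helper for checks: does the formatted label for guess i equal expected? */
int label_matches(int i, const char *expected) {
    char buf[GUESS_LABEL_LEN];
    format_guess_label(buf, sizeof buf, i);
    return strcmp(buf, expected) == 0;
}

int main(void) {
    char guessLabel[GUESS_LABEL_LEN];
    int maxGuesses = 12; /* constructed sample value, not taken from the game */
    printf("sprintf(\"%%2d\", 1) writes %zu bytes into a 2-byte buffer\n",
           bytes_written_by_sprintf(1));
    for (int i = 1; i <= maxGuesses; i++) {
        if (format_guess_label(guessLabel, sizeof guessLabel, i))
            printf("[%s]\n", guessLabel);
        else
            printf("guess %d truncated to \"%s\"\n", i, guessLabel);
    }
    return 0;
}
```

Compiling the original snippet with -O2 and _FORTIFY_SOURCE=2 is what turns this overflow into the "buffer overflow detected" abort in the backtrace; without fortification it silently clobbers the byte after guessLabel.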
Comment 2 Thomas K 2010-01-14 21:53:55 UTC
Created attachment 216546
Patch for the ebuild to use the new patch
Comment 3 Mr. Bones. (RETIRED) gentoo-dev 2010-01-14 22:34:15 UTC
fixed in portage.  thanks for the bug report.