Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 336604 - sci-geosciences/gmt _FORTIFY_SOURCE indicates presence of overflow
Summary: sci-geosciences/gmt _FORTIFY_SOURCE indicates presence of overflow
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Sci-geo Project
Depends on:
Blocks: fortify-source
  Show dependency tree
Reported: 2010-09-09 14:45 UTC by Diego Elio Pettenò (RETIRED)
Modified: 2011-06-07 13:03 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Build log (gmt-4.5.0-r2:20100909-102458.log,40.82 KB, text/plain)
2010-09-09 14:45 UTC, Diego Elio Pettenò (RETIRED)

Note You need to log in before you can comment on or make changes to this bug.
Description Diego Elio Pettenò (RETIRED) gentoo-dev 2010-09-09 14:45:36 UTC
You're receiving this bug because the package in Summary has produced _FORTIFY_SOURCE related warnings indicating the presence of a sure overflow in a static buffer.

Even though this is not always an indication of a security problem it might even be. So please check this out ASAP.

By the way, _FORTIFY_SOURCE is disabled when you disable optimisation, so don't try finding out the cause using -O0.

Your friendly neighborhood tinderboxer
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-09-09 14:45:52 UTC
Created attachment 246601 [details]
Build log
Comment 2 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2010-09-10 16:37:25 UTC
+*eugene-3.6-r1 (10 Sep 2010)
+  10 Sep 2010; Kacper Kowalik <> -eugene-3.6.ebuild,
+  +eugene-3.6-r1.ebuild, +files/eugene-3.6-overflow.patch,
+  +files/eugene-3.6-plugins.patch:
+  Fix overflows wrt bug 336604 and install path wrt bug 297536. Thanks to
+  Diego for the reports.
Comment 3 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2010-09-10 16:40:15 UTC
grrr wrong bug, sorry
Comment 4 Kevin Pyle 2010-09-11 05:34:01 UTC
The overflows in gmt_customio.c are because the code uses a char id[4], but uses it as a sequence of 4 bytes, rather than a 4 character string.  It does not use a null terminator, but uses str* functions on it anyway.  Unfortunately, the structure containing the char id[4] is written to a file, so the array cannot simply be expanded.
Comment 5 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-09-15 12:04:35 UTC
Should use memcpy or strncpy then…
Comment 6 Tomáš Chvátal (RETIRED) gentoo-dev 2011-06-07 13:03:41 UTC
4.5.6 does not suffer from this issue. Closing as fixed.