How to resolve addresses in *** buffer overflow detected *** Backtrace after the fact

Hans de Goede j.w.r.degoede at hhs.nl
Wed Dec 12 19:39:41 UTC 2007


Daniel P. Berrange wrote:
> On Tue, Dec 11, 2007 at 09:57:57PM +0100, Hans de Goede wrote:
>> Hi,
>>
>> I just received a bug report with a backtrace generated by glibc attached:
>> https://bugzilla.redhat.com/attachment.cgi?id=284591
>>
>> Looks like a real bug however the reporter doesn't know exactly what he did 
>> to trigger this, so now I want to convert the backtrace glibc generated 
>> into one with filenames and line numbers for the addresses of the xfig 
>> stack frames.
>>
>> Can anyone tell me how to do this?
> 
> The following seems to work....
> 
>  # yum --enablerepo=development-debuginfo install xfig-debuginfo
> 
>  # gdb /usr/bin/xfig-plain
> 
> (gdb) list *0x4a3909
> 0x4a3909 is in reset_topruler (/usr/include/bits/stdio2.h:34).
> 29
> 30      #ifdef __va_arg_pack
> 31      __extern_always_inline int
> 32      __NTH (sprintf (char *__restrict __s, __const char *__restrict __fmt, ...))
> 33      {
> 34        return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
> 35                                        __bos (__s), __fmt, __va_arg_pack ());
> 36      }
> 37      #elif !defined __cplusplus
> 38      # define sprintf(str, ...) \
> 
> 
> So the code is a sprintf call from the reset_topruler method.
> 
> Looking at that method, we can see a likely candidate:
> 
> (gdb) list reset_topruler 
> 1160    /* Note: For reset_top/sideruler to work properly, the value of skip should be
> 1161     * such that (skip/ruler_unit) is an integer or (ruler_unit/skip) is an integer.
> 1162     */
> 1163
> 1164    void reset_topruler(void)
> 1165    {
> 1166        register int    i,k;
> 1167        register tick_info* tk;
> 1168        register Pixmap p = topruler_pm;
> 1169        char            number[6];
> (gdb) list +
> 1170        int             X0,len;
> 1171        int             tickmod, tickskip;
> 1172
> 1173        /* top ruler, adjustments for digits are kludges based on 6x13 char */
> 1174        XFillRectangle(tool_d, p, tr_erase_gc, 0, 0, TOPRULER_WD, TOPRULER_HT);
> 1175
> 1176        /* set the number of pixels to skip between labels and precision for float */
> 1177        get_skip_prec();
> 1178
> 1179        X0 = BACKX(0);
> (gdb) list +
> 1180        X0 -= (X0 % skip);
> 1181        tickmod = (int) round(ruler_unit/appres.userscale);
> 1182        if (tickmod == 0)
> 1183            tickmod = 1;
> 1184
> 1185        /* see how big a label is to adjust spacing, if necessary */
> 1186        sprintf(number, "%d%s", (X0+(int)((TOPRULER_WD/zoomscale)))/tickmod, cur_fig_units);
> 1187        len = XTextWidth(roman_font, number, strlen(number));
> 1188        while (skipx < (len + 5)/zoomscale) {
> 1189            skip *= 2;
> 
> 
> Line 1186 is printing a string into a fixed length buffer with no
> checking. A clear buffer overflow candidate there if the combo of
> the ruler size & the figure units are longer than 5 characters :-(
> 
> Regards,
> Dan.

Many thanks!

A fixed version is building now :)

Regards,

Hans
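As an added illustration of the bug Dan points at (example code, not from xfig or from either poster), the following C program measures what the "%d%s" label needs against xfig's six-byte buffer and shows the bounded snprintf replacement; the ruler values and unit strings are constructed inputs.

```c
#include <stdio.h>
#include <string.h>

/* Size of xfig's label buffer in reset_topruler(): "char number[6]". */
#define LABEL_SZ 6

/* Bytes (excluding the NUL) that the "%d%s" label needs for a given tick
 * value and unit string. snprintf with a NULL, zero-size destination only
 * measures; it writes nothing. */
size_t label_len(int value, const char *units)
{
    int n = snprintf(NULL, 0, "%d%s", value, units);
    return n < 0 ? 0 : (size_t)n;
}

/* Hardened replacement for sprintf(number, "%d%s", ...): never writes past
 * buf[size-1], always NUL-terminates, and reports whether the label was
 * truncated so the caller can enlarge the buffer or log the condition.
 * Returns 1 if the label fit, 0 if it was truncated or formatting failed. */
int format_label(char *buf, size_t size, int value, const char *units)
{
    int n = snprintf(buf, size, "%d%s", value, units);
    if (n < 0) {
        if (size)
            buf[0] = '\0';
        return 0;
    }
    return (size_t)n < size;
}

/* Would the original unchecked sprintf overflow number[LABEL_SZ] for this
 * input? Only computes the answer; it never performs the overflow. This is
 * Dan's "longer than 5 characters" condition (5 chars + NUL = 6 bytes). */
int would_overflow(int value, const char *units)
{
    return label_len(value, units) + 1 > LABEL_SZ;
}

int main(void)
{
    char number[LABEL_SZ];
    /* Constructed inputs: a small ruler label fits, a large ruler position
     * with a two-letter unit does not. */
    printf("overflow? 42in=%d 12345cm=%d\n",
           would_overflow(42, "in"), would_overflow(12345, "cm"));
    if (!format_label(number, sizeof number, 12345, "cm"))
        printf("truncated to \"%s\"\n", number);
    return 0;
}
```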



