How to resolve addresses in a *** buffer overflow detected *** backtrace after the fact
Hans de Goede
j.w.r.degoede at hhs.nl
Wed Dec 12 19:39:41 UTC 2007
Daniel P. Berrange wrote:
> On Tue, Dec 11, 2007 at 09:57:57PM +0100, Hans de Goede wrote:
>> Hi,
>>
>> I just received a bug report with a backtrace generated by glibc attached:
>> https://bugzilla.redhat.com/attachment.cgi?id=284591
>>
>> Looks like a real bug, however the reporter doesn't know exactly what he did
>> to trigger this, so now I want to convert the backtrace glibc generated
>> into one with filenames and line numbers for the addresses of the xfig
>> stack frames.
>>
>> Can anyone tell me how to do this?
>
> The following seems to work....
>
> # yum --enablerepo=development-debuginfo install xfig-debuginfo
>
> # gdb /usr/bin/xfig-plain
>
> (gdb) list *0x4a3909
> 0x4a3909 is in reset_topruler (/usr/include/bits/stdio2.h:34).
> 29
> 30 #ifdef __va_arg_pack
> 31 __extern_always_inline int
> 32 __NTH (sprintf (char *__restrict __s, __const char *__restrict __fmt, ...))
> 33 {
> 34 return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
> 35 __bos (__s), __fmt, __va_arg_pack ());
> 36 }
> 37 #elif !defined __cplusplus
> 38 # define sprintf(str, ...) \
>
>
> So the code is a sprintf call from the reset_topruler method.
>
> Looking at that method, we can see a likely candidate:
>
> (gdb) list reset_topruler
> 1160 /* Note: For reset_top/sideruler to work properly, the value of skip should be
> 1161 * such that (skip/ruler_unit) is an integer or (ruler_unit/skip) is an integer.
> 1162 */
> 1163
> 1164 void reset_topruler(void)
> 1165 {
> 1166 register int i,k;
> 1167 register tick_info* tk;
> 1168 register Pixmap p = topruler_pm;
> 1169 char number[6];
> (gdb) list +
> 1170 int X0,len;
> 1171 int tickmod, tickskip;
> 1172
> 1173 /* top ruler, adjustments for digits are kludges based on 6x13 char */
> 1174 XFillRectangle(tool_d, p, tr_erase_gc, 0, 0, TOPRULER_WD, TOPRULER_HT);
> 1175
> 1176 /* set the number of pixels to skip between labels and precision for float */
> 1177 get_skip_prec();
> 1178
> 1179 X0 = BACKX(0);
> (gdb) list +
> 1180 X0 -= (X0 % skip);
> 1181 tickmod = (int) round(ruler_unit/appres.userscale);
> 1182 if (tickmod == 0)
> 1183 tickmod = 1;
> 1184
> 1185 /* see how big a label is to adjust spacing, if necessary */
> 1186 sprintf(number, "%d%s", (X0+(int)((TOPRULER_WD/zoomscale)))/tickmod, cur_fig_units);
> 1187 len = XTextWidth(roman_font, number, strlen(number));
> 1188 while (skipx < (len + 5)/zoomscale) {
> 1189 skip *= 2;
>
>
> Line 1186 is printing a string into a fixed length buffer with no
> checking. A clear buffer overflow candidate there if the combo of
> the ruler size & the figure units are longer than 5 characters :-(
>
> Regards,
> Dan.
Many thanks!
A fixed version is building now :)
Regards,
Hans
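The defect Dan pointed at above is a fixed-size stack buffer (char number[6]) filled by sprintf("%d%s", ...), which FORTIFY_SOURCE turned into the "*** buffer overflow detected ***" abort. The following is an added example, not xfig's code or the fix Hans built: a constructed label formatter with hypothetical function names that keeps the same 6-byte buffer but uses snprintf() and its return value to detect truncation instead of writing past the end.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example (not xfig's code). The ruler label is a tick value
 * followed by the unit string, e.g. "12in" or "1200cm"; the original used
 * sprintf() into char number[6], which holds 5 characters plus the NUL. */
#define NUMBER_BUF 6

/* Hardened formatter: snprintf() never writes more than `size` bytes, and
 * returns the length the complete string would have had. A return value
 * >= size means the label was truncated, so the caller can react instead of
 * silently smashing the stack. Returns 1 if the label fit, 0 otherwise. */
int format_ruler_label(char *buf, size_t size, int value, const char *units)
{
    int needed = snprintf(buf, size, "%d%s", value, units);
    if (needed < 0) {          /* encoding error: leave an empty, terminated label */
        buf[0] = '\0';
        return 0;
    }
    return (size_t)needed < size;
}

/* Length the label needs (without NUL), computed with a zero-size snprintf();
 * lets a caller check before formatting or size a buffer dynamically. */
size_t ruler_label_length(int value, const char *units)
{
    return (size_t)snprintf(NULL, 0, "%d%s", value, units);
}

/* Convenience check against the original buffer size: would this tick
 * value and unit string have overflowed char number[6]? */
int label_fits_number_buf(int value, const char *units)
{
    char number[NUMBER_BUF];
    return format_ruler_label(number, sizeof number, value, units);
}

int main(void)
{
    char number[NUMBER_BUF];
    int fit = format_ruler_label(number, sizeof number, 123456, "cm");
    /* Constructed input: a large tick value plus "cm" needs 8 characters,
     * so it is truncated to "12345" rather than overflowing the buffer. */
    printf("label=\"%s\" fit=%d needed=%zu\n", number, fit,
           ruler_label_length(123456, "cm"));
    return 0;
}
```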