
Re: Howto resolv addresses in *** buffer overflow detected *** Backtrace after the fact



Daniel P. Berrange wrote:
On Tue, Dec 11, 2007 at 09:57:57PM +0100, Hans de Goede wrote:
Hi,

I just received a bug report with a backtrace generated by glibc attached:
https://bugzilla.redhat.com/attachment.cgi?id=284591

Looks like a real bug, however the reporter doesn't know exactly what he did to trigger this, so now I want to convert the backtrace glibc generated into one with filenames and line numbers for the addresses of the xfig stack frames.

Can anyone tell me how to do this?

The following seems to work....

 # yum --enablerepo=development-debuginfo install xfig-debuginfo

 # gdb /usr/bin/xfig-plain

(gdb) list *0x4a3909
0x4a3909 is in reset_topruler (/usr/include/bits/stdio2.h:34).
29
30      #ifdef __va_arg_pack
31      __extern_always_inline int
32      __NTH (sprintf (char *__restrict __s, __const char *__restrict __fmt, ...))
33      {
34        return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
35                                        __bos (__s), __fmt, __va_arg_pack ());
36      }
37      #elif !defined __cplusplus
38      # define sprintf(str, ...) \


So the code is a sprintf call from the reset_topruler method.

Looking at that method, we can see a likely candidate:

(gdb) list reset_topruler
1160    /* Note: For reset_top/sideruler to work properly, the value of skip should be
1161     * such that (skip/ruler_unit) is an integer or (ruler_unit/skip) is an integer.
1162     */
1163
1164    void reset_topruler(void)
1165    {
1166        register int    i,k;
1167        register tick_info* tk;
1168        register Pixmap p = topruler_pm;
1169        char            number[6];
(gdb) list +
1170        int             X0,len;
1171        int             tickmod, tickskip;
1172
1173        /* top ruler, adjustments for digits are kludges based on 6x13 char */
1174        XFillRectangle(tool_d, p, tr_erase_gc, 0, 0, TOPRULER_WD, TOPRULER_HT);
1175
1176        /* set the number of pixels to skip between labels and precision for float */
1177        get_skip_prec();
1178
1179        X0 = BACKX(0);
(gdb) list +
1180        X0 -= (X0 % skip);
1181        tickmod = (int) round(ruler_unit/appres.userscale);
1182        if (tickmod == 0)
1183            tickmod = 1;
1184
1185        /* see how big a label is to adjust spacing, if necessary */
1186        sprintf(number, "%d%s", (X0+(int)((TOPRULER_WD/zoomscale)))/tickmod, cur_fig_units);
1187        len = XTextWidth(roman_font, number, strlen(number));
1188        while (skipx < (len + 5)/zoomscale) {
1189            skip *= 2;


Line 1186 is printing a string into a fixed length buffer with no
checking. A clear buffer overflow candidate there if the combo of
the ruler size & the figure units are longer than 5 characters :-(

Regards,
Dan.

Many thanks!

A fixed version is building now :)

Regards,

Hans
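The pattern Dan points at above, as an added example that is not xfig's code and not part of the original thread: the `sprintf(number, "%d%s", ...)` into a six-byte stack buffer reduced to a stand-alone function, next to a bounded replacement. `LABEL_SZ` mirrors xfig's `char number[6]`; the `ruler_label_*` names and the sample value/units pairs are assumptions made for this illustration. It shows when the unchecked write runs past the buffer (the case glibc's `__sprintf_chk` turns into the `*** buffer overflow detected ***` abort) and how the bounded version reports truncation instead of corrupting the stack.

```c
/* Added example, not xfig's code: the sprintf pattern from reset_topruler
 * reduced to a stand-alone function, beside a bounded replacement.
 * LABEL_SZ mirrors xfig's `char number[6]`; the ruler_label_* names and
 * the sample values below are assumptions made for this illustration. */
#include <stdio.h>
#include <string.h>

#define LABEL_SZ 6   /* same size as `char number[6]` in reset_topruler */

/* Bytes (excluding the NUL) that "%d%s" produces for this value/units pair.
 * snprintf(NULL, 0, ...) measures the length without writing anywhere. */
size_t ruler_label_needed(int value, const char *units)
{
    int n = snprintf(NULL, 0, "%d%s", value, units);
    return n < 0 ? 0 : (size_t)n;
}

/* The original, unchecked write: sprintf(number, "%d%s", ...) into 6 bytes.
 * Returns 1 if that write would run past the end of number[], 0 if not.
 * With -D_FORTIFY_SOURCE=2 glibc turns the overflowing case into the
 * "*** buffer overflow detected ***" abort seen in the bug report. */
int ruler_label_overflows(int value, const char *units)
{
    return ruler_label_needed(value, units) + 1 > LABEL_SZ;
}

/* Bounded replacement for that sprintf: never writes more than outsz bytes,
 * always NUL-terminates, and tells the caller whether the label was cut.
 * Returns 1 if the whole label fit, 0 if it was truncated. */
int ruler_label_format(char *out, size_t outsz, int value, const char *units)
{
    int n;
    if (outsz == 0)
        return 0;
    n = snprintf(out, outsz, "%d%s", value, units);
    if (n < 0) {
        out[0] = '\0';
        return 0;
    }
    return (size_t)n < outsz;
}

int main(void)
{
    /* Constructed inputs: a label value and a units suffix, in the spirit
     * of xfig's cur_fig_units ("in", "cm", ...). */
    static const struct { int value; const char *units; } cases[] = {
        { 42,      "in" },   /* "42in"      4 chars: fits in 6 bytes  */
        { 1234,    "cm" },   /* "1234cm"    6 chars + NUL: overflows */
        { -100000, "mm" },   /* "-100000mm" 9 chars: overflows badly  */
    };
    char number[LABEL_SZ];
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t need = ruler_label_needed(cases[i].value, cases[i].units);
        int fit = ruler_label_format(number, sizeof number,
                                     cases[i].value, cases[i].units);
        printf("%d%s: needs %zu+1 bytes, unchecked sprintf %s, "
               "bounded result \"%s\"%s\n",
               cases[i].value, cases[i].units, need,
               ruler_label_overflows(cases[i].value, cases[i].units)
                   ? "overflows" : "is safe",
               number, fit ? "" : " (truncated)");
    }
    return 0;
}
```

Build it with `gcc -O2 -D_FORTIFY_SOURCE=2` to get the same `__builtin___sprintf_chk` instrumentation gdb showed in `reset_topruler`; the bounded variant passes `sizeof number` as the limit, so the compiler's `__bos(number)` check and the runtime limit agree. For resolving the original addresses, `addr2line -f -e /usr/bin/xfig-plain 0x4a3909` gives the same function and file:line as `list *0x4a3909` once the debuginfo package is installed.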

