bug-ncurses


Re: ANN: ncurses-6.0-20170701


From: Sven Joachim
Subject: Re: ANN: ncurses-6.0-20170701
Date: Sat, 08 Jul 2017 07:06:57 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux)

On 2017-07-02 01:07 +0000, Thomas Dickey wrote:

>       + the fixes for Redhat #1464685 obscured a problem subsequently
>         reported in Redhat #1464687; the given test-case was no longer
>         reproducible.  Testing without the fixes for the earlier reports
>         showed a problem with buffer overflow in dump_entry.c, which is
>         addressed by reducing the use of a fixed-size buffer.

I can still reproduce the stack overflow in Redhat #1464687 with the
latest Debian package on i386 (but not on amd64):

,----
| $ infotocap POC4
| "POC4", line 1, col 4, terminal 'l': unknown capability 'l'
| "POC4", line 1, col 609, terminal 'l': Very long string found.  Missing separator?
| "POC4", line 1, col 1147, terminal 'l': Missing separator
| "POC4", line 1, col 1147, terminal 'l': unknown % code x (0x78) in xll
| "POC4", line 1, col 1147, terminal 'l': unknown % code M-~ (0xfe) in xll
| "POC4", line 1, col 1147, terminal 'l': unknown % code M-~ (0xfe) in xll
| infotocap: value for xl is too long
| *** stack smashing detected ***: infotocap terminated
| ======= Backtrace: =========
| /lib/i386-linux-gnu/libc.so.6(+0x6737a)[0xf75d837a]
| /lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x37)[0xf7668eb7]
| /lib/i386-linux-gnu/libc.so.6(+0xf7e78)[0xf7668e78]
| infotocap(+0xb544)[0x5665b544]
| infotocap(+0xa119)[0x5665a119]
| infotocap(+0xa1c7)[0x5665a1c7]
| infotocap(main+0xa05)[0x56652355]
| /lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf6)[0xf7589276]
| infotocap(+0x2d27)[0x56652d27]
| ======= Memory map: ========
| 56650000-56663000 r-xp 00000000 08:16 394908                             
/usr/bin/tic
| 56663000-56664000 r--p 00012000 08:16 394908                             
/usr/bin/tic
| 56664000-56665000 rw-p 00013000 08:16 394908                             
/usr/bin/tic
| 568e5000-56906000 rw-p 00000000 00:00 0                                  
[heap]
| f756f000-f7571000 rw-p 00000000 00:00 0 
| f7571000-f7722000 r-xp 00000000 08:16 791435                             
/lib/i386-linux-gnu/libc-2.24.so
| f7722000-f7724000 r--p 001b0000 08:16 791435                             
/lib/i386-linux-gnu/libc-2.24.so
| f7724000-f7725000 rw-p 001b2000 08:16 791435                             
/lib/i386-linux-gnu/libc-2.24.so
| f7725000-f7728000 rw-p 00000000 00:00 0 
| f7728000-f7748000 r-xp 00000000 08:16 811983                             
/lib/i386-linux-gnu/libtinfo.so.5.9
| f7748000-f7749000 ---p 00020000 08:16 811983                             
/lib/i386-linux-gnu/libtinfo.so.5.9
| f7749000-f774b000 r--p 00020000 08:16 811983                             
/lib/i386-linux-gnu/libtinfo.so.5.9
| f774b000-f774c000 rw-p 00022000 08:16 811983                             
/lib/i386-linux-gnu/libtinfo.so.5.9
| f774c000-f775b000 r-xp 00000000 08:16 527473                             
/usr/lib/i386-linux-gnu/libtic.so.5.9
| f775b000-f775c000 r--p 0000e000 08:16 527473                             
/usr/lib/i386-linux-gnu/libtic.so.5.9
| f775c000-f775d000 rw-p 0000f000 08:16 527473                             
/usr/lib/i386-linux-gnu/libtic.so.5.9
| f7763000-f777e000 r-xp 00000000 08:16 787642                             
/lib/i386-linux-gnu/libgcc_s.so.1
| f777e000-f777f000 r--p 0001a000 08:16 787642                             
/lib/i386-linux-gnu/libgcc_s.so.1
| f777f000-f7780000 rw-p 0001b000 08:16 787642                             
/lib/i386-linux-gnu/libgcc_s.so.1
| f7780000-f7784000 rw-p 00000000 00:00 0 
| f7784000-f7787000 r--p 00000000 00:00 0                                  
[vvar]
| f7787000-f7788000 r-xp 00000000 00:00 0                                  
[vdso]
| f7788000-f77ab000 r-xp 00000000 08:16 786604                             
/lib/i386-linux-gnu/ld-2.24.so
| f77ab000-f77ac000 r--p 00022000 08:16 786604                             
/lib/i386-linux-gnu/ld-2.24.so
| f77ac000-f77ad000 rw-p 00023000 08:16 786604                             
/lib/i386-linux-gnu/ld-2.24.so
| ffb09000-ffb2a000 rw-p 00000000 00:00 0                                  
[stack]
| [1]    12063 abort      infotocap POC4
`----

Attached is a full backtrace taken after recompiling tic with -O0.

Cheers,
       Sven

(gdb) bt full
#0  0xf7f7faf9 in __kernel_vsyscall ()
No symbol table info available.
#1  0xf7d94dc0 in __libc_signal_restore_set (set=0xfffe9ca0) at 
../sysdeps/unix/sysv/linux/nptl-signals.h:79
No locals.
#2  __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:48
        set = {__val = {0, 0, 538976288, 538976288, 538976288, 538976288, 
538976288, 538976288, 538976288, 1935351840, 1801675124, 895879773, 808464436, 
1714906669, 808465717, 2003968048, 807432237, 1714434096, 540028976, 825899056, 
842342454, 859255863, 538976288, 538976288, 538976288, 538976288, 538976288, 
538976288, 538976288, 1937059616, 1768697714, 862531426}}
        pid = <optimized out>
        tid = <optimized out>
        ret = 0
#3  0xf7d96287 in __GI_abort () at abort.c:89
        save_stage = 2
        act = {__sigaction_handler = {sa_handler = 0x756e696c, sa_sigaction = 
0x756e696c}, sa_mask = {__val = {1852255608, 1768697717, 1667458914, 
1932424031, 170995311, 929445734, 808464440, 1714906669, 808477495, 2003968048, 
807432237, 808464432, 540028976, 809119792, 540024880, 1714906634, 808477495, 
929443120, 812005222, 1914712112, 544222509, 808464432, 808464432, 976236576, 
807415856, 538976288, 538976288, 538976288, 538976288, 538976288, 0, 4096}}, 
sa_flags = -136836986, sa_restorer = 0xfffe9f00}
        sigs = {__val = {32, 0 <repeats 31 times>}}
#4  0xf7dd037f in __libc_message (do_abort=<optimized out>, fmt=<optimized 
out>) at ../sysdeps/posix/libc_fatal.c:175
        ap = <optimized out>
        fd = 4
        on_2 = <optimized out>
        list = <optimized out>
        nlist = <optimized out>
        cp = <optimized out>
        written = <optimized out>
#5  0xf7e60eb7 in __GI___fortify_fail (msg=0xf7ec863b "stack smashing 
detected") at fortify_fail.c:30
No locals.
#6  0xf7e60e78 in __stack_chk_fail () at stack_chk_fail.c:28
No locals.
#7  0x56562614 in __stack_chk_fail_local ()
No symbol table info available.
#8  0x56560907 in fmt_entry (tterm=0x565723d0, pred=0x5655e42d <dump_predicate>, content_only=0, suppress_untranslatable=0, infodump=0, numbers=0) at ../../progs/dump_entry.c:1224
        i = 361
        j = 4214
        buffer = 
"%p1%{10}%/%{16}%*%p1%{10}%m%+\\266xli\\377%xn79llN%p0%{10}%/%{16}%*%p0%{10}%m%+ll=%p0%{10}%/%{16}%*%p0%{10}%m%+\\251W=%p/%{10}%/%{16}%*%p/%{10}%m%+\\276\\276\\276\\276\\276\\276\\276\\276\\276\\276\\276\\276\\276\\276"...
        capability = 0x56571dba 
"%p1%{10}%/%{16}%*%p1%{10}%m%+\266xli\377%xn79llN%p0%{10}%/%{16}%*%p0%{10}%m%+ll=%p0%{10}%/%{16}%*%p0%{10}%m%+\251W=%p/%{10}%/%{16}%*%p/%{10}%m%+",
 '\276' <repeats 65 times>...
        name = 0xf7f3adac "xl"
        predval = 1
        len = 2287
        num_bools = 0
        num_values = 0
        num_strings = 362
        outcount = true
#9  0x565610f5 in dump_entry (tterm=0x565723d0, suppress_untranslatable=0, limited=1, numbers=0, pred=0x0) at ../../progs/dump_entry.c:1460
        save_tterm = {term_names = 0x0, str_table = 0x0, Booleans = 0x0, 
Numbers = 0x0, Strings = 0x0, ext_str_table = 0x0, ext_Names = 0x0, 
num_Booleans = 0, num_Numbers = 0, num_Strings = 0, ext_Booleans = 0, 
ext_Numbers = 0, ext_Strings = 0}
        len = 0
        critlen = 1023
        legend = 0x56566fa6 "older termcap"
        infodump = false
#10 0x56558a68 in main (argc=2, argv=0xffffd384) at ../../progs/tic.c:1031
        j = -1
        len = 0
        my_tmpname = '\000' <repeats 2097 times>...
        my_altfile = '\000' <repeats 3617 times>...
        v_opt = -1
        debug_level = 0
        smart_defaults = 1
        termcap = 0x0
        qp = 0x565723d0
        this_opt = -1
        last_opt = 63
        outform = 2
        sortmode = 4
        width = 60
        height = 65535
        formatted = false
        literal = false
        numbers = 0
        forceresolve = false
        limited = true
        tversion = 0x0
        source_file = 0xffffd558 "POC4"
        outdir = 0x0
        check_only = false
        suppress_untranslatable = false
        quickdump = 0
        quiet = false
        wrap_strings = false
(gdb) 

