Opened 9 years ago

Closed 9 years ago

#1974 closed defect (fixed)

buffer overflow in

Reported by: mgeeves Owned by: grass-dev@…
Priority: minor Milestone: 6.4.3
Component: Vector Version: 6.4.2
Keywords: Cc:
CPU: All Platform: All


The issue in bug #800 is also present in, long names which are > the 80 char RECORD_LEN cause a buffer overflow when writing history.

sprintf -> G_snprintf swap needed

(still present in develbranch_6)

Change History (7)

comment:1 by hamish, 9 years ago

Keywords: added

works for me in devbr6, and there's no difference in the code between that and relbr64.

r.mapcalc "map0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789 = 103" in=map0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789 \
   out=vmap0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789 \
   fea=area in=vmap0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789 \
   out=rvmap0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789 \
   use=val val=105 ...
 input="vmap01234567890123456789012345678901234567890123456\
    78901234567890123456789012345678901234567890123456789" layer=1 type=\
    "point,line,area" output="rvmap0123456789012345678901234567890123456\
    789012345678901234567890123456789012345678901234567890123456789" use\
    ="val" value=105 rows=4096

can you provide more details about how to reproduce it? which platform?

thanks, Hamish

comment:2 by mgeeves, 9 years ago

Hi Hamish,

Sure - this is on Ubuntu 12.04 LTS, compiled from grass-6.4.2.tar.gz

Reproducible here from two identical vectors: fs=, input=- output=p1234567890123456789012345678901234567890123456789012
<CTRL+D> fs=, input=- output=p12345678901234567890123456789012345678901234567890123

This one works input=p1234567890123456789012345678901234567890123456789012 output=r_ok use=val

This one fails input=p12345678901234567890123456789012345678901234567890123 output=r_nok use=val

*** buffer overflow detected ***: terminated
======= Backtrace: =========


Hopefully I've not done something daft elsewhere!

Cheers, Mike

comment:3 by hamish, 9 years ago

It works for me on debian, 6.4.2, 6.4.3svn, and 6.5svn. Also tested 6.4.3svn on ubuntu 12.04 LTS.

Can you try building 6.4.3rc3? there were a number of overflow bugs fixed in since 6.4.2 to do with labels, which are now fixed. it could have been something related to that.

> Hopefully I've not done something daft elsewhere!

a buffer overflow is pretty much always the programmer's fault.


comment:4 by mgeeves, 9 years ago

Hi Hamish,

Odd, I'm still seeing the same problem in grass-6.4.3RC3. Re being daft I mostly meant having old bits from previous SVN builds conflicting. To rule that out I've tried building another vm with vmbuilder (defaults apart from adding in a few bits like the sshd and deb-src repos), then an

apt-get build-dep grass

and building from grass-6.4.3RC3.tar.gz with:

./configure --with-proj-share=/usr/share/proj --with-tcltk-includes=/usr/include/tcl8.5

Installing using checkinstall with defaults

Same result, buffer overrun! Note the raster is actually generated and displays ok, it just displays the overflow error and doesn't record to hist

After changing the code in support.c to use G_snprintf, it doesn't error for me any more..

Cheers, Mike

comment:5 by hamish, 9 years ago

ok, I could reproduce it in a package build after making the name a bit longer, I guess the unoptimized 'gcc -g' in my source build was zeroing all memory or so, shrug.

fixed in devbr6 in r56254. please everyone test so it can be applied to 6.4svn in time for the release.

thanks, Hamish
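As an added illustration, not code from this ticket or from GRASS: the unbounded sprintf() pattern the report describes next to the bounded form that the sprintf -> G_snprintf swap gives you. The record format string, the module name "x.example" and the test names are constructed for the example; only the 80-byte RECORD_LEN comes from the ticket, and G_snprintf is assumed to behave like standard snprintf. The "*** buffer overflow detected ***" message seen in comment:2 is glibc's _FORTIFY_SOURCE check, which replaces sprintf with a size-checking variant only when the compiler can see the destination size and optimisation is enabled, which is why a plain "gcc -g" build can run the same overflow silently.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the 80-byte history record from the ticket.
 * The field layout of the real GRASS record is not shown on the page. */
#define RECORD_LEN 80

/* Constructed record format: module name, a space, "input=", map name. */
static const char *REC_FMT = "%s input=%s";

/* Length the formatted record needs, excluding the terminating NUL.
 * snprintf with a NULL buffer and size 0 writes nothing and only counts. */
static int record_needed_len(const char *module, const char *name)
{
    return snprintf(NULL, 0, REC_FMT, module, name);
}

/* 1 if the record fits (needed length plus NUL <= RECORD_LEN), else 0. */
static int record_fits(const char *module, const char *name)
{
    return record_needed_len(module, name) + 1 <= RECORD_LEN;
}

/* Longest map name that still fits for this module under REC_FMT. */
static int max_name_len(const char *module)
{
    return RECORD_LEN - 1 - record_needed_len(module, "");
}

/* The pattern the ticket fixes, kept only for contrast: sprintf() does not
 * know how big `rec` is, so a long enough name makes it write past the end
 * of the record. That is undefined behaviour; with _FORTIFY_SOURCE and a
 * visible destination size glibc aborts with "buffer overflow detected",
 * otherwise the write silently corrupts whatever follows the record.
 * Only ever called here after record_fits() has confirmed the input fits. */
static void format_record_unsafe(char rec[RECORD_LEN], const char *module,
                                 const char *name)
{
    sprintf(rec, REC_FMT, module, name);
}

/* Bounded replacement, the shape of the G_snprintf swap. snprintf never
 * writes more than RECORD_LEN bytes including the NUL, and returns the
 * length the full string would have had, so truncation is detectable
 * instead of being a memory write. Returns 1 if the whole record fit,
 * 0 if it was truncated (rec is still NUL-terminated either way). */
static int format_record_safe(char rec[RECORD_LEN], const char *module,
                              const char *name)
{
    int n = snprintf(rec, RECORD_LEN, REC_FMT, module, name);
    return n >= 0 && n < RECORD_LEN;
}

int main(void)
{
    char rec[RECORD_LEN];
    /* Constructed names: one exactly at the limit, one a byte over it. */
    char ok_name[RECORD_LEN], bad_name[RECORD_LEN + 8];
    int max = max_name_len("x.example");
    memset(ok_name, 'p', max);  ok_name[max] = '\0';
    memset(bad_name, 'p', max + 1);  bad_name[max + 1] = '\0';

    if (record_fits("x.example", ok_name))
        format_record_unsafe(rec, "x.example", ok_name);   /* fits: fine */
    printf("ok:  fits=%d safe=%d len=%zu\n", record_fits("x.example", ok_name),
           format_record_safe(rec, "x.example", ok_name), strlen(rec));

    /* bad_name is never handed to sprintf; snprintf truncates and says so. */
    printf("bad: fits=%d safe=%d len=%zu\n", record_fits("x.example", bad_name),
           format_record_safe(rec, "x.example", bad_name), strlen(rec));
    return 0;
}
```

The return value of format_record_safe() is the part that matters in a real caller: a silently truncated history record is still a data loss, so the caller should warn (or refuse the name) rather than treat the bounded write as the whole fix.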

comment:6 by mgeeves, 9 years ago

Looking better for me, thanks!

comment:7 by hamish, 9 years ago

Resolution: fixed
Status: new → closed

fix backported to relbr64 in r56744.
