How to resolve addresses in a *** buffer overflow detected *** backtrace after the fact
Daniel P. Berrange
berrange at redhat.com
Tue Dec 11 21:15:56 UTC 2007
On Tue, Dec 11, 2007 at 09:57:57PM +0100, Hans de Goede wrote:
> Hi,
>
> I just received a bug report with a backtrace generated by glibc attached:
> https://bugzilla.redhat.com/attachment.cgi?id=284591
>
> Looks like a real bug however the reporter doesn't know exactly what he did
> to trigger this, so now I want to convert the backtrace glibc generated
> into one with filenames and line numbers for the addresses of the xfig
> stack frames.
>
> Can anyone tell me how to do this?
The following seems to work....
# yum --enablerepo=development-debuginfo install xfig-debuginfo
# gdb /usr/bin/xfig-plain
(gdb) list *0x4a3909
0x4a3909 is in reset_topruler (/usr/include/bits/stdio2.h:34).
29
30 #ifdef __va_arg_pack
31 __extern_always_inline int
32 __NTH (sprintf (char *__restrict __s, __const char *__restrict __fmt, ...))
33 {
34 return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
35 __bos (__s), __fmt, __va_arg_pack ());
36 }
37 #elif !defined __cplusplus
38 # define sprintf(str, ...) \
So the code is a sprintf call from the reset_topruler method.
Looking at that method, we can see a likely candidate:
(gdb) list reset_topruler
1160 /* Note: For reset_top/sideruler to work properly, the value of skip should be
1161 * such that (skip/ruler_unit) is an integer or (ruler_unit/skip) is an integer.
1162 */
1163
1164 void reset_topruler(void)
1165 {
1166 register int i,k;
1167 register tick_info* tk;
1168 register Pixmap p = topruler_pm;
1169 char number[6];
(gdb) list +
1170 int X0,len;
1171 int tickmod, tickskip;
1172
1173 /* top ruler, adjustments for digits are kludges based on 6x13 char */
1174 XFillRectangle(tool_d, p, tr_erase_gc, 0, 0, TOPRULER_WD, TOPRULER_HT);
1175
1176 /* set the number of pixels to skip between labels and precision for float */
1177 get_skip_prec();
1178
1179 X0 = BACKX(0);
(gdb) list +
1180 X0 -= (X0 % skip);
1181 tickmod = (int) round(ruler_unit/appres.userscale);
1182 if (tickmod == 0)
1183 tickmod = 1;
1184
1185 /* see how big a label is to adjust spacing, if necessary */
1186 sprintf(number, "%d%s", (X0+(int)((TOPRULER_WD/zoomscale)))/tickmod, cur_fig_units);
1187 len = XTextWidth(roman_font, number, strlen(number));
1188 while (skipx < (len + 5)/zoomscale) {
1189 skip *= 2;
Line 1186 is printing a string into a fixed-length buffer with no
checking. A clear buffer overflow candidate there if the combo of
the ruler size & the figure units is longer than 5 characters :-(
Regards,
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
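The sprintf-into-char number[6] pattern that the mail points at, beside a bounded replacement. This is an added example, not code from the mail or from xfig: NUMBER_LEN mirrors the quoted `char number[6]`, the label format "%d%s" is the one on line 1186, and the sample values (a ruler label of 100000 plus "in" units) are constructed to show a label that does not fit in 5 characters.

```c
#include <stdio.h>
#include <string.h>

/* Same size as the quoted xfig declaration `char number[6]` (assumption: as shown in the mail). */
#define NUMBER_LEN 6

/*
 * Bytes the label needs, excluding the terminating NUL.
 * snprintf(NULL, 0, ...) is C99 and performs no write, so it is a safe way to
 * size a buffer before formatting into it.
 */
int label_needed_len(int value, const char *units)
{
    return snprintf(NULL, 0, "%d%s", value, units);
}

/*
 * Mirrors the condition in the mail: the label fits only if it is at most
 * NUMBER_LEN - 1 characters, leaving room for the NUL.  Anything longer
 * would run past the end of number[] with the original sprintf().
 */
int label_fits_xfig_buffer(int value, const char *units)
{
    return label_needed_len(value, units) <= NUMBER_LEN - 1;
}

/*
 * Hardened form of line 1186: snprintf() never writes past bufsize bytes and
 * always NUL-terminates (for bufsize > 0).  Returns 0 on success, -1 if the
 * label was truncated so the caller can fall back (e.g. widen the buffer or
 * drop the unit suffix) instead of silently drawing a wrong label.
 */
int safe_label(char *buf, size_t bufsize, int value, const char *units)
{
    int n = snprintf(buf, bufsize, "%d%s", value, units);
    if (n < 0 || (size_t)n >= bufsize)
        return -1;   /* buf holds a NUL-terminated prefix only */
    return 0;
}

int main(void)
{
    char number[NUMBER_LEN];
    /* Constructed inputs: a small label that fits and a large one that does not. */
    const int small = 12, large = 100000;
    const char *units = "in";

    printf("%d%s needs %d bytes, fits: %d\n", small, units,
           label_needed_len(small, units), label_fits_xfig_buffer(small, units));
    printf("%d%s needs %d bytes, fits: %d\n", large, units,
           label_needed_len(large, units), label_fits_xfig_buffer(large, units));

    if (safe_label(number, sizeof number, large, units) < 0)
        printf("truncated to \"%s\" instead of overflowing\n", number);
    return 0;
}
```

With FORTIFY_SOURCE the original sprintf() is what glibc trapped with "*** buffer overflow detected ***", because __builtin___sprintf_chk knows the destination object size; the snprintf() form above makes the bound explicit in the source so the check does not depend on the compiler being able to see the buffer size.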