[Bug 166626] Review Request: xscorch - A Scorched Earth clone

bugzilla at redhat.com
Thu Aug 25 15:16:31 UTC 2005


Summary: Review Request: xscorch - A Scorched Earth clone


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166626





------- Additional Comments From j.w.r.degoede at hhs.nl  2005-08-25 11:16 EST -------
In reply to comment 7:
I tried using LIBS=-ltermcap; this does make configure detect readline, but
causes the make to fail because -ltermcap doesn't get added when linking.

About the stack overflow, here is a (x86_64) backtrace:
#0  0x00002aaaac17cb60 in raise () from /lib64/libc.so.6
#1  0x00002aaaac17e030 in abort () from /lib64/libc.so.6
#2  0x00002aaaac1b22a8 in __libc_message () from /lib64/libc.so.6
#3  0x00002aaaac22b8ef in __stack_chk_fail () from /lib64/libc.so.6
#4  0x0000000000415683 in _sc_scoring_read_item (ec=0x5ac4a0, reader=0x5ab760, 
    item=0x5acda0) at saddconf.c:253
#5  0x0000000000415c71 in sc_addconf_append_file (type=Variable "type" is not
available.
) at saddconf.c:461
#6  0x00000000004063ad in sc_economy_config_create (c=0x599010)
    at seconomy.c:66
#7  0x0000000000405bf4 in sc_config_new (argc=0x7fffff83757c, 
    argv=0x7fffff837570) at sconfig.c:193
#8  0x00000000004058bf in main (argc=1, argv=0x7fffff837798) at xscorch.c:86

If I change:
char desc[SC_INVENTORY_MAX_DESC_LEN]; 
char name[SC_INVENTORY_MAX_NAME_LEN];
to:
char desc[SC_INVENTORY_MAX_DESC_LEN+256]; 
char name[SC_INVENTORY_MAX_NAME_LEN+256];

Things work fine. I can't find an obvious buffer overflow in this function or in
functions to which desc/name get passed.

sc_scoring_lookup_by_name does do ugly things (casting a ptr to a long int), but
with that commented out the stack still gets overflowed.


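The +256 padding in the comment above hides the overrun without locating it. As an added example (not code from xscorch or from the original comment), the same slack can be filled with a known byte and scanned after the call to measure how far a callee writes past the declared size. The callee, the sizes and the sample string are constructed; the page does not identify the actual cause in xscorch.

```c
/* Added example: guard-zone probe. All names and sizes are hypothetical. */
#include <stdio.h>
#include <string.h>

#define DECLARED_LEN 16   /* stand-in for SC_INVENTORY_MAX_NAME_LEN (value assumed) */
#define GUARD_LEN    256  /* same slack as the "+256" workaround */
#define GUARD_BYTE   0xA5
#define CALLEE_LEN   24   /* constructed: callee's mistaken idea of the size */

typedef void (*fill_fn)(char *dst, size_t dst_len, const char *src);

/* Constructed defect: ignores the caller's size and uses its own constant. */
static void fill_mismatched(char *dst, size_t dst_len, const char *src) {
    (void)dst_len;
    strncpy(dst, src, CALLEE_LEN - 1);  /* zero-pads: always touches CALLEE_LEN bytes */
    dst[CALLEE_LEN - 1] = '\0';
}

/* Bounded form: never writes past dst_len. */
static void fill_bounded(char *dst, size_t dst_len, const char *src) {
    if (dst_len == 0) return;
    strncpy(dst, src, dst_len - 1);
    dst[dst_len - 1] = '\0';
}

/* Bytes written past DECLARED_LEN: 0 means none; GUARD_LEN means the guard
 * was filled and the true overrun may be larger. The write stays inside
 * buf, so the probe itself is well-defined. */
static size_t probe_overrun(fill_fn fn, const char *input) {
    unsigned char buf[DECLARED_LEN + GUARD_LEN];
    size_t i;
    memset(buf, 0, DECLARED_LEN);
    memset(buf + DECLARED_LEN, GUARD_BYTE, GUARD_LEN);
    fn((char *)buf, DECLARED_LEN, input);
    for (i = GUARD_LEN; i > 0; i--)      /* scan from the far end */
        if (buf[DECLARED_LEN + i - 1] != GUARD_BYTE)
            return i;
    return 0;
}

int main(void) {
    const char *sample = "Nuclear Warhead Mk II";  /* constructed input */
    printf("mismatched: %zu bytes past the end\n", probe_overrun(fill_mismatched, sample));
    printf("bounded:    %zu bytes past the end\n", probe_overrun(fill_bounded, sample));
    return 0;
}
```

A nonzero result names the buffer and the overrun length, which narrows the search to writers that assume a size larger by that amount.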