Date: Sun, 25 May 2008 14:10:03 GMT
From: Jille <jille@quis.cx>
To: freebsd-bugs@FreeBSD.org
Subject: Re: bin/123977: Segmentation fault in dialog with ghostscript-gpl-nox11 port
Message-ID: <200805251410.m4PEA3BL039908@freefall.freebsd.org>
The following reply was made to PR bin/123977; it has been noted by GNATS.

From: Jille <jille@quis.cx>
To: Kris Kennaway <kris@FreeBSD.org>
Cc: FreeBSD-gnats-submit@FreeBSD.org, Ed <ed@FreeBSD.org>, ache@freebsd.org
Subject: Re: bin/123977: Segmentation fault in dialog with ghostscript-gpl-nox11 port
Date: Sun, 25 May 2008 16:02:39 +0200

ache: Bumping MAX_LEN from 2048 -> 4096 is not really the fix. See the URL
below, and try it. Yes, it fixes my situation, with 3426 bytes, but it will
crash again if (e.g.) ghostscript gets more options.

Kris Kennaway wrote:
> Jille wrote:
>>
>>
>> Kris Kennaway wrote: [...]
>
> The process is documented in the developers handbook.
>
>> The backtrace I could get (without function names, files, line numbers, etc.)
>> was huge; I didn't make it to the top (> 500).
>> I can try to dump it entirely, if it ever stops.
>>
>> I can also upload my dialog binary, dialog core, libdialog with debug,
>> and libc somewhere?
>>
>> I have compiled dialog and libdialog with -g; should I also do it with
>> libc?
>
> It may be necessary, but if it is crashing in dialog then those parts of
> the backtrace should be fine at least. If you are not seeing any
> file:line details then something went wrong with your -g binaries, e.g.
> they were stripped when they were installed.
>
>> A few minutes after submitting this PR I saw
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=gnu/45168
>> A buffer overflow in dialog, when having too many options selected
>> (MAX_LEN (output length) = 2048, and they're using strcpy)
>
> Yes, the dialog code is quite "low-grade" :)
>
>> (The category should be changed from bin -> gnu btw, missed the gnu in
>> the list)
>>
>> I'm gonna try to get to the top of the backtrace now.

Okay, I can't get a backtrace; the stack gets fucked up. I stepped (next'd)
through the program till it crashed.
Last lines:

269         fprintf(stderr, "\"%s\"", h);
(gdb)
"GS_wtscmyk"270       h = s;
(gdb)
339     EndDialog(clear_screen);
(gdb)
346     }
(gdb)
340     return retval;
(gdb)
346     }
(gdb)
Warning:
Cannot insert breakpoint 0.
Error accessing memory address 0x53470066: Bad address.

The file is /usr/src/gnu/usr.bin/dialog/dialog.c, at the end of main().
Quite interesting is that the EndDialog on line 339 should only be called if
(!strcmp(argv[offset+1], "--tree")), which is _NOT_ the case.

On this URL you can find the command-line arguments:
http://junk.quis.cx/suWFMqdS/dialog-crash.sh
(I would like to hear whether it reproduces)
(I generated it from ports)

-- 
Jille

>
> Kris
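The bug class under discussion, as an added example that is not dialog's own code and is not part of the original thread: a fixed MAX_LEN output buffer filled with unchecked strcpy/strcat, beside a replacement that sizes the buffer from the input. The quoting format (each selected tag emitted as "tag" followed by a space), the tag names, and the helper names are all constructed for the demo; the numbers show why moving MAX_LEN from 2048 to 4096 only moves the crash.

```c
/* Added example (not dialog's code): fixed-buffer strcat versus a
 * bounds-checked, dynamically sized join. Tags and quoting are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LEN 2048        /* limit quoted in the PR */
#define BUMPED_MAX_LEN 4096 /* the proposed bump, no real fix */

/* Bytes needed to emit every tag as "tag" plus a separating space, plus NUL. */
size_t output_len_needed(const char **tags, size_t ntags)
{
    size_t total = 1;
    for (size_t i = 0; i < ntags; i++)
        total += strlen(tags[i]) + 3;
    return total;
}

/* Vulnerable pattern: unchecked strcat into a fixed buffer. Only safe when
 * output_len_needed() <= MAX_LEN; otherwise it writes past the buffer. */
void join_tags_unchecked(char out[MAX_LEN], const char **tags, size_t ntags)
{
    out[0] = '\0';
    for (size_t i = 0; i < ntags; i++) {
        strcat(out, "\"");
        strcat(out, tags[i]);
        strcat(out, "\" ");
    }
}

/* Fixed pattern: size the buffer from the input; NULL on allocation failure. */
char *join_tags_dynamic(const char **tags, size_t ntags)
{
    size_t need = output_len_needed(tags, ntags), pos = 0;
    char *out = malloc(need);
    if (out == NULL)
        return NULL;
    out[0] = '\0';
    for (size_t i = 0; i < ntags; i++) {
        int w = snprintf(out + pos, need - pos, "\"%s\" ", tags[i]);
        if (w < 0 || (size_t)w >= need - pos) {
            free(out);
            return NULL;
        }
        pos += (size_t)w;
    }
    return out;
}

/* Constructed sample: ntags names like "GS_opt_00042" (12 chars each). */
static char **make_sample_tags(size_t ntags)
{
    char **tags = malloc(ntags * sizeof *tags);
    for (size_t i = 0; i < ntags; i++) {
        tags[i] = malloc(16);
        snprintf(tags[i], 16, "GS_opt_%05zu", i);
    }
    return tags;
}

static void free_sample_tags(char **tags, size_t ntags)
{
    for (size_t i = 0; i < ntags; i++)
        free(tags[i]);
    free(tags);
}

/* Output bytes ntags constructed tags would need: 15 per tag plus NUL. */
size_t sample_output_len(size_t ntags)
{
    char **tags = make_sample_tags(ntags);
    size_t need = output_len_needed((const char **)tags, ntags);
    free_sample_tags(tags, ntags);
    return need;
}

/* 1 if the dynamic join of ntags constructed tags has exactly the expected
 * length and ends with a closing quote before the separator, else 0. */
int sample_dynamic_join_ok(size_t ntags)
{
    char **tags = make_sample_tags(ntags);
    char *joined = join_tags_dynamic((const char **)tags, ntags);
    int ok = joined != NULL
          && strlen(joined) + 1 == output_len_needed((const char **)tags, ntags)
          && (ntags == 0 || joined[strlen(joined) - 2] == '"');
    free(joined);
    free_sample_tags(tags, ntags);
    return ok;
}

int main(void)
{
    char fixed[MAX_LEN];
    const char *few[] = { "GS_wtscmyk", "GS_pdfwrite" };
    join_tags_unchecked(fixed, few, 2); /* tiny input, fits; never use on a real list */
    printf("%s\n", fixed);
    for (size_t n = 100; n <= 400; n += 100)
        printf("%zu tags need %zu bytes (MAX_LEN %d, bumped %d)\n",
               n, sample_output_len(n), MAX_LEN, BUMPED_MAX_LEN);
    return 0;
}
```

With 200 constructed tags the output needs 3001 bytes, which overflows the 2048-byte buffer but fits 4096, mirroring the 3426-byte case in the PR; 400 tags need 6001 bytes and overflow the bumped buffer too. Any fixed limit fails the same way once ghostscript (or any port) grows its option list, which is why the dynamic join, not a larger constant, is the fix.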