From owner-freebsd-bugs@FreeBSD.ORG Sun May 25 14:10:03 2008
Date: Sun, 25 May 2008 14:10:03 GMT
Message-Id: <200805251410.m4PEA3BL039908@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Jille
Subject: Re: bin/123977: Segmentation fault in dialog with ghostscript-gpl-nox11 port
List-Id: Bug reports

The following reply was made to PR bin/123977; it has been noted by GNATS.

From: Jille
To: Kris Kennaway
Cc: FreeBSD-gnats-submit@FreeBSD.org, Ed, ache@freebsd.org
Subject: Re: bin/123977: Segmentation fault in dialog with ghostscript-gpl-nox11 port
Date: Sun, 25 May 2008 16:02:39 +0200

ache: Bumping MAX_LEN from 2048 -> 4096 is not really the fix. See the url
below, and try it. Yes, it fixes my situation, with 3426 bytes, but it will
crash again if (eg) ghostscript gets more options.

Kris Kennaway wrote:
> Jille wrote:
>>
>>
>> Kris Kennaway wrote: [...]
>
> The process is documented in the developers handbook.
>
>> The backtrace I could get (without function names, files, linenos etc)
>> was huge, I didn't make it to the top (> 500).
>> I can try to dump it entirely, might it ever stop.
>>
>> I can also upload my dialog-binary, dialog-core, libdialog-with-debug,
>> and libc somewhere ?
>>
>> I have compiled dialog and libdialog with -g, should I also do it with
>> libc ?
>
> It may be necessary, but if it is crashing in dialog then those parts of
> the backtrace should be fine at least. If you are not seeing any
> file:line details then something went wrong with your -g binaries, e.g.
> they were stripped when they were installed.
>
>> A few minutes after submitting this PR I saw
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=gnu/45168
>> A buffer overflow in dialog, when having too many options selected
>> (MAX_LEN (output length) = 2048, and they're using strcpy)
>
> Yes, the dialog code is quite "low-grade" :)
>
>> (The category should be changed from bin -> gnu btw, missed the gnu in
>> the list)
>>
>> I'm gonna try to get to the top of the backtrace now.

Okay, I can't get a backtrace, the stack gets fucked up.
I stepped (next'd) through the program till it crashed. Last lines:

269             fprintf(stderr, "\"%s\"", h);
(gdb)
"GS_wtscmyk"270         h = s;
(gdb)
339         EndDialog(clear_screen);
(gdb)
346     }
(gdb)
340         return retval;
(gdb)
346     }
(gdb)
Warning:
Cannot insert breakpoint 0.
Error accessing memory address 0x53470066: Bad address.

The file is /usr/src/gnu/usr.bin/dialog/dialog.c at the end of main().
Quite interesting is that the EndDialog on line 339 should only be called
if (!strcmp(argv[offset+1], "--tree")), which is _NOT_ the case.

On this url you can find the commandline arguments:
http://junk.quis.cx/suWFMqdS/dialog-crash.sh
(I would like to hear whether it reproduces)
(I generated it from ports)

--
Jille

>
> Kris
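The point Jille makes above (raising MAX_LEN from 2048 to 4096 only moves the crash, because the output buffer is filled with strcpy and nothing ties the copy to the buffer size) is illustrated by the following constructed example. It is not the dialog(1) source and not code from the PR: the option list, the output format (space-separated, double-quoted tokens, guessed from the fprintf(stderr, "\"%s\"", h) line in the gdb trace) and the function names joined_len, join_bounded, join_dynamic and demo_oversized_selection are all assumptions. It shows the two defensive alternatives to a fixed-size copy: a bounded writer that refuses output that does not fit, and a writer that sizes the buffer from the selection so a growing option list cannot overflow it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The limit the PR says dialog used for its output buffer. */
#define MAX_LEN 2048

/* Bytes needed to render n options as space-separated, double-quoted
 * tokens, including the terminating NUL. The output format is an
 * assumption made for this example, not taken from dialog. */
size_t joined_len(const char *const *opts, size_t n)
{
    size_t len = 1; /* terminating NUL */
    for (size_t i = 0; i < n; i++)
        len += strlen(opts[i]) + 2 + (i + 1 < n ? 1 : 0); /* quotes + separator */
    return len;
}

/* Bounded replacement for an unchecked strcpy into a fixed buffer: the
 * buffer size is checked before any byte is written, and snprintf is
 * bounded as well. Returns 0 on success, -1 if the output would not fit. */
int join_bounded(char *buf, size_t bufsz, const char *const *opts, size_t n)
{
    if (bufsz == 0 || joined_len(opts, n) > bufsz)
        return -1;
    buf[0] = '\0';
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(buf + pos, bufsz - pos, "\"%s\"%s",
                         opts[i], i + 1 < n ? " " : "");
        if (w < 0 || (size_t)w >= bufsz - pos)
            return -1; /* defensive: cannot happen after the length check */
        pos += (size_t)w;
    }
    return 0;
}

/* Sized-from-input alternative: allocate exactly what the selection needs,
 * so more options (the ghostscript case in the PR) cannot overflow anything.
 * Caller frees the result. Returns NULL on allocation failure. */
char *join_dynamic(const char *const *opts, size_t n)
{
    size_t need = joined_len(opts, n);
    char *buf = malloc(need);
    if (buf == NULL)
        return NULL;
    if (join_bounded(buf, need, opts, n) != 0) {
        free(buf);
        return NULL;
    }
    return buf;
}

/* Constructed selection in the spirit of the PR: 300 copies of a ten-byte
 * option name render to 3899 bytes, well past MAX_LEN. Returns 1 if the
 * bounded copy refused and the dynamic copy produced the expected length. */
int demo_oversized_selection(void)
{
    enum { N = 300 };
    const char *opts[N];
    for (size_t i = 0; i < N; i++)
        opts[i] = "GS_wtscmyk"; /* constructed sample option, length 10 */

    char fixed[MAX_LEN];
    int refused = join_bounded(fixed, sizeof fixed, opts, N) == -1;

    char *dyn = join_dynamic(opts, N);
    int ok = dyn != NULL && strlen(dyn) == joined_len(opts, N) - 1;
    free(dyn);
    return refused && ok;
}

int main(void)
{
    const char *small[] = { "a", "bc" };
    char buf[16];
    if (join_bounded(buf, sizeof buf, small, 2) == 0)
        printf("small selection: %s\n", buf);
    printf("oversized selection handled safely: %s\n",
           demo_oversized_selection() ? "yes" : "no");
    return 0;
}
```

With the bounded writer, a selection that does not fit yields an error the caller can report instead of a corrupted stack and the "Cannot insert breakpoint" gdb failure seen above; with the dynamic writer the limit disappears altogether, which is the fix Jille is asking for rather than a larger constant.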