Bug 150397
Summary: | Doing "pkg-config --help", *** buffer overflow detected *** | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | sangu <sangu.fedora> |
Component: | pkgconfig | Assignee: | Matthias Clasen <mclasen> |
Status: | CLOSED RAWHIDE | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | rawhide | CC: | jakub |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | i386 | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2005-03-07 14:37:33 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
sangu
2005-03-05 15:00:47 UTC
in glibc-2.3.12-12

$ pkg-config --help
Usage: pkg-config [OPTION...]
  --version                            output version of pkg-config
  --modversion                         output version for package
  --atleast-pkgconfig-version=VERSION
*** buffer overflow detected ***: pkg-config terminated
======= Backtrace: =========
/lib/tls/libc.so.6(__chk_fail+0x41)[0x222ee5]
/lib/tls/libc.so.6(__vsprintf_chk+0x0)[0x2227a8]
/lib/tls/libc.so.6(_IO_default_xsputn+0x97)[0x1aa118]
/lib/tls/libc.so.6(_IO_vfprintf+0xd8b)[0x1856dd]
/lib/tls/libc.so.6(__vsprintf_chk+0xa1)[0x222849]
/lib/tls/libc.so.6(__sprintf_chk+0x30)[0x22279c]
pkg-config[0x804f743]
pkg-config[0x804f906]
pkg-config[0x804fa2c]
pkg-config[0x804e615]
pkg-config[0x804d24e]
/lib/tls/libc.so.6(__libc_start_main+0xc6)[0x15edb6]
pkg-config[0x8049471]
======= Memory map: ========
0014a000-00268000 r-xp 00000000 03:08 16653      /lib/tls/libc-2.3.4.so
00268000-0026a000 r-xp 0011d000 03:08 16653      /lib/tls/libc-2.3.4.so
0026a000-0026c000 rwxp 0011f000 03:08 16653      /lib/tls/libc-2.3.4.so
0026c000-0026e000 rwxp 0026c000 00:00 0
00403000-0041d000 r-xp 00000000 03:08 895802     /lib/ld-2.3.4.so
0041d000-0041e000 r-xp 00019000 03:08 895802     /lib/ld-2.3.4.so
0041e000-0041f000 rwxp 0001a000 03:08 895802     /lib/ld-2.3.4.so
005ea000-005f3000 r-xp 00000000 03:08 895998     /lib/libgcc_s-4.0.0-20050303.so.1
005f3000-005f4000 rwxp 00008000 03:08 895998     /lib/libgcc_s-4.0.0-20050303.so.1
08048000-0805c000 r-xp 00000000 03:08 327403     /usr/bin/pkg-config
0805c000-0805d000 rw-p 00013000 03:08 327403     /usr/bin/pkg-config
09fb7000-09fd8000 rw-p 09fb7000 00:00 0
b7f92000-b7f94000 rw-p b7f92000 00:00 0
bfecf000-c0000000 rw-p bfecf000 00:00 0
ffffe000-fffff000 ---p 00000000 00:00 0
Aborted

Can you try to get the pkg-config debuginfo rpm so that the backtrace shows more information?

arjanv: the pkgconfig-debuginfo package contains no files.

$ rpm -qpl pkgconfig-debuginfo-0.15.0-4.i386.rpm
(contains no files)

This seems to be due to use of alloca in the copy of popt included in pkgconfig.

Does gcc4 have known issues with alloca?

Not known.. this sounds really like that alloca buffer gets overflown...

Line 64 of popthelp.c is

char format[10];
....

Line 97 of popthelp.c is then

sprintf(format, "%%.%ds\n%%%ds", (int) (ch - help), indentLength);

which is the culprit. The content of "format" at the time of the crash is

(gdb) print format
$2 = "%.24s\n%49 "

and is longer than 10 characters already (terminating zero), so this is actually overflowing a static buffer on the stack (and the sprintf might well not be finished yet).

That's a big gun solution. Even if int is 64-bit (that's not the case on any of Linux arches), it can be at most 47 characters; for 32-bit it is 29 chars.

Bad me... I wasted 81 bytes. Thankfully it is only --help output and the app will exit nanoseconds later anyway...