Bug 1549478
| Summary: | buffer overflow in uim | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Akira TAGOH <tagoh> |
| Component: | uim | Assignee: | Akira TAGOH <tagoh> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | rawhide | CC: | aoliva, davejohansen, dmalcolm, fweimer, i18n-bugs, jakub, jwakely, law, mpolacek, msebor, nickc, tagoh |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | uim-1.8.6-17.fc26 uim-1.8.6-17.fc27 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-03-13 17:16:09 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Akira TAGOH
2018-02-27 08:29:14 UTC
Comment 1, Jakub Jelinek:

There is nothing weird on it, you overflow a buffer. Before filing bugs try your package with -fsanitize=address and/or -fsanitize=undefined.

```c
static MConverter *converter;
static char buffer_for_converter[4096];
/* Currently, if preedit strings or candidate strings over this buffer size,
   they will simply ignore. */
/* ... */
static char *
convert_mtext2str(MText *mtext)
{
    /* The converter is given the full 4096 bytes, so nbytes can reach 4096. */
    mconv_rebind_buffer(converter, (unsigned char *)buffer_for_converter,
                        sizeof(buffer_for_converter));
    mconv_encode(converter, mtext);
    /* When nbytes == 4096 this stores one byte past the end of the array. */
    buffer_for_converter[converter->nbytes] = 0;
    return uim_strdup(buffer_for_converter);
}
```

So, you call first mconv_rebind_buffer which sets internal->bufsize to 4096, then try to encode something. If it is really long, it will encode at most that bufsize characters and set converter->nbytes to 4096. Then in buffer_for_converter[converter->nbytes] = 0; you overflow the buffer and because converter pointer happens to be adjacent with -O2 right after it, you overwrite the last significant byte of it. Guess either you need to pass sizeof(buffer_for_converter)-1 to mconv_rebind_buffer, so that there is a place for the terminating '\0', or that plus bump buffer_for_converter size to 4096+1.

Comment 2:

(In reply to Akira TAGOH from comment #0)
> A process of uim-module-manager stopped running due to segfault. This seems
> not to happen when it is built against -O0 but -O1. However, building with -O0
> and various -f* options which are supposed to be enabled according to the
> wiki didn't help.

That's expected, read https://gcc.gnu.org/wiki/FAQ#optimization-options
If you use -O0 then no optimization happens, it doesn't matter if you use -f* options, -O0 means **NO** optimization. None.

Comment 3:

(In reply to Jakub Jelinek from comment #1)
> Guess either you need to pass sizeof(buffer_for_converter)-1 to
> mconv_rebind_buffer, so that there is a place for the terminating '\0', or
> that plus bump buffer_for_converter size to 4096+1.

Indeed that is. You're right. Thanks for the explanation and suggestion.
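The off-by-one from comment 1 and the sizeof(buffer_for_converter)-1 fix from comment 3, as an added illustration that is not part of this bug report or of uim. The converter here is an assumed stand-in for m17n's MConverter/mconv_* that models only the two fields the thread discusses (bufsize set by rebind, nbytes set by encode); terminator_index reports where the NUL would land instead of storing it, so the buggy case can be checked without corrupting memory.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for m17n's MConverter: only bufsize (set by rebind) and
 * nbytes (set by encode) are modelled, because those are what the bug hinges on. */
typedef struct { unsigned char *buf; size_t bufsize; size_t nbytes; } FakeConverter;

static void fake_rebind_buffer(FakeConverter *c, unsigned char *buf, size_t n) { c->buf = buf; c->bufsize = n; c->nbytes = 0; }

/* Stand-in for mconv_encode: stops at bufsize, so overlong input leaves nbytes == bufsize. */
static void fake_encode(FakeConverter *c, const char *text)
{
    size_t len = strlen(text);
    c->nbytes = len < c->bufsize ? len : c->bufsize;
    memcpy(c->buf, text, c->nbytes);
}

static char buffer_for_converter[4096];

/* Index at which convert_mtext2str would store the NUL for a given rebind size.
 * An index equal to sizeof(buffer_for_converter) is the out-of-bounds store. */
static size_t terminator_index(size_t rebind_size, const char *text)
{
    FakeConverter c;
    fake_rebind_buffer(&c, (unsigned char *)buffer_for_converter, rebind_size);
    fake_encode(&c, text);
    return c.nbytes;
}

/* Hardened convert_mtext2str: one byte is held back for the terminator, so
 * nbytes <= sizeof(buffer_for_converter) - 1 and the store stays in bounds. */
static char *convert_str_fixed(const char *text)
{
    FakeConverter c;
    fake_rebind_buffer(&c, (unsigned char *)buffer_for_converter, sizeof(buffer_for_converter) - 1);
    fake_encode(&c, text);
    buffer_for_converter[c.nbytes] = 0;
    char *out = malloc(c.nbytes + 1);        /* plain copy in place of uim_strdup */
    if (out) memcpy(out, buffer_for_converter, c.nbytes + 1);
    return out;
}

/* Constructed overlong input: 5000 'A's, longer than the 4096-byte buffer. */
static const char *overlong_input(void)
{
    static char s[5001]; memset(s, 'A', 5000); s[5000] = 0;
    return s;
}
```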
uim-1.8.6-17.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2eacef32de

uim-1.8.6-17.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0209bafc31

uim-1.8.6-17.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0209bafc31

uim-1.8.6-17.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2eacef32de

uim-1.8.6-17.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

uim-1.8.6-17.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.