Bug 376791

Hi, Jesse:

Version 2.6 is crashing for me on x86_64 (fedora 8):

icon@lucius:[~]$ atanks
Atomic Tanks Version 2.6 (-h for help)
Authors:        Tom Hudson (rewrite, additions, improvements)
                Stevante Software (original design)
                Kota543 Software (fixes and updates)
                Jesse Smith (additions, fixes and updates)

*** buffer overflow detected ***: atanks terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x32)[0x30684ea362]
/lib64/libc.so.6[0x30684e8a90]
/lib64/libc.so.6[0x30684e7ef9]
/lib64/libc.so.6(_IO_default_xsputn+0x94)[0x306846ec34]
/lib64/libc.so.6(_IO_vfprintf+0x3882)[0x3068446642]
/lib64/libc.so.6(__vsprintf_chk+0x9d)[0x30684e7f9d]
/lib64/libc.so.6(__sprintf_chk+0x80)[0x30684e7ee0]
atanks(_Z7optionsP10GLOBALDATAP11ENVIRONMENTP8MENUDESC+0x28f5)[0x426145]
atanks(main+0x93f)[0x42851f]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x306841e074]
atanks(__gxx_personality_v0+0xe9)[0x4087b9]

Would you like me to file a bug on SF?

Icon,

No need to file a bug report on Source Forge. Your comment here is good enough, 
thank you. Looking at the output above, it's a little hard to track down. I
don't have a 64-bit machine to test with so I was wondering if you could
use gdb to find which line in the source is causing the crash, please?

Thank you,
Jesse

Sure. I'm not that familiar with gdb, though. Here's what I get after "run" and
"bt" once it crashes:

(gdb) bt
#0  0x0000003068430ec5 in raise () from /lib64/libc.so.6
#1  0x0000003068432970 in abort () from /lib64/libc.so.6
#2  0x000000306846b0db in __libc_message () from /lib64/libc.so.6
#3  0x00000030684ea362 in __fortify_fail () from /lib64/libc.so.6
#4  0x00000030684e8a90 in __chk_fail () from /lib64/libc.so.6
#5  0x00000030684e7ef9 in _IO_str_chk_overflow () from /lib64/libc.so.6
#6  0x000000306846ec34 in _IO_default_xsputn_internal () from /lib64/libc.so.6
#7  0x0000003068446642 in vfprintf () from /lib64/libc.so.6
#8  0x00000030684e7f9d in __vsprintf_chk () from /lib64/libc.so.6
#9  0x00000030684e7ee0 in __sprintf_chk () from /lib64/libc.so.6
#10 0x0000000000426145 in options (global=0x638310, env=0xbee340, 
    menu=0x7a3a50) at /usr/include/bits/stdio2.h:35
#11 0x000000000042851f in main (argc=<value optimized out>, 
    argv=<value optimized out>) at atanks.cc:3592

Let me know if that is enough, or if you need more. I'm in #fedora-devel on
irc.freenode.org if you need a speedier turnaround.

Icon,

I think I found the problem. In the options() function there are
two declarations for variables call "buff". I think there is a buffer
over-flow, caused by "buff" not being long enough. If you open atanks.cc
and change line 838 to read

char buff[64];

Also, on line 1088 make the line read

char buff[64];


I think this will correct the problem.
If you have time, please try this and let me know if it works on your
64-but box.

Thanks!

I'm looking at 2.7 -- will let you know how it goes.

Looking good, I'm going to push it to fedora.

atanks-2.7-1.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update atanks'

atanks-2.7-1.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update atanks'

atanks-2.7-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

atanks-2.7-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.