Bug 426068

| Field | Value |
|---|---|
| Summary: | dvd+rw-format crashes inside wctomb |
| Product: | Fedora |
| Component: | dvd+rw-tools |
| Version: | rawhide |
| Hardware: | All |
| OS: | Linux |
| Status: | CLOSED RAWHIDE |
| Severity: | urgent |
| Priority: | low |
| Reporter: | Jonathan Kamens <h1k6zn2m> |
| Assignee: | Harald Hoyer <harald> |
| QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| CC: | adrin.jalali, antonio.montagnani, harald, rdieter |
| Doc Type: | Bug Fix |
| Last Closed: | 2008-03-26 08:01:48 UTC |

looks like a glibc bug

Nay.

    // Excerpt from dvd+rw-tools as quoted in the bug (ENV_LOCALE is defined
    // elsewhere in the project; the two includes are added for completeness).
    #include <clocale>   // setlocale
    #include <cstdlib>   // wctomb, MB_CUR_MAX

    extern "C" char *plusminus_locale()
    {
        static class __plusminus {
        private:
            char str[4];   // too small: wctomb may write up to MB_CUR_MAX bytes
        public:
            __plusminus()
            {
                setlocale(LC_CTYPE, ENV_LOCALE);
                int l = wctomb(str, (wchar_t)(unsigned char)'.');
                if (l > 0) str[l] = '\0';
                else str[0] = '.', str[1] = '\0';
            }
            ~__plusminus() { }
            operator char*() { return str; }
        } plusminus;
        return plusminus;
    }

and see man wctomb:
The programmer must ensure that there is room for at least MB_CUR_MAX bytes at s.
For UTF-8 MB_CUR_MAX is 6, which is bigger than 4 and that's why glibc is
complaining. If you don't want a VLA buffer, you can use MB_LEN_MAX (16 for
glibc), which is guaranteed to be >= MB_CUR_MAX for any supported locale.
*** Bug 429096 has been marked as a duplicate of this bug. ***

*** Bug 425918 has been marked as a duplicate of this bug. ***

It sort of sucks that this is still broken over three months after the bug report was filed, when Jakub has explained how it can be easily fixed.

Created attachment 299085 [details]
patch to fix buffer overflow in wctomb

Here's a patch.

Sorry, bug radar failed, built dvd+rw-tools-7.0-10 in rawhide

Description:

I've got current rawhide everything, including gcc-4.1.2-36, glibc-2.7.90-1, dvd+rw-tools-7.0-8.fc9. dvd+rw-format crashes for me on startup. It's the child process that's crashing. Backtrace from the core file:

    #0  0x0012d402 in __kernel_vsyscall ()
    #1  0x0028e820 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
    #2  0x00290121 in abort () at abort.c:88
    #3  0x002c8ccb in __libc_message (do_abort=2, fmt=0x392088 "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
    #4  0x00351768 in __fortify_fail (msg=0x392057 "buffer overflow detected") at fortify_fail.c:32
    #5  0x0034fe10 in __chk_fail () at chk_fail.c:29
    #6  0x003507ec in __wctomb_chk (s=0x8050688 "", wchar=177, buflen=0) at wctomb_chk.c:33
    #7  0x08048ed6 in plusminus_locale () at /usr/include/bits/stdlib.h:94
    #8  0x0804ae25 in main (argc=2, argv=0xbfc813f4) at dvd+rw-format.cpp:253
    #9  0x0027b4a0 in __libc_start_main (main=0x804ad50 <main>, argc=2, ubp_av=0xbfc813f4, init=0x804e580 <__libc_csu_init>, fini=0x804e570 <__libc_csu_fini>, rtld_fini=0x11e9a0 <_dl_fini>, stack_end=0xbfc813ec) at libc-start.c:220
    #10 0x08048bf1 in _start ()

I've narrowed it down to the fact that it was built with _FORTIFY_SOURCE=2 and wctomb is aborting because the call to __builtin_object_size is returning 0. I do not understand the arcana of the compiler, __builtin_object_size or FORTIFY here enough to understand which moving part isn't working properly.
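The sizing rule from Jakub's comment (a buffer of MB_LEN_MAX bytes is never smaller than MB_CUR_MAX, whereas 4 is smaller in a UTF-8 locale) and the check behind the backtrace in the description (__wctomb_chk comparing the destination's declared size, here buflen=0, against MB_CUR_MAX) as one added example in C. This is not code from the bug, from glibc or from dvd+rw-tools: wctomb_checked is an assumed name for a userland mirror of the FORTIFY condition, encode_wchar and plusminus_str are hypothetical helpers, and the character value 0xB1 is taken from the wchar=177 shown in frame #6 (U+00B1, the plus-minus sign).

```c
#include <limits.h>   /* MB_LEN_MAX: compile-time upper bound on MB_CUR_MAX */
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>   /* wctomb, MB_CUR_MAX */
#include <string.h>
#include <wchar.h>

/* Mirror of the check glibc's FORTIFY wrapper applies before calling wctomb:
 * it compares the *declared* size of the destination buffer with MB_CUR_MAX,
 * the worst case for the current locale, not with the number of bytes this
 * particular character needs. Returns -2 where the real wrapper would abort
 * with "buffer overflow detected", otherwise wctomb()'s own result.
 * (Assumed helper; the real glibc function is __wctomb_chk.) */
int wctomb_checked(char *s, size_t buflen, wchar_t wc)
{
    if (buflen < MB_CUR_MAX)
        return -2;            /* FORTIFY would call __chk_fail() here */
    return wctomb(s, wc);
}

/* Locale-proof encoding of one wide character into a NUL-terminated string.
 * The scratch buffer is MB_LEN_MAX bytes (16 on glibc), which is guaranteed
 * to be >= MB_CUR_MAX for every supported locale, so it is never too small.
 * Returns the byte count written (excluding the NUL), or -1 if the character
 * is not representable in the current locale or 'out' cannot hold it. */
int encode_wchar(wchar_t wc, char *out, size_t outlen)
{
    char tmp[MB_LEN_MAX];
    int n;

    wctomb(NULL, 0);                      /* reset the shift state */
    n = wctomb(tmp, wc);
    if (n < 0 || (size_t)n + 1 > outlen)  /* n bytes plus the terminating NUL */
        return -1;
    memcpy(out, tmp, (size_t)n);
    out[n] = '\0';
    return n;
}

/* Hardened counterpart of plusminus_locale() from the report: same fallback
 * to "." when the character cannot be encoded, but a buffer that cannot
 * overflow. 0xB1 is the wchar value from the backtrace (assumption: that is
 * the plus-minus sign the function is named after). Unlike the original this
 * helper does not call setlocale(); the caller decides the locale. */
const char *plusminus_str(void)
{
    static char str[MB_LEN_MAX + 1];
    if (encode_wchar((wchar_t)0xB1, str, sizeof str) < 0) {
        str[0] = '.';
        str[1] = '\0';
    }
    return str;
}

int main(void)
{
    char buf[8];
    setlocale(LC_CTYPE, "");   /* honour LANG/LC_CTYPE, as the original did */
    printf("MB_CUR_MAX=%zu MB_LEN_MAX=%d\n", (size_t)MB_CUR_MAX, MB_LEN_MAX);
    /* The report's 4-byte buffer: passes in a single-byte locale, is rejected
     * in a UTF-8 locale on glibc (MB_CUR_MAX == 6) before any byte is written. */
    printf("4-byte buffer accepted by the FORTIFY-style check: %s\n",
           wctomb_checked(buf, 4, L'.') == -2 ? "no" : "yes");
    printf("plus/minus marker: \"%s\" (%d byte(s))\n",
           plusminus_str(), (int)strlen(plusminus_str()));
    return 0;
}
```

Build with `gcc -O2 -D_FORTIFY_SOURCE=2 -Wall` and run once with `LC_ALL=C` and once with a UTF-8 locale: the second line flips from "yes" to "no" even though the plus-minus sign itself needs only two bytes in UTF-8, which is exactly why a buffer that "works" at runtime is still rejected by the check. Note that the verifier runs the assertions below in the C locale, where MB_CUR_MAX is 1 and 0xB1 is not representable, so plusminus_str() falls back to ".".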