Bug 157739 - [PATCH] Buffer overflow when importing photos from Ricoh camera
[PATCH] Buffer overflow when importing photos from Ricoh camera
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: gphoto2 (Show other bugs)
rawhide
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Tim Waugh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-05-14 08:05 EDT by Gijs Hollestelle
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version: 2.1.5-9
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-05-14 08:22:59 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch to fix the buffer overflow (462 bytes, patch)
2005-05-14 08:05 EDT, Gijs Hollestelle
no flags Details | Diff

  None (edit)
Description Gijs Hollestelle 2005-05-14 08:05:08 EDT
Description of problem:
When importing photo's using gthumb or gphoto2 -P the process is killed because
of a buffer overflow (caused by the FORTIFY_SOURCE)

Version-Release number of selected component (if applicable):
gphoto2-2.1.5-8

How reproducible:
Import photo's from a Ricoh G3 camera.

Steps to Reproduce:
1. Attach Ricoh G3 camera
2. Run gphoto2 -P

Actual results:

[gijs@bruce test]% gphoto2 -P
*** buffer overflow detected ***: gphoto2 terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0x1ef345]
/lib/libc.so.6(__strcpy_chk+0x3f)[0x1ee9d7]
/usr/lib/gphoto2/2.1.5/libgphoto2_ricoh_g3.so[0xa02db6]
/usr/lib/libgphoto2.so.2(gp_filesystem_list_files+0x125)[0xb790a9]
/usr/lib/libgphoto2.so.2(gp_camera_folder_list_files+0xec)[0xb7230b]
gphoto2[0x804e13a]
gphoto2[0x804e2cc]
gphoto2[0x804e2cc]
gphoto2[0x804e2cc]
gphoto2[0x8051d41]
/usr/lib/libpopt.so.0[0x5f6567]
/usr/lib/libpopt.so.0(poptGetNextOpt+0x246)[0x5f7d80]
gphoto2[0x80505cf]
/lib/libc.so.6(__libc_start_main+0xc6)[0x125de6]
gphoto2[0x804ad21]
======= Memory map: ========
00111000-00235000 r-xp 00000000 03:01 4177923    /lib/libc-2.3.5.so
00235000-00237000 r-xp 00124000 03:01 4177923    /lib/libc-2.3.5.so
00237000-00239000 rwxp 00126000 03:01 4177923    /lib/libc-2.3.5.so
00239000-0023b000 rwxp 00239000 00:00 0
004dd000-004e6000 r-xp 00000000 03:01 4177929    /lib/libgcc_s-4.0.0-20050505.so .1
004e6000-004e7000 rwxp 00009000 03:01 4177929    /lib/libgcc_s-4.0.0-20050505.so .1
004e9000-00507000 r-xp 00000000 03:01 333045     /usr/lib/libjpeg.so.62.0.0
00507000-00508000 rwxp 0001d000 03:01 333045     /usr/lib/libjpeg.so.62.0.0
005f5000-005fc000 r-xp 00000000 03:01 330099     /usr/lib/libpopt.so.0.0.0
005fc000-005fd000 rwxp 00006000 03:01 330099     /usr/lib/libpopt.so.0.0.0
00929000-00943000 r-xp 00000000 03:01 750756     /lib/ld-2.3.5.so
00943000-00944000 r-xp 00019000 03:01 750756     /lib/ld-2.3.5.so
00944000-00945000 rwxp 0001a000 03:01 750756     /lib/ld-2.3.5.so
0097d000-0097e000 r-xp 0097d000 00:00 0
00995000-0099b000 r-xp 00000000 03:01 338350     /usr/lib/libgphoto2_port.so.0.5 .1
0099b000-0099c000 rwxp 00005000 03:01 338350     /usr/lib/libgphoto2_port.so.0.5 .1
00a00000-00a04000 r-xp 00000000 03:01 461267     /usr/lib/gphoto2/2.1.5/libgphot
o2_ricoh_g3.so
00a04000-00a05000 rwxp 00003000 03:01 461267     /usr/lib/gphoto2/2.1.5/libgphot
o2_ricoh_g3.so
00a73000-00a95000 r-xp 00000000 03:01 4177924    /lib/libm-2.3.5.so
00a95000-00a96000 r-xp 00021000 03:01 4177924    /lib/libm-2.3.5.so
00a96000-00a97000 rwxp 00022000 03:01 4177924    /lib/libm-2.3.5.so
00a99000-00a9b000 r-xp 00000000 03:01 4177925    /lib/libdl-2.3.5.so
00a9b000-00a9c000 r-xp 00001000 03:01 4177925    /lib/libdl-2.3.5.so
00a9c000-00a9d000 rwxp 00002000 03:01 4177925    /lib/libdl-2.3.5.so
00b20000-00b47000 r-xp 00000000 03:01 337001     /usr/lib/libreadline.so.5.0
00b47000-00b4b000 rwxp 00027000 03:01 337001     /usr/lib/libreadline.so.5.0
00b4b000-00b4c000 rwxp 00b4b000 00:00 0
00b69000-00b84000 r-xp 00000000 03:01 336435     /usr/lib/libgphoto2.so.2.0.3
00b84000-00b85000 rwxp 0001a000 03:01 336435     /usr/lib/libgphoto2.so.2.0.3
00b85000-00be5000 rwxp 00b85000 00:00 0
00cdd000-00ceb000 r-xp 00000000 03:01 4177926    /lib/libpthread-2.3.5.so
00ceb000-00cec000 r-xp 0000d000 03:01 4177926    /lib/libpthread-2.3.5.so
00cec000-00ced000 rwxp 0000e000 03:01 4177926    /lib/libpthread-2.3.5.so
00ced000-00cef000 rwxp 00ced000 00:00 0
00d72000-00d78000 r-xp 00000000 03:01 337530     /usr/lib/libusb-0.1.so.4.4.2
00d78000-00d7a000 rwxp 00005000 03:01 337530     /usr/lib/libusb-0.1.so.4.4.2
00f3b000-00f3e000 r-xp 00000000 03:01 494862     /usr/lib/gphoto2_port/0.5.1/lib
gphoto2_port_usb.so
00f3e000-00f3f000 rwxp 00002000 03:01 494862     /usr/lib/gphoto2_port/0.5.1/lib
gphoto2_port_usb.so
046ab000-046e9000 r-xp 00000000 03:01 336672     /usr/lib/libncurses.so.5.4
046e9000-046f2000 rwxp 0003d000 03:01 336672     /usr/lib/libncurses.so.5.4
047a7000-047c4000 r-xp 00000000 03:01 335257     /usr/lib/libexif.so.12.0.0
047c4000-047c9000 rwxp 0001c000 03:01 335257     /usr/lib/libexif.so.12.0.0
08048000-08058000 r-xp 00000000 03:01 334404     /usr/bin/gphoto2
08058000-08059000 rw-p 00010000 03:01 334404     /usr/bin/gphoto2
08059000-0805d000 rw-p 08059000 00:00 0
08481000-084c7000 rw-p 08481000 00:00 0          [heap]
b7b4c000-b7bce000 rw-p b7b4c000 00:00 0
b7bce000-b7d13000 rw-p b7d87000 00:00 0
b7d42000-b7dc5000 rw-p b7d42000 00:00 0
b7dc5000-b7dcb000 r--s 00000000 03:01 398602     /usr/lib/gconv/gconv-modules.ca che
b7dcb000-b7dcc000 rw-p b7dcb000 00:00 0
b7dcc000-b7fcc000 r--p 00000000 03:01 328884     /usr/lib/locale/locale-archive
b7fcc000-b7fd0000 rw-p b7fcc000 00:00 0
bffcb000-bffe1000 rw-p bffcb000 00:00 0          [stack]
zsh: abort      gphoto2 -P

Expected results:
Imported photos.

Additional info:
After installing the debuginfo rpm I found out the error is caused by line 751
in camlibs/ricoh/g3.c:
749:                            strcpy(xfn, buf+n*32);
750:                            xfn[8] = '.';
751:                            strcpy(xfn+9, buf+n*32+8);

Replacing the 2 strcpy's with strncpy resolves the problem. See the attached patch.
Comment 1 Gijs Hollestelle 2005-05-14 08:05:08 EDT
Created attachment 114378 [details]
Patch to fix the buffer overflow
Comment 2 Tim Waugh 2005-05-14 08:22:59 EDT
Thanks!

Note You need to log in before you can comment on or make changes to this bug.