Description of problem:
When importing photos using gthumb or gphoto2 -P the process is killed because of a buffer overflow (caused by the FORTIFY_SOURCE)

Version-Release number of selected component (if applicable):
gphoto2-2.1.5-8

How reproducible:
Import photos from a Ricoh G3 camera.

Steps to Reproduce:
1. Attach Ricoh G3 camera
2. Run gphoto2 -P

Actual results:
[gijs@bruce test]% gphoto2 -P
*** buffer overflow detected ***: gphoto2 terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0x1ef345]
/lib/libc.so.6(__strcpy_chk+0x3f)[0x1ee9d7]
/usr/lib/gphoto2/2.1.5/libgphoto2_ricoh_g3.so[0xa02db6]
/usr/lib/libgphoto2.so.2(gp_filesystem_list_files+0x125)[0xb790a9]
/usr/lib/libgphoto2.so.2(gp_camera_folder_list_files+0xec)[0xb7230b]
gphoto2[0x804e13a]
gphoto2[0x804e2cc]
gphoto2[0x804e2cc]
gphoto2[0x804e2cc]
gphoto2[0x8051d41]
/usr/lib/libpopt.so.0[0x5f6567]
/usr/lib/libpopt.so.0(poptGetNextOpt+0x246)[0x5f7d80]
gphoto2[0x80505cf]
/lib/libc.so.6(__libc_start_main+0xc6)[0x125de6]
gphoto2[0x804ad21]
zsh: abort gphoto2 -P

Expected results:
Imported photos.

Additional info:
After installing the debuginfo rpm I found out the error is caused by line 751 in camlibs/ricoh/g3.c:

749: strcpy(xfn, buf+n*32);
750: xfn[8] = '.';
751: strcpy(xfn+9, buf+n*32+8);

Replacing the 2 strcpy's with strncpy resolves the problem. See the attached patch.
Created attachment 114378
Patch to fix the buffer overflow
Thanks!
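Added example, not code from libgphoto2 or from the attached patch: a bounded version of the copy at lines 749-751, plus a helper that measures how many bytes the unbounded strcpy would write for a fixed-width field with no terminator. The function names, the 3-byte extension width, the 13-byte output size and the sample buffer are assumptions made for illustration; memcpy with an explicit terminator is used here because strncpy does not add a NUL when the source fills the whole count.

```c
#include <stdio.h>
#include <string.h>
/* Assumed layout (from the report's offsets): 32-byte entries, 8-byte name at
 * offset 0, extension at offset 8. The 3-byte extension is an assumption. */
#define ENTRY_SIZE 32
#define NAME_LEN 8
#define EXT_LEN 3
#define XFN_SIZE (NAME_LEN + 1 + EXT_LEN + 1) /* "NNNNNNNN.EEE" + NUL */

/* Bytes strcpy(xfn+9, buf+n*32+8) would write, NUL included: it stops at the
 * first zero byte, not at the field end. memchr keeps this check in bounds. */
size_t strcpy_would_write(const unsigned char *buf, size_t buflen, size_t n) {
    if (n >= buflen / ENTRY_SIZE) return 0;
    const unsigned char *src = buf + n * ENTRY_SIZE + NAME_LEN;
    size_t avail = buflen - (size_t)(src - buf);
    const unsigned char *nul = memchr(src, 0, avail);
    return nul ? (size_t)(nul - src) + 1 : avail + 1; /* lower bound if no NUL */
}

/* Bounded form: copy exactly the field widths, then terminate explicitly.
 * Returns 0 on success, -1 if entry n is outside buf or xfn is too small. */
int entry_filename(const unsigned char *buf, size_t buflen, size_t n,
                   char *xfn, size_t xfnlen) {
    if (xfnlen < XFN_SIZE || n >= buflen / ENTRY_SIZE) return -1;
    const unsigned char *e = buf + n * ENTRY_SIZE;
    memcpy(xfn, e, NAME_LEN);
    xfn[NAME_LEN] = '.';
    memcpy(xfn + NAME_LEN + 1, e + NAME_LEN, EXT_LEN);
    xfn[XFN_SIZE - 1] = '\0';
    return 0;
}

/* Constructed sample: two space-filled entries, one NUL at the very end. */
static unsigned char sample[2 * ENTRY_SIZE];
const unsigned char *make_sample(void) {
    memset(sample, ' ', sizeof sample);
    memcpy(sample, "RIMG0001JPG", 11);
    memcpy(sample + ENTRY_SIZE, "RIMG0002JPG", 11);
    sample[sizeof sample - 1] = '\0';
    return sample;
}

int main(void) {
    char xfn[XFN_SIZE];
    if (entry_filename(make_sample(), sizeof sample, 0, xfn, sizeof xfn) == 0)
        printf("%s (strcpy would write %zu bytes)\n", xfn,
               strcpy_would_write(sample, sizeof sample, 0));
    return 0;
}
```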