First Last Prev Next    This bug is not in your last search results.
Bug 189146 - xvidtune crashes on startup due to gcc fortify
xvidtune crashes on startup due to gcc fortify
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: xorg-x11-server-utils (Show other bugs)
5
All Linux
medium Severity medium
: ---
: ---
Assigned To: X/OpenGL Maintenance List
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-04-17 12:47 EDT by Frank Ch. Eigler
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-08-04 17:20:23 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Frank Ch. Eigler 2006-04-17 12:47:15 EDT 
Description of problem:
xvidtune crashes.  gcc fortify backtrace produced.

Version-Release number of selected component (if applicable):
xorg-x11-server-utils-1.0.1-1.2

How reproducible:
always

Steps to Reproduce:
1. run xvidtune
  
Actual results:
crash

Expected results:
no crash

Additional info:
glibc detects a buffer overflow in the sprintf.  A 10-byte buffer is not big
enough to contain a number that large.

(gdb) frame 11
#11 0x0804af70 in CreateTyp (form=0x8fc5100, findex=PixelClock, w1name=Variable
"w1name" is not available.
)
    at xvidtune.c:968
968             (void) sprintf(buf, "%6.2f", (float)AppRes.field[findex].val /
1000.0);
(gdb) l
963         Widget wids[3];
964         char buf[10];
965
966         wids[0] = XtCreateWidget (w1name, labelWidgetClass, form, NULL, 0);
967         if (findex >= PixelClock && findex <= VSyncRate)
968             (void) sprintf(buf, "%6.2f", (float)AppRes.field[findex].val /
1000.0);
969         else
970             (void) sprintf (buf, "%5d", AppRes.field[findex].val);
971         wids[1] = XtVaCreateWidget (w2name, labelWidgetClass,
972                     form, XtNlabel, buf, NULL);

(gdb) p buf
$5 = "1889173.9"    # note 9 bytes + \0 used; no space for second decimal place
Comment 1 Adam Jackson 2006-08-04 17:20:23 EDT 
Fixed in 7.1-4 and later.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.