Bug 193915 - dvipdfm buffer overflow
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: tetex
Version: 5
Hardware / OS: i686 Linux
Priority: medium  Severity: high
Assigned To: Jindrich Novy
David Lawrence
Reported: 2006-06-02 17:28 EDT by Creo
Modified: 2013-07-02 19:15 EDT
Doc Type: Bug Fix
Last Closed: 2006-06-26 09:49:42 EDT
Attachments:
- A sample .dvi file (208 bytes, application/octet-stream), 2006-06-15 18:32 EDT, Creo
- dvipdfm backtrace (3.64 KB, text/plain), 2006-06-17 07:38 EDT, Creo
- dvipdfm backtrace (3.53 KB, text/plain), 2006-06-18 05:10 EDT, Creo
- Patch to fix the buffer overflow. (385 bytes, patch), 2006-06-18 08:54 EDT, Jindrich Novy

Description Creo 2006-06-02 17:28:18 EDT
Description of problem:

The dvipdfm program produces an error *every time* it is run on a .dvi file

Version-Release number of selected component (if applicable):

tetex 3.0.17 (fc5 default)
tetex 3.0.19 (fc5 update - from fedora repository as on june 3, 2006)

How reproducible:

Prepare a .dvi file and run 'dvipdfm' on it to get an error

Steps to Reproduce:
1. prepare a tex/latex file
2. run it through tex/latex to get .dvi file
3. dvipdfm tex/latex file
  
Actual results:

[user@localhost ~]$ dvipdfm test2.dvi

test2.dvi -> test2.pdf
[1]*** buffer overflow detected ***: dvipdfm terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0x710965]
/lib/libc.so.6(__vsprintf_chk+0x0)[0x7101e8]
/lib/libc.so.6(_IO_default_xsputn+0x9c)[0x6957e8]
/lib/libc.so.6(_IO_vfprintf+0xfb0)[0x6700a9]
/lib/libc.so.6(__vsprintf_chk+0xa1)[0x710289]
/lib/libc.so.6(__sprintf_chk+0x30)[0x7101dc]
dvipdfm[0x804e850]
dvipdfm[0x80629a8]
/lib/libc.so.6(__libc_start_main+0xdc)[0x64a7e4]
dvipdfm[0x8049b91]
======= Memory map: ========
00618000-00631000 r-xp 00000000 03:03 1525112    /lib/ld-2.4.so
00631000-00632000 r-xp 00018000 03:03 1525112    /lib/ld-2.4.so
00632000-00633000 rwxp 00019000 03:03 1525112    /lib/ld-2.4.so
00635000-00761000 r-xp 00000000 03:03 1525113    /lib/libc-2.4.so
00761000-00764000 r-xp 0012b000 03:03 1525113    /lib/libc-2.4.so
00764000-00765000 rwxp 0012e000 03:03 1525113    /lib/libc-2.4.so
00765000-00768000 rwxp 00765000 00:00 0
00797000-007a9000 r-xp 00000000 03:03 1907640    /usr/lib/libz.so.1.2.3
007a9000-007aa000 rwxp 00011000 03:03 1907640    /usr/lib/libz.so.1.2.3
0095d000-00984000 r-xp 00000000 03:03 1889025    /usr/lib/libpng12.so.0.1.2.8
00984000-00985000 rwxp 00026000 03:03 1889025    /usr/lib/libpng12.so.0.1.2.8
00a2c000-00a37000 r-xp 00000000 03:03 1525118    /lib/libgcc_s-4.1.0-20060304.so.1
00a37000-00a38000 rwxp 0000a000 03:03 1525118    /lib/libgcc_s-4.1.0-20060304.so.1
00a5e000-00a5f000 r-xp 00a5e000 00:00 0          [vdso]
00d8a000-00dad000 r-xp 00000000 03:03 1523577    /lib/libm-2.4.so
00dad000-00dae000 r-xp 00022000 03:03 1523577    /lib/libm-2.4.so
00dae000-00daf000 rwxp 00023000 03:03 1523577    /lib/libm-2.4.so
08048000-0808a000 r-xp 00000000 03:03 1886170    /usr/bin/dvipdfm
0808a000-0808d000 rw-p 00042000 03:03 1886170    /usr/bin/dvipdfm
0808d000-08095000 rw-p 0808d000 00:00 0
093b6000-09490000 rw-p 093b6000 00:00 0          [heap]
b7fc3000-b7fc5000 rw-p b7fc3000 00:00 0
b7fdb000-b7fdc000 rw-p b7fdb000 00:00 0
b7fdd000-b7fe0000 rw-p b7fdd000 00:00 0
bfccb000-bfce0000 rw-p bfccb000 00:00 0          [stack]
Aborted

Expected results:

A .pdf which is similar to the input .dvi file

Additional info:
Comment 1 Jindrich Novy 2006-06-03 07:04:21 EDT
Works for me:

$ dvipdfm file.dvi

file.dvi -> file.pdf
[1]
11445 bytes written

Could you attach a dvi file that makes dvipdfm crash?
Comment 2 Creo 2006-06-15 18:32:07 EDT
Created attachment 131009 [details]
A sample .dvi file

This is a simple .dvi file obtained by running TeX on a .tex file which
contains the following:

hi
\bye
Comment 3 Jindrich Novy 2006-06-16 01:02:39 EDT
Sorry, I'm still unable to reproduce it even if I installed tetex to a new clean
FC5 chroot and updated tetex to 3.0.19.fc5.

Could you please install:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/i386/debug/tetex-debuginfo-3.0-19.fc5.i386.rpm

and send me a backtrace including debug info?

I mean the output of:

gdb --args dvipdfm file.dvi
run
bt
Comment 4 Creo 2006-06-17 07:38:35 EDT
Created attachment 131095 [details]
dvipdfm backtrace

This is a backtrace on the test.dvi attached earlier

thank you for following this up :)
Comment 5 Creo 2006-06-17 07:42:04 EDT
whoops! the backtrace that i posted was NOT for
tetex-debuginfo-3.0-19.fc5.i386.rpm :(

will install the package with debuginfo and post the backtrace soon 
Comment 6 Creo 2006-06-18 05:10:32 EDT
Created attachment 131116 [details]
dvipdfm backtrace

This is a backtrace by running dvipdfm on test.dvi (mentioned earlier)

(note: 
[user@localhost ~]$ rpm -q tetex
tetex-3.0-19.fc5
[user@localhost ~]$ rpm -q tetex-debuginfo
tetex-debuginfo-3.0-19.fc5
)
Comment 7 Jindrich Novy 2006-06-18 08:54:17 EDT
Created attachment 131117 [details]
Patch to fix the buffer overflow.

Thanks, I can see it from the code now. It's an obvious sprintf buffer
overflow. The size of date_string should be larger by one byte.
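
The one-byte shortfall described in Comment 7, as an added example that is not dvipdfm's code and not the attached patch. The date format ("D:YYYYMMDDHHMMSS"), the buffer sizes and the sample timestamp are assumptions made for illustration; what it shows is why a buffer sized for the visible characters but not the terminating NUL trips glibc's __sprintf_chk (the __chk_fail frame in the backtrace above), and how a bounded snprintf() with a checked return value fails safely instead:

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/*
 * Added example, not dvipdfm code. Assumption: the date is written in the
 * PDF form "D:YYYYMMDDHHMMSS", 16 visible characters. sprintf() also stores
 * the terminating NUL, so the buffer must hold 17 bytes. A 16-byte buffer
 * is exactly the kind of one-byte shortfall that, with _FORTIFY_SOURCE,
 * glibc's __sprintf_chk detects and reports as
 * "*** buffer overflow detected ***" before aborting.
 */
#define PDF_DATE_CHARS   16                   /* strlen("D:20060618085417") */
#define DATE_BUF_UNSAFE  PDF_DATE_CHARS       /* hypothetical buggy size: no room for NUL */
#define DATE_BUF_SAFE    (PDF_DATE_CHARS + 1) /* one byte larger, as the fix requires */

static const char PDF_DATE_FMT[] = "D:%04d%02d%02d%02d%02d%02d";

static int format_into(char *buf, size_t size, const struct tm *t)
{
    return snprintf(buf, size, PDF_DATE_FMT,
                    t->tm_year + 1900, t->tm_mon + 1, t->tm_mday,
                    t->tm_hour, t->tm_min, t->tm_sec);
}

/* Bytes an unchecked sprintf() would store for this timestamp, NUL included. */
size_t pdf_date_needed(const struct tm *t)
{
    int n = format_into(NULL, 0, t);   /* C99: size 0 measures without writing */
    return n < 0 ? 0 : (size_t)n + 1;
}

/* 1 if sprintf() into a buffer of bufsize bytes would write past its end. */
int pdf_date_would_overflow(size_t bufsize, const struct tm *t)
{
    return pdf_date_needed(t) > bufsize;
}

/* Hardened formatter: bounded write, result always NUL-terminated.
 * Returns 0 on success, -1 if the buffer was too small (output truncated). */
int pdf_date_format(char *buf, size_t size, const struct tm *t)
{
    int n = format_into(buf, size, t);
    if (n < 0 || (size_t)n >= size)
        return -1;
    return 0;
}

/* Constructed sample timestamp: 2006-06-18 08:54:17 (not read from the system). */
struct tm sample_time(void)
{
    struct tm t;
    memset(&t, 0, sizeof t);
    t.tm_year = 2006 - 1900;
    t.tm_mon  = 6 - 1;
    t.tm_mday = 18;
    t.tm_hour = 8;
    t.tm_min  = 54;
    t.tm_sec  = 17;
    return t;
}

int main(void)
{
    struct tm t = sample_time();
    char buf[DATE_BUF_SAFE];

    printf("bytes needed, NUL included: %zu\n", pdf_date_needed(&t));
    printf("%d-byte buffer overflows: %d\n", DATE_BUF_UNSAFE,
           pdf_date_would_overflow(DATE_BUF_UNSAFE, &t));
    printf("%d-byte buffer overflows: %d\n", DATE_BUF_SAFE,
           pdf_date_would_overflow(DATE_BUF_SAFE, &t));
    if (pdf_date_format(buf, sizeof buf, &t) == 0)
        printf("formatted: %s\n", buf);
    return 0;
}
```

The unsafe size is deliberately never passed to a real sprintf() here; pdf_date_would_overflow() reports the shortfall from the measured length instead, so the example runs cleanly while still showing that 16 bytes is one short. Sizing from the measured length (or from sizeof the buffer in snprintf()) is the habit that removes this whole bug class, whether or not the binary is built with _FORTIFY_SOURCE.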
Comment 8 Jindrich Novy 2006-06-24 15:06:49 EDT
The patch is now applied in devel tetex-3.0-26.
Comment 9 Creo 2006-06-27 16:18:07 EDT
thank you so much!