Bug 426068 - dvd+rw-format crashes inside wctomb
Summary: dvd+rw-format crashes inside wctomb
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: dvd+rw-tools
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: urgent
Target Milestone: ---
Assignee: Harald Hoyer
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 425918 429096
Depends On:
Blocks:
 
Reported: 2007-12-18 06:06 UTC by Jonathan Kamens
Modified: 2008-03-26 08:01 UTC (History)
CC List: 4 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-03-26 08:01:48 UTC
Type: ---
Embargoed:


Attachments
patch to fix buffer overflow in wctomb (371 bytes, patch), 2008-03-26 01:29 UTC, Jonathan Kamens

Description Jonathan Kamens 2007-12-18 06:06:25 UTC
I've got current rawhide everything, including gcc-4.1.2-36, glibc-2.7.90-1,
dvd+rw-tools-7.0-8.fc9.

dvd+rw-format crashes for me on startup.  It's the child process that's
crashing.  Backtrace from the core file:


#0  0x0012d402 in __kernel_vsyscall ()
#1  0x0028e820 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0x00290121 in abort () at abort.c:88
#3  0x002c8ccb in __libc_message (do_abort=2, 
    fmt=0x392088 "*** %s ***: %s terminated\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#4  0x00351768 in __fortify_fail (msg=0x392057 "buffer overflow detected")
    at fortify_fail.c:32
#5  0x0034fe10 in __chk_fail () at chk_fail.c:29
#6  0x003507ec in __wctomb_chk (s=0x8050688 "", wchar=177, buflen=0)
    at wctomb_chk.c:33
#7  0x08048ed6 in plusminus_locale () at /usr/include/bits/stdlib.h:94
#8  0x0804ae25 in main (argc=2, argv=0xbfc813f4) at dvd+rw-format.cpp:253
#9  0x0027b4a0 in __libc_start_main (main=0x804ad50 <main>, argc=2, 
    ubp_av=0xbfc813f4, init=0x804e580 <__libc_csu_init>, 
    fini=0x804e570 <__libc_csu_fini>, rtld_fini=0x11e9a0 <_dl_fini>, 
    stack_end=0xbfc813ec) at libc-start.c:220
#10 0x08048bf1 in _start ()

I've narrowed it down to the fact that it was built with _FORTIFY_SOURCE=2 and
wctomb is aborting because the call to __builtin_object_size is returning 0.  I
do not understand the arcana of the compiler, __builtin_object_size or FORTIFY
here enough to understand which moving part isn't working properly.

Comment 1 Harald Hoyer 2008-01-08 09:13:51 UTC
looks like a glibc bug

Comment 2 Jakub Jelinek 2008-01-08 09:28:25 UTC
Nay.

extern "C" char *plusminus_locale()
{ static class __plusminus {
    private:
        char str[4];            // too small: wctomb() may write up to MB_CUR_MAX bytes
    public:
        __plusminus()   {   setlocale(LC_CTYPE,ENV_LOCALE);
                            int l = wctomb(str,(wchar_t)(unsigned char)'.');
                            if (l>0)    str[l]='\0';
                            else        str[0]='.',str[1]='\0';
                        }
        ~__plusminus()  { }
        operator char*(){ return str; }
  } plusminus;

  return plusminus;
}

and see man wctomb:
The programmer must ensure that there is room for at least MB_CUR_MAX bytes at s.
For UTF-8 MB_CUR_MAX is 6, which is bigger than 4, and that's why glibc is
complaining.  If you don't want a VLA buffer, you can use MB_LEN_MAX (16 for
glibc), which is guaranteed to be >= MB_CUR_MAX for any supported locale.
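A hardened version of the conversion discussed in the comment above, written as an added example that is not from the bug report or from dvd+rw-tools: the buffer is sized with MB_LEN_MAX as suggested, the precondition from the man page is checked at runtime, and the '.' fallback is kept. The names MbChar, wide_to_mb and plusminus_for_locale are my own, not the project's.

```cpp
#include <climits>   // MB_LEN_MAX: compile-time upper bound on MB_CUR_MAX (16 on glibc)
#include <clocale>
#include <cstdlib>   // wctomb, MB_CUR_MAX (a runtime value that depends on LC_CTYPE)
#include <cstring>

// Buffer large enough for the longest multibyte sequence of any supported locale,
// plus a terminator. The original char str[4] was smaller than UTF-8's MB_CUR_MAX
// of 6, which is what _FORTIFY_SOURCE=2 caught in __wctomb_chk.
struct MbChar { char str[MB_LEN_MAX + 1]; };

// Converts one wide character to the current locale's multibyte form.
// Returns the number of bytes written, 0 if the locale cannot encode wc and the
// single-byte fallback was stored instead, or -1 if the buffer would be too small
// (cannot happen with an MB_LEN_MAX-sized buffer; kept as a defensive check).
int wide_to_mb(wchar_t wc, char fallback, MbChar *out) {
    if (static_cast<size_t>(MB_CUR_MAX) > sizeof(out->str) - 1) return -1;
    int l = wctomb(out->str, wc);
    if (l > 0) { out->str[l] = '\0'; return l; }
    out->str[0] = fallback;
    out->str[1] = '\0';
    return 0;
}

// Hardened counterpart of plusminus_locale(): the plus-minus sign (U+00B1, the
// wchar=177 seen in the backtrace) encoded for locale_name, or "." when the
// locale cannot encode it. Returns NULL if locale_name is not installed.
const char *plusminus_for_locale(const char *locale_name) {
    static MbChar pm;
    if (setlocale(LC_CTYPE, locale_name) == NULL) return NULL;
    wctomb(NULL, 0);  // reset any shift state before converting
    wide_to_mb(static_cast<wchar_t>(0xB1), '.', &pm);
    return pm.str;
}
```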

Comment 3 Rex Dieter 2008-02-18 14:55:57 UTC
*** Bug 429096 has been marked as a duplicate of this bug. ***

Comment 4 Rex Dieter 2008-02-18 14:56:04 UTC
*** Bug 425918 has been marked as a duplicate of this bug. ***

Comment 5 Jonathan Kamens 2008-03-26 01:22:05 UTC
It sort of sucks that this is still broken over three months after the bug
report was filed, when Jakub has explained how it can be easily fixed.


Comment 6 Jonathan Kamens 2008-03-26 01:29:29 UTC
Created attachment 299085
patch to fix buffer overflow in wctomb

Here's a patch.

Comment 7 Harald Hoyer 2008-03-26 08:01:48 UTC
sorry, bug radar failed, built dvd+rw-tools-7.0-10 in rawhide

