Bug 426068 - dvd+rw-format crashes inside wctomb
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: dvd+rw-tools
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: urgent
Assigned To: Harald Hoyer
QA Contact: Fedora Extras Quality Assurance
Duplicates: 425918 429096
Reported: 2007-12-18 01:06 EST by Jonathan Kamens
Modified: 2008-03-26 04:01 EDT (History)
Doc Type: Bug Fix
Last Closed: 2008-03-26 04:01:48 EDT
Attachments (Terms of Use)
patch to fix buffer overflow in wctomb (371 bytes, patch)
2008-03-25 21:29 EDT, Jonathan Kamens
Description Jonathan Kamens 2007-12-18 01:06:25 EST
I've got current rawhide everything, including gcc-4.1.2-36, glibc-2.7.90-1,
dvd+rw-tools-7.0-8.fc9.

dvd+rw-format crashes for me on startup.  It's the child process that's
crashing.  Backtrace from the core file:


#0  0x0012d402 in __kernel_vsyscall ()
#1  0x0028e820 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0x00290121 in abort () at abort.c:88
#3  0x002c8ccb in __libc_message (do_abort=2, 
    fmt=0x392088 "*** %s ***: %s terminated\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#4  0x00351768 in __fortify_fail (msg=0x392057 "buffer overflow detected")
    at fortify_fail.c:32
#5  0x0034fe10 in __chk_fail () at chk_fail.c:29
#6  0x003507ec in __wctomb_chk (s=0x8050688 "", wchar=177, buflen=0)
    at wctomb_chk.c:33
#7  0x08048ed6 in plusminus_locale () at /usr/include/bits/stdlib.h:94
#8  0x0804ae25 in main (argc=2, argv=0xbfc813f4) at dvd+rw-format.cpp:253
#9  0x0027b4a0 in __libc_start_main (main=0x804ad50 <main>, argc=2, 
    ubp_av=0xbfc813f4, init=0x804e580 <__libc_csu_init>, 
    fini=0x804e570 <__libc_csu_fini>, rtld_fini=0x11e9a0 <_dl_fini>, 
    stack_end=0xbfc813ec) at libc-start.c:220
#10 0x08048bf1 in _start ()

I've narrowed it down to the fact that it was built with _FORTIFY_SOURCE=2 and
wctomb is aborting because the call to __builtin_object_size is returning 0.  I
do not understand the arcana of the compiler, __builtin_object_size or FORTIFY
here enough to understand which moving part isn't working properly.
Comment 1 Harald Hoyer 2008-01-08 04:13:51 EST
Looks like a glibc bug.
Comment 2 Jakub Jelinek 2008-01-08 04:28:25 EST
Nay.

extern "C" char *plusminus_locale()
{ static class __plusminus {
    private:
        char str[4];    /* too small: wctomb() may write up to MB_CUR_MAX bytes (6 for UTF-8) */
    public:
        __plusminus()   {   setlocale(LC_CTYPE,ENV_LOCALE);
                            int l = wctomb(str,(wchar_t)(unsigned char)'.');
                            if (l>0)    str[l]='\0';
                            else        str[0]='.',str[1]='\0';
                        }
        ~__plusminus()  { }
        operator char*(){ return str; }
  } plusminus;

  return plusminus;
}

and see man wctomb:

    The programmer must ensure that there is room for at least MB_CUR_MAX bytes at s.

For UTF-8 MB_CUR_MAX is 6, which is bigger than 4 and that's why glibc is
complaining.  If you don't want a VLA buffer, you can use MB_LEN_MAX (16 for
glibc), which is guaranteed to be >= MB_CUR_MAX for any supported locale.
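A hardened counterpart of the function quoted above, written here as an added example rather than taken from dvd+rw-tools or the attached patch: the 4-byte buffer becomes MB_LEN_MAX as suggested, and a small wrapper makes the MB_CUR_MAX rule that __wctomb_chk enforces explicit. It assumes the project's ENV_LOCALE macro is "" (the environment's locale); the names checked_wctomb, plusminus_locale_fixed and demonstrate are hypothetical.

```cpp
#include <climits>   // MB_LEN_MAX
#include <clocale>   // setlocale
#include <cstdlib>   // wctomb, MB_CUR_MAX, size_t
#include <cstring>   // strcmp

// Mirror of the rule __wctomb_chk enforces: wctomb() may write up to
// MB_CUR_MAX bytes, so a destination smaller than that is an overflow
// waiting to happen. Returns the byte count, or -1 when buf is too small
// (nothing is written in that case) or the character cannot be encoded.
int checked_wctomb(char *buf, size_t buflen, wchar_t wc) {
    if (buflen < static_cast<size_t>(MB_CUR_MAX)) return -1;
    return wctomb(buf, wc);
}

// Hardened version of plusminus_locale() from comment 2. The buffer holds
// MB_LEN_MAX (16 on glibc) bytes, which is >= MB_CUR_MAX in every supported
// locale, so the 4-byte overflow that tripped _FORTIFY_SOURCE=2 cannot recur.
// `locale` stands in for the project's ENV_LOCALE macro (assumption: "" picks
// the environment's locale).
const char *plusminus_locale_fixed(const char *locale) {
    static class PlusMinus {
        char str[MB_LEN_MAX + 1];          // MB_CUR_MAX bytes plus terminating NUL
    public:
        explicit PlusMinus(const char *loc) {
            setlocale(LC_CTYPE, loc);
            int l = checked_wctomb(str, MB_LEN_MAX, (wchar_t)(unsigned char)'.');
            if (l > 0) str[l] = '\0';                  // l <= MB_LEN_MAX, in bounds
            else       str[0] = '.', str[1] = '\0';    // fall back to a plain '.'
        }
        operator const char *() { return str; }
    } plusminus(locale);
    return plusminus;
}

// Runs both scenarios in the "C" locale: a buffer smaller than MB_CUR_MAX is
// refused without being written, and the properly sized one yields ".".
bool demonstrate() {
    if (!setlocale(LC_CTYPE, "C")) return false;
    char small[1];
    if (checked_wctomb(small, 0, L'.') != -1) return false;
    return strcmp(plusminus_locale_fixed("C"), ".") == 0;
}
```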
Comment 3 Rex Dieter 2008-02-18 09:55:57 EST
*** Bug 429096 has been marked as a duplicate of this bug. ***
Comment 4 Rex Dieter 2008-02-18 09:56:04 EST
*** Bug 425918 has been marked as a duplicate of this bug. ***
Comment 5 Jonathan Kamens 2008-03-25 21:22:05 EDT
It sort of sucks that this is still broken over three months after the bug
report was filed, when Jakub has explained how it can be easily fixed.
Comment 6 Jonathan Kamens 2008-03-25 21:29:29 EDT
Created attachment 299085 [details]
patch to fix buffer overflow in wctomb

Here's a patch.
Comment 7 Harald Hoyer 2008-03-26 04:01:48 EDT
Sorry, bug radar failed; built dvd+rw-tools-7.0-10 in rawhide.