Bug 507829 - disallowed constructs with gcc -D_FORTIFY_SOURCE=2
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: hunspell
Version: rawhide
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Caolan McNamara
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Blocks: 532481
Reported: 2009-06-24 09:05 EDT by Yanko Kaneti
Modified: 2009-11-02 10:13 EST
CC List: 2 users
Doc Type: Bug Fix
Clones: 532481
Last Closed: 2009-11-02 10:13:45 EST
Attachments: None

Description Yanko Kaneti 2009-06-24 09:05:55 EDT
+++ This bug was initially created as a clone of Bug #506952 +++

There is a problem with the hunspell code that gets flagged (with aborting) by the new fortify checks that gcc in rawhide does. Here are the last two comments from the xulrunner bug. The comments and the crash are for xulrunner's private hunspell copy, but they should apply to hunspell proper as well, as there are no significant modifications from hunspell-1.2.8.

Note that the last hunspell build in rawhide is not done with the stricter gcc, but any potential rebuild would need this addressed.

fixed the startup crash for me but I get a reproducible fortify fail opening this particular bug report. (Logged in, hence with the comments box present and that hunspell stuff you can see below)
......

#3  0x0000003ccf6f7537 in *__GI___fortify_fail (
    msg=0x3ccf73436f "buffer overflow detected") at fortify_fail.c:32
#4  0x0000003ccf6f5590 in *__GI___chk_fail () at chk_fail.c:29
#5  0x00007ffff1537c12 in strcpy (__src=<value optimized out>, 
    __dest=<value optimized out>) at /usr/include/bits/string3.h:106
#6  HashMgr::add_word (__src=<value optimized out>, __dest=<value optimized out>)
    at hashmgr.cpp:191
#7  0x00007ffff1538313 in HashMgr::load_tables (this=0x324a430, 
    tpath=<value optimized out>, key=<value optimized out>) at hashmgr.cpp:527
#8  0x00007ffff1538473 in HashMgr::HashMgr (this=0x324a430, 
    tpath=0x7fffffff9360 "/usr/lib64/xulrunner-1.9.1/dictionaries/en_ZW.dic", 
    apath=<value optimized out>, key=0x0) at hashmgr.cpp:105
#9  0x00007ffff153cae5 in Hunspell::Hunspell (this=0x324a340, 
    affpath=0x3912d38 "/usr/lib64/xulrunner-1.9.1/dictionaries/en_ZW.aff", 
    dpath=0x7fffffff9360 "/usr/lib64/xulrunner-1.9.1/dictionaries/en_ZW.dic", key=0x0)
    at hunspell.cpp:87
#10 0x00007ffff1527ef2 in mozHunspell::SetDictionary (this=0x39d11d0, 
    aDictionary=<value optimized out>) at mozHunspell.cpp:157
#11 0x00007ffff151e737 in mozSpellChecker::SetCurrentDictionary (this=0x324a2b0, 
    aDictionary=@0x7fffffff9470) at mozSpellChecker.cpp:373
#12 0x00007ffff140afef in nsEditorSpellCheck::SetCurrentDictionary (
    this=<value optimized out>, aDictionary=<value optimized out>)
    at nsEditorSpellCheck.cpp:455
#13 0x00007ffff140c0e0 in nsEditorSpellCheck::InitSpellChecker (this=0x39d0e20, 
    aEditor=0x7ffff0dbeb3c, aEnableSelectionChecking=0) at nsEditorSpellCheck.cpp:212
#14 0x00007ffff1522fba in mozInlineSpellChecker::SetEnableRealTimeSpell (this=0x39cd190, 
    aEnabled=<value optimized out>) at mozInlineSpellChecker.cpp:726
#15 0x00007ffff116072e in nsEditor::SyncRealTimeSpell (this=0x2dcc390)
    at nsEditor.cpp:1341
#16 0x00007ffff115976b in nsEditor::PostCreate (this=0x228e) at nsEditor.cpp:246
.....

--- Additional comment from jakub@redhat.com on 2009-06-24 08:18:40 EDT ---

struct hentry
{
  unsigned char blen; // word length in bytes
  unsigned char clen; // word length in characters (different for UTF-8 enc.)
  short    alen;      // length of affix flag vector
  unsigned short * astr;  // affix flag vector
  struct   hentry * next; // next word with same hash code
  struct   hentry * next_homonym; // next homonym word (with same hash code)
  char     var;       // variable fields (only for special pronunciation yet)
  char     word;      // variable-length word (8-bit or UTF-8 encoding)
};
...
    // variable-length hash record with word and optional fields
    struct hentry* hp = 
        (struct hentry *) malloc (sizeof(struct hentry) + wbl + descl);
    if (!hp) return 1;
    char * hpw = &(hp->word);
    strcpy(hpw, word);

That's intentionally not allowed with -D_FORTIFY_SOURCE=2, which doesn't allow crossing field boundaries for str*/stp* etc. functions (and still allows that for mem* etc.).  Change that to char word[1];, or char word[];, or char word[0].
In the latter two cases (flexible array member and zero length) you obviously need to check all the allocations, because sizeof(struct hentry) will decrease by 1, in the first case not.  Only arrays as last fields are flexible array members or handled as poor alternatives to flexible array members by gcc.
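The construct jakub describes and the fix he suggests, as an added example (not hunspell's code and not from the bug): the one-byte trailing member that a fortified strcpy() refuses to write past, beside the flexible-array-member form it accepts, with the allocation size taken from offsetof() so that it does not depend on how much trailing padding the struct has. Field names follow the hentry snippet above; the meaning given to `var` (a "has description" flag) and the 8-bit-only `clen` are assumptions of the example, and nothing here writes through the old layout.

```c
/* Added example, not hunspell's own code: the trailing-member pattern that
 * -D_FORTIFY_SOURCE=2 rejects, beside the flexible-array-member form that is
 * accepted, with the allocation size computed from the real layout. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Pattern that aborts under -D_FORTIFY_SOURCE=2: `word` is a one-byte field,
 * so strcpy(&hp->word, ...) has to cross a field boundary to store anything
 * longer than "". Kept only for the sizeof() comparison below. */
struct hentry_old {
    unsigned char blen;
    unsigned char clen;
    short alen;
    unsigned short *astr;
    struct hentry_old *next;
    struct hentry_old *next_homonym;
    char var;
    char word;      /* single char standing in for a variable-length buffer */
};

/* Fixed form: a flexible array member. The compiler knows `word` extends to
 * the end of the allocation, so fortified strcpy()/memcpy() accept it. */
struct hentry_new {
    unsigned char blen;
    unsigned char clen;
    short alen;
    unsigned short *astr;
    struct hentry_new *next;
    struct hentry_new *next_homonym;
    char var;       /* assumption for this example: 1 if a description follows */
    char word[];    /* variable-length word, NUL, then optional description */
};

/* Bytes to allocate so that `word` (wbl bytes + NUL) and descl description
 * bytes fit. offsetof() rather than sizeof(): the old code sized its malloc()
 * from sizeof(struct hentry), which changes once `word` becomes a flexible
 * array member, which is exactly why every allocation had to be rechecked. */
size_t hentry_alloc_size(size_t wbl, size_t descl)
{
    return offsetof(struct hentry_new, word) + wbl + 1 + descl;
}

/* Allocate and fill an entry; the description (if any) is stored after the
 * word's NUL. Returns NULL if the word does not fit in blen or on OOM. */
struct hentry_new *hentry_create(const char *word, const char *desc)
{
    size_t wbl = strlen(word);
    size_t descl = desc ? strlen(desc) + 1 : 0;
    if (wbl > 255)                       /* blen is an unsigned char */
        return NULL;
    struct hentry_new *hp = calloc(1, hentry_alloc_size(wbl, descl));
    if (!hp)
        return NULL;
    hp->blen = (unsigned char)wbl;
    hp->clen = hp->blen;                 /* assumption: 8-bit encoding, chars == bytes */
    memcpy(hp->word, word, wbl + 1);     /* in bounds: word[] runs to the end */
    if (desc)
        memcpy(hp->word + wbl + 1, desc, descl);
    hp->var = desc ? 1 : 0;
    return hp;
}

/* Pointer to the stored description, or NULL when there is none. */
const char *hentry_desc(const struct hentry_new *hp)
{
    return hp->var ? hp->word + hp->blen + 1 : NULL;
}

/* How much the nominal struct size shrinks when `char word;` becomes
 * `char word[];`: one byte in the common case, or zero when the trailing
 * padding absorbs it (as it does for this layout on LP64 targets). */
size_t hentry_sizeof_shrink(void)
{
    return sizeof(struct hentry_old) - sizeof(struct hentry_new);
}
```

Compiled with -O2 -D_FORTIFY_SOURCE=2, a strcpy() into `&hp->word` of the old struct is replaced by __strcpy_chk() with a destination size of 1, and any non-empty word reaches __chk_fail() as in the backtraces above; the same copy into the flexible array member is left alone because its object size runs to the end of the allocation.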
Comment 1 Caolan McNamara 2009-06-24 09:35:56 EDT
indeed
Comment 2 Caolan McNamara 2009-06-24 11:16:45 EDT
hunspell-1.2.8-6.fc12 should do the trick, in theory at least, hard to be certain given the busted state of my local rawhide setup
Comment 3 Yanko Kaneti 2009-06-24 12:09:03 EDT
Adapted to the mozilla copy it certainly helps firefox not crash. Thanks.
Comment 4 Deji Akingunola 2009-11-02 09:37:36 EST
I'm re-opening this bug because a similar problem is preventing texmaker from starting. Here is what I get when I try to run texmaker in gdb:
... 
(gdb) bt
#0  0x00000031da433575 in raise (sig=<value optimized out>)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00000031da434d55 in abort () at abort.c:92
#2  0x00000031da470393 in __libc_message (do_abort=<value optimized out>, 
    fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:186
#3  0x00000031da4faae7 in __fortify_fail (msg=
    0x31da540fb5 "buffer overflow detected") at fortify_fail.c:32
#4  0x00000031da4f8a50 in __chk_fail () at chk_fail.c:29
#5  0x00000000004ff3fb in strcpy (__src=<value optimized out>, 
    __dest=<value optimized out>) at /usr/include/bits/string3.h:106
#6  HashMgr::add_word (__src=<value optimized out>, 
    __dest=<value optimized out>) at hunspell/hashmgr.cxx:138
#7  0x00000000004ffc5e in HashMgr::load_tables (this=0xb76dc0, 
    tpath=<value optimized out>, key=<value optimized out>)
    at hunspell/hashmgr.cxx:474
#8  0x00000000004ffe32 in HashMgr::HashMgr (this=0xb76dc0, tpath=
    0xbaabd8 "/usr/share/myspell/en_US.dic", apath=<value optimized out>, key=
    0x0) at hunspell/hashmgr.cxx:52
#9  0x000000000050535a in Hunspell::Hunspell (this=0xb8a2b0, affpath=
    0xb74e58 "/usr/share/myspell/en_US.aff", dpath=
    0xbaabd8 "/usr/share/myspell/en_US.dic", key=0x0)
    at hunspell/hunspell.cxx:35
#10 0x0000000000470e1e in Texmaker::Texmaker (this=0xb82810,
Comment 5 Caolan McNamara 2009-11-02 10:13:45 EST
texmaker has a copy of hunspell inside it; it's that copy which is crashing, not the system version.