Bug 5687 - Buffer overrun inside gnome libraries
Summary: Buffer overrun inside gnome libraries
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: gnome-libs (Show other bugs)
(Show other bugs)
Version: 6.0
Hardware: i386 Linux
medium
medium
Target Milestone: ---
Assignee: Elliot Lee
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 1999-10-07 16:54 UTC by rjb
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 1999-11-17 21:54:21 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description rjb 1999-10-07 16:54:33 UTC 
There is a buffer overrun inside the gnome libraries which
appears to be related to the hashing of metadata.db
I have a long backtrace and an even longer strace of an
instance of gmc getting a SEGV.  They are too long
for here but are available at:

http://www.dcs.gla.ac.uk/~rjb/gnome/

The function g_concat_dir_and_file is being called
with overlapping string arguments.

I would be inclined to hypothesise that this may be the
cause of lots of the "works for me" bug reports listed
against gnome.

This is with 6.0 plus all current updates applied:
gnome-core-devel-1.0.7-2
gnome-games-devel-1.0.2-11
gnome-libs-1.0.10-2
gnome-audio-1.0.0-6
gnome-audio-extra-1.0.0-6
gnome-games-1.0.2-11
gnome-linuxconf-0.22-1
gnome-media-1.0.1-3
gnome-objc-1.0.2-4
gnome-objc-devel-1.0.2-4
gnome-pim-1.0.7-2
gnome-pim-devel-1.0.7-2
gnome-users-guide-1.0.5-4rh
gnome-utils-1.0.1-6
pygnome-1.0.1-2
switchdesk-gnome-1.7.0-1
gnome-core-1.0.7-2
gnome-libs-devel-1.0.10-2

I have a core dump too if anyone wants it.
Comment 1 Bill Nottingham 1999-10-07 18:05:59 UTC 
How can we reproduce this?
Comment 2 rjb 1999-10-07 18:12:59 UTC 
I can't reproduce it to order yet -- the best I get is to let one
hundred undergraduates at it and wait...
I am currently trying to get one acount which has seemed quite
prone to repeat it to do so.
Comment 3 Elliot Lee 1999-10-20 16:56:59 UTC 
You are using NFS home directories, correct?

I have heard someone else report a problem like this a long time ago,
but I don't know how to reproduce it. Can you give an 'ls -ld
/users/students3/level3/barnwelc/elc' and see what it looks like?

Also note that many file manager bugs have been fixed since the 6.0
updates - if you're feeling slightly adventurous,
http://www.gnome.org/start/ would get you newer versions of the GNOME
packages.
Comment 4 rjb 1999-10-20 17:29:59 UTC 
I provided notting@redhat.com with a tar file which can be unpacked
in order to reproduce the error. Perhaps you can contact him for it
or email me if he's lost it.  Regarding barnwelc/elc/ note that the
strcat is appending a pointer to the elc of barnwelc to barnwelc --
thats why it crashes!
Comment 5 Elliot Lee 1999-11-02 18:09:59 UTC 
notting doesn't have the tarball any more, and Federico and I looked
at the mc code that does the loop without seeing any possibility of
the reported problem happening. I'm not sure what to do with this bug
report.
Comment 6 rjb 1999-11-02 18:13:59 UTC 
tarball provided to sopwith.
Comment 7 Elliot Lee 1999-11-17 21:54:59 UTC 
Further e-mail conversation indicated this problem was due to using an extremely
old version of Gnome.
Note You need to log in before you can comment on or make changes to this bug.