Stack smashing in libcdk5 calendar applet

Bug #290624 reported by Phil Pemberton
Affects           Status        Importance  Assigned to  Milestone
libcdk5 (Debian)  Fix Released  Unknown
libcdk5 (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

Binary package hint: libcdk5

Ubuntu release: 8.04.1
Source Package: libcdk5 5.0.20060507-1
What I expected to happen: I expected the Calendar widget, and calendar_ex example program to work correctly.
What actually happened: glibc stack smashing alert and SIGABRT.

I compiled the demo applications that were included in CDK 5.0.20060507-1 (after some modifications to the Makefile), and the calendar example failed to run. In fact, instead of running, it produced the following backtrace output:

*** stack smashing detected ***: ./calendar_ex terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7ecc138]
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x0)[0xb7ecc0f0]
/usr/lib/libcdk.so.5[0xb7f96314]
/usr/lib/libcdk.so.5[0xb7f75ccd]
./calendar_ex[0x8048dc6]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0xb7df5450]
./calendar_ex[0x8048a01]
======= Memory map: ========
08048000-0804a000 r-xp 00000000 08:02 452935 /home/philpem/Projects/cdk_tests/calendar_ex
0804a000-0804b000 rw-p 00001000 08:02 452935 /home/philpem/Projects/cdk_tests/calendar_ex
0804b000-0806c000 rw-p 0804b000 00:00 0 [heap]
b7c62000-b7c6c000 r-xp 00000000 08:02 827445 /lib/libgcc_s.so.1
b7c6c000-b7c6d000 rw-p 0000a000 08:02 827445 /lib/libgcc_s.so.1
b7c81000-b7cba000 rw-p b7c81000 00:00 0
b7cba000-b7cf9000 r--p 00000000 08:02 1740016 /usr/lib/locale/en_GB.utf8/LC_CTYPE
b7cf9000-b7dda000 r--p 00000000 08:02 1740015 /usr/lib/locale/en_GB.utf8/LC_COLLATE
b7dda000-b7ddb000 rw-p b7dda000 00:00 0
b7ddb000-b7ddd000 r-xp 00000000 08:02 844839 /lib/tls/i686/cmov/libdl-2.7.so
b7ddd000-b7ddf000 rw-p 00001000 08:02 844839 /lib/tls/i686/cmov/libdl-2.7.so
b7ddf000-b7f28000 r-xp 00000000 08:02 844835 /lib/tls/i686/cmov/libc-2.7.so
b7f28000-b7f29000 r--p 00149000 08:02 844835 /lib/tls/i686/cmov/libc-2.7.so
b7f29000-b7f2b000 rw-p 0014a000 08:02 844835 /lib/tls/i686/cmov/libc-2.7.so
b7f2b000-b7f2f000 rw-p b7f2b000 00:00 0
b7f2f000-b7f5c000 r-xp 00000000 08:02 827473 /lib/libncurses.so.5.6
b7f5c000-b7f5f000 rw-p 0002c000 08:02 827473 /lib/libncurses.so.5.6
b7f5f000-b7f98000 r-xp 00000000 08:02 1714974 /usr/lib/libcdk.so.5.0
b7f98000-b7f9a000 rw-p 00038000 08:02 1714974 /usr/lib/libcdk.so.5.0
b7f9d000-b7f9e000 r--p 00000000 08:02 1740021 /usr/lib/locale/en_GB.utf8/LC_NUMERIC
b7f9e000-b7f9f000 r--p 00000000 08:02 1738503 /usr/lib/locale/en_GB.utf8/LC_TIME
b7f9f000-b7fa0000 r--p 00000000 08:02 1739018 /usr/lib/locale/en_GB.utf8/LC_MONETARY
b7fa0000-b7fa1000 r--p 00000000 08:02 1753138 /usr/lib/locale/en_GB.utf8/LC_MESSAGES/SYS_LC_MESSAGES
b7fa1000-b7fa2000 r--p 00000000 08:02 1740022 /usr/lib/locale/en_GB.utf8/LC_PAPER
b7fa2000-b7fa3000 r--p 00000000 08:02 1739965 /usr/lib/locale/en_GB.utf8/LC_NAME
b7fa3000-b7fa4000 r--p 00000000 08:02 1739013 /usr/lib/locale/en_GB.utf8/LC_ADDRESS
b7fa4000-b7fa5000 r--p 00000000 08:02 1738989 /usr/lib/locale/en_GB.utf8/LC_TELEPHONE
b7fa5000-b7fa6000 r--p 00000000 08:02 1740018 /usr/lib/locale/en_GB.utf8/LC_MEASUREMENT
b7fa6000-b7fad000 r--s 00000000 08:02 1723071 /usr/lib/gconv/gconv-modules.cache
b7fad000-b7fae000 r--p 00000000 08:02 1738496 /usr/lib/locale/en_GB.utf8/LC_IDENTIFICATION
b7fae000-b7fb0000 rw-p b7fae000 00:00 0
b7fb0000-b7fb1000 r-xp b7fb0000 00:00 0 [vdso]
b7fb1000-b7fcb000 r-xp 00000000 08:02 927069 /lib/ld-2.7.so
b7fcb000-b7fcd000 rw-p 00019000 08:02 927069 /lib/ld-2.7.so
bfb5e000-bfb73000 rw-p bffeb000 00:00 0 [stack]
Aborted

Due to the lack of debug symbols in the release libraries, I recompiled libcdk with CFLAGS="-g -ggdb", then relinked calendar_ex against the new static library:
CFLAGS="-g -ggdb" bash ./configure
make
make cdkshlib
mkdir -p /tmp/cdkdebug
cp libcdk.* /tmp/cdkdebug

Then to rebuild calendar_ex (the -DExitProgram is a modification that removes the need for cdk_test.h -- I search/replaced all instances of <cdk_test.h> with <cdk/cdk.h> in the example .c source files):
gcc -Wall -g -ggdb -DHAVE_CONFIG_H -I../include -I./../include -I. -D_GNU_SOURCE -DExitProgram=exit calendar_ex.c -o calendar_ex -L.. -lcdk -lncurses -L/tmp/cdkdebug

After running the app again through gdb, it still crashed. The backtrace pointed to an error in the function "drawCDKCalendarField" in calendar.c. It seems the underlying issue is that a statically-allocated string is being declared, and being overrun by the sprintf at line 498. Temp is declared on line 462, as a char[10].

The sprintf creates a string containing the month name and day number, separated by a space, and with a trailing comma. That means that if the day number is between 1 and 9, the length of the final string will be strlen(monthname)+3, or strlen(monthname)+4 for a 2-digit day (excluding the trailing null). As the variable is allocated as 10 bytes, the month name can be no longer than 5 characters (noting the trailing null). Therefore, this code will only work properly if the date to display is some time in March, April, May, June or July.

To fix this bug, I increased the length of the temp[] char-array (line 462) to 14 bytes. This is based on:
- September is the month with the longest name (9 characters)
- Maximum of 2 digits for the day number
- 2 bytes for the space and trailing comma
- 1 byte for the trailing null
= 14 bytes.

A patch that resolves this bug is attached.
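The sizing argument above, as an added example that is not part of the bug report or of CDK's own source: the only facts taken from the report are the 10-byte buffer, the "month name, space, day, comma" layout and the 14-byte fix. The "%s %d," format string, the English month-name table and the function names are assumptions made for this example; the real sprintf at calendar.c line 498 may be written differently. The example computes the worst-case size over the whole year with snprintf(NULL, 0, ...) (a C99 idiom that only reports the length) and shows the unsafe fixed-buffer pattern next to a bounded formatter that reports truncation instead of overrunning the stack.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Month names assumed for this example; CDK's own table may differ. */
static const char *const month_names[12] = {
    "January", "February", "March",     "April",   "May",      "June",
    "July",    "August",   "September", "October", "November", "December"
};

/* Bytes needed to hold "<month> <day>," including the terminating NUL.
 * snprintf with a NULL buffer and size 0 performs no write and returns
 * the length the full output would have. */
size_t field_bytes_needed(const char *month, int day)
{
    int n = snprintf(NULL, 0, "%s %d,", month, day);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Largest requirement over every month and day 1..31. This is the
 * number the reporter derived by hand (September + 2 digits + 2 + NUL). */
size_t field_bytes_worst_case(void)
{
    size_t worst = 0;
    for (int m = 0; m < 12; m++) {
        for (int d = 1; d <= 31; d++) {
            size_t need = field_bytes_needed(month_names[m], d);
            if (need > worst)
                worst = need;
        }
    }
    return worst;
}

/* Shape of the reported bug (assumed, not CDK's literal code): a
 * 10-byte stack array and an unbounded sprintf. With a month name longer
 * than 5 characters this writes past temp[] and corrupts the stack
 * canary, which is what glibc's "stack smashing detected" abort reports.
 * Shown for comparison only; do not call it. */
void vulnerable_field(const char *month, int day)
{
    char temp[10];
    sprintf(temp, "%s %d,", month, day);   /* no bound: overflow for "August 10," and longer */
    puts(temp);
}

/* Bounded formatter: never writes beyond buf[bufsz-1]. Returns false when
 * the output did not fit, so the caller can enlarge the buffer instead of
 * silently displaying a truncated date. */
bool format_day_field(char *buf, size_t bufsz, const char *month, int day)
{
    if (buf == NULL || bufsz == 0)
        return false;
    int n = snprintf(buf, bufsz, "%s %d,", month, day);
    return n >= 0 && (size_t)n < bufsz;
}

int main(void)
{
    char small[10];   /* the original size */
    char fixed[14];   /* the size chosen by the patch */

    printf("worst case over the year: %zu bytes\n", field_bytes_worst_case());

    bool ok10 = format_day_field(small, sizeof small, "September", 30);
    printf("10-byte buffer, September 30: %s (\"%s\")\n",
           ok10 ? "fits" : "TRUNCATED", small);

    bool ok14 = format_day_field(fixed, sizeof fixed, "September", 30);
    printf("14-byte buffer, September 30: %s (\"%s\")\n",
           ok14 ? "fits" : "TRUNCATED", fixed);
    return 0;
}
```

Compiling with -fstack-protector (the Ubuntu default that produced the report's abort) and calling vulnerable_field("September", 30) reproduces the "*** stack smashing detected ***" message; the bounded version returns false for the same input on a 10-byte buffer and succeeds on 14 bytes, which is the check a reviewer of the patch would want to see.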

Revision history for this message
Phil Pemberton (philpem) wrote :

This was also reported in Debian #452401 last year by Ron Murray: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=452401

Nearly a year later, the bug is still listed as open, unfixed...

Changed in libcdk5:
status: Unknown → New
Changed in libcdk5 (Debian):
status: New → Confirmed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libcdk5 - 5.0.20060507-3

---------------
libcdk5 (5.0.20060507-3) unstable; urgency=low

  * QA Upload.
  * Policy 3.9.1 (see Lintian cleaning below) and debian/compat 8
  * Lintian cleaning
    - ${misc:Depends} added to libcdk5 and libcdk5-dev
    - fixed make clean call: [ ! -f Makefile ] || $(MAKE) distclean
    - debian/compat 7
    - replaced ${Source-Version} with ${binary:Version} in debian/control
    - dh_prep used in rules instead of dh_clean -k
  * Removed static patching of config.guess config.sub, removed those files,
    they will be copied from autotools-dev package in debian/rules
  * removed the following lines from debian/libcdk5-dev.install
    (dh_install throws error if you try to install files from an empty dir,
    and these files were not present in the previous Debian build)
    - usr/lib/pkgconfig/*
    - usr/lib/*.la
    - usr/share/pkgconfig/*
  * Added missing headers and example files (Closes: #500161, LP: #565526)
    - debian/patches/missing_header_examples.patch
    - debian/libcdk5-dev.examples added: include/cdk_test.h, examples/.,
      demos/
  * Fixed segfault in calendar.c (Closes: #452401, LP: #290624)
    - debian/patches/cal_segfault.patch
  * debian/patches/libcdk5_man_cdk_display_examples_fix.diff
    - The examples in the cdk_display(3) man page are incorrect
      (wrong colors, segfault) (Closes: #593283)
 -- Scott Howard <email address hidden> Thu, 10 Feb 2011 19:50:32 -0500

Changed in libcdk5 (Ubuntu):
status: New → Fix Released
Changed in libcdk5 (Debian):
status: Confirmed → Fix Released