Stack smashing in libcdk5 calendar applet
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libcdk5 (Debian) | Fix Released | Unknown | |
libcdk5 (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Binary package hint: libcdk5
Ubuntu release: 8.04.1
Source Package: libcdk5 5.0.20060507-1
What I expected to happen: I expected the Calendar widget, and calendar_ex example program to work correctly.
What actually happened: glibc stack smashing alert and SIGABRT.
I compiled the demo applications that were included in CDK 5.0.20060507-1 (after some modifications to the Makefile), and the calendar example failed to run. In fact, instead of running, it produced the following backtrace output:
*** stack smashing detected ***: ./calendar_ex terminated
======= Backtrace: =========
/lib/tls/
/lib/tls/
/usr/lib/
/usr/lib/
./calendar_
/lib/tls/
./calendar_
======= Memory map: ========
08048000-0804a000 r-xp 00000000 08:02 452935 /home/philpem/
0804a000-0804b000 rw-p 00001000 08:02 452935 /home/philpem/
0804b000-0806c000 rw-p 0804b000 00:00 0 [heap]
b7c62000-b7c6c000 r-xp 00000000 08:02 827445 /lib/libgcc_s.so.1
b7c6c000-b7c6d000 rw-p 0000a000 08:02 827445 /lib/libgcc_s.so.1
b7c81000-b7cba000 rw-p b7c81000 00:00 0
b7cba000-b7cf9000 r--p 00000000 08:02 1740016 /usr/lib/
b7cf9000-b7dda000 r--p 00000000 08:02 1740015 /usr/lib/
b7dda000-b7ddb000 rw-p b7dda000 00:00 0
b7ddb000-b7ddd000 r-xp 00000000 08:02 844839 /lib/tls/
b7ddd000-b7ddf000 rw-p 00001000 08:02 844839 /lib/tls/
b7ddf000-b7f28000 r-xp 00000000 08:02 844835 /lib/tls/
b7f28000-b7f29000 r--p 00149000 08:02 844835 /lib/tls/
b7f29000-b7f2b000 rw-p 0014a000 08:02 844835 /lib/tls/
b7f2b000-b7f2f000 rw-p b7f2b000 00:00 0
b7f2f000-b7f5c000 r-xp 00000000 08:02 827473 /lib/libncurses
b7f5c000-b7f5f000 rw-p 0002c000 08:02 827473 /lib/libncurses
b7f5f000-b7f98000 r-xp 00000000 08:02 1714974 /usr/lib/
b7f98000-b7f9a000 rw-p 00038000 08:02 1714974 /usr/lib/
b7f9d000-b7f9e000 r--p 00000000 08:02 1740021 /usr/lib/
b7f9e000-b7f9f000 r--p 00000000 08:02 1738503 /usr/lib/
b7f9f000-b7fa0000 r--p 00000000 08:02 1739018 /usr/lib/
b7fa0000-b7fa1000 r--p 00000000 08:02 1753138 /usr/lib/
b7fa1000-b7fa2000 r--p 00000000 08:02 1740022 /usr/lib/
b7fa2000-b7fa3000 r--p 00000000 08:02 1739965 /usr/lib/
b7fa3000-b7fa4000 r--p 00000000 08:02 1739013 /usr/lib/
b7fa4000-b7fa5000 r--p 00000000 08:02 1738989 /usr/lib/
b7fa5000-b7fa6000 r--p 00000000 08:02 1740018 /usr/lib/
b7fa6000-b7fad000 r--s 00000000 08:02 1723071 /usr/lib/
b7fad000-b7fae000 r--p 00000000 08:02 1738496 /usr/lib/
b7fae000-b7fb0000 rw-p b7fae000 00:00 0
b7fb0000-b7fb1000 r-xp b7fb0000 00:00 0 [vdso]
b7fb1000-b7fcb000 r-xp 00000000 08:02 927069 /lib/ld-2.7.so
b7fcb000-b7fcd000 rw-p 00019000 08:02 927069 /lib/ld-2.7.so
bfb5e000-bfb73000 rw-p bffeb000 00:00 0 [stack]
Aborted
Due to the lack of debug symbols in the release libraries, I recompiled libcdk with CFLAGS="-g -ggdb", then relinked calendar_ex against the new static library:
CFLAGS="-g -ggdb" bash ./configure
make
make cdkshlib
mkdir -p /tmp/cdkdebug
cp libcdk.* /tmp/cdkdebug
Then to rebuild calendar_ex (the -DExitProgram is a modification that removes the need for cdk_test.h -- I search/replaced all instances of <cdk_test.h> with <cdk/cdk.h> in the example .c source files):
gcc -Wall -g -ggdb -DHAVE_CONFIG_H -I../include -I./../include -I. -D_GNU_SOURCE -DExitProgram=exit calendar_ex.c -o calendar_ex -L.. -lcdk -lncurses -L/tmp/cdkdebug
After running the app again through gdb, it still crashed. The backtrace pointed to an error in the function "drawCDKCalenda
The sprintf creates a string containing the month name and day number, separated by a space, and with a trailing comma. That means that if the day number is between 1 and 9, the length of the final string will be strlen(
To fix this bug, I increased the length of the temp[] char-array (line 462) to 14 bytes. This is based on:
- September is the month with the longest name (9 characters)
- Maximum of 2 digits for the day number
- 2 bytes for the space and trailing comma
- 1 byte for the trailing null
= 14 bytes.
A patch that resolves this bug is attached.
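As an added example (not the reporter's attached patch and not CDK's own code), the following C program reproduces the sizing argument given above for the "<month> <day>," label and formats it with a bounded write instead of sprintf. The month-name table is constructed here, and the 10-byte buffer used to show the refusal is hypothetical; the page does not state the original size of temp[].

```c
/* Added example, not part of the bug report or of CDK.
 * Reproduces the buffer-sizing argument for the "<month> <day>," label
 * and replaces the unbounded sprintf with a checked snprintf. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed month-name table (English names, as in the report). */
static const char *const month_names[12] = {
    "January", "February", "March", "April", "May", "June", "July",
    "August", "September", "October", "November", "December"
};

/* "September" (9) + ' ' (1) + "dd" (2) + ',' (1) + NUL (1) = 14 bytes,
 * the figure the report arrives at. */
#define LABEL_BUF_SIZE 14

/* Longest "<month> <day>," string (NUL excluded) over every month/day. */
size_t max_label_len(void)
{
    size_t max = 0;
    for (int m = 0; m < 12; m++) {
        for (int d = 1; d <= 31; d++) {
            size_t len = strlen(month_names[m]) + 1 + (d >= 10 ? 2 : 1) + 1;
            if (len > max)
                max = len;
        }
    }
    return max;
}

/* The unsafe pattern: sprintf writes however many bytes the format
 * produces, so a caller buffer shorter than max_label_len()+1 is
 * overrun and glibc's stack protector aborts with
 * "*** stack smashing detected ***". Shown for contrast only. */
void unsafe_format_label(char *buf, int month, int day)
{
    sprintf(buf, "%s %d,", month_names[month - 1], day);
}

/* Hardened form: bounded write plus a truncation check. snprintf returns
 * the length the full string would have had, so n >= bufsize means the
 * buffer was too small and the label is not usable. */
bool format_label(char *buf, size_t bufsize, int month, int day)
{
    if (bufsize == 0 || month < 1 || month > 12 || day < 1 || day > 31)
        return false;
    int n = snprintf(buf, bufsize, "%s %d,", month_names[month - 1], day);
    return n >= 0 && (size_t)n < bufsize;
}

int main(void)
{
    char label[LABEL_BUF_SIZE];
    char small[10]; /* hypothetical undersized buffer */

    printf("longest label is %zu chars, needs %zu bytes with NUL\n",
           max_label_len(), max_label_len() + 1);

    if (format_label(label, sizeof label, 9, 30))
        printf("ok: \"%s\"\n", label);

    if (!format_label(small, sizeof small, 9, 30))
        printf("refused: a 10-byte buffer cannot hold \"September 30,\"\n");

    /* Only call the unsafe variant with a buffer we know is large enough. */
    unsafe_format_label(label, 5, 1);
    printf("unsafe path with adequate buffer: \"%s\"\n", label);
    return 0;
}
```

The check in format_label is the one sprintf cannot give: when the target array is sized by hand, as temp[] is here, sizeof on the array passed to snprintf keeps a later change to the format from silently becoming an overflow again.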
Changed in libcdk5: status: Unknown → New
Changed in libcdk5 (Debian): status: New → Confirmed
Changed in libcdk5 (Debian): status: Confirmed → Fix Released
This was also reported in Debian #452401 last year by Ron Murray: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=452401
Nearly a year later, the bug is still listed as open, unfixed...