yabasic memory corruption in variable assignments
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
yabasic (Ubuntu) | Fix Released | Low | Unassigned |
Bug Description
Binary package hint: yabasic
A user can corrupt memory, possibly executing code during yabasic's parsing of BASIC files. Using a large value when assigning variables will overflow a buffer and corrupt memory (looks like it could be a pointer on the stack).
Description: Ubuntu 9.04
Release: 9.04
Package: yabasic
Status: install ok installed
Priority: optional
Section: interpreters
Installed-Size: 844
Maintainer: Ubuntu MOTU Developers <email address hidden>
Architecture: i386
Version: 2.763-4
Depends: libc6 (>= 2.4), libice6 (>= 1:1.0.0), libncurses5 (>= 5.6+20071006-3), libsm6, libx11-6
Description: Yet Another BASIC interpreter
yabasic implements the most common and simple elements of the BASIC
language; it comes with for-loops and goto with while-loops and
procedures. yabasic does monochrome line graphics, and printing
comes with no extra effort. yabasic runs under Unix and Windows;
it is small (less than 200 KB) and free.
Original-
$ gdb /usr/bin/yabasic
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(no debugging symbols found)
(gdb) r /tmp/191.bas
Starting program: /usr/bin/yabasic /tmp/191.bas
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
Program received signal SIGSEGV, Segmentation fault.
0xb7e1407a in strcmp () from /lib/tls/
(gdb) i r
eax 0x4141412f 1094795567
ecx 0x99dfe38 161349176
edx 0x41414141 1094795585
ebx 0x99dfe38 161349176
esp 0xbfa9b76c 0xbfa9b76c
ebp 0xbfa9b7a8 0xbfa9b7a8
esi 0x41414141 1094795585
edi 0x0 0
eip 0xb7e1407a 0xb7e1407a <strcmp+10>
eflags 0x210246 [ PF ZF IF RF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb)
[191.bas]
fuzz = AAAAA..... x 512 (example value, probably not exact)
[/191.bas]
*** buffer overflow detected ***: yabasic terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7f73cff6a5f7]
/lib/libc.so.6[0x7f73cff695a0]
/lib/libc.so.6[0x7f73cff68457]
yabasic[0x403920]
yabasic[0x41c56f]
yabasic[0x407097]
0x000000000040391b <dotify+139>: callq 0x403058 <__strcat_chk@plt>
from yyparse. Looks like:
char *
dotify (char *name, int addfun) /* add library name, if not already present */
{
  static char buff[200];
  if (!strchr (name, '.'))
    {
      strcpy (buff, currlib->s);
      strcat (buff, ".");
      strcat (buff, name);
      ...
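A hardened form of dotify(), added here as an example; it is neither yabasic's own code nor the fix that shipped. The combined length is checked before the static 200-byte buffer is written, so a 512-character name like the report's fuzz string is rejected instead of overflowing. The library struct, the "main" library name, the dropped addfun parameter and the behaviour for names that already contain a dot are assumptions; the report shows none of them.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for yabasic's currlib->s (the current library name);
   the real struct is not shown in the report. */
struct library { const char *s; };
static struct library main_lib = { "main" };
static struct library *currlib = &main_lib;

/* Hardened variant of dotify(): same static 200-byte buffer, but the combined
   length is checked before anything is written, so an oversized variable name
   cannot run past buff[]. Returns NULL on overflow. The addfun parameter is
   dropped and the already-dotted branch is assumed; the report shows neither. */
char *
dotify_safe (const char *name)
{
  static char buff[200];
  if (strchr (name, '.'))
    return (char *) name;   /* assumed: already qualified, return unchanged */

  /* lib + '.' + name + terminating NUL must fit in buff */
  size_t need = strlen (currlib->s) + 1 + strlen (name) + 1;
  if (need > sizeof buff)
    return NULL;
  /* snprintf bounds the write; the check above rules out truncation */
  snprintf (buff, sizeof buff, "%s.%s", currlib->s, name);
  return buff;
}

/* Builds a name of `len` 'A's (the report's fuzz string was ~512 of them)
   and returns 1 if dotify_safe accepts it, 0 if it rejects it. */
int
name_fits (size_t len)
{
  char fuzz[1024];
  if (len >= sizeof fuzz)
    return 0;
  memset (fuzz, 'A', len);
  fuzz[len] = '\0';
  return dotify_safe (fuzz) != NULL;
}

int
main (void)
{
  printf ("%s\n", dotify_safe ("count"));         /* main.count */
  printf ("194 chars: %d\n", name_fits (194));      /* 1: "main." + 194 + NUL = 200 */
  printf ("512 chars: %d\n", name_fits (512));      /* 0: rejected instead of overflowing */
  return 0;
}
```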