dmg2img crashed with SIGSEGV in convert_char8()

Bug #546154 reported by TJ
Affects: dmg2img (Ubuntu) | Status: Fix Released | Importance: Medium | Assigned to: Unassigned

Bug Description

Binary package hint: dmg2img

This occurs on Lucid i386 when trying to convert a .dmg CD image.

Because of bug #546108 "No symbols in dbgsym package" I had to rebuild the package locally, adding "-g" to CFLAGS and removing the "-s" from the link in Makefile.

This report therefore contains a complete stack-trace which isn't possible using the Ubuntu -dbgsym package.

ProblemType: Crash
Architecture: i386
Date: Wed Mar 24 16:23:15 2010
DistroRelease: Ubuntu 10.04
ExecutablePath: /usr/bin/dmg2img
Package: dmg2img 1.6.1-1 [modified: usr/bin/dmg2img usr/bin/vfdecrypt]
ProcCmdline: dmg2img -d Mac\ OS\ X\ Install\ Disc\ 1.dmg MacOSX10.4-install-CD1.img
ProcEnviron:
 SHELL=/bin/bash
 LANG=en_GB.utf8
ProcVersionSignature: Ubuntu 2.6.32-17.26-generic 2.6.32.10+drm33.1
SegvAnalysis:
 Segfault happened at: 0x8048d5a <convert_char8+10>: movzbl 0x4(%ecx),%ebx
 PC (0x08048d5a) ok
 source "0x4(%ecx)" (0x0000001c) not located in a known VMA region (needed readable region)!
 destination "%ebx" ok
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: dmg2img
StacktraceTop:
 convert_char8 (c=0x18 <Address 0x18 out of bounds>)
 main (argc=4, argv=0xbfbf5a54) at dmg2img.c:560
Title: dmg2img crashed with SIGSEGV in convert_char8()
Uname: Linux 2.6.32-17-generic i686
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare


TJ (tj) wrote :
visibility: private → public
TJ (tj) wrote :

The problem is in dmg2img.c, around line 560:

if (convert_char8((unsigned char *)parts[1].Data + 24) != 0)

Looking at the backtrace, gdb shows that 0x18 is passed to convert_char8():

#0 0x08048d5a in convert_char8 (c=0x18 <Address 0x18 out of bounds>) at dmg2img.h:80

0x18 == 24 decimal, the value added to parts[1].Data.

Therefore I surmise the pointer in parts[1].Data is unexpectedly 0, and isn't checked for.

TJ (tj) wrote :

Although the code path shows this, running with -V (extra verbose) mode shows that the failure is when parsing the BT_TERM block:

...
[9] 75.00%
offset = 360 block_type = 0x7ffffffe
0x7ffffffe (in_addr=0 in_size=0 out_addr=673062912 out_size=0) comment +end
[10] 83.33%
offset = 400 block_type = 0x00000002
null bytes (out_size=0)
[11] 91.67%
offset = 440 block_type = 0xffffffff
Segmentation fault (core dumped)

From dmg2img.h:

#define BT_TERM 0xffffffff
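Added example (not TJ's patch and not dmg2img's own code): a defensive walk over a blkx run table that stops at the BT_TERM entry instead of decoding it, and rejects a NULL table before any convert_char8() read. The 40-byte run stride (matching the 360/400/440 offsets in the -V output), the convert_char4/convert_char8 bodies and the sample table are assumptions constructed for this demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BT_TERM  0xffffffffu   /* from dmg2img.h, as quoted in the report */
#define RUN_SIZE 40            /* assumption: one blkx run entry is 40 bytes */

/* Big-endian readers in the spirit of dmg2img.h's convert_char4/convert_char8. They
 * dereference c unconditionally, so a NULL/bogus pointer (c=0x18 in the crash) must be rejected first. */
static uint32_t convert_char4(const unsigned char *c) {
    return ((uint32_t)c[0] << 24) | ((uint32_t)c[1] << 16) |
           ((uint32_t)c[2] << 8)  |  (uint32_t)c[3];
}
static uint64_t convert_char8(const unsigned char *c) {
    return ((uint64_t)convert_char4(c) << 32) | convert_char4(c + 4);
}

/* Walk the run table in data[0..len). Returns the number of runs before the
 * BT_TERM entry, or -1 if the table is NULL or ends without a terminator. */
int walk_runs(const unsigned char *data, size_t len) {
    if (data == NULL) return -1;                 /* parts[1].Data was 0 in the crash */
    int runs = 0;
    for (size_t off = 0; off + RUN_SIZE <= len; off += RUN_SIZE) {
        uint32_t block_type = convert_char4(data + off);
        if (block_type == BT_TERM) return runs;  /* terminator: stop, decode nothing */
        uint64_t f24 = convert_char8(data + off + 24);  /* same +24 read as dmg2img.c:560 */
        printf("offset = %zu block_type = 0x%08x field24 = %llu\n", off, block_type, (unsigned long long)f24);
        runs++;
    }
    return -1;                                   /* truncated: no terminator seen */
}

/* Append one zero-filled run of the given type at buf[*n] (constructed-input helper). */
static void put_run(unsigned char *buf, size_t *n, uint32_t type) {
    memset(buf + *n, 0, RUN_SIZE);
    buf[*n]     = (unsigned char)(type >> 24); buf[*n + 1] = (unsigned char)(type >> 16);
    buf[*n + 2] = (unsigned char)(type >> 8);  buf[*n + 3] = (unsigned char)type;
    *n += RUN_SIZE;
}

/* Constructed table mirroring the -V output: null-bytes run, comment run, BT_TERM. */
int demo(void) {
    unsigned char buf[3 * RUN_SIZE]; size_t n = 0;
    put_run(buf, &n, 0x00000002u);
    put_run(buf, &n, 0x7ffffffeu);
    put_run(buf, &n, BT_TERM);
    return walk_runs(buf, n);   /* 2 runs, then a clean stop at the terminator */
}
```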

TJ (tj) wrote :

Right now I'm using the attached patch to work around the issue, although at this point I do not know if this is the correct solution, or if the resulting image is 'good'.

TJ (tj)
Changed in dmg2img (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
TJ (tj) wrote :

I reported this to the upstream project and they have applied a bug-fix and released version 1.6.2 that fixes this. Unfortunately for us the new 1.6.2 source package also includes a template debian/ directory with example files and incomplete entries for the key files like control.

Therefore I don't think it is feasible to simply refresh from upstream as it stands right now. I'm emailing the upstream author with this concern with the hope they might drop the incomplete debian/ packaging for now.

In the meantime I'm attaching a patch containing the source-code fix for this issue.

TJ (tj) wrote :

Fixes incorrect handling of terminator blocks that results in segmentation faults. Backported from upstream 1.6.2.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dmg2img - 1.6.1-1ubuntu1

---------------
dmg2img (1.6.1-1ubuntu1) lucid; urgency=low

  * debian/rules: Add simple patchsys to CDBS packaging
  * Fix segmentation fault caused by incorrect terminator block handling
     - backported from upstream 1.6.2 (LP: #546154)
 -- TJ <email address hidden> Thu, 25 Mar 2010 05:00:00 +0000

Changed in dmg2img (Ubuntu):
status: Triaged → Fix Released