crash due to buffer overflow in acc_tabs.c

Bug #978183 reported by Sławomir Nizio on 2012-04-10
This bug affects 2 people
Affects: Cuneiform for Linux; Importance: Undecided; Assigned to: Unassigned
Affects: cuneiform (Ubuntu); Importance: Undecided; Assigned to: Unassigned

Bug Description

cuneiform -l pol file.png
I don't know how much it's related to the other bugs, so I'm filing it as a new one. This happens if -l pol is specified and with an -O... option passed to the compiler (gcc 4.6.2; tested with -O2). I'm also attaching my patch, which works around the problem and shows where it is.
If anyone has some improvements to it, that's appreciated.

Also, attempts to fix a condition look wrong.

*** buffer overflow detected ***: cuneiform terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x45)[0xb74f9e15]
/lib/libc.so.6(+0xe3cf7)[0xb74f7cf7]
/lib/libc.so.6(+0xe2fdd)[0xb74f6fdd]
/usr/lib/librstr.so.0(+0x12c09)[0xb6fd8c09]
/usr/lib/librstr.so.0(+0x786c9)[0xb703e6c9]
/usr/lib/librstr.so.0(+0xacc04)[0xb7072c04]
/usr/lib/librstr.so.0(RSTR_SetOptions+0x153)[0xb7075803]
/usr/lib/libcuneiform.so.0(+0xb69b)[0xb770f69b]
/usr/lib/libcuneiform.so.0(+0xbf5d)[0xb770ff5d]
/usr/lib/libcuneiform.so.0(PUMA_XFinalRecognition+0xfc)[0xb7711ecc]
cuneiform[0x804af09]
/lib/libc.so.6(__libc_start_main+0xf3)[0xb742ce03]
cuneiform[0x804a651]
======= Memory map: ========

Sławomir Nizio (snizio) wrote :

This is another approach, but I didn't test or use it.

Sławomir Nizio (snizio) wrote :
Gleb Peregud (gleber-p) wrote :

I can confirm this bug.

The attachment "cuneiform-overflows.patch" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cuneiform - 1.1.0+dfsg-6

---------------
cuneiform (1.1.0+dfsg-6) unstable; urgency=medium

  [ Andreas Beckmann ]
  * QA upload.
  * Incorporate changes from Ubuntu.
  * gcc-6.patch: New, fix more FTBFS issues with GCC 6.
  * typos.patch: New, fix typos.

  [ Bhavani Shankar ]
  * Fix double FTBFS with unsigned char and GCC 6. (LP: #791305)
    (Closes: #787207, #837360)
  * Incorporate patch to fix buffer overflow during crash. Thanks
    Sławomir Nizio. Hopefully fix (LP: #978183), (LP: #593409), (LP: #791864),
    (LP: #996309). (Closes: #781354)

 -- Andreas Beckmann <email address hidden> Sun, 23 Apr 2017 14:02:07 +0200

Changed in cuneiform (Ubuntu):
status: New → Fix Released