libglib2.0-0 2.25.12-1ubuntu1 failed to install: *** buffer overflow detected ***: /usr/lib/glib-2.0/gio-querymodules terminated
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
glib2.0 (Debian) | Fix Released | Unknown | |
glib2.0 (Ubuntu) | Fix Released | Critical | Unassigned |
Maverick | Fix Released | Critical | Unassigned |
Bug Description
From a PPA build log:
http://
```
Setting up libglib2.0-0 (2.25.12-1ubuntu1) ...
*** buffer overflow detected ***: /usr/lib/
======= Backtrace: =========
/lib/libc.
/lib/libc.
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/lib/libc.
/usr/lib/
======= Memory map: ========
…
Aborted
dpkg: error processing libglib2.0-0 (--configure):
subprocess installed post-installation script returned error exit status 134
```
description: updated
Changed in glib2.0 (Ubuntu):
status: New → Triaged
importance: Undecided → Critical
Changed in glib2.0 (Debian):
status: Unknown → New
Changed in glib2.0 (Debian):
status: New → Fix Released
Occurs on i386, not amd64. Buildlog shows:
```
libtool: compile: gcc -DHAVE_CONFIG_H -I. -I/build/buildd/glib2.0-2.25.12/gobject -I.. -DG_LOG_DOMAIN=\"GLib-GObject\" -I/build/buildd/glib2.0-2.25.12 -I/build/buildd/glib2.0-2.25.12/glib -I.. -DG_ENABLE_DEBUG -DG_THREADS_MANDATORY -DG_DISABLE_DEPRECATED -DGOBJECT_COMPILATION -DG_DISABLE_CONST_RETURNS -DG_DISABLE_SINGLE_INCLUDES -pthread -g -O2 -Wall -g -O2 -MT gtype.lo -MD -MP -MF .deps/gtype.Tpo -c /build/buildd/glib2.0-2.25.12/gobject/gtype.c -fPIC -DPIC -o .libs/gtype.o
In file included from //usr/include/string.h:642,
                 from /build/buildd/glib2.0-2.25.12/gobject/gsignal.c:29:
In function 'memset',
    inlined from 'g_bsearch_array_create' at /build/buildd/glib2.0-2.25.12/glib/gbsearcharray.h:137,
    inlined from 'g_signal_init' at /build/buildd/glib2.0-2.25.12/gobject/gsignal.c:775:
//usr/include/bits/string3.h:86: warning: call to __builtin___memset_chk will always overflow destination buffer
```
(http://launchpadlibrarian.net/53144885/buildlog_ubuntu-maverick-i386.glib2.0_2.25.12-1ubuntu1_FULLYBUILT.txt.gz)
Function in question:
```c
/* --- implementation --- */
/* helper macro to cut down realloc()s */
#ifdef DISABLE_MEM_POOLS
#define G_BSEARCH_UPPER_POWER2(n) (n)
#else /* !DISABLE_MEM_POOLS */
#define G_BSEARCH_UPPER_POWER2(n) ((n) ? 1 << g_bit_storage ((n) - 1) : 0)
#endif /* !DISABLE_MEM_POOLS */
#define G_BSEARCH_ARRAY_NODES(barray) (((guint8*) (barray)) + sizeof (GBSearchArray))
static inline GBSearchArray*
g_bsearch_array_create (const GBSearchConfig *bconfig)
{
  GBSearchArray *barray;
  guint size;
  g_return_val_if_fail (bconfig != NULL, NULL);
  size = sizeof (GBSearchArray) + bconfig->sizeof_node;
  if (bconfig->flags & G_BSEARCH_ARRAY_ALIGN_POWER2)
    size = G_BSEARCH_UPPER_POWER2 (size);
  barray = (GBSearchArray *) g_malloc (size);
  memset (barray, 0, sizeof (GBSearchArray));
  return barray;
}
```
Looks safe, trying patch now that replaces g_malloc/memset with g_malloc0
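Added example, not GLib's code and not part of this report: a portable C model of the size computation in g_bsearch_array_create, so the property the comment relies on (the allocation is never smaller than the header the memset zeroes) can be checked, with the g_malloc/memset pattern beside the g_malloc0-style replacement. BSearchArray, bit_storage, upper_power2 and create_size are stand-ins for GBSearchArray, g_bit_storage, G_BSEARCH_UPPER_POWER2 and the body of the function.

```c
/* Added example (not GLib's own code): models the allocation in
 * g_bsearch_array_create with portable stand-ins for g_bit_storage and
 * G_BSEARCH_UPPER_POWER2, and contrasts malloc+memset with calloc
 * (the g_malloc0 equivalent proposed in the comment above). */
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Stand-in for GBSearchArray: only this header is zeroed by the memset. */
typedef struct { uint32_t n_nodes; } BSearchArray;

/* Portable equivalent of g_bit_storage(n): bits needed to represent n. */
static unsigned bit_storage(uint32_t n) {
  unsigned bits = 0;
  while (n) { bits++; n >>= 1; }
  return bits;
}

/* G_BSEARCH_UPPER_POWER2(n): smallest power of two >= n, 0 for n == 0.
 * Assumes n - 1 < 2^31 so the shift stays within a 32-bit unsigned. */
static uint32_t upper_power2(uint32_t n) {
  return n ? 1u << bit_storage(n - 1) : 0;
}

/* Bytes requested for one node of sizeof_node bytes; align_power2 mirrors
 * the G_BSEARCH_ARRAY_ALIGN_POWER2 flag. Rounding up never shrinks the
 * request, so the result is always >= sizeof(BSearchArray). */
static uint32_t create_size(uint32_t sizeof_node, int align_power2) {
  uint32_t size = sizeof(BSearchArray) + sizeof_node;
  if (align_power2)
    size = upper_power2(size);
  return size;
}

/* Original pattern: allocate `size` bytes, then zero only the header. */
static BSearchArray *create_malloc_memset(uint32_t sizeof_node, int align) {
  BSearchArray *b = malloc(create_size(sizeof_node, align));
  if (!b) return NULL;
  memset(b, 0, sizeof(BSearchArray));   /* in bounds: size >= header size */
  return b;
}

/* Replacement pattern: one zero-filling allocation (calloc ~ g_malloc0),
 * which leaves no separate memset for a fortified build to second-guess. */
static BSearchArray *create_malloc0(uint32_t sizeof_node, int align) {
  return calloc(1, create_size(sizeof_node, align));
}
```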