Group :: Sistema/Bibliotecas
RPM: libsratom
Navegação
Main Changelog Spec Patches Sources Download Gear Bugs e FR Repocop
Patch: 0001-Fixed-sratom_test-false-negative.patch
Download
Download
From b7bf4ff64187616ac21895cd016d62017ac3b681 Mon Sep 17 00:00:00 2001
From: Alexey Sheplyakov <asheplyakov@basealt.ru>
Date: Fri, 14 Jul 2023 15:14:15 +0400
Subject: [PATCH] Fixed sratom_test false negative
At the moment sratom_test fails like this:
$ ./sratom_test
*** buffer overflow detected ***: terminated
Aborted
(gdb) bt
#0 0x00007ffff7e365dc in ?? () from /lib64/libc.so.6
#1 0x00007ffff7de8d32 in raise () from /lib64/libc.so.6
#2 0x00007ffff7dd24af in abort () from /lib64/libc.so.6
#3 0x00007ffff7dd322f in ?? () from /lib64/libc.so.6
#4 0x00007ffff7ec5a87 in __fortify_fail () from /lib64/libc.so.6
#5 0x00007ffff7ec4422 in __chk_fail () from /lib64/libc.so.6
#6 0x00007ffff7ec3ff5 in __snprintf_chk () from /lib64/libc.so.6
#7 0x000055555555ea63 in snprintf (__fmt=0x555555563bfb "%02X", __n=7, __s=0x55555556d9f2 "") at /usr/include/bits/stdio2.h:54
#8 sratom_write (sratom=sratom@entry=0x55555556a930, unmap=unmap@entry=0x7fffffffdce0, flags=<optimized out>, flags@entry=32, subject=subject@entry=0x7fffffffd5b0,
predicate=predicate@entry=0x7fffffffd670, type_urid=<optimized out>, size=3, body=0x7fffffffe288) at ../src/sratom.c:338
#9 0x000055555555ecf0 in sratom_write (sratom=sratom@entry=0x55555556a930, unmap=unmap@entry=0x7fffffffdce0, flags=<optimized out>, subject=subject@entry=0x7fffffffd830,
predicate=predicate@entry=0x7fffffffd8d0, type_urid=type_urid@entry=19, size=19, body=0x7fffffffe278) at ../src/sratom.c:362
#10 0x000055555555f71c in list_append (sratom=sratom@entry=0x55555556a930, unmap=unmap@entry=0x7fffffffdce0, flags=flags@entry=0x7fffffffd80c, s=s@entry=0x7fffffffd810,
p=p@entry=0x7fffffffd8d0, node=node@entry=0x7fffffffd830, size=19, type=19, body=0x7fffffffe278) at ../src/sratom.c:172
#11 0x000055555555f4a5 in sratom_write (sratom=sratom@entry=0x55555556a930, unmap=unmap@entry=0x7fffffffdce0, flags=<optimized out>, flags@entry=34, subject=subject@entry=0x7fffffffd9d0,
predicate=predicate@entry=0x7fffffffda90, type_urid=<optimized out>, size=56, body=0x7fffffffe270) at ../src/sratom.c:432
#12 0x000055555555e60b in sratom_write (sratom=sratom@entry=0x55555556a930, unmap=unmap@entry=0x7fffffffdce0, flags=<optimized out>, flags@entry=2, subject=subject@entry=0x7fffffffdd70,
predicate=predicate@entry=0x7fffffffdd90, type_urid=type_urid@entry=9, size=1000, body=0x7fffffffdf08) at ../src/sratom.c:417
#13 0x000055555555f92c in sratom_to_turtle (sratom=sratom@entry=0x55555556a930, unmap=unmap@entry=0x7fffffffdce0, base_uri=base_uri@entry=0x555555563383 "file:///tmp/base/",
subject=subject@entry=0x7fffffffdd70, predicate=predicate@entry=0x7fffffffdd90, type=9, size=1000, body=0x7fffffffdf08) at ../src/sratom.c:496
#14 0x000055555555a6f7 in test (env=env@entry=0x0, top_level=top_level@entry=false, pretty_numbers=pretty_numbers@entry=false) at ../tests/sratom_test.c:339
#15 0x000055555555a875 in test_env (env=env@entry=0x0) at ../tests/sratom_test.c:386
#16 0x00005555555585ba in main () at ../tests/sratom_test.c:403
(gdb) frame 7
#7 0x000055555555ea63 in snprintf (__fmt=0x555555563bfb "%02X", __n=7, __s=0x55555556d9f2 "") at /usr/include/bits/stdio2.h:54
54 return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
(gdb) list
49 # ifdef __va_arg_pack
50 __fortify_function int
51 __NTH (snprintf (char *__restrict __s, size_t __n,
52 const char *__restrict __fmt, ...))
53 {54 return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
55 __glibc_objsize (__s), __fmt,
56 __va_arg_pack ());
57 }
58 # elif !defined __cplusplus
The code in question (sratom.c:338, see frame 9) dumps the input byte by byte
(in hex format):
333 } else if (type_urid == sratom->midi_MidiEvent) {334 new_node = true;
335 datatype = serd_node_from_string(SERD_URI, USTR(LV2_MIDI__MidiEvent));
336 uint8_t* str = (uint8_t*)calloc(size * 2 + 1, 1);
337 for (uint32_t i = 0; i < size; ++i) {338 snprintf((char*)str + (2 * i), size * 2 + 1, "%02X",
339 (unsigned)*((const uint8_t*)body + i));
340 }
The problem is that the maximal number of bytes in sprintf is overestimated
(when i != 0): actually snprintf prints at most 3 bytes (2 hex digits and
possibly the terminating null), instead the code specifies the total length
of the dumped buffer (`size * 2 + 1`).
When i > 0 glibc's __snprintf_chk observes the destination buffer is
shorter than the `size * 2 + 1` (the total length of the dump) and
terminates the program.
To avoid the problem specify the correct n, which is 3 (2 hex digits
and possibly the terminating null).
---
src/sratom.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/sratom.c b/src/sratom.c
index 248906f..9cec78a 100644
--- a/src/sratom.c
+++ b/src/sratom.c
@@ -335,7 +335,9 @@ sratom_write(Sratom* sratom,
datatype = serd_node_from_string(SERD_URI, USTR(LV2_MIDI__MidiEvent));
uint8_t* str = (uint8_t*)calloc(size * 2 + 1, 1);
for (uint32_t i = 0; i < size; ++i) {- snprintf((char*)str + (2 * i), size * 2 + 1, "%02X",
+ snprintf((char*)str + (2 * i),
+ 3, /* 2 hex digits and possibly terminating null */
+ "%02X",
(unsigned)*((const uint8_t*)body + i));
}
object = serd_node_from_string(SERD_LITERAL, USTR(str));
--
2.33.8