Bug#454212: megahal segfaults as soon as it's launched
> Confirmed using etch i386 (though an amd64 processor). Attached output
> of megahal and strace.
The attached patch fixes a stack corruption issue on 64-bit architectures
(reading 8 bytes into a 4-byte buffer) and an off-by-one sprintf overflow
in the error and status file name initialization code.
The stack corruption makes megahal reliably crash for me on amd64 every
time it tries to load a saved dictionary.
However, the original problem is on i386 and happens earlier in the
initialization code. I can't reproduce it myself, but I think it might
well be caused by the sprintf overflow. Note that Neil's strace in
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=27;filename=megahal.trace.log;att=1;bug=454212
has

    open("/home/nmcgovern/.megahal/megahal.logi", O_WRONLY|O_APPEND|O_CREAT, 0666) = 3

and

    -rw-r--r-- 1 nmcgovern users 380 2007-12-19 11:37 megahal.logi?

while the intended filename is "megahal.log". So there's definitely at
least some corruption happening here.
Could somebody (Neil?) try whether the bug persists with this patch?
Cheers,
--
Niko Tyni ntyni@debian.org
diff --git a/megahal.c b/megahal.c
index 9d4b3ae..cfb1bbc 100644
--- a/megahal.c
+++ b/megahal.c
@@ -417,7 +417,7 @@ void megahal_initialize(void)
errorfp = stderr;
statusfp = stdout;
- filenamebuff = (char *) malloc (strlen (directory) + 12);
+ filenamebuff = (char *) malloc (strlen (directory) + strlen(SEP) + 12);
sprintf(filenamebuff, "%s%s%s", directory, SEP, errorfilename);
initialize_error(filenamebuff);
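Review bot: the new size still hard-codes 12 for the file-name part, so `sprintf` stays unbounded and correctness depends on `errorfilename` (and anything else later formatted into `filenamebuff`) never exceeding 11 characters. Derive the length from the components and bound the write instead, e.g. `size_t len = strlen(directory) + strlen(SEP) + strlen(errorfilename) + 1;` followed by `snprintf(filenamebuff, len, "%s%s%s", directory, SEP, errorfilename);`, and check the `malloc` result before using the buffer.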
@@ -1384,7 +1384,7 @@ void save_dictionary(FILE *file, DICTIONARY *dictionary)
void load_dictionary(FILE *file, DICTIONARY *dictionary)
{
register int i;
- int size;
+ BYTE4 size;
fread(&size, sizeof(BYTE4), 1, file);
progress("Loading dictionary", 0, 1);
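Review bot: the `fread` return value is still ignored, so a truncated or empty dictionary file leaves `size` uninitialised and the loading code that follows runs on garbage; guard it with `if (fread(&size, sizeof(BYTE4), 1, file) != 1)` and bail out through the existing error reporting. Separately, declaring `size` as `BYTE4` stops the overrun, but since `sizeof(BYTE4)` evidently differs between the 32-bit and 64-bit builds (the cover note describes 8 bytes being read into a 4-byte `int`), the on-disk count is now architecture-dependent and a brain saved on i386 will not load on amd64; a fixed-width type such as `uint32_t` for the on-disk field would make the file portable, at the cost of a format change for existing 64-bit saves.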
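Added example (not part of Niko's patch or the megahal source) showing both fixes in hardened form: the path buffer sized from its components and written with a bounded snprintf, and the dictionary count read as a fixed 4-byte field with the fread result checked. The directory string comes from the strace in the report; the little-endian on-disk byte order is an assumption based on the i386/amd64 context.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes the unpatched code reserved: strlen(directory) + 12 (11-char name + NUL, no SEP). */
size_t old_reserved(const char *directory)
{
    return strlen(directory) + 12;
}

/* Bytes sprintf(buf, "%s%s%s", dir, sep, name) really writes: every part plus the NUL. */
size_t needed_bytes(const char *dir, const char *sep, const char *name)
{
    return strlen(dir) + strlen(sep) + strlen(name) + 1;
}

/* Hardened malloc+sprintf: size derived from the parts, bounded snprintf,
 * and truncation treated as an error rather than silently corrupting memory. */
char *build_path(const char *dir, const char *sep, const char *name)
{
    size_t len = needed_bytes(dir, sep, name);
    char *buf = malloc(len);
    if (buf == NULL)
        return NULL;
    int n = snprintf(buf, len, "%s%s%s", dir, sep, name);
    if (n < 0 || (size_t)n >= len) {
        free(buf);
        return NULL;
    }
    return buf;
}

/* Fixed-width stand-in for fread(&size, sizeof(BYTE4), 1, file): the count is
 * always 4 bytes on disk whatever the host's word size, and a short read is
 * reported instead of leaving *size uninitialised. Little-endian order assumed. */
int read_count32(FILE *file, uint32_t *size)
{
    unsigned char raw[4];
    if (fread(raw, sizeof raw, 1, file) != 1)
        return -1;
    *size = (uint32_t)raw[0] | (uint32_t)raw[1] << 8
          | (uint32_t)raw[2] << 16 | (uint32_t)raw[3] << 24;
    return 0;
}
```

With the directory from the report, old_reserved() yields 36 bytes while needed_bytes() yields 37: exactly the one-byte NUL overrun the message describes.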