
Bug#454212: megahal segfaults as soon as it's launched

> Confirmed using etch i386 (though an amd64 processor). Attached output
> of megahal and strace.

The attached patch fixes a stack corruption issue on 64-bit architectures
(reading 8 bytes into a 4-byte buffer) and an off-by-one sprintf overflow
in the error and status file name initialization code.

The stack corruption makes megahal reliably crash for me on amd64 every
time it tries to load a saved dictionary.

However, the original problem is on i386 and happens earlier in the
initialization code. I can't reproduce it myself, but I think it might
well be caused by the sprintf overflow. Note that Neil's strace in

 open("/home/nmcgovern/.megahal/megahal.logi", O_WRONLY|O_APPEND|O_CREAT, 0666) = 3

-rw-r--r--  1 nmcgovern users  380 2007-12-19 11:37 megahal.logi?

while the intended filename is "megahal.log". So there's definitely at
least some corruption happening here.

Could somebody (Neil?) try if the bug persists with this patch?

Niko Tyni   ntyni@debian.org
diff --git a/megahal.c b/megahal.c
index 9d4b3ae..cfb1bbc 100644
--- a/megahal.c
+++ b/megahal.c
@@ -417,7 +417,7 @@ void megahal_initialize(void)
     errorfp = stderr;
     statusfp = stdout;
-    filenamebuff = (char *) malloc (strlen (directory) + 12);
+    filenamebuff = (char *) malloc (strlen (directory) + strlen(SEP) + 12);
     sprintf(filenamebuff, "%s%s%s", directory, SEP, errorfilename);
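Review bot: the `+ 12` on the `malloc` line is still a magic number that only works because `errorfilename` is 11 characters plus a NUL, and if `filenamebuff` is reused for the status file name (the cover note says both the error and status file name initialization are affected) the bound has to cover the longer of the two names. Suggest sizing it as `strlen(directory) + strlen(SEP) + strlen(errorfilename) + 1` (or the larger of the two name lengths if the buffer is shared) and replacing the `sprintf` with `snprintf(filenamebuff, size, "%s%s%s", directory, SEP, errorfilename)` so any future mismatch truncates instead of overflowing.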
@@ -1384,7 +1384,7 @@ void save_dictionary(FILE *file, DICTIONARY *dictionary)
 void load_dictionary(FILE *file, DICTIONARY *dictionary)
     register int i;
-    int size;
+    BYTE4 size;
     fread(&size, sizeof(BYTE4), 1, file);
     progress("Loading dictionary", 0, 1);
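Review bot: the return value of `fread(&size, sizeof(BYTE4), 1, file)` is still unchecked, so a truncated or empty dictionary file leaves `size` indeterminate and the load that follows proceeds on garbage; suggest `if (fread(&size, sizeof(BYTE4), 1, file) != 1) { /* report the short read and abort the load */ }`. Also, the cover note says this read moved 8 bytes on amd64, which means `BYTE4` is not four bytes there, so dictionaries saved on i386 and amd64 have different on-disk layouts; a fixed-width `uint32_t` for the file fields would make the type match its name on both.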

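Added example, not part of this bug report or of megahal's source: the two defects the message describes in hardened form, a path buffer sized for directory, separator, name and NUL and written with a bounded snprintf, and the dictionary size field read into a fixed-width 32-bit variable with the fread result checked. `SEP`, `build_path` and `read_dict_size` are assumed names, and the header bytes are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define SEP "/"   /* assumed stand-in for megahal's separator macro */

/* Build "<directory><SEP><name>" in a buffer sized for every component plus NUL.
 * malloc(strlen(directory) + 12) left no room for SEP, hence the one-byte overflow. */
char *build_path(const char *directory, const char *name)
{
    size_t need = strlen(directory) + strlen(SEP) + strlen(name) + 1;
    char *buf = malloc(need);
    if (buf == NULL)
        return NULL;
    /* Bounded write: a mis-sized buffer now truncates instead of overflowing. */
    int n = snprintf(buf, need, "%s%s%s", directory, SEP, name);
    if (n < 0 || (size_t)n >= need) {
        free(buf);
        return NULL;
    }
    return buf;
}

/* Read the 4-byte size field into a variable of exactly that width (an 8-byte read
 * into a 4-byte int is what smashed the stack); a short read is reported, not ignored. */
int read_dict_size(FILE *file, uint32_t *size)
{
    uint32_t tmp;
    if (fread(&tmp, sizeof tmp, 1, file) != 1)
        return -1;
    *size = tmp;
    return 0;
}

int main(void)
{
    char *path = build_path("/home/nmcgovern/.megahal", "megahal.log");
    if (path != NULL)
        puts(path);
    free(path);
    /* Constructed sample header: a 4-byte size field holding the value 3. */
    FILE *f = tmpfile();
    uint32_t want = 3, got = 0;
    if (f == NULL || fwrite(&want, sizeof want, 1, f) != 1)
        return 1;
    rewind(f);
    int rc = read_dict_size(f, &got);
    printf("rc=%d size=%u\n", rc, got);
    fclose(f);
    return rc;
}
```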