Bug#295015: marked as done (xkbprint segfaults when )

To: Brice Goglin <Brice.Goglin@ens-lyon.org>
Subject: Bug#295015: marked as done (xkbprint segfaults when )
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Sun, 15 Apr 2007 20:15:05 +0000
Message-id: <[🔎] handler.295015.D295015.11766679615468.ackdone@bugs.debian.org>
References: <46228704.4020107@ens-lyon.org> <BAY2-F1730A38535C3789D0892FDB680@phx.gbl>

Your message dated Sun, 15 Apr 2007 22:11:48 +0200
with message-id <46228704.4020107@ens-lyon.org>
and subject line Bug#295015: xkbprint segfaults when
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---

To: submit@bugs.debian.org
Subject: xkbprint segfaults when
From: "Sebastian Rasmussen" <sebras@hotmail.com>
Date: Sun, 13 Feb 2005 00:47:37 +0100
Message-id: <BAY2-F1730A38535C3789D0892FDB680@phx.gbl>

Package: xbase-clients
Version: 4.3.0.dfsg.1-10

When trying to print the keymap for my current xkb settings I was faced with

a segfault as I ran xkbprint. The problem is that if the XkbSymbols settingin

/etc/X11/XF86Config-4 is too long a sprintf() overruns a preallocated buffer
used when writing part of the generated Postscript to an output file.

hostname% /usr/bin/X11/xkbprint :0.0
zsh: segmentation fault  /usr/bin/X11/xkbprint :0.0

The fix that requires the least amount of modification, to my knowledge,
mainly consists of replacing sprintf() with asprintf(), as can be seen in
the patch below. As asprintf() itself allocates a buffer of suitable size
there is no longer any risk of overrunning a too small preallocated buffer.

Note that not just the one buffer that resulted in the segfault was fixed,
but all the similarly used buffers in the same function were also modified.
Additionally I have  appended my debugging session and test of the
modified xkbprint.

Please notify me if the patch is in any way inappropriate or if further
information is required.

/ Sebastian Rasmussen

diff -Nruw xfree86_4.3.0.dfsg-1.10/xc/programs/xkbprint/psgeom.cxfree86_4.3.0.dfsg-1.10.patched/xc/programs/xkbprint/psgeom.c--- xfree86_4.3.0.dfsg-1.10/xc/programs/xkbprint/psgeom.c 2001-07-2517:05:25.000000000 +0200+++ xfree86_4.3.0.dfsg-1.10.patched/xc/programs/xkbprint/psgeom.c2005-02-13 00:25:25.000000000 +0100

@@ -807,18 +807,22 @@
           PSSetFont(out,state,FONT_LATIN1,14,False);
       }
       if (state->args->label==LABEL_SYMBOLS) {
-           char buf[40],*sName= NULL;
+           char *buf= NULL,*sName= NULL;
           Atom sAtom;

-           if (state->args->nLabelGroups==1)
-               sprintf(buf,"Group %d",state->args->baseLabelGroup+1);
-           else sprintf(buf,"Groups %d-%d",state->args->baseLabelGroup+1,
-               state->args->baseLabelGroup+state->args->nLabelGroups);
+           if (state->args->nLabelGroups==1) {

+ if (asprintf(&buf,"Group%d",state->args->baseLabelGroup+1)==-1)

+                   buf= NULL;
+           }

+ else if (asprintf(&buf,"Groups%d-%d",state->args->baseLabelGroup+1,

+               state->args->baseLabelGroup+state->args->nLabelGroups)==-1)
+               buf= NULL;

fprintf(out,"kbx kbdscalewidth 0 (%s) centeroffset popadd\n",buf);

           fprintf(out,"    kby kbdscaleheight add %d add\n",baseline);
           fprintf(out,"    moveto\n");
           fprintf(out,"1 -1 scale (%s) show 1 -1 scale\n",buf);
           baseline+= 16;
+           free(buf);

           if (xkb->names!=NULL)       sAtom= xkb->names->symbols;
           else                        sAtom= None;
@@ -827,12 +831,14 @@
           if (sName==NULL)
               sName= "(unknown)";

-           sprintf(buf,"Layout: %s",sName);
+           if (asprintf(&buf,"Layout: %s",sName)==-1)
+               buf= NULL;

fprintf(out,"kbx kbdscalewidth 0 (%s) centeroffset popadd\n",buf);

           fprintf(out,"    kby kbdscaleheight add %d add\n",baseline);
           fprintf(out,"    moveto\n");
           fprintf(out,"1 -1 scale (%s) show 1 -1 scale\n",buf);
           baseline+= 16;
+           free(buf);
       }
       if (name!=NULL) {

fprintf(out,"kbx kbdscalewidth 0 (%s) centeroffset popadd\n",name);

@@ -842,7 +848,7 @@
           baseline+= 16;
       }
       if (state->args->label==LABEL_KEYCODE) {
-           char buf[40],*sName= NULL;
+           char *buf= NULL,*sName= NULL;
           Atom sAtom;

           if (xkb->names!=NULL)       sAtom= xkb->names->keycodes;
@@ -852,12 +858,14 @@
           if (sName==NULL)
               sName= "(unknown)";

-           sprintf(buf,"Keycodes: %s",sName);
+           if (asprintf(&buf,"Keycodes: %s",sName)==-1)
+               buf= NULL;

fprintf(out,"kbx kbdscalewidth 0 (%s) centeroffset popadd\n",buf);

           fprintf(out,"    kby kbdscaleheight add %d add\n",baseline);
           fprintf(out,"    moveto\n");
           fprintf(out,"1 -1 scale (%s) show 1 -1 scale\n",buf);
           baseline+= 16;
+           free(buf);
       }
       if (state->args->copies>1) {
           for (p=1;p<state->args->copies;p++)
@@ -869,19 +877,23 @@
    }
    else {
       if ((!state->args->wantEPS)&&(state->args->label==LABEL_SYMBOLS)) {
-           char buf[40];
+           char *buf= NULL;
           baseline= 16;
           PSSetColor(out,state,state->black);
           PSSetFont(out,state,FONT_LATIN1,14,False);
-           if (state->args->nLabelGroups==1)
-               sprintf(buf,"Group %d",state->args->baseLabelGroup+1);
-           else sprintf(buf,"Groups %d-%d",state->args->baseLabelGroup+1,
-               state->args->baseLabelGroup+state->args->nLabelGroups+1);
+           if (state->args->nLabelGroups==1) {

+ if (asprintf(&buf,"Group%d",state->args->baseLabelGroup+1)==-1)

+                   buf= NULL;
+           }

+ else if (asprintf(&buf,"Groups%d-%d",state->args->baseLabelGroup+1,+state->args->baseLabelGroup+state->args->nLabelGroups+1)==-1)

+               buf= NULL;

fprintf(out,"kbx kbdscalewidth 0 (%s) centeroffset popadd\n",buf);

           fprintf(out,"    kby kbdscaleheight add %d add\n",baseline);
           fprintf(out,"    moveto\n");
           fprintf(out,"1 -1 scale (%s) show 1 -1 scale\n",buf);
           baseline+= 16;
+           free(buf);
       }
       fprintf(out,"restore\n");
       fprintf(out,"%% Done with keyboard %d\n",state->nPages+1);



hostname% /usr/bin/X11/xkbprint :0.0
zsh: segmentation fault  /usr/bin/X11/xkbprint :0.0
hostname% gdb --args /usr/bin/X11/xkbprint :0.0
(gdb) r
Starting program: /usr/X11R6/bin/xkbprint :0.0
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0x08002968 in ?? ()
(gdb)
hostname% file /usr/bin/X11/xkbprint

/usr/bin/X11/xkbprint: ELF 32-bit LSB executable, Intel 80386, version 1(SYSV), for GNU/Linux 2.2.0, dynamically linked (uses shared libs), stripped

hostname% file ./xkbprint

./xkbprint: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), forGNU/Linux 2.2.0, dynamically linked (uses shared libs), not stripped

hostname% gdb --args ./xkbprint :0.0
(gdb) r
Starting program: /tmp/xkbprint :0.0

Program received signal SIGSEGV, Segmentation fault.
0x4015fc2f in strlen () from /lib/libc.so.6
(gdb) bt
#0  0x4015fc2f in strlen () from /lib/libc.so.6
#1  0x401333a5 in vfprintf () from /lib/libc.so.6
#2  0x4013988f in fprintf () from /lib/libc.so.6

#3 0x0804cb2c in PSPageTrailer (out=0x80787f0, state=0xbffffb10) atpsgeom.c:838#4 0x0804fdd7 in GeometryToPostScript (out=0x80787f0, pResult=0xbffffb90,args=0x8071960) at psgeom.c:1785

#5  0x08051f12 in main (argc=2, argv=0xbffffc14) at xkbprint.c:740
(gdb) up
#1  0x401333a5 in vfprintf () from /lib/libc.so.6
(gdb) up
#2  0x4013988f in fprintf () from /lib/libc.so.6
(gdb) up

#3 0x0804cb2c in PSPageTrailer (out=0x80787f0, state=0xbffffb10) atpsgeom.c:838838 fprintf(out,"kbx kbdscalewidth 0 (%s) centeroffset popadd\n",name);

(gdb) print name
$1 = 0x8002968 <Address 0x8002968 out of bounds>
(gdb) break PSPageTrailer
Breakpoint 1 at 0x804c6d5: file psgeom.c, line 775.
(gdb) r

Starting program: /tmp/xkbprint :0.0

Breakpoint 1, PSPageTrailer (out=0x80787f0, state=0xbffffb10) atpsgeom.c:775

775         xkb= state->xkb;
(gdb) watch name
Hardware watchpoint 2: name
[...]
(gdb) c
Continuing.
Hardware watchpoint 2: name

Old value = 0x8072968 ""
New value = 0x8002968 <Address 0x8002968 out of bounds>
0x4014bffe in vsprintf () from /lib/libc.so.6
(gdb) bt
#0  0x4014bffe in vsprintf () from /lib/libc.so.6
#1  0x4013994d in sprintf () from /lib/libc.so.6

#2 0x0804caa5 in PSPageTrailer (out=0x80787f0, state=0xbffffb10) atpsgeom.c:830#3 0x0804fdd7 in GeometryToPostScript (out=0x80787f0, pResult=0xbffffb90,args=0x8071960) at psgeom.c:1785

#4  0x08051f12 in main (argc=2, argv=0xbffffc14) at xkbprint.c:740
(gdb) up
#1  0x4013994d in sprintf () from /lib/libc.so.6
(gdb) up

#2 0x0804caa5 in PSPageTrailer (out=0x80787f0, state=0xbffffb10) atpsgeom.c:830

830                 sprintf(buf,"Layout: %s",sName);
(gdb) print buf
$1 = "Layout: us(pc105)+altwin(meta_alt)+ct"
(gdb) reverse-search char.*buf
810                 char buf[40],*sName= NULL;
(gdb) q

[Applying patch and recompiling]

hostname% gdb --args ./xkbprint :0.0
(gdb) break psgeom.c:831
Breakpoint 1 at 0x804caca: file psgeom.c, line 831.
(gdb) r
Starting program: /tmp/xkbprint :0.0

Breakpoint 1, PSPageTrailer (out=0x8078830, state=0xbffffb10) atpsgeom.c:831

831                 asprintf(&buf,"Layout: %s",sName);
(gdb) n
(gdb) print buf

$1 = 0x807b1c0 "Layout:us(pc105)+altwin(meta_alt)+ctrl(nocaps)+compose(rwin)+group(switch)"

(gdb) c
Continuing.

Program exited normally.
(gdb) q

_________________________________________________________________

Express yourself instantly with MSN Messenger! Download today it's FREE!http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

--- End Message ---

--- Begin Message ---

To: Sebastian Rasmussen <sebras@hotmail.com>, 295015-done@bugs.debian.org
Subject: Re: Bug#295015: xkbprint segfaults when
From: Brice Goglin <Brice.Goglin@ens-lyon.org>
Date: Sun, 15 Apr 2007 22:11:48 +0200
Message-id: <46228704.4020107@ens-lyon.org>
In-reply-to: <[🔎] BAY139-F14CD1BAA95301CF5980CFBDB530@phx.gbl>
References: <[🔎] BAY139-F14CD1BAA95301CF5980CFBDB530@phx.gbl>

Sebastian Rasmussen wrote:
> I attempted to reproduce the bug with the packages that I currently
> have from Debian/testing, but failed to do so. Next I studied the
> relevant code in psgeom.c that I sent a patch for and it seems that
> somebody discovered the same flaw in that code and fixed it.

Ok good, I am closing this bug then.

> While attempting to reproduce the bug I may have found another
[...]
> The problem is probably that the setting ctrl(swapcaps) is truncated
> halfway through the setting to produce ctrl(swap. I believe that the
> trailng parenthesis fails to end the string as likely was assumed when
> developing the code. Do you want me to create a new bug report on this
> issue or is it better to handle this within this bug report?

Since the symptoms of this bug are different, I would rather not discuss
it here. I suggest you open a new bug, or directly report it upstream at
bugzilla.freedesktop.org (since I will have to forward the Debian bug
there anyway).

Thanks,
Brice

--- End Message ---

Reply to:

Prev by Date: Bug#406061: "X: user not authorized to run the X server, aborting"
Next by Date: Bug#418953: xserver-xorg: Xorg sporadically segfaults at system startup
Previous by thread: [bts-link] source package libxau
Next by thread: Bug#418953: xserver-xorg: Xorg sporadically segfaults at system startup
Index(es):
- Date
- Thread