On Tue, Dec 11, 2007 at 09:57:57PM +0100, Hans de Goede wrote:
> Hi,
>
> I just received a bug report with a backtrace generated by glibc attached:
> https://bugzilla.redhat.com/attachment.cgi?id=284591
>
> Looks like a real bug however the reporter doesn't know exactly what he did
> to trigger this, so now I want to convert the backtrace glibc generated
> into one with filenames and line numbers for the addresses of the xfig
> stack frames.
>
> Can anyone tell me how to do this?

The following seems to work....

# yum --enablerepo=development-debuginfo install xfig-debuginfo
# gdb /usr/bin/xfig-plain

(gdb) list *0x4a3909
0x4a3909 is in reset_topruler (/usr/include/bits/stdio2.h:34).
29
30      #ifdef __va_arg_pack
31      __extern_always_inline int
32      __NTH (sprintf (char *__restrict __s, __const char *__restrict __fmt, ...))
33      {
34        return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
35                                        __bos (__s), __fmt, __va_arg_pack ());
36      }
37      #elif !defined __cplusplus
38      # define sprintf(str, ...) \

So the code is a sprintf call from the reset_topruler method. Looking at
that method, we can see a likely candidate:

(gdb) list reset_topruler
1160    /* Note: For reset_top/sideruler to work properly, the value of skip should be
1161     * such that (skip/ruler_unit) is an integer or (ruler_unit/skip) is an integer.
1162     */
1163
1164    void reset_topruler(void)
1165    {
1166        register int i,k;
1167        register tick_info* tk;
1168        register Pixmap p = topruler_pm;
1169        char number[6];
(gdb) list +
1170        int X0,len;
1171        int tickmod, tickskip;
1172
1173        /* top ruler, adjustments for digits are kludges based on 6x13 char */
1174        XFillRectangle(tool_d, p, tr_erase_gc, 0, 0, TOPRULER_WD, TOPRULER_HT);
1175
1176        /* set the number of pixels to skip between labels and precision for float */
1177        get_skip_prec();
1178
1179        X0 = BACKX(0);
(gdb) list +
1180        X0 -= (X0 % skip);
1181        tickmod = (int) round(ruler_unit/appres.userscale);
1182        if (tickmod == 0)
1183            tickmod = 1;
1184
1185        /* see how big a label is to adjust spacing, if necessary */
1186        sprintf(number, "%d%s", (X0+(int)((TOPRULER_WD/zoomscale)))/tickmod, cur_fig_units);
1187        len = XTextWidth(roman_font, number, strlen(number));
1188        while (skipx < (len + 5)/zoomscale) {
1189            skip *= 2;

Line 1186 is printing a string into a fixed length buffer with no checking.
A clear buffer overflow candidate there if the combo of the ruler size &
the figure units are longer than 5 characters :-(

Regards,
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=|

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
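The stdio2.h frame in the backtrace is glibc's _FORTIFY_SOURCE wrapper: the compiler knows `number` is 6 bytes, so the unbounded sprintf on line 1186 is routed through `__sprintf_chk`, which aborts the process when the formatted label does not fit. The C program below is an added illustration written for this page, not code from xfig or from the thread. It measures how many bytes the `"%d%s"` label needs for a given value/units pair, shows which pairs would run past a 6-byte buffer, and pairs that with a bounded `snprintf` version that reports truncation to the caller. `RULER_LABEL_SIZE`, `format_ruler_label` and the sample inputs are assumptions made here; the real expression `(X0+(int)((TOPRULER_WD/zoomscale)))/tickmod` is replaced by a plain integer.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Size of the label buffer in xfig's reset_topruler: char number[6]. */
#define RULER_LABEL_SIZE 6

/* Bytes needed, including the terminating NUL, to print "%d%s" for this
 * value/units pair. snprintf with a NULL buffer and size 0 only measures;
 * nothing is written anywhere. */
static size_t ruler_label_needed(int value, const char *units)
{
    int n = snprintf(NULL, 0, "%d%s", value, units);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* 1 if an unbounded sprintf of this label would run past a
 * RULER_LABEL_SIZE-byte buffer, 0 if it fits. */
static int ruler_label_overflows(int value, const char *units)
{
    return ruler_label_needed(value, units) > RULER_LABEL_SIZE;
}

/* Hypothetical hardened replacement for the sprintf call (not xfig's
 * code): the write is bounded by bufsz, and the caller is told when the
 * label did not fit instead of the stack being silently overwritten.
 * Returns 0 on success, -1 on truncation; buf is always NUL-terminated
 * when bufsz > 0. */
static int format_ruler_label(char *buf, size_t bufsz, int value,
                              const char *units)
{
    int n = snprintf(buf, bufsz, "%d%s", value, units);
    if (n < 0 || (size_t)n >= bufsz)
        return -1;
    return 0;
}

/* Status (0 / -1) of the bounded write into a RULER_LABEL_SIZE buffer. */
static int bounded_label_status(int value, const char *units)
{
    char number[RULER_LABEL_SIZE];
    return format_ruler_label(number, sizeof number, value, units);
}

/* Length of whatever the bounded write left in the buffer; never
 * exceeds RULER_LABEL_SIZE - 1, even when the label was too long. */
static size_t bounded_label_len(int value, const char *units)
{
    char number[RULER_LABEL_SIZE];
    format_ruler_label(number, sizeof number, value, units);
    return strlen(number);
}

int main(void)
{
    /* Constructed inputs, not values taken from the bug report. */
    static const struct { int value; const char *units; } cases[] = {
        {    12, "in" },   /* "12in"    fits                 */
        {   999, "cm" },   /* "999cm"   fits exactly         */
        {  1000, "cm" },   /* "1000cm"  one byte too long    */
        { 54321, "mm" },   /* "54321mm" two bytes too long   */
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        char number[RULER_LABEL_SIZE];
        int rc = format_ruler_label(number, sizeof number,
                                    cases[i].value, cases[i].units);
        printf("%d%-3s needs %2zu bytes: sprintf would %s, snprintf %s \"%s\"\n",
               cases[i].value, cases[i].units,
               ruler_label_needed(cases[i].value, cases[i].units),
               ruler_label_overflows(cases[i].value, cases[i].units)
                   ? "overflow" : "be safe",
               rc == 0 ? "wrote" : "truncated to", number);
    }
    return 0;
}
```

The measuring call (`snprintf(NULL, 0, ...)`) is the same check a reviewer can do by hand from the listing: five characters plus the NUL is the most `number[6]` holds, so any ruler value of four or more digits combined with a two-letter unit, or any longer unit string, is enough to trip the fortify check. Truncation is still a bug in its own right (the ruler label would be wrong), which is why the bounded version returns -1 rather than hiding it; sizing the buffer for the largest label the ruler can produce is the real fix.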