Daniel P. Berrange wrote:
On Tue, Dec 11, 2007 at 09:57:57PM +0100, Hans de Goede wrote:
Hi,
I just received a bug report with a backtrace generated by glibc attached:
https://bugzilla.redhat.com/attachment.cgi?id=284591
Looks like a real bug however the reporter doesn't know exactly what he did
to trigger this, so now I want to convert the backtrace glibc generated
into one with filenames and line numbers for the addresses of the xfig
stack frames.
Can anyone tell me how to do this?
The following seems to work....
# yum --enablerepo=development-debuginfo install xfig-debuginfo
# gdb /usr/bin/xfig-plain
(gdb) list *0x4a3909
0x4a3909 is in reset_topruler (/usr/include/bits/stdio2.h:34).
29
30 #ifdef __va_arg_pack
31 __extern_always_inline int
32 __NTH (sprintf (char *__restrict __s, __const char *__restrict __fmt, ...))
33 {
34 return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
35 __bos (__s), __fmt, __va_arg_pack ());
36 }
37 #elif !defined __cplusplus
38 # define sprintf(str, ...) \
So the code is a sprintf call from the reset_topruler method.
Looking at that method, we can see a likely candidate:
(gdb) list reset_topruler
1160 /* Note: For reset_top/sideruler to work properly, the value of skip should be
1161 * such that (skip/ruler_unit) is an integer or (ruler_unit/skip) is an integer.
1162 */
1163
1164 void reset_topruler(void)
1165 {
1166 register int i,k;
1167 register tick_info* tk;
1168 register Pixmap p = topruler_pm;
1169 char number[6];
(gdb) list +
1170 int X0,len;
1171 int tickmod, tickskip;
1172
1173 /* top ruler, adjustments for digits are kludges based on 6x13 char */
1174 XFillRectangle(tool_d, p, tr_erase_gc, 0, 0, TOPRULER_WD, TOPRULER_HT);
1175
1176 /* set the number of pixels to skip between labels and precision for float */
1177 get_skip_prec();
1178
1179 X0 = BACKX(0);
(gdb) list +
1180 X0 -= (X0 % skip);
1181 tickmod = (int) round(ruler_unit/appres.userscale);
1182 if (tickmod == 0)
1183 tickmod = 1;
1184
1185 /* see how big a label is to adjust spacing, if necessary */
1186 sprintf(number, "%d%s", (X0+(int)((TOPRULER_WD/zoomscale)))/tickmod, cur_fig_units);
1187 len = XTextWidth(roman_font, number, strlen(number));
1188 while (skipx < (len + 5)/zoomscale) {
1189 skip *= 2;
Line 1186 is printing a string into a fixed length buffer with no
checking. A clear buffer overflow candidate there if the combo of
the ruler size & the figure units are longer than 5 characters :-(
Regards,
Dan.
Many thanks!
A fixed version is building now :)
Regards,
Hans
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
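The overflow Dan points at, as an added example that is not part of the thread or of xfig's own code. The listing above shows the crash was caught by glibc's fortified __builtin___sprintf_chk because reset_topruler formats "%d%s" into char number[6] with plain sprintf. The block below keeps that buffer size, computes how many bytes the unbounded sprintf would write for a given ruler value and units string, and beside it puts a bounded formatter that cannot run past the array and reports truncation to the caller. The helper names label_len, label_fits, format_label and bounded_label_outcome, the NUMBER_LEN macro and the sample inputs are assumptions made here; the page does not show what Hans's actual fix looks like.

```c
#include <stdio.h>
#include <string.h>

/* xfig declares the label as "char number[6]": five characters plus the
 * terminating NUL.  Same size here so the arithmetic matches the thread. */
#define NUMBER_LEN 6

/* How many bytes sprintf("%d%s", value, units) would write, not counting
 * the NUL.  snprintf(NULL, 0, ...) computes the length without writing. */
int label_len(int value, const char *units)
{
    return snprintf(NULL, 0, "%d%s", value, units);
}

/* 1 if the unbounded sprintf at xfig's line 1186 would stay inside
 * number[6], 0 if it would write past the end of the array. */
int label_fits(int value, const char *units)
{
    return label_len(value, units) < NUMBER_LEN;
}

/* Bounded replacement for that sprintf (hypothetical helper, not xfig's fix).
 * Never writes more than n bytes and always NUL-terminates; returns 0 when
 * the whole label fit and -1 when it had to be truncated, so the caller can
 * react instead of silently drawing a clipped label. */
int format_label(char *buf, size_t n, int value, const char *units)
{
    int needed;
    if (n == 0)
        return -1;
    needed = snprintf(buf, n, "%d%s", value, units);
    if (needed < 0) {            /* encoding error: leave an empty string */
        buf[0] = '\0';
        return -1;
    }
    return (size_t)needed < n ? 0 : -1;
}

/* Run format_label into a buffer sized like xfig's and compare with expect.
 * Returns 1 if the label fit and matches, 0 if it was truncated but the
 * truncated text matches, -1 if the buffer contents differ from expect. */
int bounded_label_outcome(int value, const char *units, const char *expect)
{
    char number[NUMBER_LEN];
    int rc = format_label(number, sizeof number, value, units);
    if (strcmp(number, expect) != 0)
        return -1;
    return rc == 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed inputs: a small ruler value, and two that need 7 bytes. */
    struct { int value; const char *units; } cases[] = {
        { 12, "in" }, { 12345, "in" }, { -1234, "cm" },
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        char number[NUMBER_LEN];
        int rc = format_label(number, sizeof number, cases[i].value, cases[i].units);
        printf("%d%s -> needs %d bytes, %s number[%d], bounded result \"%s\"%s\n",
               cases[i].value, cases[i].units,
               label_len(cases[i].value, cases[i].units) + 1,
               label_fits(cases[i].value, cases[i].units) ? "fits in" : "overflows",
               NUMBER_LEN, number, rc == 0 ? "" : " (truncated)");
    }
    return 0;
}
```

Build with gcc -std=c99 -Wall and run it to see the per-input accounting. The return value of format_label matters: with snprintf alone a label such as "12345in" is clipped to "12345" without any sign of it, which is safe but wrong for the ruler, so the caller in reset_topruler would want either a larger buffer sized from label_len or a check on that -1.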