The buffer for printing large negative values is one byte too small as
can be seen below when trying to print LONG_MIN:
$ printf "%lld" $[0x8000000000000000] | wc -c
20
The number already needs 20 bytes, plus the '\0' terminator makes it 21
bytes. This results in a buffer overflow that gets detected by the
_FORTIFY_SOURCE logic and, in turn, ends up in an abort(3) call.
Resize the buffer to 22 bytes to have yet another spare byte.
Signed-off-by: Mathias Krause <minipli@xxxxxxxxxxxxxx>
---
This commit should probably be backported to, at least, the
trace-cmd-stable-v2.6 branch as I ran into the issue there by using the
stock Debian/testing version of trace-cmd, trying to do a 'trace-cmd report'
on a large trace file.
---
lib/traceevent/event-parse.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/traceevent/event-parse.c b/lib/traceevent/event-parse.c
index 6f7f4be3c4ea..a8a4366d51cc 100644
--- a/lib/traceevent/event-parse.c
+++ b/lib/traceevent/event-parse.c
@@ -2457,7 +2457,7 @@ static int arg_num_eval(struct tep_print_arg *arg, long long *val)
static char *arg_eval (struct tep_print_arg *arg)
{
long long val;
- static char buf[20];
+ static char buf[22];
switch (arg->type) {
case TEP_PRINT_ATOM:
--
2.20.1
|