On Thursday 08 December 2011 14:58:28 you wrote:
> Package: cuneiform
> Version: 1.1.0+dfsg-2
> Severity: normal
>
> Dear Maintainer,
>
> cuneiform notifies about a buffer overflow on some - but not all -
> pages. Try this:
>
> wget -O /tmp/cuneiform-bug.png \
> http://users.minet.uni-jena.de/~erik/test/cuneiform-bug.png && \
> cuneiform -l ger -f text -o bla.txt /tmp/cuneiform-bug.png
>
> With this text-only page, cuneiform prints a backtrace and a memory map:
>
> Cuneiform for Linux 1.1.0
> *** buffer overflow detected ***: cuneiform terminated
> ======= Backtrace: =========
> /lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7f9b0d7dfad7]
> /lib/x86_64-linux-gnu/libc.so.6(+0xe8990)[0x7f9b0d7de990]
> /usr/lib/x86_64-linux-gnu/cuneiform/libfon32.so.0(+0x20dd2)[0x7f9b05997dd2]
> [...]
>
> (abridged, because you can reproduce it by yourself)
>
> No output text file is generated then, but a temporary directory with
> some data files.
I played around with the package and could only find a workaround for me (see
attachment for the Debian package patch).
It seems that it only fails when -D_FORTIFY_SOURCE=2 is set and optimization
is enabled.
The way to reproduce it and get some debugging output:
# apt-get install cuneiform-common
# dget http://snapshot.debian.org/archive/debian/20120424T214447Z/pool/non-free/c/cuneiform/cuneiform_1.1.0%2Bdfsg-4.dsc
# mkdir cuneiform-1.1.0+dfsg/build
# cd cuneiform-1.1.0+dfsg/build
# cmake \
-DCMAKE_C_FLAGS="-D_FORTIFY_SOURCE=2 -O1" \
-DCMAKE_CXX_FLAGS="-D_FORTIFY_SOURCE=2 -O1" \
-DCMAKE_BUILD_TYPE=debug -DCMAKE_INSTALL_PREFIX=/usr ..
# make
# wget -O /tmp/cuneiform-bug.png \
http://users.minet.uni-jena.de/~erik/test/cuneiform-bug.png
# convert /tmp/cuneiform-bug.png /tmp/cuneiform-bug.bmp
# valgrind ./cuneiform -l ger -f text -o bla.txt /tmp/cuneiform-bug.bmp
**5154** *** memcpy_chk: buffer overflow detected ***: program terminated
==5154== at 0x402BE0C: ??? (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5154== by 0x402EB8A: __memcpy_chk (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5154== by 0x50BA458: MoveUpDownBitmap2 (string3.h:52)
==5154== by 0x50BA62C: Razmaz2 (p2_thick.c:309)
==5154== by 0x50AB1C3: FONRecog2Glue (dist_bou.c:1920)
==5154== by 0x4FDC170: RerecogInRect (p2_proc.c:1834)
==5154== by 0x4FDC457: GlueRerecog (p2_proc.c:1954)
==5154== by 0x4FDE436: p2_processWord (p2_proc.c:560)
==5154== by 0x4FDF57E: p2_proc (p2_proc.c:1270)
==5154== by 0x4EB1028: pass3 (pass3.c:776)
==5154== by 0x4EC22BD: RSTRRecognizeMain (rcm.c:1688)
==5154== by 0x4EC2571: RSTRRecognize (rcm.c:1370)
thanks,
Franz
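As an added illustration of the observation above (the abort only appears with -D_FORTIFY_SOURCE=2 and optimisation), here is a constructed C model of a bitmap row move; it is not cuneiform's MoveUpDownBitmap2, whose buffer layout is not visible here. BMP_W, BMP_H, naive_copy_len and shift_rows are assumed names: the first function keeps the kind of length arithmetic a fortified memcpy rejects, the second is the bounded copy that makes the check unnecessary.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: a bitmap of BMP_H rows of BMP_W one-byte pixels in a
 * fixed buffer. Not cuneiform's own data structure. */
#define BMP_W 8
#define BMP_H 4
#define BMP_BYTES (BMP_W * BMP_H)

/* The kind of length arithmetic that trips __memcpy_chk: a copy length that
 * grows with the shift instead of shrinking. When such a value feeds a memcpy
 * into a BMP_BYTES-sized object, gcc with -O1 -D_FORTIFY_SOURCE=2 knows the
 * destination size and aborts at run time; at -O0 __builtin_object_size is
 * not evaluated and the overflow silently corrupts memory, which matches the
 * report only failing with optimisation enabled. */
size_t naive_copy_len(int shift)
{
    int mag = shift < 0 ? -shift : shift;
    return (size_t)(BMP_H + mag) * BMP_W;   /* 40 for shift 1, buffer is 32 */
}

/* Bounded version: rows that leave the frame are dropped, vacated rows are
 * zeroed, and the span is derived so that dst_off + len <= BMP_BYTES for
 * every shift. Positive shift moves rows down, negative moves them up.
 * Returns the number of pixel bytes copied. */
size_t shift_rows(uint8_t dst[BMP_BYTES], const uint8_t src[BMP_BYTES], int shift)
{
    int mag = shift < 0 ? -shift : shift;
    memset(dst, 0, BMP_BYTES);
    if (mag >= BMP_H)                       /* everything shifted out of frame */
        return 0;
    size_t len = (size_t)(BMP_H - mag) * BMP_W;
    size_t dst_off = shift > 0 ? (size_t)mag * BMP_W : 0; /* down: start lower  */
    size_t src_off = shift < 0 ? (size_t)mag * BMP_W : 0; /* up: skip top rows  */
    memcpy(dst + dst_off, src + src_off, len);
    return len;
}

int main(void)
{
    uint8_t src[BMP_BYTES], dst[BMP_BYTES];
    for (int i = 0; i < BMP_BYTES; i++)
        src[i] = (uint8_t)(i + 1);          /* constructed pixel values 1..32 */
    printf("naive length for shift 1: %zu (buffer holds %d)\n",
           naive_copy_len(1), BMP_BYTES);
    printf("bounded copy for shift 1: %zu bytes\n", shift_rows(dst, src, 1));
    return 0;
}
```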
diff -Nru cuneiform-1.1.0+dfsg/debian/compat cuneiform-1.1.0+dfsg/debian/compat
--- cuneiform-1.1.0+dfsg/debian/compat 2011-11-09 19:19:32.000000000 +0100
+++ cuneiform-1.1.0+dfsg/debian/compat 2012-04-30 21:38:47.000000000 +0200
@@ -1 +1 @@
-8
+9
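Review bot: the compat bump from 8 to 9 is not explained anywhere in the patch and debian/changelog is not touched; in compat 9 dh exports the dpkg-buildflags CFLAGS/CXXFLAGS/LDFLAGS into the build environment, which overlaps with the explicit -DCMAKE_C_FLAGS/-DCMAKE_CXX_FLAGS options debian/rules still passes, so please add a changelog entry stating which compat 9 behaviour is actually needed, or keep compat 8 if the hardening flags are the only goal, since those come from dpkg-buildflags rather than from debhelper.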
diff -Nru cuneiform-1.1.0+dfsg/debian/control cuneiform-1.1.0+dfsg/debian/control
--- cuneiform-1.1.0+dfsg/debian/control 2012-04-24 00:12:22.000000000 +0200
+++ cuneiform-1.1.0+dfsg/debian/control 2012-04-30 21:39:13.000000000 +0200
@@ -2,7 +2,7 @@
Section: non-free/graphics
Priority: optional
Maintainer: Jakub Wilk <jw...@debian.org>
-Build-Depends: debhelper (>= 8.1.3), dpkg-dev (>= 1.16), cmake (>= 2.8.2),
+Build-Depends: debhelper (>= 9.20120417), dpkg-dev (>= 1.16), cmake (>= 2.8.2),
libgraphicsmagick++1-dev, pkg-config
Standards-Version: 3.9.3
Homepage: http://launchpad.net/cuneiform-linux/
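Review bot: the Build-Depends bump only covers debhelper, while the debian/rules part of this patch also includes /usr/share/dpkg/buildflags.mk and uses DEB_BUILD_MAINT_OPTIONS=hardening=..., both of which were introduced in dpkg-dev 1.16.1; dpkg-dev (>= 1.16) is left unchanged and would let the package build-depend on a dpkg-dev that lacks the file. Bump it to dpkg-dev (>= 1.16.1) in the same line.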
diff -Nru cuneiform-1.1.0+dfsg/debian/rules cuneiform-1.1.0+dfsg/debian/rules
--- cuneiform-1.1.0+dfsg/debian/rules 2012-04-23 23:54:34.000000000 +0200
+++ cuneiform-1.1.0+dfsg/debian/rules 2012-04-30 21:45:24.000000000 +0200
@@ -1,22 +1,26 @@
#!/usr/bin/make -f
+export DEB_BUILD_MAINT_OPTIONS=hardening=+all,-pie
+export DEB_CFLAGS_MAINT_APPEND=-O0
+export DEB_CXXFLAGS_MAINT_APPEND=-O0
+export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed
+
here = $(dir $(firstword $(MAKEFILE_LIST)))/..
upstream_version = $(shell cd $(here) && dpkg-parsechangelog | sed -n -r -e '/^Version: ([0-9.]+)([+]dfsg).*/ { s//\1/; p; q; }')
DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
-CFLAGS = $(shell dpkg-buildflags --get CFLAGS) $(shell dpkg-buildflags --get CPPFLAGS)
-CXXFLAGS = $(shell dpkg-buildflags --get CXXFLAGS) $(shell dpkg-buildflags --get CPPFLAGS)
-LDFLAGS = $(shell dpkg-buildflags --get LDFLAGS) -Wl,--as-needed
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
cmake_options = \
-DCMAKE_INSTALL_PREFIX=/usr \
-DCMAKE_VERBOSE_MAKEFILE=ON \
-DCMAKE_BUILD_TYPE=relwithdebinfo \
- -DCMAKE_C_FLAGS_RELWITHDEBINFO="$(CFLAGS)" \
- -DCMAKE_CXX_FLAGS_RELWITHDEBINFO="$(CXXFLAGS)" \
- -DCMAKE_SHARED_LINKER_FLAGS_RELWITHDEBINFO="$(LDFLAGS)" \
- -DCMAKE_EXE_LINKER_FLAGS_RELWITHDEBINFO="$(LDFLAGS)" \
+ -DCMAKE_C_FLAGS="$(CFLAGS)" \
+ -DCMAKE_CXX_FLAGS="$(CXXFLAGS)" \
+ -DCMAKE_SHARED_LINKER_FLAGS="$(LDFLAGS)" \
+ -DCMAKE_EXE_LINKER_FLAGS="$(LDFLAGS)" \
-DCMAKE_INSTALL_RPATH=/usr/lib/$(DEB_HOST_MULTIARCH)/cuneiform
parallel = -j$(or $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS))),1)
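Review bot: DEB_CFLAGS_MAINT_APPEND=-O0 and DEB_CXXFLAGS_MAINT_APPEND=-O0 disable optimisation for the whole shipped package, which silences the __memcpy_chk abort in MoveUpDownBitmap2 (the fortify check needs -O1 or higher to compute object sizes) without fixing the overflow; the out-of-bounds write still happens, it is just no longer detected. Treat this as a debugging aid rather than the fix and keep the call site in the backtrace (p2_thick.c:309 / dist_bou.c:1920) as the thing to repair. Also check in the verbose build log (CMAKE_VERBOSE_MAKEFILE=ON is already set) that the -O0 takes effect at all: CMAKE_BUILD_TYPE stays relwithdebinfo, and CMake appends its default CMAKE_C_FLAGS_RELWITHDEBINFO (-O2 -g) after CMAKE_C_FLAGS, where the later -O2 wins.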