Package: gv
Version: 1:3.7.4-1+b1
Severity: important

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

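It appears that when run on files with a long name, gv aborts. The file
name here should be ~150 bytes, well under the maximum (255 on ext4).
Note, though, that in the gdb trace below the string passed to strcpy in
file_getTmpFilename (file.c:148) is the full path rather than just the
file name, and the destination is reported as destlen=256, so it is the
length of the whole path that has to fit in that buffer.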

*** buffer overflow detected ***: gv terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7f0feab27bcb]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7f0feabb00b7]
/lib/x86_64-linux-gnu/libc.so.6(+0xf71f0)[0x7f0feabae1f0]
/lib/x86_64-linux-gnu/libc.so.6(+0xf6552)[0x7f0feabad552]
gv(+0x2c595)[0x55f60b964595]
gv(+0x3a00e)[0x55f60b97200e]
gv(+0x2ba18)[0x55f60b963a18]
gv(+0x30a1d)[0x55f60b968a1d]
gv(+0x18d07)[0x55f60b950d07]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f0feaad72b1]
gv(+0x19c3a)[0x55f60b951c3a]


I got a better backtrace running under valgrind:

**30866** *** strcpy_chk: buffer overflow detected ***: program terminated
==30866==    at 0x4C2E7AC: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6818)
==30866==    by 0x4C32F0E: __strcpy_chk (vg_replace_strmem.c:1439)
==30866==    by 0x134594: strcpy (string3.h:110)
==30866==    by 0x134594: file_getTmpFilename (file.c:148)
==30866==    by 0x14200D: psscan (ps.c:553)
==30866==    by 0x133A17: doc_scanFile (doc_misc.c:79)
==30866==    by 0x138A1C: setup_ghostview (misc.c:915)
==30866==    by 0x120D06: main (main.c:1238)


And even better with gdb:

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
        set = {__val = {0, 3472328296227680304, 3467824696768081952, 
3991990709698103840, 3975887029563254374, 3991990507837744742, 
8083248238249914416, 3472328296227680288, 2319406834570502192, 
7378697628689244208, 3256155514234889783, 7378645952437315127, 
3255383588231721057, 3472328296227676272, 3472339291342909488, 
2314885530818457632}}
        pid =
        tid =
#1  0x00007ffff692f40a in __GI_abort () at abort.c:89
        save_stage = 2
        act = {__sigaction_handler = {sa_handler = 0x2020202020202020, 
sa_sigaction = 0x2020202020202020}, sa_mask = {__val = {7795484802351636512, 
3917909816998060649, 3276497845987585332, 3615656491663847015, 
3966104962340237870, 7306639833582429798, 7378697426660503600, 
3472328529065424742, 3472310978873881120, 3467824696600309808, 
729636054439574064, 7234582441407964727, 7378645706714656869, 
3472387902693336678, 3467895053655089200, 140737488342064}}, sa_flags = 57, 
sa_restorer = 0x7fffffffcc30}
        sigs = {__val = {32, 0 }}
#2  0x00007ffff696bbd0 in __libc_message (do_abort=do_abort@entry=2, 
fmt=fmt@entry=0x7ffff6a5f19f "*** %s ***: %s terminated\n") at 
../sysdeps/posix/libc_fatal.c:175
        ap = {{gp_offset = 32, fp_offset = 32767, overflow_arg_area = 
0x7fffffffcc40, reg_save_area = 0x7fffffffcbd0}}
        fd = 5
        on_2 =
        list =
        nlist =
        cp =
        written =
#3  0x00007ffff69f40b7 in __GI___fortify_fail (msg=msg@entry=0x7ffff6a5f136 "buffer 
overflow detected") at fortify_fail.c:30
No locals.
#4  0x00007ffff69f21f0 in __GI___chk_fail () at chk_fail.c:28
No locals.
#5  0x00007ffff69f1552 in __strcpy_chk (dest=0x7fffffffcda0 "", src=0x555555833790 
"/home/anthony/Filing/.git/annex/objects/9j/jF/SHA512E-s335147--6ea0bee9e192016ff621417aaac619dc04cb10a712703848b719a35961ae9e9f1979ebe06485eb9e2070b0d67c3cfe9ffae3ac1af760fe45a0c8f3a4a68c167d.pdf/SHA5"...,
 destlen=256) at strcpy_chk.c:30
        len =
#6  0x0000555555580595 in strcpy (__src=0x555555833790 
"/home/anthony/Filing/.git/annex/objects/9j/jF/SHA512E-s335147--6ea0bee9e192016ff621417aaac619dc04cb10a712703848b719a35961ae9e9f1979ebe06485eb9e2070b0d67c3cfe9ffae3ac1af760fe45a0c8f3a4a68c167d.pdf/SHA5"...,
 __dest=0x7fffffffcda0 "") at /usr/include/x86_64-linux-gnu/bits/string3.h:110
No locals.
#7  file_getTmpFilename (baseDirectory=0x5555557eea70 "/tmp/", baseDirectory@entry=0x0, 
baseFilename=baseFilename@entry=0x555555833790 
"/home/anthony/Filing/.git/annex/objects/9j/jF/SHA512E-s335147--6ea0bee9e192016ff621417aaac619dc04cb10a712703848b719a35961ae9e9f1979ebe06485eb9e2070b0d67c3cfe9ffae3ac1af760fe45a0c8f3a4a68c167d.pdf/SHA5"...,
 filed=filed@entry=0x0) at file.c:148
        tempFilename = 
"h\341\377\367\377\177\000\000\300\314\377\377\377\177\000\000\062lUUUU\000\000\250\275\360\273\000\000\000\000\377\377\377\377\000\000\000\000k\213\071\376\000\000\000\000\370x\220\366\377\177\000\000\350\071\374\367\377\177\000\000`_\220\366\377\177\000\000\350\071\374\367\377\177\000\000\377\377\377\377\000\000\000\000\060\020\000\000\000\000\000\000
 
'\220\366\377\177\000\000\350\071\374\367\377\177\000\000\b\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000c\000\000\000o",
 '\000' , 
"\020\025|UUU\000\000c\337YUUU\000\000\020I\203UUU\000\000\000*\203UUU\000\000\220\067\203UUU\000\000\004\000\000\000\000\000\000\000"...
        tmpNameBuf = '\000' , '-' , 'P' , '\000' , "\377\377\000\377\377\377\377\377\377\377", 
'\000' , "\020\000\000\000\000\000\000\000\002", '\000' , 
"p\000\000\000\020I\203UUU\000\000\000\000\000\000\000\000\000\000w\000\000\000|\000\000\000\003\000\000\000\000\000\000\000\000;\311\366\377\177\000\000\020I\203UUU\000\000"...
        tmpName =
        tmpExt =
        pos =
        len = 4
#8  0x000055555558e00e in psscan (fileP=0x5555557ca7a8 , filename=0x555555833620 
"/home/anthony/Filing/.git/annex/objects/9j/jF/SHA512E-s335147--6ea0bee9e192016ff621417aaac619dc04cb10a712703848b719a35961ae9e9f1979ebe06485eb9e2070b0d67c3cfe9ffae3ac1af760fe45a0c8f3a4a68c167d.pdf/SHA5"...,
 filename_raw=0x555555833790 
"/home/anthony/Filing/.git/annex/objects/9j/jF/SHA512E-s335147--6ea0bee9e192016ff621417aaac619dc04cb10a712703848b719a35961ae9e9f1979ebe06485eb9e2070b0d67c3cfe9ffae3ac1af760fe45a0c8f3a4a68c167d.pdf/SHA5"...,
 filename_dscP=0x5555557ca250 , cmd_scan_pdf=cmd_scan_pdf@entry=0x555555832410 "gs -P- -dSAFER 
-dDELAYSAFER -dNODISPLAY -dQUIET -sPDFname=%s -sDSCname=%s %s pdf2dsc.ps -c quit", 
filename_uncP=filename_uncP@entry=0x5555557ca418 , cmd_uncompress=0x0, scanstyle=1, gv_gs_safeDir=1) at 
ps.c:553
        retval = 0x0
        tempfile = 0x0
        filename_dsc =
        dscpos =
        cmd = 
"H\006\374\367\377\177\000\000\026\000\000\000\000\000\000\000\060\321\377\377\000\000\000\000p\320\377\377\377\177\000\000@\321\377\377",
 '\000' , "\300\344\377\367\377\177\000\000@\321\377\377\377\177\000\000\000\000\000\000\000\000\000\000\001", '\000' , 
"h\321\377\377\377\177\000\000q.\336\367\377\177\000\000\004", '\000' , "\001", '\000' , 
"\001\000\000\000\000\000\000\000h\341\377\367\377\177\000\000[\000\000\000n", '\000' , 
"\300\344\377\367\377\177\000\000\260\320\377\377\377\177\000\000\000"...
        old_umask =
        tmp_filename =
        tmpfd =
        tmp_fd = -145879120
        quoted_filename =
        quoted_filename_dsc =
        pdfpos =
        s = 
"\200\001|UUU\000\000\320\322\377\377\377\177\000\000\260\322\377\377\377\177\000\000\000\321\335U\f:\351\211\060\003\203UUU\000\000\000\000\000\000\000\000\000\000\060\003\203UUU\000\000\260\063\200UUU\000\000\200\001|UUU\000\000\320\322\377\377\377\177\000\000\260\322\377\377\377\177\000\000
 PP\367\377\177\000\000", '\377' , 
"\000\000\000\000\000\000\000\000\377\377\377\377\377\377\377", '\000' , 
"#\004\000\000\000\000\000\000\254\322\377\377\377\177\000\000\320\322\377\377\377\177\000\000\000\321\335U\f:\351\211\060\003\203UUU\000\000\060\003\203UUU\000\000\320\322\377\377\377\177\000\000"...
        file =
        doc =
        bb_set = 0
        pages_set = 0
        page_order_set = 0
        orientation_set = 0
        page_bb_set = 0
        page_media_set = 0
        preread =
        i = 32767
        p =
        maxpages = 0
        nextpage = 1
        thispage =
        ignore = 0
        label =
        line = 0x555555834910 "%PDF-1.4\n"
        position = 0
        beginsection =
        line_len = 9
        section_len =
        next_char = 0x7ffff74e0fb0 ""
        cp =
        dmp =
        fd = 0x555555832a00
        respect_eof = 0
        ignore_dsc = 0
        b = "%PD"
#9  0x000055555557fa18 in doc_scanFile (fPP=, docP=0x5555557ca1e0 , filename=, filename_raw=, 
filename_dscP=, cmd_scan_pdf=cmd_scan_pdf@entry=0x555555832410 "gs -P- -dSAFER -dDELAYSAFER 
-dNODISPLAY -dQUIET -sPDFname=%s -sDSCname=%s %s pdf2dsc.ps -c quit", 
filename_uncP=0x5555557ca418 , cmd_uncompress=0x5555558036b0 "gzip -d -c %s > %s", 
scanstyle=1, gv_gs_safeDir=1) at doc_misc.c:79
        d = 0x0
        i =
        ret = 0
#10 0x0000555555584a1d in setup_ghostview () at misc.c:915
        tmp = 0x555555832410 "gs -P- -dSAFER -dDELAYSAFER -dNODISPLAY -dQUIET 
-sPDFname=%s -sDSCname=%s %s pdf2dsc.ps -c quit"
        src = 0x555555803566 ""
        dest =
        spaceFound =
        args = {{name = 0xffffffff00000000 , value = -1}, {name = 0x0, value = 
0}, {name = 0x0, value = 0}, {name = 0x0, value = 0}, {name = 0x0, value = 0}, 
{name = 0xffffffff00000000 , value = -1}, {name = 0x0, value = 0}, {name = 0x0, 
value = 0}, {name = 0x0, value = 93824992500720}, {name = 0x0, value = 
140737330208454}}
        n =
        oldtoc_entry_length = 0
        toc_length =
        tocp =
        bitmap =
        label =
#11 0x000055555556cd07 in main (argc=, argv=0x7fffffffe1f8) at main.c:1238
        cont_child = {0x5555558134c0, 0x55555581d8c0, 0x55555581f240, 
0x555555820720, 0x555555821810, 0x555555821ad0, 0x555555821f60, 0x555555824120, 
0x555555824a70, 0x555555825620, 0x555555825c30, 0x555555825ee0, 0x555555826190, 
0x555555827450, 0x5555558276c0, 0x555555827930, 0x555555827ba0, 0x555555827e10, 
0x555555828080, 0x555555828310, 0x555555828600, 0x555555828a20, 0x555555828e30, 
0x555555829500, 0x55555582a290, 0x55555582f310, 0x55555582f680, 0x7ffff7de2124 
, 0x1, 0x3, 0x7ffff7ffe700, 0x7ffff7ffa1a8, 0x7ffff7ffa2b0, 0x7ffff7de2963 , 
0x3, 0x7ffff7ffa2b0, 0x7ffff7ffe700, 0x7fffffffdc78, 0x7fffffffdc74, 
0x7fffffffdf28, 0x7ffff6a5dc15, 0x7ffff7de2124 , 0x7fffffffdc78, 0x1eb, 
0x7ffff7fc39e8, 0x7ffff68fed90, 0x7ffff690c038, 0x7ffff7de2963 , 0x1eb, 
0x7ffff690c038}
        cont_child_num = 27
        maximum_width =
        maximum_height =
        n = 9
        dim_forced =
        args = {{name = 0x55555559b98b "interpreter", value = 93824994961200}, {name = 0x55555559b983 "safeDir", value = 1}, {name = 0x55555559c6b7 "safer", value = 1}, {name = 0x55555559c706 
"quiet", value = 1}, {name = 0x5555555b50c3 "infoVerbose", value = 1}, {name = 0x5555555b508e "useBackingPixmap", value = 1}, {name = 0x5555555b514d "arguments", value = 93824995046992}, 
{name = 0x55555559b92d "lxdpi", value = 53957}, {name = 0x55555559b93f "lydpi", value = 53914}, {name = 0x7fffffffd9d0 "\216P[UUU", value = 140737351943412}, {name = 0x7ffff7bb5370 "\001", 
value = 140737351934175}, {name = 0x7ffff7fc43c0 "", value = 140737353890280}, {name = 0x0, value = 0}, {name = 0x0, value = 140737354098848}, {name = 0x7ffff7fc19e0 "", value = 140737353890280}, {name = 0x0, 
value = 140737488346912}, {name = 0x7fffffffdf1f "", value = 140737488345708}, {name = 0x0, value = -1088421888}, {name = 0xdf30666b7c96d8 , value = 140737354093776}, {name = 0x7fffffffdbd0 "\003", value = 
140737349753005}}
        number =
        c =
quit


- -- System Information:
Debian Release: 9.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'testing'), (500, 'stable'), (130, 'unstable'), (120, 'experimental'), (1, 
'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages gv depends on:
ii  ghostscript-x  9.20~dfsg-2
ii  libc6          2.24-9
ii  libx11-6       2:1.6.4-3
ii  libxinerama1   2:1.1.3-1+b3
ii  libxmu6        2:1.1.2-2
ii  libxt6         1:1.1.5-1
ii  xaw3dg         1.5+E-18.2

Versions of packages gv recommends:
ii  xaw3dg  1.5+E-18.2

gv suggests no packages.

- -- no debconf information
