tags 374708 upstream patch
thanks

On Tuesday 20 June 2006 at 22:11:41, Ludovic Rousseau wrote:
> A mail from cron:
>
> /etc/cron.daily/man-db:
> *** glibc detected *** free(): invalid next size (fast): 0x080decf8 ***
> /etc/cron.daily/man-db: line 33: 3644 Aborted
> start-stop-daemon --start --pidfile /dev/null --startas /usr/bin/mandb
> --oknodo --chuid man -- --no-purge --quiet
> run-parts: /etc/cron.daily/man-db exited with return code 134
The bug is classic: an off-by-one buffer overflow. The function make_content() in libdb/db_lookup.c calculates the size needed for cont.dptr but forgets to include the final NUL byte. Please apply this proposed patch.

diff -r --unified=10 man-db-2.4.3/libdb/db_lookup.c man-db-2.4.3.new/libdb/db_lookup.c --- man-db-2.4.3/libdb/db_lookup.c 2003-11-16 19:46:47.000000000 +0100 +++ man-db-2.4.3.new/libdb/db_lookup.c 2006-07-01 13:40:12.000000000 +0200 @@ -254,21 +254,21 @@ in->whatis = dash + 1; cont.dsize = strlen (dash_if_unset (in->name)) + strlen (in->ext) + strlen (in->sec) + /* strlen (in->_st_mtime) */ + 11 + /* strlen (in->id) */ + 1 + strlen (in->pointer) + strlen (in->filter) + strlen (in->comp) + - strlen (in->whatis) + 8; + strlen (in->whatis) + 8 +1; cont.dptr = (char *) xmalloc (cont.dsize); #ifdef ANSI_SPRINTF cont.dsize = 1 + sprintf (cont.dptr, "%s\t%s\t%s\t%ld\t%c\t%s\t%s\t%s\t%s", dash_if_unset (in->name), in->ext, in->sec, in->_st_mtime, in->id, in->pointer,

--
Dr. Ludovic Rousseau [EMAIL PROTECTED]
-- Standardizing Unix is like pasteurizing camembert, L.R. --
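Review bot: the `+ 8 +1` at the end of the `cont.dsize` sum should be spaced `+ 8 + 1` like the other terms, and it deserves a comment in the style of the existing `/* strlen (in->_st_mtime) */` annotations, e.g. `+ 1 /* trailing NUL */`, so the next reader does not fold it back into the 8. The 8 is the count of `\t` separators in the format string, which has nine conversions and eight tabs, so the NUL really was unaccounted for; the `#ifdef ANSI_SPRINTF` branch below already stores `1 + sprintf (...)` back into `cont.dsize`, so the allocated and recorded sizes now agree. One caveat worth a comment: the `+ 11` reserved for `%ld` is the full width of a 32-bit `long` (for example `-2147483648`), so with a shorter mtime the old formula had spare bytes and only the full-width case was actually one byte short, which is why the NUL needs to be counted explicitly rather than left to that slack; the same fixed allowance is also too small for a 64-bit `long`, which can print up to 20 characters.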
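As an added example, not code from man-db or from this report, here is a self-contained C check of the size arithmetic in the hunk: it compares the pre-patch and patched hand counts with what sprintf actually writes, measured with snprintf(NULL, 0, ...), and builds the record with snprintf so an undersized buffer is refused instead of overrun. Only the format string and the 11/1/8 constants come from the patch; the struct entry, the sample records and the dash_if_unset() stand-in are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not man-db code. Field names follow the hunk; the struct
 * layout is assumed. */
struct entry {
    const char *name, *ext, *sec;
    long mtime;                 /* in->_st_mtime, printed with %ld */
    char id;                    /* in->id, printed with %c */
    const char *pointer, *filter, *comp, *whatis;
};

/* The format string from the hunk: nine conversions separated by eight tabs. */
#define RECORD_FMT "%s\t%s\t%s\t%ld\t%c\t%s\t%s\t%s\t%s"

/* Assumed stand-in for man-db's dash_if_unset(): "-" when the field is NULL. */
static const char *dash_if_unset(const char *s)
{
    return s ? s : "-";
}

/* Sum of the variable-length string fields, common to both hand counts. */
static size_t string_fields(const struct entry *e)
{
    return strlen(dash_if_unset(e->name)) + strlen(e->ext) + strlen(e->sec)
         + strlen(e->pointer) + strlen(e->filter) + strlen(e->comp)
         + strlen(e->whatis);
}

/* Pre-patch hand count: 11 bytes reserved for %ld, 1 for %c, 8 tabs, no NUL. */
size_t size_prepatch(const struct entry *e)
{
    return string_fields(e) + 11 + 1 + 8;
}

/* Patched hand count: the same sum plus the terminating NUL. */
size_t size_patched(const struct entry *e)
{
    return size_prepatch(e) + 1;
}

/* What sprintf actually needs: measure with snprintf(NULL, 0, ...) and add
 * one byte for the NUL. This is the check to run against any hand count. */
size_t size_measured(const struct entry *e)
{
    int n = snprintf(NULL, 0, RECORD_FMT, dash_if_unset(e->name), e->ext, e->sec,
                     e->mtime, e->id, e->pointer, e->filter, e->comp, e->whatis);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Format the record into a buffer of `size` bytes. snprintf never writes past
 * the end; if it reports that the record did not fit, the caller gets NULL
 * instead of a truncated (or, with sprintf, overflowed) record. */
char *build_record(const struct entry *e, size_t size)
{
    char *buf = malloc(size ? size : 1);
    if (!buf)
        return NULL;
    int n = snprintf(buf, size, RECORD_FMT, dash_if_unset(e->name), e->ext, e->sec,
                     e->mtime, e->id, e->pointer, e->filter, e->comp, e->whatis);
    if (n < 0 || (size_t)n >= size) {      /* needed n + 1 bytes, had only size */
        free(buf);
        return NULL;
    }
    return buf;
}

/* 1 if a record built into `size` bytes fits, 0 otherwise. */
int record_fits(const struct entry *e, size_t size)
{
    char *r = build_record(e, size);
    if (!r)
        return 0;
    free(r);
    return 1;
}

/* Constructed sample entries, not real index data. The first has the usual
 * 10-digit mtime; the second makes %ld print all 11 characters the old count
 * reserved for it, which is where the missing NUL byte shows. */
const struct entry sample_2006 = { "ls", "1", "1", 1150830701L, '-', "-", "-", "gz", "list directory contents" };
const struct entry sample_edge = { "ls", "1", "1", -1234567890L, '-', "-", "-", "gz", "list directory contents" };

int main(void)
{
    const struct entry *samples[] = { &sample_2006, &sample_edge };
    for (size_t i = 0; i < 2; i++) {
        const struct entry *e = samples[i];
        printf("mtime %ld: pre-patch %zu, patched %zu, measured %zu, old size fits: %s\n",
               e->mtime, size_prepatch(e), size_patched(e), size_measured(e),
               record_fits(e, size_prepatch(e)) ? "yes" : "no");
    }
    return 0;
}
```

With the 10-digit mtime the old count and the measured size coincide, because the 11-byte allowance for %ld left one spare byte that happened to hold the NUL; with the 11-character mtime the old count is exactly one byte short and build_record() refuses it, while the patched count matches the measured size. Measuring with snprintf(NULL, 0, ...) is the check that catches this class of arithmetic slip regardless of how the fields are counted.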