Joey,

On Sat, Apr 23, 2005 at 10:50:15AM +0200, Christian T. Steigies wrote:
> Package: f2c
> Version: 20020621-3.2
> Severity: serious
> Justification: segfaults on m68k which causes r-base build to fail (and 
> probably others as well)

> On m68k, r-base and a few other packages need f2c to build. The latest
> release of R fails to build on m68k with f2c segfaulting:

> http://buildd.debian.org/fetch.php?&pkg=r-base&ver=2.1.0-1&arch=m68k&stamp=1114147840&file=log&as=raw

> I assume this is due to a bug in f2c, since with the f2c that was installed
> in the successful build, ch2inv.f can be compiled, whereas with the f2c that
> is currently in incoming, it can not.

> [EMAIL PROTECTED]:/data/gleep/r-base-2.1.0/src/appl>strace f2c  < ch2inv.f
> execve("/usr/bin/f2c", ["f2c"], [/* 36 vars */]) = 0
> uname({sys="Linux", node="aahz", ...})  = 0
> brk(0)                                  = 0x800352e4
> access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
> open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
> open("/etc/ld.so.cache", O_RDONLY)      = 3
> fstat64(3, {st_mode=020151000000, st_size=104135777062912, ...}) = 0
> old_mmap(NULL, 24246, PROT_READ, MAP_PRIVATE, 3, 0) = 0xc0013000
> close(3)                                = 0
> access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
> open("/lib/libc.so.6", O_RDONLY)        = 3
> read(3, "\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\4\0\0\0\1\0\1\317"..., 512) = 512
> fstat64(3, {st_mode=020151000000, st_size=4214067292016640, ...}) = 0
> old_mmap(NULL, 992864, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xc0019000
> old_mmap(0xc0103000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xe8000) = 0xc0103000
> old_mmap(0xc0109000, 9824, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xc0109000
> close(3)                                = 0
> munmap(0xc0013000, 24246)               = 0
> brk(0)                                  = 0x800352e4
> brk(0x800562e4)                         = 0x800562e4
> brk(0)                                  = 0x800562e4
> brk(0x80057000)                         = 0x80057000
> --- SIGSEGV (Segmentation fault) ---
> +++ killed by SIGSEGV +++

This looks like a pretty serious regression in the latest security NMU of
f2c.  The code now reads:

char *c_functions       = "c_functions";
char *coutput           = "c_output";
char *initfname         = "raw_data";
char *initbname         = "raw_data.b";
char *blkdfname         = "block_data";
char *p1_file           = "p1_file";
char *p1_bakfile        = "p1_file.BAK";
char *sortfname         = "init_file";
char *proto_fname       = "proto_file";

[...]

void
set_tmp_names(Void)
{
#ifdef MSDOS
[...]
#else
        sprintf(c_functions, "%s/f2c_func_XXXXXX", tmpdir);
        sprintf(initfname,   "%s/f2c_rc_XXXXXX", tmpdir);
        sprintf(initbname,   "%s/f2c_rc.b_XXXXXX", tmpdir);
        sprintf(blkdfname,   "%s/f2c_blkd_XXXXXX", tmpdir);
        sprintf(p1_file,     "%s/f2c_p1f_XXXXXX", tmpdir);
        sprintf(p1_bakfile,  "%s/f2c_p1fb_XXXXXX", tmpdir);
        sprintf(sortfname,   "%s/f2c_sort_XXXXXX", tmpdir);
#endif
[...]
}

which is an obvious overflow condition.

AFAICT, the initialization of these strings is completely inappropriate, and
should be replaced with a sensibly-sized buffer, followed by the use of
snprintf() instead of sprintf().  Would you (or Dan McMahill, if that's
where this patch came from) care to fix this up, or would you like me to
prepare a patch?

Thanks,
-- 
Steve Langasek
postmodern programmer

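Added example, not code from f2c or from the NMU under discussion: the same seven temporary names built the way the message suggests, with writable fixed-size buffers in place of pointers to string literals and snprintf() in place of sprintf(). Two defects collapse into that one fix. Writing through a pointer to a string literal is undefined behaviour in C, and on toolchains that place literals in a read-only section the very first sprintf() faults whatever its length; and even where the literal is writable, "c_functions" provides 12 bytes of storage while "/tmp/f2c_func_XXXXXX" needs 21. The buffer size TMPNAME_MAX, the _safe suffix, and the helper names are assumptions made for this example.

```c
/* Added example, not f2c's code: the temp-name setup from the quoted
 * set_tmp_names(), rebuilt on writable fixed-size buffers with snprintf()
 * and an explicit truncation check.  TMPNAME_MAX and the helper names are
 * assumptions for this example. */
#include <stdio.h>
#include <string.h>
#include <limits.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif
#define TMPNAME_MAX PATH_MAX   /* assumed: a full path is the upper bound */

/* Writable storage of known size, instead of `char *x = "literal";`.
 * mkstemp(3) also needs a writable template, which `char *` to a literal
 * could never satisfy. */
static char c_functions[TMPNAME_MAX];
static char initfname[TMPNAME_MAX];
static char initbname[TMPNAME_MAX];
static char blkdfname[TMPNAME_MAX];
static char p1_file[TMPNAME_MAX];
static char p1_bakfile[TMPNAME_MAX];
static char sortfname[TMPNAME_MAX];

/* Format "<tmpdir>/<suffix>" into dst[size].  snprintf() never writes past
 * dst[size-1] and returns the length it *wanted*, so a return value >= size
 * means the name did not fit.  Returns 0 on success, -1 on truncation. */
static int fmt_tmp_name(char *dst, size_t size,
                        const char *tmpdir, const char *suffix)
{
    int n = snprintf(dst, size, "%s/%s", tmpdir, suffix);
    if (n < 0 || (size_t)n >= size) {
        dst[0] = '\0';          /* never leave a half-written path behind */
        return -1;
    }
    return 0;
}

/* Counterpart of the quoted set_tmp_names(): 0 if every name was built,
 * -1 if any would have overflowed; the caller must then refuse to go on
 * rather than use whatever ended up in the buffers. */
int set_tmp_names_safe(const char *tmpdir)
{
    int rc = 0;
    rc |= fmt_tmp_name(c_functions, sizeof c_functions, tmpdir, "f2c_func_XXXXXX");
    rc |= fmt_tmp_name(initfname,   sizeof initfname,   tmpdir, "f2c_rc_XXXXXX");
    rc |= fmt_tmp_name(initbname,   sizeof initbname,   tmpdir, "f2c_rc.b_XXXXXX");
    rc |= fmt_tmp_name(blkdfname,   sizeof blkdfname,   tmpdir, "f2c_blkd_XXXXXX");
    rc |= fmt_tmp_name(p1_file,     sizeof p1_file,     tmpdir, "f2c_p1f_XXXXXX");
    rc |= fmt_tmp_name(p1_bakfile,  sizeof p1_bakfile,  tmpdir, "f2c_p1fb_XXXXXX");
    rc |= fmt_tmp_name(sortfname,   sizeof sortfname,   tmpdir, "f2c_sort_XXXXXX");
    return rc ? -1 : 0;
}

/* Bytes (including the NUL) the original sprintf() would have written for
 * one name; compare with sizeof("c_functions") == 12 to see the overflow. */
size_t bytes_needed(const char *tmpdir, const char *suffix)
{
    return (size_t)snprintf(NULL, 0, "%s/%s", tmpdir, suffix) + 1;
}

const char *get_c_functions(void) { return c_functions; }

/* Exercise the overflow path: a tmpdir of dirlen 'a' characters. */
int try_tmpdir_of_length(size_t dirlen)
{
    static char buf[2 * TMPNAME_MAX];
    if (dirlen >= sizeof buf)
        return -1;
    memset(buf, 'a', dirlen);
    buf[dirlen] = '\0';
    return set_tmp_names_safe(buf);
}

int main(void)
{
    printf("literal storage: %zu bytes, needed: %zu bytes\n",
           sizeof("c_functions"), bytes_needed("/tmp", "f2c_func_XXXXXX"));
    if (set_tmp_names_safe("/tmp") == 0)
        printf("c_functions = %s\n", get_c_functions());
    printf("oversized tmpdir rejected: %s\n",
           try_tmpdir_of_length(PATH_MAX) == -1 ? "yes" : "no");
    return 0;
}
```

The point of returning a status rather than silently truncating is that a cut-off template no longer ends in the six X characters mkstemp(3) requires, so a truncated name is as unusable as an overflowed one; the only safe outcome is to fail before any file is created.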