Package: gtkboard
Version: 0.11pre0+cvs.2003.11.02-9+b1
Severity: grave
Tags: patch
Dear Maintainer,

The gtkboard always hangs up after selecting a game in the Game menu. It makes gtkboard completely useless. And when it hangs up, the following message is shown in stdin:

  *** stack smashing detected ***: <unknown> terminated

I report this problem, and I attach the patch to fix this problem. In my Debian box, this patch works well. Would you release a newer package with this patch applied?

FYI: The root cause of this problem is the buffer overflow in channel_process_input() in src/engine.c. The channel_process_input() invokes g_io_channel_read; however, the type of the last argument of g_io_channel should be 'gsize (unsigned long)', but it is 'int'. It causes an overflow in the stack, and 'stack smashing' kills the forked process. Then the parent process, which handles the GUI, keeps waiting for the response of the killed process forever, and it looks like it hangs up.

Additionally, I happen to find a possibility of a 1-byte buffer overflow. The linebuf in channel_process_input() has 4096 bytes, but there is a possibility that '\0' is put in the 4097th. This patch fixes it also.

Finally, this problem comes from upstream. However, the site of upstream says maintenance is over. So, I haven't reported upstream. See:
http://gtkboard.sourceforge.net/

Regards,
-- Takahide Nojima

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.4.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=ja_JP.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8), LANGUAGE=ja_JP.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gtkboard depends on:
ii  libatk1.0-0          2.34.1-1
ii  libc6                2.29-8
ii  libcairo2            1.16.0-4
ii  libfontconfig1       2.13.1-2+b1
ii  libfreetype6         2.10.1-2
ii  libgdk-pixbuf2.0-0   2.40.0+dfsg-2
ii  libglib2.0-0         2.62.4-1
ii  libgtk2.0-0          2.24.32-4
ii  libpango-1.0-0       1.42.4-8
ii  libpangocairo-1.0-0  1.42.4-8
ii  libpangoft2-1.0-0    1.42.4-8
ii  libsdl-mixer1.2      1.2.12-16+b1
ii  libsdl1.2debian      1.2.15+dfsg2-5

gtkboard recommends no packages.

gtkboard suggests no packages.

-- no debconf information
diff -u -N -r a/debian/changelog b/debian/changelog --- a/debian/changelog 2018-07-29 19:02:29.000000000 +0900 +++ b/debian/changelog 2020-01-10 04:19:52.749057611 +0900 @@ -1,3 +1,13 @@ +gtkboard (0.11pre0+cvs.2003.11.02-10) UNRELEASED; urgency=medium + + * Fix stack overflow in engine.c. + It has 2 overflows. + -The 'linebuf' have 4096 bytes,but '\0' puts in 4097th. + -The last argument of g_io_channel_read should be + 'unsigned long' not 'int'. + + -- Takahide Nojima <nozzy123no...@gmail.com> Mon, 06 Jan 2020 02:01:42 +0900 + gtkboard (0.11pre0+cvs.2003.11.02-9) unstable; urgency=medium * recent list crash bug fix, thanks to Nelson Benítez León (closes: #820595) diff -u -N -r a/debian/patches/fixed-stack-smash.patch b/debian/patches/fixed-stack-smash.patch --- a/debian/patches/fixed-stack-smash.patch 1970-01-01 09:00:00.000000000 +0900 +++ b/debian/patches/fixed-stack-smash.patch 2020-01-10 03:09:20.792565886 +0900 @@ -0,0 +1,15 @@ +--- a/src/engine.c ++++ b/src/engine.c +@@ -345,10 +345,10 @@ + + static gboolean channel_process_input () + { +- static char linebuf[4096]; ++ static char linebuf[4096+1]; + char *linep = linebuf; + char *line; +- int bytes_read; ++ gsize bytes_read; + #if GLIB_MAJOR_VERSION > 1 + // we need to call this again because we will get new events before returning + // from this function diff -u -N -r a/debian/patches/series b/debian/patches/series --- a/debian/patches/series 2018-07-29 19:02:29.000000000 +0900 +++ b/debian/patches/series 2020-01-06 02:07:43.243615139 +0900 @@ -1 +1,2 @@ debian-changes +fixed-stack-smash.patch
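Review bot: the debian/changelog hunk for -10 does not reference the bug it fixes; add a "(closes: #NNNNNN)" with this report's number, as the -9 entry does, so the BTS closes it on upload. Two wording points in the same bullet: "The 'linebuf' have 4096 bytes" should read "has", and the second sub-item should say the argument must be "gsize" rather than "unsigned long", since gsize is what the patch actually declares and it is only unsigned long on 64-bit targets.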
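Review bot: the fixed-stack-smash.patch hunk changes only the two declarations, while the g_io_channel_read call and the length argument it passes are outside the visible context; confirm the call still reads at most 4096 bytes (sizeof(linebuf) - 1) into the enlarged buffer, otherwise the spare byte merely moves the off-by-one, and check that no later test such as "bytes_read < 0" remains in the function, because it is always false once the variable is gsize. The new patch file should also carry a DEP-3 header (Description, Author, Bug-Debian, and "Forwarded: not-needed" given that the report says upstream is unmaintained), as files under debian/patches conventionally do.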
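The two defects the report describes, as an added example in C that is not code from gtkboard or from the attached patch: fake_channel_read is a constructed stand-in for g_io_channel_read, the stack slot with guard bytes is a constructed byte array, and it is assumed that the original loop terminates the line with linebuf[bytes_read] = '\0'.

```c
#include <stddef.h>
#include <string.h>

typedef unsigned long gsize;  /* GLib's gsize on amd64: 8 bytes, twice an int */

/* Stand-in for g_io_channel_read() (constructed, not GLib): copies at most
 * `count` bytes of `src` into `buf` and stores the count through `bytes_read`,
 * i.e. writes a full sizeof(gsize) bytes through its last argument. */
static void fake_channel_read(const char *src, gsize srclen, char *buf,
                              gsize count, gsize *bytes_read)
{
    gsize n = srclen < count ? srclen : count;
    memcpy(buf, src, n);
    *bytes_read = n;
}

/* Defect 1 on a constructed byte array (so the overwrite is well defined):
 * a stack slot of `slot_size` bytes (4 for the old `int bytes_read`, 8 for
 * `gsize`) followed by four guard bytes standing in for the stack-protector
 * canary. Returns 1 if the guard survives the callee's 8-byte store, 0 if it
 * was clobbered, which is what "stack smashing detected" reports. */
int guard_survives(size_t slot_size)
{
    unsigned char frame[sizeof(gsize) + 4];
    char buf[16];
    gsize n;
    memset(frame, 0xA5, sizeof frame);
    fake_channel_read("hello", 5, buf, sizeof buf, &n);
    memcpy(frame, &n, sizeof n);           /* the store the callee performs */
    for (size_t i = 0; i < 4; i++)
        if (frame[slot_size + i] != 0xA5)
            return 0;
    return 1;
}

/* Defect 2: with the patched size the terminating NUL (assumed, as the report
 * implies, to be written at linebuf[bytes_read]) lands at index 4096 at most,
 * inside the array, even when the read fills all 4096 bytes. Input is a
 * constructed run of `n` 'x' bytes; returns the terminated string's length. */
gsize read_line_fixed(gsize n)
{
    static char src[8192];
    static char linebuf[4096 + 1];         /* was [4096] */
    gsize bytes_read;                      /* was int */
    memset(src, 'x', sizeof src);
    fake_channel_read(src, n < sizeof src ? n : sizeof src, linebuf,
                      sizeof linebuf - 1, &bytes_read);
    linebuf[bytes_read] = '\0';            /* index <= 4096: in bounds */
    return strlen(linebuf);
}
```

Compiling the original call with warnings enabled also flags the &bytes_read argument as an incompatible pointer type (int * where gsize * is expected), which is the cheap check that catches defect 1 before the stack protector has to.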