[Bug 250425] Re: zsnes crashes with buffer overflow on startup

Fri, 02 Jan 2009 11:11:26 -0800 

The problem is an interaction between the uncommon (to put it mildly)
way zsnes calls memcpy to restore its global state from the "regsbackup"
buffer, and _FORTIFY_SOURCE:

gcc -ggdb3 -pipe -I. -I/usr/local/include -I/usr/include -D__UNIXSDL__  
-I/usr/include/SDL -D_GNU_SOURCE=1 -D_REENTRANT  -DNO_DEBUGGER -D__LIBAO__ 
-D__OPENGL__ -march=i486 -O3 -fomit-frame-pointer -fprefetch-loop-arrays 
-fforce-addr -s -D__RELEASE__ -o initc.o -c initc.c
[...]
In function ‘memcpy’,                                                           
    inlined from ‘powercycle’ at initc.c:2624:                                  
/usr/include/bits/string3.h:52: warning: call to __builtin___memcpy_chk will 
always overflow destination buffer

The corresponding block of code is:

    sramsavedis = 0;
    memcpy(&sndrot, regsbackup, 3019);

And the declaration for the relevant variables, from the same file:

extern unsigned char NextLineCache, sramsavedis, sndrot,
regsbackup[3019];

The reason this strange memcpy call will always work correctly is that
the storage for sndrot and the rest of the state variables is allocated
in assembly (cpu/regs.inc, included from cpu/table.asm), in a way which
guarantees that all the correct variables will be sequential in memory,
with no padding (sndrot is just the first variable on that block).
However, gcc cannot know that; it sees instead an attempt to write 3019
bytes to a single byte-sized variable, which will obviously overflow
(and, in fact, overflowing is precisely the desired behaviour!).

The easiest way to fix this is to disable the extra security checks (via
-D_FORTIFY_SOURCE=0). There might be other places which use that unusual
"design pattern", so simply fixing that memcpy call might not be enough.

** Attachment added: "Disable _FORTIFY_SOURCE when building zsnes"
   http://launchpadlibrarian.net/20867159/zsnes-disable-fortify-source.patch

-- 
zsnes crashes with buffer overflow on startup
https://bugs.launchpad.net/bugs/250425
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to