Thanks for your prompt review! New patch attached, some comments inline.

> The correct syntax for closing a bug report will be LP: #1173090.
Fixed.

> -extern unsigned int soundcycleft, spc700read, timer2upd, xa,
> PHnum2writesfxreg;
> -extern unsigned int opcd, HIRQCycNext, oamaddr, curexecstate, nmiprevaddrl;
> +extern unsigned int soundcycleft, timer2upd, xa, PHnum2writesfxreg;
> +extern unsigned char spc700read[], xaread[], opcd[], oamread[];
> +extern unsigned int HIRQCycNext, oamaddr, curexecstate, nmiprevaddrl;
>
> You turn some variables to arrays, but do not allocate memory anywhere — is that intentional?

Yes. The basic bug that's triggering the buffer overflow detection is that zsnes declares a block of variables in assembly:

    NEWSYM oamaddr, dd 0 ; oam address
    NEWSYM bg1ptrx, dd 0 ; pointer to background1
    NEWSYM bg2ptrx, dd 0 ; pointer to background2
    NEWSYM bg3ptrx, dd 0 ; pointer to background3
    NEWSYM bg4ptrx, dd 0 ; pointer to background4
    ...

And then declares the first in C:

    extern unsigned int ..., oamaddr, ...;

And then, when loading a save file, attempts to read the entire block of variables using (effectively):

    fread(&oamaddr, 4, 14, fp);

This normally works correctly, since the assembly definitions ensure that the variables are in fact contiguous in memory with "oamaddr". FORTIFY_SOURCE, however, reasonably determines that this code is doing a write of 4*14 bytes into an object of size 4, and aborts.

My patch changes this by adding a new symbol -- oamread -- which the C code externs as an array, and then does the load into that. It's not the most elegant solution, but it's minimal and correct.

> +export DEB_BUILD_OPTIONS=nostrip
>
> Why?

Oops! Left that in from debugging my builds. Removed.

** Patch added: "revised patch"
   https://bugs.launchpad.net/ubuntu/+source/zsnes/+bug/1173090/+attachment/3706133/+files/zsnes-fortify-source-load-2.debdiff
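Review bot: declaring spc700read, xaread, opcd and oamread as unsized "extern unsigned char name[]" gives the compiler no object size for those symbols, so FORTIFY_SOURCE stops checking the fread into oamread altogether rather than verifying that the 4*14-byte load fits; giving oamread an explicit size that matches the assembly block the loader reads (56 bytes, per the fread(&oamaddr, 4, 14, fp) described in the message) would keep the bounds check while still silencing the false positive. The same hunk also changes spc700read and opcd from unsigned int scalars to unsigned char arrays, so every C use of those two names needs to agree with the new element width.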
--
https://bugs.launchpad.net/bugs/1173090
Title: Buffer overflow in ZSNES since update to raring
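As an added illustration, not code from the zsnes patch or project, the C below models the FORTIFY_SOURCE behaviour described in the message: a 56-byte block read through the address of the 4-byte scalar oamaddr is refused, while the same read into a byte array with an explicit size succeeds and can be decoded word by word. checked_fread (a stand-in for the fortified fread), the sized oamread[], save_word and the constructed 56-byte save blob are all assumptions of this example; the real patch declares oamread as an unsized extern backed by an assembly symbol.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <stdint.h>
#include <stdio.h>

/* Added example, not zsnes code: models the block of 14 contiguous 32-bit
 * variables (oamaddr, bg1ptrx, ...) that zsnes defines in assembly. */
#define SAVE_WORDS 14
#define SAVE_BYTES (SAVE_WORDS * 4)

unsigned int oamaddr;              /* the 4-byte scalar the buggy fread targeted */
unsigned char oamread[SAVE_BYTES]; /* hypothetical sized stand-in for the patch's oamread[] */

/* Mirrors the check FORTIFY_SOURCE applies to fread(): refuse any read larger
 * than the destination object. Returns 0 on success, -1 if refused or short. */
int checked_fread(void *dst, size_t dst_size, size_t elem, size_t count, FILE *fp)
{
    if (elem == 0 || count > SIZE_MAX / elem || elem * count > dst_size)
        return -1;  /* 4*14 = 56 bytes into a 4-byte object: rejected */
    return fread(dst, elem, count, fp) == count ? 0 : -1;
}

/* Word i of the loaded block, decoded as little-endian 32 bits. */
uint32_t save_word(size_t i)
{
    const unsigned char *p = oamread + i * 4;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Constructed 56-byte save block: word i holds 0x100 + i, little-endian. */
static FILE *constructed_save(void)
{
    static unsigned char blob[SAVE_BYTES];
    for (size_t i = 0; i < SAVE_BYTES; i++)
        blob[i] = (unsigned char)(((0x100u + i / 4) >> (8 * (i % 4))) & 0xff);
    return fmemopen(blob, sizeof blob, "r");
}

int load_into_scalar(void)
{   /* original shape: the whole block read through &oamaddr, returns -1 */
    FILE *fp = constructed_save();
    int rc = checked_fread(&oamaddr, sizeof oamaddr, 4, SAVE_WORDS, fp);
    fclose(fp); return rc;
}

int load_into_array(void)
{   /* patched shape: the whole block read into the sized array, returns 0 */
    FILE *fp = constructed_save();
    int rc = checked_fread(oamread, sizeof oamread, 4, SAVE_WORDS, fp);
    fclose(fp); return rc;
}
```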