Dear Maintainer,

I tried to have a look at this crash and got this backtrace [1].

It looks like there is a disagreement about the size of the blits
structure, one inside tuxmath and one inside libt4k-common0:

    tuxmath-2.0.3/src/titlescreen.h:65:#define MAX_UPDATES 180
    tuxmath-2.0.3/src/titlescreen.c:58:} blits[MAX_UPDATES];

    t4kcommon-0.1.1/src/t4k_sdl.c:954:#define MAX_UPDATES 512
    t4kcommon-0.1.1/src/t4k_sdl.c:966:} blits[MAX_UPDATES];

Because of this libt4k-common0 accesses memory behind the 180 records
of the blits structure from tuxmath.

Attached patch just renames the global variable blits to tmblits.
A package tuxmath built with this patch does not show this crash.

I found no exact match in upstream bug trackers, but I guess [2]
is about this bug.

Currently I see no direct connection to #933346.

Kind regards,
Bernhard

[1]
(gdb) bt
#0 0x00007f063879a972 in T4K_AddRect (src=src@entry=0x7ffede50c468, dst=dst@entry=0x7ffede50c468) at t4k_sdl.c:1034
#1 0x00007f063879acb3 in T4K_TransWipe (newbkg=0x55bd0b680520, type=<optimized out>, type@entry=RANDOM_WIPE, segments=segments@entry=5, duration=duration@entry=20) at t4k_sdl.c:824
#2 0x000055bd0893b23f in TitleScreen () at titlescreen.c:245
#3 0x000055bd08938bee in main (argc=<optimized out>, argv=<optimized out>) at tuxmath.c:41

https://sources.debian.org/src/t4kcommon/0.1.1-10/src/t4k_sdl.c/#L1034

[2] https://github.com/tux4kids/tuxmath/issues/16

# single-use Bullseye/testing amd64 qemu VM 2021-04-20

echo "set enable-bracketed-paste off" >> /etc/inputrc; bash
apt update
# to speedup testing
mv /etc/manpath.config /etc/manpath.config.renamed
apt install libeatmydata1
export LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libeatmydata.so
apt dist-upgrade
apt install systemd-coredump mc gdb rr lightdm xserver-xorg jwm fakeroot tuxmath \
    tuxmath-dbgsym libt4k-common0-dbgsym
apt build-dep tuxmath libt4k-common0

mkdir /home/benutzer/source/tuxmath/orig -p
cd /home/benutzer/source/tuxmath/orig
apt source tuxmath
cd

mkdir /home/benutzer/source/libt4k-common0/orig -p
cd /home/benutzer/source/libt4k-common0/orig
apt source libt4k-common0
cd

benutzer@debian:~$ export DISPLAY=:0
benutzer@debian:~$ tuxmath
Initializing Tux4Kids-Common 0.1.1
ALSA lib pcm.c:8545:(snd_pcm_recover) underrun occurred
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
Speicherzugriffsfehler (Speicherabzug geschrieben)

root@debian:~# coredumpctl list
TIME                          PID  UID  GID SIG COREFILE EXE
Tue 2021-04-20 15:45:51 CEST  644 1000 1000  11 present  /usr/lib/tuxmath/tuxmath

root@debian:~# coredumpctl gdb 644
PID: 644 (tuxmath)
UID: 1000 (benutzer)
GID: 1000 (benutzer)
Signal: 11 (SEGV)
Timestamp: Tue 2021-04-20 15:45:50 CEST (38s ago)
Command Line: tuxmath
Executable: /usr/lib/tuxmath/tuxmath
Control Group: /user.slice/user-1000.slice/session-5.scope
Unit: session-5.scope
Slice: user-1000.slice
Session: 5
Owner UID: 1000 (benutzer)
Boot ID: 27f9ae5d40034f8484e4d155de897ba4
Machine ID: 33f18f39d2a9438eb75b0ed52848afcd
Hostname: debian
Storage: /var/lib/systemd/coredump/core.tuxmath.1000.27f9ae5d40034f8484e4d155de897ba4.644.1618926350000000.zst
Message: Process 644 (tuxmath) of user 1000 dumped core.

Stack trace of thread 644:
#0 0x00007f063879a972 T4K_AddRect (libt4k_common.so.0 + 0xe972)
#1 0x00007f063879acb3 T4K_TransWipe (libt4k_common.so.0 + 0xecb3)
#2 0x000055bd0893b23f n/a (tuxmath + 0x923f)
#3 0x000055bd08938bee main (tuxmath + 0x6bee)
#4 0x00007f06385c9d0a __libc_start_main (libc.so.6 + 0x26d0a)
#5 0x000055bd08938c2a n/a (tuxmath + 0x6c2a)
...
Core was generated by `tuxmath'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007f063879a972 in T4K_AddRect () from /lib/x86_64-linux-gnu/libt4k_common.so.0
[Current thread is 1 (Thread 0x7f0632edfe80 (LWP 644))]
(gdb) set width 0
(gdb) set pagination off
(gdb) bt
#0 0x00007f063879a972 in T4K_AddRect () from /lib/x86_64-linux-gnu/libt4k_common.so.0
#1 0x00007f063879acb3 in T4K_TransWipe () from /lib/x86_64-linux-gnu/libt4k_common.so.0
#2 0x000055bd0893b23f in ?? ()
#3 0x000055bd08938bee in main ()

(gdb) bt
#0 0x00007f063879a972 in T4K_AddRect (src=src@entry=0x7ffede50c468, dst=dst@entry=0x7ffede50c468) at t4k_sdl.c:1034
#1 0x00007f063879acb3 in T4K_TransWipe (newbkg=0x55bd0b680520, type=<optimized out>, type@entry=RANDOM_WIPE, segments=segments@entry=5, duration=duration@entry=20) at t4k_sdl.c:824
#2 0x000055bd0893b23f in TitleScreen () at titlescreen.c:245
#3 0x000055bd08938bee in main (argc=<optimized out>, argv=<optimized out>) at tuxmath.c:41

(gdb) display/i $pc
1: x/i $pc
=> 0x7f063879a972 <T4K_AddRect+82>: mov %r8w,(%rdx)
(gdb) print/x $rdx
$8 = 0xff38ffffff
(gdb) print src
$1 = (SDL_Rect *) 0x7ffede50c468
(gdb) print *src
$2 = {x = 0, y = 0, w = 0, h = 0}
(gdb) print numupdates
$5 = 181
(gdb) print blits[numupdates-1]
$6 = {src = 0xffff0000ff60, srcrect = 0xff38ffffff, dstrect = 0x80808038600000, type = 0 '\000'}
(gdb) print &blits[numupdates-1]
$7 = (struct blit *) 0x55bd08991c40 <bright_green>

https://sources.debian.org/src/t4kcommon/0.1.1-10/src/t4k_sdl.c/#L1034

benutzer@debian:~$ rr record tuxmath
rr: Saving execution to trace directory `/home/benutzer/.local/share/rr/tuxmath-0'.
Initializing Tux4Kids-Common 0.1.1
shared memfd open() failed: Die angeforderte Funktion ist nicht implementiert
ALSA lib conf.c:4197:(snd_config_update_r) cannot access file /usr/share/alsa/alsa.conf
ALSA lib pcm.c:2660:(snd_pcm_open_noupdate) Unknown PCM default
Warning: I could not set up audio for 44100 Hz 16-bit stereo.
The Simple DirectMedia error that occured was:
No available audio device
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
Speicherzugriffsfehler

rr replay tuxmath-0
set width 0
set pagination off
directory /home/benutzer/source/libt4k-common0/orig/t4kcommon-0.1.1/src
directory /home/benutzer/source/tuxmath/orig/tuxmath-2.0.3/src
display/i $pc
cont

Thread 1 received signal SIGSEGV, Segmentation fault.
0x00007f915af0a972 in T4K_AddRect (src=src@entry=0x7ffdca881a58, dst=dst@entry=0x7ffdca881a58) at t4k_sdl.c:1034
1034 t4k_sdl.c: Datei oder Verzeichnis nicht gefunden.
1: x/i $pc
=> 0x7f915af0a972 <T4K_AddRect+82>: mov %r8w,(%rdx)
(rr) bt
#0 0x00007f915af0a972 in T4K_AddRect (src=src@entry=0x7ffdca881a58, dst=dst@entry=0x7ffdca881a58) at t4k_sdl.c:1034
#1 0x00007f915af0ae34 in T4K_TransWipe (newbkg=0x55886d2f9340, type=<optimized out>, type@entry=RANDOM_WIPE, segments=segments@entry=5, duration=duration@entry=20) at t4k_sdl.c:902
#2 0x0000558869a9023f in TitleScreen () at titlescreen.c:245
#3 0x0000558869a8dbee in main (argc=<optimized out>, argv=<optimized out>) at tuxmath.c:41

./tuxmath/orig/tuxmath-2.0.3/src/titlescreen.h:65:#define MAX_UPDATES 180
./libt4k-common0/orig/t4kcommon-0.1.1/src/t4k_sdl.c:954:#define MAX_UPDATES 512
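
Added example, not part of the original report and not code from tuxmath or t4kcommon: a check that compares `nm -D -S --defined-only` listings of an executable and a library and reports global data symbols defined in both with different sizes, the situation described above for blits. The nm listings are constructed samples; the 32-byte element size and the symbol screen_cfg are assumptions made for illustration.

```python
# Constructed samples of `nm -D -S --defined-only FILE` (address size type name).
# Addresses are made up; sizes assume sizeof(struct blit) == 32 on amd64.
NM_TUXMATH = """\
0000000000058c40 0000000000001680 B blits
0000000000058a00 0000000000000010 D screen_cfg
0000000000006b00 00000000000000f0 T main
"""
NM_LIBT4K = """\
0000000000031a00 0000000000004000 B blits
0000000000031900 0000000000000010 D screen_cfg
000000000000e920 0000000000000120 T T4K_AddRect
"""

DATA_TYPES = set("BDGRSV")  # nm type letters for global (or weak) data objects
ELEM_SIZE = 32              # assumed: three pointers plus one char, padded


def parse_nm(text):
    """Return {symbol name: size in bytes} for exported data objects."""
    syms = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[2] in DATA_TYPES:
            name = fields[3].split("@")[0]   # drop any symbol version suffix
            syms[name] = int(fields[1], 16)
    return syms


def size_conflicts(exe_nm, lib_nm):
    """List data symbols defined in both objects with differing sizes.

    Each entry is (name, exe_size, lib_size, overrun): overrun is True when the
    executable's object is the smaller one, so library code that trusts its own
    size can index past the end once its references bind to the executable.
    """
    exe, lib = parse_nm(exe_nm), parse_nm(lib_nm)
    return [(n, exe[n], lib[n], exe[n] < lib[n])
            for n in sorted(exe.keys() & lib.keys()) if exe[n] != lib[n]]


if __name__ == "__main__":
    for name, exe_size, lib_size, overrun in size_conflicts(NM_TUXMATH, NM_LIBT4K):
        print(f"{name}: executable {exe_size // ELEM_SIZE} elements, "
              f"library {lib_size // ELEM_SIZE} elements, overrun risk: {overrun}")
```

A symbol reported with overrun True is a candidate for renaming or for being made static, which is what the attached patch does for blits on the tuxmath side.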