I am a victim of abuse: a person put my email address on many mailing lists...

PLEASE UNSUBSCRIBE ME!!!!

Guia Artistica
www.guiaartistica.com.ar


-----Mensaje original-----
De: Kalle Olavi Niemitalo [mailto:[EMAIL PROTECTED] 
Enviado el: Lunes, 09 de Abril de 2007 08:16 a.m.
Para: Debian Bug Tracking System
Asunto: Bug#418360: tcc_load_dll reads past end of buffer, causes linker
segfault

Package: tcc
Version: 0.9.23-2
Severity: normal
Tags: patch

I have reflowed some of the long lines below.

$ cat dummy.c
int
main ()
{
  return 0;
}
$ tcc -c dummy.c
$ ls -l dummy.o
-rw-rw-r-- 1 Kalle Kalle 484 2007-04-09 13:31 dummy.o
$ tcc dummy.o -lgnutls -lguile
Segmentation fault (core dumped)
$ tcc dummy.c /usr/lib/libgnutls.so.13.0.4 /usr/lib/libguile.so.12.3.0
Segmentation fault (core dumped)
$ dpkg --search /usr/lib/libgnutls.so.13.0.4 /usr/lib/libguile.so.12.3.0
libgnutls13: /usr/lib/libgnutls.so.13.0.4
guile-1.6-libs: /usr/lib/libguile.so.12.3.0
$ gdb --args /var/tmp/Kalle/debian/tcc-0.9.23/tcc dummy.o -lgnutls -lguile
GNU gdb 6.5-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db
library "/lib/tls/libthread_db.so.1".

(gdb) run
Starting program: /var/tmp/Kalle/debian/tcc-0.9.23/tcc dummy.o -lgnutls
-lguile

Program received signal SIGSEGV, Segmentation fault.
0xb7e10c10 in strcmp () from /lib/tls/libc.so.6
(gdb) backtrace
#0  0xb7e10c10 in strcmp () from /lib/tls/libc.so.6
#1  0x0806285a in tcc_load_dll (s1=0x8076008, fd=7,
    filename=0xbf7fc4e4 "/usr/lib/libguile-ltdl.so.1", level=1)
    at tccelf.c:2189
#2  0x08063e98 in tcc_add_file_internal (s1=0x8076008,
    filename=0xbf7fc4e4 "/usr/lib/libguile-ltdl.so.1", flags=2)
    at tcc.c:9931
#3  0x0806401f in tcc_add_dll (s=0x8076008,
    filename=0x80a5e5e "libguile-ltdl.so.1", flags=2) at tcc.c:9991
#4  0x08062888 in tcc_load_dll (s1=0x8076008, fd=6,
    filename=0xbf7fca54 "/usr/lib/libguile.so", level=0) at tccelf.c:2192
#5  0x08063e98 in tcc_add_file_internal (s1=0x8076008,
    filename=0xbf7fca54 "/usr/lib/libguile.so", flags=0) at tcc.c:9931
#6  0x0806401f in tcc_add_dll (s=0x8076008,
    filename=0xbf7fce84 "libguile.so", flags=0) at tcc.c:9991
#7  0x080640a6 in tcc_add_library (s=0x8076008,
    libraryname=0xbf7ff92e "guile") at tcc.c:10010
#8  0x08064e58 in main (argc=4, argv=0xbf7fd794) at tcc.c:10647
(gdb) frame 1
#1  0x0806285a in tcc_load_dll (s1=0x8076008, fd=7,
    filename=0xbf7fc4e4 "/usr/lib/libguile-ltdl.so.1", level=1)
    at tccelf.c:2189
2189                    if (!strcmp(name, dllref->name))
(gdb) info local
ehdr = {e_ident = "\177ELF\001\001\001\000\000\000\000\000\000\000\000",
  e_type = 3, e_machine = 3, e_version = 1,
  e_entry = 3920, e_phoff = 52, e_shoff = 23220,
  e_flags = 0, e_ehsize = 52, e_phentsize = 32, e_phnum = 4,
  e_shentsize = 40, e_shnum = 22, e_shstrndx = 21}
shdr = (Elf32_Shdr *) 0x808f570
sh = (Elf32_Shdr *) 0x808f8e0
sh1 = (Elf32_Shdr *) 0x808f5e8
i = 0
nb_syms = 77
nb_dts = 29
sym_bind = 1
ret = 0
sym = (Elf32_Sym *) 0x808fdb8
dynsym = (Elf32_Sym *) 0x808f8e8
dt = (Elf32_Dyn *) 0x8085b10
dynamic = (Elf32_Dyn *) 0x8085a20
dynstr = (unsigned char *) 0x80857d8 ""
name = 0x6c6ac144 <Address 0x6c6ac144 out of bounds>
soname = 0x80859de "libguile-ltdl.so.1"
p = 0xbf7fc4ec "/libguile-ltdl.so.1"
dllref = (DLLReference *) 0x8086af8
(gdb) print/x [EMAIL PROTECTED]
$1 = {{d_tag = 0x1, d_un = {d_val = 0x1b1, d_ptr = 0x1b1}},
      {d_tag = 0x1, d_un = {d_val = 0x1bc, d_ptr = 0x1bc}},
      {d_tag = 0x1, d_un = {d_val = 0x1cc, d_ptr = 0x1cc}},
      {d_tag = 0x1, d_un = {d_val = 0x1da, d_ptr = 0x1da}},
      {d_tag = 0x1, d_un = {d_val = 0x1e4, d_ptr = 0x1e4}},
      {d_tag = 0xe, d_un = {d_val = 0x206, d_ptr = 0x206}},
      {d_tag = 0xc, d_un = {d_val = 0xd34, d_ptr = 0xd34}},
      {d_tag = 0xd, d_un = {d_val = 0x5130, d_ptr = 0x5130}},
      {d_tag = 0x4, d_un = {d_val = 0xb4, d_ptr = 0xb4}},
      {d_tag = 0x5, d_un = {d_val = 0x7cc, d_ptr = 0x7cc}},
      {d_tag = 0x6, d_un = {d_val = 0x2fc, d_ptr = 0x2fc}},
      {d_tag = 0xa, d_un = {d_val = 0x243, d_ptr = 0x243}},
      {d_tag = 0xb, d_un = {d_val = 0x10, d_ptr = 0x10}},
      {d_tag = 0x3, d_un = {d_val = 0x6980, d_ptr = 0x6980}},
      {d_tag = 0x2, d_un = {d_val = 0xf8, d_ptr = 0xf8}},
      {d_tag = 0x14, d_un = {d_val = 0x11, d_ptr = 0x11}},
      {d_tag = 0x17, d_un = {d_val = 0xc3c, d_ptr = 0xc3c}},
      {d_tag = 0x11, d_un = {d_val = 0xb2c, d_ptr = 0xb2c}},
      {d_tag = 0x12, d_un = {d_val = 0x110, d_ptr = 0x110}},
      {d_tag = 0x13, d_un = {d_val = 0x8, d_ptr = 0x8}},
      {d_tag = 0x6ffffffe, d_un = {d_val = 0xaac, d_ptr = 0xaac}},
      {d_tag = 0x6fffffff, d_un = {d_val = 0x2, d_ptr = 0x2}},
      {d_tag = 0x6ffffff0, d_un = {d_val = 0xa10, d_ptr = 0xa10}},
      {d_tag = 0x6ffffffa, d_un = {d_val = 0x1c, d_ptr = 0x1c}},
      {d_tag = 0x0, d_un = {d_val = 0x0, d_ptr = 0x0}},
      {d_tag = 0x0, d_un = {d_val = 0x0, d_ptr = 0x0}},
      {d_tag = 0x0, d_un = {d_val = 0x0, d_ptr = 0x0}},
      {d_tag = 0x0, d_un = {d_val = 0x0, d_ptr = 0x0}},
      {d_tag = 0x0, d_un = {d_val = 0x0, d_ptr = 0x0}}}
(gdb) print dt - dynamic
$2 = 30
(gdb) quit
The program is running.  Exit anyway? (y or n) y
$ 

Obviously, dt == dynamic + i was intended, but the inner loop messes this up
by using the same loop variable.

--- tccelf.c.~1~        2005-06-18 01:09:15.000000000 +0300
+++ tccelf.c    2007-04-09 14:03:33.000000000 +0300
@@ -2095,7 +2095,7 @@ static int tcc_load_dll(TCCState *s1, in
 {
     Elf32_Ehdr ehdr;
     Elf32_Shdr *shdr, *sh, *sh1;
-    int i, nb_syms, nb_dts, sym_bind, ret;
+    int i, j, nb_syms, nb_dts, sym_bind, ret;
     Elf32_Sym *sym, *dynsym;
     Elf32_Dyn *dt, *dynamic;
     unsigned char *dynstr;
@@ -2184,8 +2184,8 @@ static int tcc_load_dll(TCCState *s1, in
         switch(dt->d_tag) {
         case DT_NEEDED:
             name = dynstr + dt->d_un.d_val;
-            for(i = 0; i < s1->nb_loaded_dlls; i++) {
-                dllref = s1->loaded_dlls[i];
+            for(j = 0; j < s1->nb_loaded_dlls; j++) {
+                dllref = s1->loaded_dlls[j];
                 if (!strcmp(name, dllref->name))
                     goto already_loaded;
             }
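Review bot: The DT_NEEDED case still forms `name = dynstr + dt->d_un.d_val;` with no check that d_val lies inside the loaded string table, so a truncated or malformed shared object makes the strcmp on the next lines read past the end of dynstr — the same symptom this report describes, from a different cause. Before computing name, reject entries whose d_val is at or beyond the string table's size (the size of the section dynstr was loaded from, not visible in this hunk) and make sure the table's final byte is NUL so strcmp cannot run off its end, e.g. `if (dt->d_un.d_val >= dynstr_size) goto fail;` where `dynstr_size` stands for that loaded size and `fail` for whatever error exit tcc_load_dll already uses. The loop-variable change itself is right: with `i` shared, the inner loop advanced the outer index, which is how dt reached dynamic + 30 while gdb shows only 29 entries (nb_dts = 29). tcc_load_dll starts and ends outside this hunk.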

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1,
'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.12-1-k7
Locale: LANG=fi_FI.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages tcc depends on:
ii  libc6                         2.3.6-7    GNU C Library: Shared libraries

Versions of packages tcc recommends:
ii  libc6-dev [libc-dev]          2.3.6-7    GNU C Library: Development
Librari

-- no debconf information


