Hi!
On Thu, 2010-02-11 at 12:10:21 +0000, SevenMachines wrote:
> Package: xfstt
> Version: 1.7-6
> Severity: important
> Tags: patch
> User: [email protected]
> Usertags: origin-ubuntu lucid ubuntu-patch
>
> xfstt.cc:ttySyncAll can cause buffer overruns due to misuse of
> struct TTFNHeader, i.e.
Not really, but see below.
> src/xfstt.cc:
> strncpy(info.magic, "TTFNINFO", 8);
>
> but,
> src/xfstt.h:
> typedef struct {
> char magic[4]; // == TTFN
> char type[4]; // == INFO or NAME
> u16_t version;
> u16_t key;
> u32_t crc;
> //TTFNdata ttfn[];
> } TTFNheader;
>
> so should,
> src/xfstt.cc:
> - strncpy(info.magic, "TTFNINFO", 8);
Well, even if I can agree this is not the best style (I just inherited
the code like this upstream), it's perfectly legal from a C++ point of
view. That's why the fwrite is done on the structure pointer, so that
it writes the whole contents to the file, for example.
> + strncpy(info.magic, "TTFN", 4);
> + strncpy(info.type, "INFO", 4);
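Review bot: with the copy length equal to the field size neither strncpy leaves a NUL terminator, which is what is wanted here (magic and type are 4-byte tags that go to disk via fwrite of the whole struct, not C strings), but that deserves a comment beside these two lines so nobody later reads the fields back with strcmp or prints them with %s; memcpy(info.magic, "TTFN", sizeof info.magic) would state the intent more plainly than strncpy. The struct comment says type is "INFO or NAME", so if ttySyncAll builds the NAME header with the same single 8-byte copy, it needs the same split, and the patch as quoted only touches the INFO header.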
The reason there's an abort in Ubuntu is due to the bounds checks from
the fortify compiler support used there; it's ironic, though, that fortify
should prevent crashes but in this case it produced one for code that
is perfectly fine. :)
> In Ubuntu, we've applied the attached patch to achieve the following:
>
> * src/xfstt.cc:
> - don't copy TTFNINFO into TTFNHeader's magic variable, it should be
> broken into TTFN for magic and INFO for type. thanks to PCC (LP:#433146)
>
>
> We thought you might be interested in doing the same.
Anyway, as the code looks cleaner and it avoids an abort with fortify,
I'll be applying this upstream and preparing a new release.
thanks,
guillem
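The exchange above turns on one detail: the original single strncpy writes 8 bytes into a 4-byte array subobject, which is an out-of-bounds write on that array even though the bytes land inside the enclosing struct, and that subobject-level bound is exactly what the fortified strncpy checks. The fix splits the copy so each tag lands in its own field, and the on-disk bytes are unchanged. The following is an added example by the editor, not code from xfstt or from either poster: it mirrors the TTFNheader layout quoted in the report, fills it the fixed way (memcpy with the field size is an editorial choice, not the upstream strncpy, and behaves identically for 4-byte tags), serialises it into a buffer the way xfstt's fwrite of the whole struct would, and parses it back with memcmp, since the tags carry no terminator. The ttfn_* function names, the u16_t/u32_t typedefs and the sample field values are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Assumed typedefs: xfstt.h defines u16_t/u32_t, this example defines its own. */
typedef uint16_t u16_t;
typedef uint32_t u32_t;

/* Same layout as the TTFNheader quoted in the bug report: two 4-byte tags
 * followed by three integers.  Neither tag is a C string; no NUL anywhere. */
typedef struct {
    char magic[4];   /* "TTFN" */
    char type[4];    /* "INFO" or "NAME" */
    u16_t version;
    u16_t key;
    u32_t crc;
} TTFNheader;

/* Fixed form of the fill: each tag goes into its own field, sized by the
 * field.  The old strncpy(info.magic, "TTFNINFO", 8) wrote 8 bytes into
 * magic[4]; fortified strncpy aborts because the subobject is only 4 bytes.
 * Returns 0 on success, -1 if the type tag is not exactly 4 characters. */
static int ttfn_fill(TTFNheader *h, const char *type,
                     u16_t version, u16_t key, u32_t crc)
{
    if (strlen(type) != sizeof h->type)   /* reject "", "INFOX", "TTFNINFO", ... */
        return -1;
    memset(h, 0, sizeof *h);             /* nothing uninitialised reaches the file */
    memcpy(h->magic, "TTFN", sizeof h->magic);
    memcpy(h->type, type, sizeof h->type);
    h->version = version;
    h->key = key;
    h->crc = crc;
    return 0;
}

/* Serialise the way xfstt does (fwrite of the whole struct), but into a
 * caller-supplied buffer so the example runs offline.  Returns bytes written. */
static size_t ttfn_write(const TTFNheader *h, unsigned char *out, size_t cap)
{
    if (cap < sizeof *h)
        return 0;
    memcpy(out, h, sizeof *h);
    return sizeof *h;
}

/* Parse and validate a record.  The tags are compared with memcmp over the
 * field size because they are not NUL-terminated; strcmp would read past
 * the field.  Returns 0 ok, -1 short input, -2 bad magic, -3 bad type. */
static int ttfn_parse(const unsigned char *in, size_t len, TTFNheader *out)
{
    if (len < sizeof *out)
        return -1;
    memcpy(out, in, sizeof *out);
    if (memcmp(out->magic, "TTFN", sizeof out->magic) != 0)
        return -2;
    if (memcmp(out->type, "INFO", sizeof out->type) != 0 &&
        memcmp(out->type, "NAME", sizeof out->type) != 0)
        return -3;
    return 0;
}

/* True if the serialised record starts with the 8 bytes the original
 * single strncpy of "TTFNINFO"/"TTFNNAME" was trying to produce. */
static int ttfn_prefix_is(const TTFNheader *h, const char *tag8)
{
    unsigned char buf[sizeof *h];
    size_t n = ttfn_write(h, buf, sizeof buf);
    return n == sizeof *h && memcmp(buf, tag8, 8) == 0;
}

/* Round trip with constructed sample values; returns 0 if every step behaves. */
static int ttfn_selfcheck(void)
{
    TTFNheader info, back;
    unsigned char buf[sizeof info];
    if (ttfn_fill(&info, "INFO", 1, 0x1234, 0xdeadbeefu) != 0) return 1;
    if (!ttfn_prefix_is(&info, "TTFNINFO")) return 2;
    if (ttfn_write(&info, buf, sizeof buf) != sizeof buf) return 3;
    if (ttfn_parse(buf, sizeof buf, &back) != 0) return 4;
    if (back.version != 1 || back.key != 0x1234 || back.crc != 0xdeadbeefu) return 5;
    buf[4] = 'X';                               /* corrupt the type tag */
    if (ttfn_parse(buf, sizeof buf, &back) != -3) return 6;
    return 0;
}

int main(void)
{
    printf("TTFNheader is %zu bytes, type at offset %zu\n",
           sizeof(TTFNheader), offsetof(TTFNheader, type));
    printf("selfcheck: %d\n", ttfn_selfcheck());
    return 0;
}
```

The struct is 16 bytes with type at offset 4 on the usual ABIs, so the fixed two-copy form produces exactly the bytes "TTFNINFO" at the start of the record, the same bytes the original code was after; the difference is only that no write exceeds the array it targets.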