http://plf.zarb.org/bugzilla/show_bug.cgi?id=187

           Summary: Buffer overflow in 2008.0 screws up saving states.
           Product: fceu
           Version: 0.98.12
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: package
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]


In 2008.0, fceu crashes with a buffer overflow when you save a state. The abort is raised by glibc's FORTIFY_SOURCE check (`__chk_fail`, frame #4) called from FCEUSS_SaveFP at state.c:234 (frame #5), whose only locals are `totalsize` and the fixed-size `header` array — so it appears to be a write into `header` that exceeds its declared size; the reporter's build flags and the exact line are not shown here.

Full backtrace (glibc abort message and memory map, then gdb `bt full`):

*** buffer overflow detected ***: /usr/bin/fceu terminated
======= Backtrace: =========
/lib/i686/libc.so.6(__chk_fail+0x41)[0x4ce5ce51]
/usr/bin/fceu[0x805bafc]
======= Memory map: ========
08048000-080eb000 r-xp 00000000 03:06 215804     /usr/bin/fceu
080eb000-080f4000 rwxp 000a3000 03:06 215804     /usr/bin/fceu
080f4000-08298000 rwxp 080f4000 00:00 0          [heap]
4c3ab000-4c3c4000 r-xp 00000000 03:05 568974     /lib/ld-2.6.1.so
4c3c4000-4c3c5000 r-xp 00018000 03:05 568974     /lib/ld-2.6.1.so
4c3c5000-4c3c6000 rwxp 00019000 03:05 568974     /lib/ld-2.6.1.so
4ccee000-4ccf6000 r-xp 00000000 03:06 2094530    /usr/lib/libXrender.so.1.3.0
4ccf6000-4ccf7000 rwxp 00007000 03:06 2094530    /usr/lib/libXrender.so.1.3.0
4ccfe000-4cd04000 r-xp 00000000 03:06 2094533    /usr/lib/libXrandr.so.2.1.0
4cd04000-4cd05000 rwxp 00005000 03:06 2094533    /usr/lib/libXrandr.so.2.1.0
4cd4c000-4cd50000 r-xp 00000000 03:06 2094535    /usr/lib/libXfixes.so.3.1.0
4cd50000-4cd51000 rwxp 00003000 03:06 2094535    /usr/lib/libXfixes.so.3.1.0
4cd53000-4cd5c000 r-xp 00000000 03:06 2094536    /usr/lib/libXcursor.so.1.0.2
4cd5c000-4cd5d000 rwxp 00008000 03:06 2094536    /usr/lib/libXcursor.so.1.0.2
4cd7a000-4ceb4000 r-xp 00000000 03:05 617742     /lib/i686/libc-2.6.1.so
4ceb4000-4ceb5000 r-xp 00139000 03:05 617742     /lib/i686/libc-2.6.1.so
4ceb5000-4ceb7000 rwxp 0013a000 03:05 617742     /lib/i686/libc-2.6.1.so
4ceb7000-4ceba000 rwxp 4ceb7000 00:00 0
4cebc000-4cedf000 r-xp 00000000 03:05 617766     /lib/i686/libm-2.6.1.so
4cedf000-4cee1000 rwxp 00023000 03:05 617766     /lib/i686/libm-2.6.1.so
4cee3000-4cee5000 r-xp 00000000 03:05 569174     /lib/libdl-2.6.1.so
4cee5000-4cee7000 rwxp 00001000 03:05 569174     /lib/libdl-2.6.1.so
4cee9000-4cefb000 r-xp 00000000 03:05 569225     /lib/libz.so.1.2.3
4cefb000-4cefc000 rwxp 00011000 03:05 569225     /lib/libz.so.1.2.3
4cefe000-4cf11000 r-xp 00000000 03:05 617767     /lib/i686/libpthread-2.6.1.so
4cf11000-4cf13000 rwxp 00012000 03:05 617767     /lib/i686/libpthread-2.6.1.so
4cf13000-4cf15000 rwxp 4cf13000 00:00 0
4cf17000-4cf1c000 r-xp 00000000 03:06 2094527    /usr/lib/libXdmcp.so.6.0.0
4cf1c000-4cf1d000 rwxp 00004000 03:06 2094527    /usr/lib/libXdmcp.so.6.0.0
4cf1f000-4cf21000 r-xp 00000000 03:06 2094525    /usr/lib/libXau.so.6.0.0
4cf21000-4cf22000 rwxp 00001000 03:06 2094525    /usr/lib/libXau.so.6.0.0
4cf24000-4d023000 r-xp 00000000 03:06 2094529    /usr/lib/libX11.so.6.2.0
4d023000-4d027000 rwxp 000fe000 03:06 2094529    /usr/lib/libX11.so.6.2.0
4d029000-4d037000 r-xp 00000000 03:06 2094531    /usr/lib/libXext.so.6.4.0
4d037000-4d038000 rwxp 0000e000 03:06 2094531    /usr/lib/libXext.so.6.4.0
4d03a000-4d050000 r-xp 00000000 03:06 2094542    /usr/lib/libICE.so.6.3.0
4d050000-4d051000 rwxp 00015000 03:06 2094542    /usr/lib/libICE.so.6.3.0
4d051000-4d053000 rwxp 4d051000 00:00 0
4d055000-4d05c000 r-xp 00000000 03:06 2094543    /usr/lib/libSM.so.6.0.0
4d05c000-4d05d000 rwxp 00007000 03:06 2094543    /usr/lib/libSM.so.6.0.0
4d05f000-4d06a000 r-xp 00000000 03:05 569301     /lib/libgcc_s-4.2.2.so.1
4d06a000-4d06b000 rwxp 0000a000 03:05 569301     /lib/libgcc_s-4.2.2.so.1
4d5ff000-4d653000 r-xp 00000000 03:06 2094611    /usr/lib/libXt.so.6.0.0
4d653000-4d657000 rwxp 00053000 03:06 2094611    /usr/lib/libXt.so.6.0.0
4dd56000-4dd5e000 r-xp 00000000 03:06 2094557    /usr/lib/libesd.so.0.2.38
4dd5e000-4dd5f000 rwxp 00007000 03:06 2094557    /usr/lib/libesd.so.0.2.38
4dd61000-4dd8b000 r-xp 00000000 03:06 278149     /usr/lib/libaudiofile.so.0.0.2
4dd8b000-4dd8e000 rwxp 00029000 03:06 278149     /usr/lib/libaudiofile.so.0.0.2
4e831000-4e876000 r-xp 00000000 03:05 569370     /lib/libncurses.so.5.6
4e876000-4e879000 rwxp 00044000 03:05 569370     /lib/libncurses.so.5.6
4eda0000-4eda5000 r-xp 00000000 03:06 284555     /usr/lib/libXxf86dga.so.1.0.0
4eda5000-4eda6000 rwxp 00004000 03:06 284555     /usr/lib/libXxf86dga.so.1.0.0
4eda8000-4ee53000 r-xp 00000000 03:06 278728     /usr/lib/libslang.so.2.1.1
4ee53000-4ee63000 rwxp 000ab000 03:06 278728     /usr/lib/libslang.so.2.1.1
4ee63000-4ee83000 rwxp 4ee63000 00:00 0
4ee85000-4ee97000 r-xp 00000000 03:06 290187    
/usr/lib/libdirect-1.0.so.0.0.0
4ee97000-4ee98000 rwxp 00012000 03:06 290187    
/usr/lib/libdirect-1.0.so.0.0.0
4ee9a000-4eeb1000 r-xp 00000000 03:06 285019     /usr/lib/libaudio.so.2.4
4eeb1000-4eeb2000 rwxp 00016000 03:06 285019     /usr/lib/libaudio.so.2.4
4eeb4000-4ef1f000 r-xp 00000000 03:06 278911    
/usr/lib/libdirectfb-1.0.so.0.0.0
4ef1f000-4ef21000 rwxp 0006b000 03:06 278911    
/usr/lib/libdirectfb-1.0.so.0.0.0
4ef23000-4ef3b000 r-xp 00000000 03:06 287757     /usr/lib/libaa.so.1.0.4
4ef3b000-4ef3d000 rwxp 00018000 03:06 287757     /usr/lib/libaa.so.1.0.4
4ef3d000-4ef3e000 rwxp 4ef3d000 00:00 0
4ef40000-4efc2000 r-xp 00000000 03:06 283930     /usr/lib/libggi.so.2.0.2
4efc2000-4efc8000 rwxp 00081000 03:06 283930     /usr/lib/libggi.so.2.0.2
4efc8000-4efdd000 rwxp 4efc8000 00:00 0
4efdf000-4efe7000 r-xp 00000000 03:06 281994     /usr/lib/libgg.so.1.0.0
4efe7000-4efe9000 rwxp 00007000 03:06 281994     /usr/lib/libgg.so.1.0.0
4efe9000-4efea000 rwxp 4efe9000 00:
Program received signal SIGABRT, Aborted.
[Switching to Thread -1208883520 (LWP 20424)]
0xffffe410 in __kernel_vsyscall ()
(gdb) bt full
#0  0xffffe410 in __kernel_vsyscall ()
No symbol table info available.
#1  0x4cda2ec5 in raise () from /lib/i686/libc.so.6
        _nl_category_name_idxs = "\v +\000\0243\000?HP[hw"
        _nl_msg_cat_cntr = 2
#2  0x4cda4921 in abort () from /lib/i686/libc.so.6
        _nl_category_name_idxs = "\v +\000\0243\000?HP[hw"
        _nl_msg_cat_cntr = 2
#3  0x4cdd983c in __libc_message (do_abort=2, fmt=0x4ce9ee60 "*** buffer
overflow detected ***: %s terminated\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
        ap = 0xbf83de1c "hO%\bhO%\b"
        ap_copy = 0xbf83de18 "A\002\204¿hO%\bhO%\b"
        fd = 12
        list = <value optimized out>
        nlist = 3
        cp = <value optimized out>
        written = 6
#4  0x4ce5ce51 in __chk_fail () from /lib/i686/libc.so.6
        databases = {{name = "aliases\000\000", dbp = 0x4ceb94bc}, {name =
"ethers\000\000\000", dbp = 0x4ceb94ac}, {name = "group\000\000\000\000",
    dbp = 0x4ceb94a0}, {name = "hosts\000\000\000\000", dbp = 0x4ceb9498},
{name = "netgroup\000", dbp = 0x4ceb94b4}, {name = "networks\000",
    dbp = 0x4ceb949c}, {name = "passwd\000\000\000", dbp = 0x4ceb94a4}, {name =
"protocols", dbp = 0x4ceb9490}, {name = "publickey", dbp = 0x4ceb94b8}, {
    name = "rpc\000\000\000\000\000\000", dbp = 0x4ceb94a8}, {name =
"services\000", dbp = 0x4ceb9494}, {name = "shadow\000\000\000", dbp =
0x4ceb94b0}}
        service_table = (name_database *) 0x0
        __elf_set___libc_subfreeres_element_free_mem__ = (const void *)
0x4ce87b20
        lock = 0
        _nl_category_name_idxs = "\v +\000\0243\000?HP[hw"
#5  0x0805bafc in FCEUSS_SaveFP (st=0x8254f68) at state.c:234
        totalsize = 0
        header = "FCS", '\0' <repeats 12 times>
#6  0x0805bd1e in FCEUSS_Save (fname=0x0) at state.c:279
        st = (FILE *) 0x8254f68
        fn = 0x8264200
"ÈP%\bPqëLsterz/.fceultra/fcs/METROID.f6c11224bd83f5a79e281b1aa8944bc6.fc2P"
#7  0x080d5325 in FCEUD_UpdateInput () at drivers/pc/input.c:182
        x = <value optimized out>
        t = <value optimized out>
#8  0x080d5abc in DoFun () at drivers/pc/main.c:341
        gfx = (uint8 *) 0x8266b38 '\217' <repeats 200 times>...
---Type <return> to continue, or q <return> to quit---
        sound = (int32 *) 0x8234340
        ssize = 798
        fskipc = 0
#9  0x080d606b in CLImain (argc=2, argv=0xbf83e8a4) at drivers/pc/main.c:384
        ret = <value optimized out>
#10 0x080d6296 in main (argc=2, argv=0xbf83e8a4) at drivers/pc/sdl.c:392
        ret = <value optimized out>
#11 0x4cd8ff90 in __libc_start_main (main=0x80d61d0 <main>, argc=2,
ubp_av=0xbf83e8a4, init=0x80d8210 <__libc_csu_init>, fini=0x80d8200
<__libc_csu_fini>,
    rtld_fini=0x4c3b8e80 <_dl_fini>, stack_end=0xbf83e89c) at libc-start.c:222
        result = <value optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {1290493940, 1279020224, 0,
-1081874312, 1761121727, -556368295}, mask_was_saved = 0}}, priv = {pad = {
      0x0, 0x0, 0x4c3bdb40, 0x4cd8febd}, data = {prev = 0x0, cleanup = 0x0,
canceltype = 1278991168}}}
        not_first_call = <value optimized out>
#12 0x08049de1 in _start ()
No symbol table info available.


-- 
Configure bugmail: http://plf.zarb.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
_______________________________________________
PLF-discuss mailing list
[email protected]
https://www.zarb.org/mailman/listinfo/plf-discuss
