Bug#716363: [Mayhem] Bug report on libsvm-tools: svm-scale crashes with exit status 139
Hey,

Sorry about the link not working anymore. The extra data was also attached to the bug report luckily. You can download it at https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;msg=5;bug=716363;filename=svm-scale-report.tar.bz2 .

Best,
Alex

On Tue, Nov 24, 2015 at 10:07 PM, Chen-Tse Tsai wrote:
> Hi,
>
> Thanks for reporting the bug. Since the link of your script is not
> available now, I couldn't reproduce the bug. Could you please provide it
> again?
>
> Thanks,
> Chen-Tse
Bug#715977: Gopher bug 715977
Hey John

The report is actually attached to the bug report (gopher-report.tar.bz2). We should have removed the URL from the report. Sorry about the confusion.

Best,
Alex

On Thu, Nov 12, 2015 at 12:46 PM, John Goerzen wrote:
> Hello Alexandre,
>
> I am attempting to fix the bug you reported. However, the information
> needed to do so is in a site under forallsecure.com that is no longer
> responding. Can you get me the information some other way?
>
> Thanks,
>
> John
Bug#715959: [Mayhem] Bug report on hdf5-tools: gif2h5 crashes with exit status 139
Hi,

The program crashes with an invalid GIF, which you can find under ./crash/file_DA.symb.

After looking at the code, the problem seems to be in the main loop of Gif2Mem in gif2mem.c. The loop keeps going as long as the block identifier is unknown. After many iterations, the memory dereference *MemGif segfaults. Since MemGif is incremented at each iteration, it eventually points to unmapped memory.

One solution is to pass the MemGif buffer size as an argument to Gif2mem, and to check that reads are within bounds at each loop iteration.

Alex

On Tue, Dec 24, 2013 at 2:26 PM, pini p...@pustule.org wrote:
> Hi,
>
> Alexandre Rebert wrote on 10/07/2013 21:07:
>> Package: hdf5-tools
>> Version: 1.8.10-patch1-1
>> Severity: normal
>> User: may...@forallsecure.com
>> Usertags: mayhem
>>
>> gif2h5 crashes with exit status 139. We confirmed the crash by
>> re-running it in a fresh debian unstable installation.
>>
>> The attachment [1] contains a testcase (under ./crash) crashing the
>> program. It ensures that you can easily reproduce the bug. Additionally,
>> under ./crash_info/, we include more information about the crash such as
>> a core dump, the dmesg generated by the crash, and its output.
>>
>> Regards,
>> The Mayhem Team
>> (Alexandre Rebert, Thanassis Avgerinos, Sang Kil Cha, David Brumley, Manuel Egele)
>> Cylab, Carnegie Mellon University
>>
>> [1] http://www.forallsecure.com/bug-reports/44229785e52406a1153f91ea5e404ea14fe736af/full_report
>
> I fail to find a valid GIF file in your archive. This makes it difficult
> for me to understand the problem. Would you mind providing an actual GIF
> file?
>
> Thanks in advance,
>
> _g.
Bug#716516: [Mayhem] Bug report on xjdic: xjdxgen crashes with exit status 139
Hi Ludovic,

Thanks for looking into the crash. After looking at the code, it seems that the crash happens because ap is incremented twice (line 95, and line 117) while arg_c is decremented once.

If we run the program with ./xjdxgen A A, at the end of the first loop iteration, arg_c is 2, and ap points to argv[2]. At the beginning of the second iteration, ap is incremented and now points to argv[3], which is NULL. Therefore, when ap is dereferenced, the program will crash.

An easy way to fix that is to remove line 117 (ap++).

Best,
Alex

On Fri, Sep 13, 2013 at 1:26 PM, ldro...@debian.org wrote:
> Hi!
>
> All the bugs are caused by poor argv parsing.
>
> (gdb) bt
> #0 strcmp () at ../sysdeps/i386/i686/strcmp.S:39
> #1 0x08048884 in main (argc=3, argv=0xbe74) at xjdxgen.c:96
>
> How to fix this quickly???
>
> Excerpt of code around xjdxgen.c:96:
>
>     ap = argv;
>     arg_c = argc;
>     while (arg_c > 1)
>     {
>         ap++;
>         if(strcmp(*ap,"-h") == 0)   <--- CRASH
>         ...
>         ...
>         strcpy(strtmp,*ap);
>         strcpy(Dname,*ap);
>         strcpy(JDXname,*ap);
>         strcat(JDXname,".xjdx");
>         printf("Commandline request to use files %s and %s \n",Dname,JDXname);
>         ap++;
>         arg_c--;
>     }
>
> --
> Ludovic Drolez.
>
> http://www.aopensource.com - The Android Open Source Portal
> http://www.drolez.com - Personal site - Linux and Free Software
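
Added example (not part of the thread and not xjdic's code): a model of the pointer arithmetic in the quoted loop, with an index standing in for ap, so the out-of-bounds read can be shown for any argc without actually dereferencing anything. It goes beyond the ./xjdxgen A A case in the message by covering other argument counts. The names walk_args and struct walk are assumptions of this example; only the top ap++, the bottom ap++ and the single arg_c-- come from the excerpt, and the elided lines are not modelled.

```c
#include <stdio.h>

/* Result of walking argv: the first index >= argc that the loop would read
 * (-1 if every read stays inside argv[0..argc-1]) and how many arguments
 * were consumed before that point. */
struct walk { int bad_index; int consumed; };

/* Index i stands in for ap. bottom_increment = 1 reproduces the second ap++
 * at the end of the loop body; 0 models the loop with that line removed,
 * as suggested in the reply. */
static struct walk walk_args(int argc, int bottom_increment)
{
    struct walk w = { -1, 0 };
    int i = 0;          /* ap = argv;    */
    int arg_c = argc;   /* arg_c = argc; */

    while (arg_c > 1) {
        i++;                    /* ap++ at the top of the loop */
        if (i >= argc) {        /* *ap is argv[argc] (NULL) or past the array */
            w.bad_index = i;
            return w;
        }
        w.consumed++;           /* strcmp()/strcpy() on *ap happen here */
        if (bottom_increment)
            i++;                /* second ap++ at the bottom */
        arg_c--;
    }
    return w;
}

int main(void)
{
    /* argc = 3 corresponds to "./xjdxgen A A" from the message. */
    for (int argc = 1; argc <= 5; argc++) {
        struct walk b = walk_args(argc, 1);
        struct walk f = walk_args(argc, 0);
        printf("argc=%d  double increment: bad index %d  "
               "single increment: bad index %d, consumed %d\n",
               argc, b.bad_index, f.bad_index, f.consumed);
    }
    return 0;
}
```

With one extra argument (argc = 2) the double increment stays in bounds, which is why the crash only appears once two or more arguments are passed.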