mate-desktop / pluma

A powerful text editor for MATE
http://www.mate-desktop.org
GNU General Public License v2.0
158 stars 66 forks source link

Fix out-of-bounds write #665

Closed balping closed 2 years ago

balping commented 2 years ago

Closes #664

The size of tempfont was one byte too short, so strcpy performed an out-of-bounds write when writing the terminating 0. This lead to segfault when D_FORTIFY_SOURCE=3 compiler flag was turned on.

Fix tested on openSUSE Tumbleweed.

raveit65 commented 1 year ago

Seems the issue is still landed in next fedora release (38).

Program terminated with signal SIGABRT, Aborted.
warning: Section `.reg-xstate/2186' in core file too small.
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
44        return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;
[Current thread is 1 (Thread 0x7ff2cff3fac0 (LWP 2186))]

Thread 1 (Thread 0x7ff2cff3fac0 (LWP 2186)):
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
        tid = <optimized out>
        ret = 0
        pd = <optimized out>
        old_mask = {__val = {13}}
        ret = <optimized out>
#1  0x00007ff2d1037c03 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
No locals.
#2  0x00007ff2d0fe6aee in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
        ret = <optimized out>
#3  0x00007ff2d0fcf87f in __GI_abort () at abort.c:79
        save_stage = 1
        act = {__sigaction_handler = {sa_handler = 0x20, sa_sigaction = 0x20}, sa_mask = {__val = {93896012798768, 24, 140722627469632, 140722627469440, 140680867245573, 140722627469632, 93896012798768, 140722627469472, 140680867379691, 93896012798768, 15138960226847091968, 140722627469616, 18446744073709551496, 11, 15138960226847091968, 93896004860144}}, sa_flags = -120, sa_restorer = 0xb}
#4  0x00007ff2d0fd060f in __libc_message (fmt=fmt@entry=0x7ff2d114b2e6 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:150
        ap = {{gp_offset = 16, fp_offset = 21861, overflow_arg_area = 0x7ffc8a38e230, reg_save_area = 0x7ffc8a38e1c0}}
        fd = 2
        list = <optimized out>
        nlist = <optimized out>
        cp = <optimized out>
#5  0x00007ff2d10cbb29 in __GI___fortify_fail (msg=msg@entry=0x7ff2d114b28c "buffer overflow detected") at fortify_fail.c:24
No locals.
#6  0x00007ff2d10ca364 in __GI___chk_fail () at chk_fail.c:28
No locals.
#7  0x00005565dd7e7c62 in strcpy (__src=0x5565de7d1b30 "Monospace 12", __dest=0x7ffc8a38e250 "\320\342\070\212\374\177") at /usr/include/bits/string_fortified.h:79
No locals.
#8  pluma_window_key_press_event (widget=0x5565de03f8f0, event=event@entry=0x5565de7b3960) at /usr/src/debug/pluma-1.26.0-6.fc38.x86_64/pluma/pluma-window.c:322
        nsize = 21861
        tmp = <optimized out>
        tmp = <optimized out>
        font = <optimized out>
        tempsize = 0x5565de7d1c70 "12"
        tempfont = "\320\342\070\212\374\177\000\000\004|~\335"
        window = 0x5565de03f8f0
        handled = 0
        settings = 0x5565de7d0d80
        grand_parent_class = 0x5565ddf3f9e0
#9  0x00007ff2d189c967 in _gtk_marshal_BOOLEAN__BOXEDv (closure=0x5565ddf32ed0, return_value=0x7ffc8a38e430, instance=<optimized out>, args=<optimized out>, marshal_data=<optimized out>, n_params=<optimized out>, param_types=0x5565ddf32f00) at gtk/gtkmarshalers.c:130
        cc = <optimized out>
        data1 = <optimized out>
        data2 = 0x5565ddf2b1f0
        callback = 0x5565dd7e7ae0 <pluma_window_key_press_event>
        v_return = <optimized out>
        arg0 = 0x5565de7b3960
        args_copy = {{gp_offset = 32, fp_offset = 48, overflow_arg_area = 0x7ffc8a38e5c0, reg_save_area = 0x7ffc8a38e500}}
        __func__ = "_gtk_marshal_BOOLEAN__BOXEDv"

I will test if this commit helps.

raveit65 commented 1 year ago

Thanks, that fixes the issue in fedora 38.

raveit65 commented 1 year ago

I will cherry-pick that to 1.26 branch.