Open: GoogleCodeExporter opened this issue 9 years ago
I seem to have gotten around this issue by building libtool with gcc 4.1
Original comment by adamvleg...@gmail.com
on 13 Dec 2010 at 4:33
Tried compiling everything with GCC 4.1.2 and still get this same error:
```
i686-apple-darwin9-ar rc ./libgcov.a libgcc/./_gcov.o libgcc/./_gcov_merge_add.o libgcc/./_gcov_merge_single.o libgcc/./_gcov_merge_delta.o libgcc/./_gcov_fork.o libgcc/./_gcov_execl.o libgcc/./_gcov_execlp.o libgcc/./_gcov_execle.o libgcc/./_gcov_execv.o libgcc/./_gcov_execvp.o libgcc/./_gcov_execve.o libgcc/./_gcov_interval_profiler.o libgcc/./_gcov_pow2_profiler.o libgcc/./_gcov_one_value_profiler.o
*** buffer overflow detected ***: /home/tatsh/usr/apple-darwin9/usr/bin/ranlib terminated
======= Backtrace: =========
/lib32/libc.so.6(__fortify_fail+0x50)[0xf76666b0]
/lib32/libc.so.6(+0xe753a)[0xf766453a]
/lib32/libc.so.6(+0xe6c08)[0xf7663c08]
/lib32/libc.so.6(_IO_default_xsputn+0xa4)[0xf75e8744]
/lib32/libc.so.6(_IO_padn+0xd7)[0xf75dba97]
/lib32/libc.so.6(_IO_vfprintf+0xfd0)[0xf75bbcf0]
/lib32/libc.so.6(__vsprintf_chk+0x9f)[0xf7663cbf]
/lib32/libc.so.6(__sprintf_chk+0x2d)[0xf7663bed]
/home/tatsh/usr/apple-darwin9/usr/bin/ranlib[0x804ad9c]
/home/tatsh/usr/apple-darwin9/usr/bin/ranlib[0x804cbb2]
/home/tatsh/usr/apple-darwin9/usr/bin/ranlib[0x804d3bf]
/lib32/libc.so.6(__libc_start_main+0xe6)[0xf7593ce6]
/home/tatsh/usr/apple-darwin9/usr/bin/ranlib[0x8048ec1]
======= Memory map: ========
08048000-08067000 r-xp 00000000 08:21 116858913  /home/tatsh/usr/apple-darwin9/usr/bin/libtool
08067000-08068000 r--p 0001e000 08:21 116858913  /home/tatsh/usr/apple-darwin9/usr/bin/libtool
08068000-08069000 rw-p 0001f000 08:21 116858913  /home/tatsh/usr/apple-darwin9/usr/bin/libtool
09d9b000-09dbc000 rw-p 00000000 00:00 0          [heap]
f757c000-f757d000 rw-p 00000000 00:00 0
f757d000-f76d5000 r-xp 00000000 08:01 3886863    /lib32/libc-2.12.2.so
f76d5000-f76d7000 r--p 00158000 08:01 3886863    /lib32/libc-2.12.2.so
f76d7000-f76d8000 rw-p 0015a000 08:01 3886863    /lib32/libc-2.12.2.so
f76d8000-f76db000 rw-p 00000000 00:00 0
f76fb000-f7705000 r-xp 00000000 08:01 1044847    /lib32/libgcc_s.so.1
f7705000-f7706000 r--p 00009000 08:01 1044847    /lib32/libgcc_s.so.1
f7706000-f7707000 rw-p 0000a000 08:01 1044847    /lib32/libgcc_s.so.1
f7707000-f771b000 rw-p 00000000 08:21 92864568   /home/tatsh/usr/src/toolwhip2/gcc.i386.obj/gcc/libgcov.a
f771b000-f771c000 rw-p 00000000 00:00 0
f771c000-f7739000 r-xp 00000000 08:01 3886861    /lib32/ld-2.12.2.so
f7739000-f773a000 r--p 0001c000 08:01 3886861    /lib32/ld-2.12.2.so
f773a000-f773b000 rw-p 0001d000 08:01 3886861    /lib32/ld-2.12.2.so
ffabe000-ffae2000 rw-p 00000000 00:00 0          [stack]
ffffe000-fffff000 r-xp 00000000 00:00 0          [vdso]
i686-apple-darwin9-ar: fatal error in /home/tatsh/usr/apple-darwin9/usr/bin/ranlib
make[3]: *** [libgcov.a] Error 1
make[3]: Leaving directory `/home/tatsh/usr/src/toolwhip2/gcc.i386.obj/gcc'
make[2]: *** [stmp-multilib] Error 2
make[2]: Leaving directory `/home/tatsh/usr/src/toolwhip2/gcc.i386.obj/gcc'
make[1]: *** [all-gcc] Error 2
make[1]: Leaving directory `/home/tatsh/usr/src/toolwhip2/gcc.i386.obj'
make: *** [all] Error 2
```
Think it would be better to figure out the line where the buffer overflow
occurs.
Original comment by audvare
on 22 Aug 2011 at 2:33
The related lines are in the add_member() function in libtool.c, lines ~1949-1966:

```c
else {
    /*
     * Since we can use long names force this to use extended
     * format #1. And round the name size to 8 plus the size of
     * struct ar_hdr rounded to 8 bytes.
     */
    member->member_name_size = size_ar_name(&member->ar_hdr);
    ar_name_size = round(ofile->member_name_size, 8) +
                   (round(sizeof(struct ar_hdr), 8) -
                    sizeof(struct ar_hdr));
    member->output_long_name = TRUE; // buffer overflow: wants "#1/20"
    sprintf(ar_name_buf, "%s%-*lu",
            AR_EFMT1,                                                       // %s
            (int)(sizeof(member->ar_hdr.ar_name) - (sizeof(AR_EFMT1) - 1)), // %-* left justify by this width
            ar_name_size);                                                  // lu
    memcpy(member->ar_hdr.ar_name, ar_name_buf,
           sizeof(member->ar_hdr.ar_name));
}
```
It seems to want to write "#1/20" into the buffer and the buffer size here is
17. sizeof(member->ar_hdr.ar_name) = 20 and
(int)(sizeof(member->ar_hdr.ar_name) - (sizeof(AR_EFMT1) - 1) = 13.
A simple lookalike does not reproduce this error (values taken from GDB):

```c
#include <stdio.h>

#define AFT1 "#1/"

int main(void) {
    char p[17];
    /* Same format as libtool.c: prefix, then the size left-justified in the
     * width remaining after the prefix. 20UL matches the %lu conversion
     * (a plain int here would be a type mismatch for %lu). */
    sprintf(p, "%s%-*lu",
            AFT1,
            (int)(sizeof("_gcov_execve.o ") - (sizeof(AFT1) - 1)),
            20UL);
    printf("%s\n", p);
    return 0;
}
```
I'm kind of ruling out libtool.c as the problem because Apple's logs mention a
few overflow issues but none about this particular section and the only
difference now in the latest version is that round() is now called rnd().
Otherwise everything else is the same.
Original comment by audvare
on 22 Aug 2011 at 1:55
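A bounded version of that name-formatting step, added here as an illustration and not code from cctools, from Apple, or from anyone in this thread. It assumes a 16-byte `ar_name` field and the `"#1/"` prefix as constructed stand-ins for the ar.h values (`AR_NAME_LEN`, `AR_EFMT1_WIDTH`, `required_ar_name_len`, `format_ar_efmt1_name` and `format_into_ar_name` are names chosen for this example). The point it demonstrates is the property that makes `sprintf` with `%-*lu` risky even when the computed width looks right: `*` sets a minimum field width, not a maximum, so a size with more digits than the field grows the string past the buffer. That is the condition glibc's `__sprintf_chk` in the backtrace above aborts on, and the `snprintf` return-value check below rejects it before any write happens.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the ar.h values used by add_member() (an
 * assumption for this example: BSD ar headers carry a 16-byte ar_name and
 * the "#1/" extended-format prefix). */
#define AR_EFMT1    "#1/"
#define AR_NAME_LEN 16

/* Characters left for the decimal size once the prefix is in place. This is
 * the (int)(sizeof(ar_name) - (sizeof(AR_EFMT1) - 1)) expression discussed
 * in the thread, written against the stand-in constants: 16 - 3 = 13. */
#define AR_EFMT1_WIDTH ((int)(AR_NAME_LEN - (sizeof(AR_EFMT1) - 1)))

/* Length snprintf would produce for "#1/<name_size>" padded to the field.
 * '*' is only a minimum width, so this exceeds AR_NAME_LEN as soon as
 * name_size has more than AR_EFMT1_WIDTH digits. */
int required_ar_name_len(unsigned long name_size)
{
    return snprintf(NULL, 0, "%s%-*lu", AR_EFMT1, AR_EFMT1_WIDTH, name_size);
}

/* Bounded replacement for the unchecked sprintf: returns the length written,
 * or -1 (dst untouched) when the result plus its NUL would not fit dstlen. */
int format_ar_efmt1_name(char *dst, size_t dstlen, unsigned long name_size)
{
    int n = required_ar_name_len(name_size);
    if (n < 0 || (size_t)n + 1 > dstlen)
        return -1;
    /* dstlen is now known to be large enough, so this write is bounded. */
    snprintf(dst, dstlen, "%s%-*lu", AR_EFMT1, AR_EFMT1_WIDTH, name_size);
    return n;
}

/* Same 17-byte destination as the thread's ar_name_buf lookalike; returns
 * the formatted name, or NULL when the bounded formatter rejects it. */
const char *format_into_ar_name(unsigned long name_size)
{
    static char ar_name_buf[AR_NAME_LEN + 1];
    if (format_ar_efmt1_name(ar_name_buf, sizeof ar_name_buf, name_size) < 0)
        return NULL;
    return ar_name_buf;
}

int main(void)
{
    /* The thread's value: "#1/20" padded to 16 characters fits in 17 bytes. */
    const char *ok = format_into_ar_name(20UL);
    printf("20 -> \"%s\" (%d chars)\n", ok, required_ar_name_len(20UL));

    /* A constructed 14-digit size needs 17 characters plus a NUL, one more
     * than the field: the plain sprintf would run past ar_name_buf here. */
    unsigned long too_long = 12345678901234UL;
    printf("%lu -> %s (needs %d chars)\n", too_long,
           format_into_ar_name(too_long) ? "ok" : "rejected",
           required_ar_name_len(too_long));
    return 0;
}
```

`__sprintf_chk` only catches this at runtime when the destination's size is visible to the compiler at the call site (a fixed-size array such as `ar_name_buf`), which is why the FORTIFY abort fires inside ranlib rather than silently corrupting the adjacent `struct ar_hdr` fields; the explicit length check above gives the same guarantee without depending on that compile-time knowledge and lets the caller fail the archive write cleanly.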
Original issue reported on code.google.com by
jdiw...@gmail.com
on 8 Jul 2010 at 2:43