Luca Bruno writes: Running `foomatic-db-engine -O` in gdb says that the bug is at line 1840:
Running it under valgrind is more telling. It's a buffer overflow. I get this first:

==8614== Source and destination overlap in strcpy(0xBEEED388, 0xBEEED388)
==8614==    at 0x401E83B: strcpy (mac_replace_strmem.c:107)
==8614==    by 0x804AAB2: parse (foomatic-combo-xml.c:1203)
==8614==    by 0x804D2F2: main (foomatic-combo-xml.c:1782)

which may be harmless, depending on the implementation of strcpy, but the buffer overflow happens here:

==8614==
==8614== Invalid write of size 4
==8614==    at 0x804AFAE: parse (foomatic-combo-xml.c:1434)
==8614==    by 0x804D462: main (foomatic-combo-xml.c:1834)
==8614==  Address 0x4257755 is 981 bytes inside a block of size 984 alloc'd
==8614==    at 0x401D98D: realloc (vg_replace_malloc.c:306)
==8614==    by 0x8048A10: loadfile (foomatic-combo-xml.c:105)
==8614==    by 0x804D3EF: main (foomatic-combo-xml.c:1825)

It's doing a whole bunch of strcat'ing without checking the buffer length, and it eventually overflows. If I change the final realloc on line 105 from:

    /* Make space for an additional line, needed for the default value in an option file */
    data = (char *)realloc(data, size + 128);

to:

    data = (char *)realloc(data, size + 128 * 1024);

Then everything works for me, although obviously that's not a real patch either.

Eric
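The unchecked strcat into a block with fixed slack described above, as an added example (not part of the original message and not foomatic code): an append helper that tracks length and capacity and grows the allocation before copying, instead of relying on a padding guess. The struct, the function names, the sample line and the 856 + 128 sizes are hypothetical, chosen to mirror the 984-byte block in the valgrind report.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample line, standing in for a generated default-value entry. */
#define SAMPLE_LINE "<option default='constructed-value-01'/>"

/* Hypothetical growable buffer; names are not from foomatic-combo-xml.c. */
struct textbuf {
    char  *data;  /* NUL-terminated contents; may move when the buffer grows */
    size_t len;   /* bytes used, not counting the NUL */
    size_t cap;   /* bytes allocated */
};

/* Append src, growing the allocation first if it would not fit. Returns 0, or
 * -1 with the buffer unchanged. Callers keep offsets, not pointers, into data. */
int textbuf_append(struct textbuf *b, const char *src)
{
    size_t n = strlen(src);
    if (n >= SIZE_MAX - b->len) return -1;    /* len + n + 1 would wrap */
    size_t need = b->len + n + 1;
    if (need > b->cap) {
        size_t newcap = b->cap ? b->cap : 128;
        while (newcap < need)
            newcap = (newcap > SIZE_MAX / 2) ? need : newcap * 2;
        char *p = realloc(b->data, newcap);
        if (p == NULL) return -1;             /* old block is still valid */
        b->data = p;
        b->cap = newcap;
    }
    memcpy(b->data + b->len, src, n + 1);     /* copies the NUL as well */
    b->len += n;
    return 0;
}

/* Constructed scenario: 856 bytes of data plus 128 of slack (a 984-byte block),
 * then 100 appended lines. Returns the final length, or 0 on failure. */
size_t demo_append_past_slack(void)
{
    struct textbuf b = { calloc(1, 856 + 128), 856, 856 + 128 };
    if (b.data == NULL) return 0;
    memset(b.data, 'x', 856);
    int ok = 1;
    for (int i = 0; i < 100 && ok; i++)
        ok = textbuf_append(&b, SAMPLE_LINE) == 0;
    size_t result = (ok && strlen(b.data) == b.len) ? b.len : 0;
    free(b.data);
    return result;
}
int main(void) { return demo_append_past_slack() ? 0 : 1; }
```

Running the same scenario with plain strcat into the 984-byte block would write past its end once the 128 bytes of slack are used up, which is the condition valgrind flags as an invalid write.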