[Bug 250425] Re: zsnes crashes with buffer overflow on startup
Cesar Eduardo Barros
cesarb at cesarb.net
Fri Jan 2 19:02:15 UTC 2009
The problem is an interaction between the uncommon (to put it mildly)
way zsnes calls memcpy to restore its global state from the "regsbackup"
buffer, and _FORTIFY_SOURCE:
gcc -ggdb3 -pipe -I. -I/usr/local/include -I/usr/include -D__UNIXSDL__ -I/usr/include/SDL -D_GNU_SOURCE=1 -D_REENTRANT -DNO_DEBUGGER -D__LIBAO__ -D__OPENGL__ -march=i486 -O3 -fomit-frame-pointer -fprefetch-loop-arrays -fforce-addr -s -D__RELEASE__ -o initc.o -c initc.c
[...]
In function ‘memcpy’,
inlined from ‘powercycle’ at initc.c:2624:
/usr/include/bits/string3.h:52: warning: call to __builtin___memcpy_chk will always overflow destination buffer
The corresponding block of code is:
sramsavedis = 0;
memcpy(&sndrot, regsbackup, 3019);
And the declaration for the relevant variables, from the same file:
extern unsigned char NextLineCache, sramsavedis, sndrot,
regsbackup[3019];
The reason this strange memcpy call will always work correctly is that
the storage for sndrot and the rest of the state variables is allocated
in assembly (cpu/regs.inc, included from cpu/table.asm), in a way which
guarantees that all the correct variables will be sequential in memory,
with no padding (sndrot is just the first variable on that block).
However, gcc cannot know that; it sees instead an attempt to write 3019
bytes to a single byte-sized variable, which will obviously overflow
(and, in fact, overflowing is precisely the desired behaviour!).
The easiest way to fix this is to disable the extra security checks (via
-D_FORTIFY_SOURCE=0). There might be other places which use that unusual
"design pattern", so simply fixing that memcpy call might not be enough.
** Attachment added: "Disable _FORTIFY_SOURCE when building zsnes"
http://launchpadlibrarian.net/20867159/zsnes-disable-fortify-source.patch
--
zsnes crashes with buffer overflow on startup
https://bugs.launchpad.net/bugs/250425
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
ubuntu-bugs at lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
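An added example, written for this archive page and not taken from zsnes or from the attached patch: it shows the size question that glibc's fortified memcpy asks (__builtin_object_size of the destination), why a lone byte-sized variable answers "1" and so gets flagged for a 3019-byte copy, and a layout that keeps the state block contiguous while giving the compiler a destination whose size it can see. The struct snes_state, the member names and the save/restore helpers are assumptions of this example; only the 3019-byte size and the sndrot name come from the report.

```c
/* Added example, not zsnes code: how _FORTIFY_SOURCE decides that the
 * memcpy in the bug report "will always overflow", and a layout that keeps
 * the state contiguous while letting the compiler see the true size. */
#include <stddef.h>
#include <string.h>

#define STATE_BYTES 3019u  /* size of the regsbackup buffer in the report */

/* The zsnes situation: sndrot is declared as a lone byte, and the rest of
 * the state lives in other assembly-defined symbols the compiler cannot
 * relate to it. */
unsigned char sndrot_alone;

/* Hypothetical replacement layout (an assumption of this example): the
 * first variable and the remaining bytes of the block inside one struct
 * of unsigned char, so there is no padding and sizeof equals the buffer. */
struct snes_state {
    unsigned char sndrot;                 /* first variable of the block */
    unsigned char rest[STATE_BYTES - 1];  /* the remaining state bytes */
};

static struct snes_state state;
static unsigned char regsbackup[STATE_BYTES];

/* Layout check: no padding may have crept in. */
int state_layout_packed(void) { return sizeof(struct snes_state) == STATE_BYTES; }

/* The fortified memcpy wrapper compares the copy length against
 * __builtin_object_size(dst, 0): the bytes from dst to the end of the
 * enclosing object, or (size_t)-1 when the compiler cannot tell.
 * glibc only enables these checks when optimising (-O1 or higher). */
size_t fortify_sees_lone_byte(void)     { return __builtin_object_size(&sndrot_alone, 0); }
size_t fortify_sees_struct_member(void) { return __builtin_object_size(&state.sndrot, 0); }

/* The compile-time verdict: a definite overflow only when the destination
 * size is known and smaller than the copy length; an unknown size produces
 * neither a warning nor a runtime check. */
int fortify_would_reject(size_t dst_objsize, size_t n) {
    return dst_objsize != (size_t)-1 && n > dst_objsize;
}

/* With the struct layout the same 3019-byte copy has a destination whose
 * size the compiler knows to be 3019: no warning and no abort, and the
 * assembly's "sequential in memory" guarantee is now written in C. */
void save_state(void)    { memcpy(regsbackup, &state, sizeof state); }
void restore_state(void) { memcpy(&state, regsbackup, sizeof state); }

/* Round trip: fill the state with a constructed pattern, back it up,
 * clobber it, restore, and compare byte for byte. */
int state_roundtrip_ok(void) {
    state.sndrot = 0x5a;
    for (size_t i = 0; i < sizeof state.rest; i++)
        state.rest[i] = (unsigned char)(i * 7);
    save_state();
    memset(&state, 0xff, sizeof state);
    restore_state();
    if (state.sndrot != 0x5a) return 0;
    for (size_t i = 0; i < sizeof state.rest; i++)
        if (state.rest[i] != (unsigned char)(i * 7)) return 0;
    return 1;
}
```

Whether __builtin_object_size gives a concrete answer for a given address depends on the compiler and optimisation level, which is exactly why the warning in the report appears at -O3 but a plain -O0 build stays silent; the struct form removes that dependency, since the destination object is the whole block in every build.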