[Bug 372217] [NEW] dvipdfmx does not work on 9.04 (It killed by GCC Stack Smashing Protector)
Fumihito YOSHIDA
hito at kugutsu.org
Tue May 5 14:22:43 UTC 2009
Public bug reported:
Binary package hint: dvipdfmx
Original information is here (note: it is written in Japanese).
https://forums.ubuntulinux.jp/viewtopic.php?id=4615
[Description]
dvipdfmx does not work anymore. Executing dvipdfmx, it is killed by gcc-SSP.
-----------------------------------------------------
[1*** stack smashing detected ***: dvipdfmx terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7e9ada8]
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x0)[0xb7e9ad60]
dvipdfmx[0x805cdc5]
(snip)
-----------------------------------------------------
It is caused by some mishandled array access; this is not a security vuln.
This is a coding bug.
-----------------------------------------------------
in dvipdfmx-20080607/src/cmap_read.c :
-----------------------------------------------------
#include <stdio.h>   /* includes added here; the original excerpt omits them */
#include <string.h>

#define INPUT_BUF_SIZE 4096
#define CMAP_SIG_MAX 64

int
CMap_parse_check_sig (FILE *fp)
{
  int  result = -1;
  char sig[CMAP_SIG_MAX+1]; /* array size is "CMAP_SIG_MAX+1", valid indices 0..CMAP_SIG_MAX */

  if (!fp)
    return -1;

  rewind(fp);
  if (fread(sig, sizeof(char), CMAP_SIG_MAX, fp) != CMAP_SIG_MAX)
    result = -1;
  else {
    sig[CMAP_SIG_MAX+1] = 0; /* Access "sig[CMAP_SIG_MAX+1]" <= missed access! (one past the end of the array) */
    if (strncmp(sig, "%!PS", 4))
      result = -1;
    else if (strstr(sig+4, "Resource-CMap"))
      result = 0;
  }
  rewind(fp);

  return result;
}
-----------------------------------------------------
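As an added example (not code from this bug report and not dvipdfmx's own patch), the same check with the terminator written at the last valid index, sig[CMAP_SIG_MAX], so that strstr() is bounded and nothing is written past the array. The small tmpfile()-based harness and the names cmap_check_sig_fixed, sig_file_from_bytes and check_constructed_header are my own, and the header strings are constructed test input.

```c
#include <stdio.h>
#include <string.h>

#define CMAP_SIG_MAX 64
#define CMAP_SIG_BUF_LEN (CMAP_SIG_MAX + 1)   /* signature bytes + one NUL */

/* The terminator must land inside the buffer. The original writes
 * sig[CMAP_SIG_MAX+1], i.e. index 65 of a 65-element array, which is
 * exactly the write the stack protector reported. */
_Static_assert(CMAP_SIG_MAX < CMAP_SIG_BUF_LEN, "terminator index must be in bounds");

/* Hardened signature check (assumed rewrite, not the project's patch):
 * returns 0 if the file begins with "%!PS" and the first CMAP_SIG_MAX bytes
 * contain "Resource-CMap", otherwise -1. */
int cmap_check_sig_fixed(FILE *fp)
{
    char sig[CMAP_SIG_BUF_LEN];
    int result = -1;

    if (!fp)
        return -1;
    rewind(fp);
    if (fread(sig, 1, CMAP_SIG_MAX, fp) == CMAP_SIG_MAX) {
        sig[CMAP_SIG_MAX] = '\0';   /* last valid index: bounds the strstr below */
        if (strncmp(sig, "%!PS", 4) == 0 && strstr(sig + 4, "Resource-CMap") != NULL)
            result = 0;
    }
    rewind(fp);
    return result;
}

/* Test helper: a temporary file holding the given constructed bytes. */
FILE *sig_file_from_bytes(const char *bytes, size_t len)
{
    FILE *fp = tmpfile();
    if (!fp)
        return NULL;
    if (fwrite(bytes, 1, len, fp) != len) {
        fclose(fp);
        return NULL;
    }
    rewind(fp);
    return fp;
}

/* Test helper: pad a constructed header to exactly CMAP_SIG_MAX bytes with
 * spaces (no NUL inside the window, which is the case that needs the explicit
 * terminator) and run the check on it. Returns -2 on I/O failure. */
int check_constructed_header(const char *header)
{
    char buf[CMAP_SIG_MAX];
    size_t n = strlen(header);
    FILE *fp;
    int r;

    memset(buf, ' ', sizeof buf);
    memcpy(buf, header, n < sizeof buf ? n : sizeof buf);
    fp = sig_file_from_bytes(buf, sizeof buf);
    if (!fp)
        return -2;
    r = cmap_check_sig_fixed(fp);
    fclose(fp);
    return r;
}

int main(void)
{
    printf("CMap header: %d\n", check_constructed_header("%!PS-Adobe-3.0 Resource-CMap"));
    printf("Font header: %d\n", check_constructed_header("%!PS-Adobe-3.0 Resource-Font"));
    printf("PDF header:  %d\n", check_constructed_header("%PDF-1.4"));
    return 0;
}
```

Compiling with -fstack-protector-all and running the original function on a 64-byte header reproduces the "stack smashing detected" abort; the fixed version returns 0 for a CMap header, -1 for anything else, and a marker that does not fit inside the 64-byte window is simply not matched.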
[How to Fix]
Apply patch.
[Notes]
9.04 -> Process killed by GCC Stack Smashing Protector
8.10, 8.04 -> Process still lives, but a 1-byte misaligned overwrite is caused...
[Appendix]
This bug is still there in the latest upstream (snapshot 20090501).
http://project.ktug.or.kr/pipermail/dvipdfmx/2009-May/000077.html
I'll contact the original author(s).
** Affects: dvipdfmx (Ubuntu)
Importance: Undecided
Status: New
--
dvipdfmx does not work on 9.04 (It killed by GCC Stack Smashing Protector)
https://bugs.launchpad.net/bugs/372217