slyfox 12/02/05 19:37:31 |
|
Added: bb-1.3.0_rc1-messager-overlap.patch |
bb-1.3.0_rc1-zbuff-fault.patch |
bb-1.3.0_rc1-printf-cleanup.patch |
Log: |
Fix crash due to out-of-bounds access on 64-bit arches. |
|
(Portage version: 2.2.0_alpha85/cvs/Linux x86_64) |
|
Revision Changes Path |
1.1 app-misc/bb/files/bb-1.3.0_rc1-messager-overlap.patch |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-misc/bb/files/bb-1.3.0_rc1-messager-overlap.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-misc/bb/files/bb-1.3.0_rc1-messager-overlap.patch?rev=1.1&content-type=text/plain |
|
Index: bb-1.3.0_rc1-messager-overlap.patch |
=================================================================== |
messager.c: fix memory overlap (fixes artefacts in scrolling text) |
|
==363== Source and destination overlap in memcpy(0xa066240, 0xa0662b8, 240) |
==363== at 0x4C2B220: memcpy@@GLIBC_2.14 (mc_replace_strmem.c:838) |
==363== by 0x407D97: newline (messager.c:43) |
==363== by 0x407EE6: put (messager.c:54) |
==363== by 0x40806E: messager (messager.c:77) |
==363== by 0x403009: bb (bb.c:258) |
==363== by 0x407C06: main (main.c:202) |
|
29 |
diff --git a/messager.c b/messager.c |
30 |
index 95cc410..964080b 100644 |
31 |
--- a/messager.c |
32 |
+++ b/messager.c |
33 |
@@ -40,8 +40,8 @@ static void newline() |
34 |
start = 0; |
35 |
cursor_y++, cursor_x = 0; |
36 |
if (cursor_y >= aa_scrheight(context)) { |
37 |
- memcpy(context->textbuffer + start * aa_scrwidth(context), context->textbuffer + (start + 1) * aa_scrwidth(context), aa_scrwidth(context) * (aa_scrheight(context) - start - 1)); |
38 |
- memcpy(context->attrbuffer + start * aa_scrwidth(context), context->attrbuffer + (start + 1) * aa_scrwidth(context), aa_scrwidth(context) * (aa_scrheight(context) - start - 1)); |
39 |
+ memmove(context->textbuffer + start * aa_scrwidth(context), context->textbuffer + (start + 1) * aa_scrwidth(context), aa_scrwidth(context) * (aa_scrheight(context) - start - 1)); |
40 |
+ memmove(context->attrbuffer + start * aa_scrwidth(context), context->attrbuffer + (start + 1) * aa_scrwidth(context), aa_scrwidth(context) * (aa_scrheight(context) - start - 1)); |
41 |
memset(context->textbuffer + aa_scrwidth(context) * (aa_scrheight(context) - 1), ' ', aa_scrwidth(context)); |
42 |
memset(context->attrbuffer + aa_scrwidth(context) * (aa_scrheight(context) - 1), 0, aa_scrwidth(context)); |
43 |
cursor_y--; |
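Review bot: memmove is the right call for an in-place scroll, but each of the two rewritten lines still evaluates `aa_scrwidth(context)` three times and `aa_scrheight(context)` once, which is what made the overlapping source/destination easy to miss in the first place. Hoisting the dimensions into locals at the top of the `if`, `const int w = aa_scrwidth(context), h = aa_scrheight(context);`, and then writing `memmove(context->textbuffer + start * w, context->textbuffer + (start + 1) * w, (size_t)w * (h - start - 1));` (and the same for attrbuffer) makes the "shift up by one row" relationship readable at a glance. If the `start = 0;` at the top of the hunk is unconditional, the `start *` terms are always zero on this path and could go as well, but `start` may be assigned elsewhere, so that is worth confirming before simplifying. newline()'s body continues past the end of this hunk.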
|
|
|
1.1 app-misc/bb/files/bb-1.3.0_rc1-zbuff-fault.patch |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-misc/bb/files/bb-1.3.0_rc1-zbuff-fault.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-misc/bb/files/bb-1.3.0_rc1-zbuff-fault.patch?rev=1.1&content-type=text/plain |
|
Index: bb-1.3.0_rc1-zbuff-fault.patch |
=================================================================== |
tex.c: Fix out-of-bounds zbuff clearing |
|
> zbuff = (int *) malloc(X_s * Y_s * sizeof(int)); |
> memset(zbuff, 0x55, (X_s * Y_s * sizeof(long))); |
|
Ouch! amd64: sizeof(long) == 8; sizeof (int) == 4 |
|
Valgrind says: |
==4525== Invalid write of size 4 |
==4525== at 0x4C2C3AF: memset (mc_replace_strmem.c:967) |
==4525== by 0x4122E0: clear_zbuff (tex.c:95) |
==4525== by 0x4144D8: disp3d (tex.c:292) |
==4525== by 0x40F3C6: scene5 (scene5.c:206) |
==4525== by 0x4031BC: bb (bb.c:325) |
==4525== by 0x407C56: main (main.c:202) |
==4525== Address 0xac9ef00 is 0 bytes after a block of size 34,992 alloc'd |
==4525== at 0x4C2996D: malloc (vg_replace_malloc.c:263) |
==4525== by 0x412283: set_zbuff (tex.c:85) |
==4525== by 0x40F347: scene5 (scene5.c:196) |
==4525== by 0x4031BC: bb (bb.c:325) |
==4525== by 0x407C56: main (main.c:202) |
|
76 |
diff --git a/tex.c b/tex.c |
77 |
index 9f2f99d..b390510 100644 |
78 |
--- a/tex.c |
79 |
+++ b/tex.c |
80 |
@@ -92,7 +92,7 @@ void unset_zbuff() |
81 |
|
82 |
static inline void clear_zbuff() |
83 |
{ |
84 |
- memset(zbuff, 0x55, (X_s * Y_s * sizeof(long))); |
85 |
+ memset(zbuff, 0x55, (X_s * Y_s * sizeof(int))); |
86 |
} |
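Review bot: The memset length now matches the allocation, but it is still spelled out independently of the `malloc(X_s * Y_s * sizeof(int))` quoted in the patch description, so the two can drift apart again the next time the buffer's element type changes; `memset(zbuff, 0x55, (size_t)X_s * Y_s * sizeof *zbuff);` derives the size from the pointee type and cannot get out of step. The `(size_t)` cast also moves the `X_s * Y_s` product out of int arithmetic, which matters if either dimension can be large. Nothing in this hunk shows the malloc result being checked, so if set_zbuff (outside this hunk) does not test for NULL, a failed allocation turns into a write at address 0 here — worth confirming.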
87 |
|
88 |
|
89 |
|
90 |
|
91 |
|
92 |
1.1 app-misc/bb/files/bb-1.3.0_rc1-printf-cleanup.patch |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-misc/bb/files/bb-1.3.0_rc1-printf-cleanup.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-misc/bb/files/bb-1.3.0_rc1-printf-cleanup.patch?rev=1.1&content-type=text/plain |
|
Index: bb-1.3.0_rc1-printf-cleanup.patch |
=================================================================== |
zoom.c: printf format cleanup (size_t arguments were printed with %i)
|
x86_64-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -O2 -march=core2 -pipe -I/usr/include -pthread -D_REENTRANT -D SOUNDDIR=\"/usr/share/bb\" -c zoom.c |
zoom.c: In function 'mkrealloc_table': |
zoom.c:245:113: warning: format '%i' expects type 'int', but argument 3 has type 'long unsigned int' |
zoom.c:251:113: warning: format '%i' expects type 'int', but argument 3 has type 'long unsigned int' |
zoom.c:260:113: warning: format '%i' expects type 'int', but argument 3 has type 'long unsigned int' |
zoom.c: In function 'moveoldpoints': |
zoom.c:590:3: warning: format '%i' expects type 'int', but argument 3 has type 'long unsigned int' |
zoom.c:596:3: warning: format '%i' expects type 'int', but argument 3 has type 'long unsigned int' |
109 |
diff --git a/zoom.c b/zoom.c |
110 |
index 7450095..b86cc8b 100644 |
111 |
--- a/zoom.c |
112 |
+++ b/zoom.c |
113 |
@@ -241,13 +241,13 @@ static /*INLINE */ void mkrealloc_table(register number_t * pos, realloc_t * rea |
114 |
#endif |
115 |
if (dyndata == NULL) { |
116 |
fprintf(stderr, "XaoS fatal error:Could not allocate memory for" |
117 |
- "temporary dynamical data of size:%i\n" |
118 |
+ "temporary dynamical data of size:%li\n" |
119 |
"I am unable to handle this problem so please resize to lower window\n", (size) * (DSIZE + 1) * sizeof(struct dyn_data) + size * sizeof(int) + size * sizeof(int)); |
120 |
return; |
121 |
} |
122 |
if (best == NULL) { |
123 |
fprintf(stderr, "XaoS fatal error:Could not allocate memory for" |
124 |
- "temporary dynamical data of size:%i\n" |
125 |
+ "temporary dynamical data of size:%li\n" |
126 |
"I am unable to handle this problem so please resize to lower window\n", (size) * (DSIZE + 1) * sizeof(struct dyn_data) + size * sizeof(int) + size * sizeof(int)); |
127 |
#ifndef HAVE_ALLOCA |
128 |
free(dyndata); |
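Review bot: `%li` only silences the warning because `long` and `size_t` happen to have the same width on LP64 Linux; the argument on the following line is `sizeof` arithmetic, i.e. a `size_t`, so the portable specifier is `%zu`: `"temporary dynamical data of size:%zu\n"`. On an LLP64 target `%li` would consume 32 bits of a 64-bit argument and the `-Wformat` warning (and the misprinted size) would come straight back. If the build must stay C89 and cannot use `%zu`, cast the argument to `unsigned long` and keep `%lu` instead of `%li`, since the value is never negative. The same applies to the third occurrence in mkrealloc_table and to the two in moveoldpoints.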
129 |
@@ -256,7 +256,7 @@ static /*INLINE */ void mkrealloc_table(register number_t * pos, realloc_t * rea |
130 |
} |
131 |
if (best1 == NULL) { |
132 |
fprintf(stderr, "XaoS fatal error:Could not allocate memory for" |
133 |
- "temporary dynamical data of size:%i\n" |
134 |
+ "temporary dynamical data of size:%li\n" |
135 |
"I am unable to handle this problem so please resize to lower window\n", (size) * (DSIZE + 1) * sizeof(struct dyn_data) + size * sizeof(int) + size * sizeof(int)); |
136 |
#ifndef HAVE_ALLOCA |
137 |
free(dyndata); |
138 |
@@ -586,13 +586,13 @@ static /*INLINE */ void moveoldpoints(void) |
139 |
#endif |
140 |
if (size == NULL) { |
141 |
fprintf(stderr, "XaoS fratal error:Could not allocate memory for" |
142 |
- "temporary dynamical data of size:%i\n" |
143 |
+ "temporary dynamical data of size:%li\n" |
144 |
"I am unable to handle this problem so please resize to lower window\n", 2 * d->width * sizeof(int)); |
145 |
return; |
146 |
} |
147 |
if (start == NULL) { |
148 |
fprintf(stderr, "XaoS fratal error:Could not allocate memory for" |
149 |
- "temporary dynamical data of size:%i\n" |
150 |
+ "temporary dynamical data of size:%li\n" |
151 |
"I am unable to handle this problem so please resize to lower window\n", 2 * d->width * sizeof(int)); |
152 |
#ifndef HAVE_ALLOCA |
153 |
free(size); |
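Review bot: Both messages in this hunk still say `XaoS fratal error:`; since the commit is already rewriting these format strings, fixing the typo to `XaoS fatal error:` (the spelling mkrealloc_table uses) would be cheap here. Separately, the argument `2 * d->width * sizeof(int)` is a `size_t`, so `%zu` is the portable specifier rather than `%li`, which only matches on LP64 targets.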