
From: "Sergei Trofimovich (slyfox)" <slyfox@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in app-misc/bb/files: bb-1.3.0_rc1-messager-overlap.patch bb-1.3.0_rc1-zbuff-fault.patch bb-1.3.0_rc1-printf-cleanup.patch
Date: Sun, 05 Feb 2012 19:37:43
Message-Id: 20120205193731.6146F2004B@flycatcher.gentoo.org
1 slyfox 12/02/05 19:37:31
2
3 Added: bb-1.3.0_rc1-messager-overlap.patch
4 bb-1.3.0_rc1-zbuff-fault.patch
5 bb-1.3.0_rc1-printf-cleanup.patch
6 Log:
7 Fix crash due to out-of-bounds access on 64-bit arches.
8
9 (Portage version: 2.2.0_alpha85/cvs/Linux x86_64)
10
11 Revision Changes Path
12 1.1 app-misc/bb/files/bb-1.3.0_rc1-messager-overlap.patch
13
14 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-misc/bb/files/bb-1.3.0_rc1-messager-overlap.patch?rev=1.1&view=markup
15 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-misc/bb/files/bb-1.3.0_rc1-messager-overlap.patch?rev=1.1&content-type=text/plain
16
17 Index: bb-1.3.0_rc1-messager-overlap.patch
18 ===================================================================
19 messager.c: fix memory overlap (fixes artefacts in scrolling text)
20
21 ==363== Source and destination overlap in memcpy(0xa066240, 0xa0662b8, 240)
22 ==363== at 0x4C2B220: memcpy@@GLIBC_2.14 (mc_replace_strmem.c:838)
23 ==363== by 0x407D97: newline (messager.c:43)
24 ==363== by 0x407EE6: put (messager.c:54)
25 ==363== by 0x40806E: messager (messager.c:77)
26 ==363== by 0x403009: bb (bb.c:258)
27 ==363== by 0x407C06: main (main.c:202)
28
29 diff --git a/messager.c b/messager.c
30 index 95cc410..964080b 100644
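--- a/messager.c
+++ b/messager.c
@@ -40,8 +40,8 @@ static void newline()
 start = 0;
 cursor_y++, cursor_x = 0;
 if (cursor_y >= aa_scrheight(context)) {
- memcpy(context->textbuffer + start * aa_scrwidth(context), context->textbuffer + (start + 1) * aa_scrwidth(context), aa_scrwidth(context) * (aa_scrheight(context) - start - 1));
- memcpy(context->attrbuffer + start * aa_scrwidth(context), context->attrbuffer + (start + 1) * aa_scrwidth(context), aa_scrwidth(context) * (aa_scrheight(context) - start - 1));
+ memmove(context->textbuffer + start * aa_scrwidth(context), context->textbuffer + (start + 1) * aa_scrwidth(context), aa_scrwidth(context) * (aa_scrheight(context) - start - 1));
+ memmove(context->attrbuffer + start * aa_scrwidth(context), context->attrbuffer + (start + 1) * aa_scrwidth(context), aa_scrwidth(context) * (aa_scrheight(context) - start - 1));
 memset(context->textbuffer + aa_scrwidth(context) * (aa_scrheight(context) - 1), ' ', aa_scrwidth(context));
 memset(context->attrbuffer + aa_scrwidth(context) * (aa_scrheight(context) - 1), 0, aa_scrwidth(context));
 cursor_y--;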
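Review bot: The length `aa_scrwidth(context) * (aa_scrheight(context) - start - 1)` passed to both memmove calls is presumably computed in signed int and only then converted to size_t, so a `start` at or past the last row would become an enormous byte count; switching to memmove fixes the overlap but not that. The `start = 0;` line at the top of the hunk looks like a clamp whose condition lies outside the hunk, so confirm it also bounds `start` from above, or guard the scroll with `int rows = aa_scrheight(context) - start - 1;` and `if (rows > 0)`. Hoisting the width and height into locals would also make these four long lines auditable at a glance. newline() begins and ends outside the hunk.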
44
45
46
47 1.1 app-misc/bb/files/bb-1.3.0_rc1-zbuff-fault.patch
48
49 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-misc/bb/files/bb-1.3.0_rc1-zbuff-fault.patch?rev=1.1&view=markup
50 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-misc/bb/files/bb-1.3.0_rc1-zbuff-fault.patch?rev=1.1&content-type=text/plain
51
52 Index: bb-1.3.0_rc1-zbuff-fault.patch
53 ===================================================================
54 tex.c: Fix out-of-bounds zbuff clearing
55
56 > zbuff = (int *) malloc(X_s * Y_s * sizeof(int));
57 > memset(zbuff, 0x55, (X_s * Y_s * sizeof(long)));
58
59 Ouch! amd64: sizeof(long) == 8; sizeof (int) == 4
60
61 Valgrind says:
62 ==4525== Invalid write of size 4
63 ==4525== at 0x4C2C3AF: memset (mc_replace_strmem.c:967)
64 ==4525== by 0x4122E0: clear_zbuff (tex.c:95)
65 ==4525== by 0x4144D8: disp3d (tex.c:292)
66 ==4525== by 0x40F3C6: scene5 (scene5.c:206)
67 ==4525== by 0x4031BC: bb (bb.c:325)
68 ==4525== by 0x407C56: main (main.c:202)
69 ==4525== Address 0xac9ef00 is 0 bytes after a block of size 34,992 alloc'd
70 ==4525== at 0x4C2996D: malloc (vg_replace_malloc.c:263)
71 ==4525== by 0x412283: set_zbuff (tex.c:85)
72 ==4525== by 0x40F347: scene5 (scene5.c:196)
73 ==4525== by 0x4031BC: bb (bb.c:325)
74 ==4525== by 0x407C56: main (main.c:202)
75
76 diff --git a/tex.c b/tex.c
77 index 9f2f99d..b390510 100644
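--- a/tex.c
+++ b/tex.c
@@ -92,7 +92,7 @@ void unset_zbuff()
 
 static inline void clear_zbuff()
 {
- memset(zbuff, 0x55, (X_s * Y_s * sizeof(long)));
+ memset(zbuff, 0x55, (X_s * Y_s * sizeof(int)));
 }
 
 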
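Review bot: `sizeof(int)` in clear_zbuff still spells the element type by hand, which is how the length drifted away from the `malloc(X_s * Y_s * sizeof(int))` in set_zbuff quoted in the description; `memset(zbuff, 0x55, (size_t)X_s * Y_s * sizeof *zbuff);` ties the length to the pointer's own type so the two cannot disagree again. The types of X_s and Y_s are not visible here, so the cast is a hedge against the product being evaluated in int before it is widened. The quoted malloc line shows no NULL check, so it is worth confirming in set_zbuff that clear_zbuff can never run on a failed allocation.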
89
90
91
92 1.1 app-misc/bb/files/bb-1.3.0_rc1-printf-cleanup.patch
93
94 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-misc/bb/files/bb-1.3.0_rc1-printf-cleanup.patch?rev=1.1&view=markup
95 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-misc/bb/files/bb-1.3.0_rc1-printf-cleanup.patch?rev=1.1&content-type=text/plain
96
97 Index: bb-1.3.0_rc1-printf-cleanup.patch
98 ===================================================================
99 zoom.c: cleanup protos
100
101 x86_64-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -O2 -march=core2 -pipe -I/usr/include -pthread -D_REENTRANT -D SOUNDDIR=\"/usr/share/bb\" -c zoom.c
102 zoom.c: In function 'mkrealloc_table':
103 zoom.c:245:113: warning: format '%i' expects type 'int', but argument 3 has type 'long unsigned int'
104 zoom.c:251:113: warning: format '%i' expects type 'int', but argument 3 has type 'long unsigned int'
105 zoom.c:260:113: warning: format '%i' expects type 'int', but argument 3 has type 'long unsigned int'
106 zoom.c: In function 'moveoldpoints':
107 zoom.c:590:3: warning: format '%i' expects type 'int', but argument 3 has type 'long unsigned int'
108 zoom.c:596:3: warning: format '%i' expects type 'int', but argument 3 has type 'long unsigned int'
109 diff --git a/zoom.c b/zoom.c
110 index 7450095..b86cc8b 100644
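--- a/zoom.c
+++ b/zoom.c
@@ -241,13 +241,13 @@ static /*INLINE */ void mkrealloc_table(register number_t * pos, realloc_t * rea
 #endif
 if (dyndata == NULL) {
 fprintf(stderr, "XaoS fatal error:Could not allocate memory for"
- "temporary dynamical data of size:%i\n"
+ "temporary dynamical data of size:%li\n"
 "I am unable to handle this problem so please resize to lower window\n", (size) * (DSIZE + 1) * sizeof(struct dyn_data) + size * sizeof(int) + size * sizeof(int));
 return;
 }
 if (best == NULL) {
 fprintf(stderr, "XaoS fatal error:Could not allocate memory for"
- "temporary dynamical data of size:%i\n"
+ "temporary dynamical data of size:%li\n"
 "I am unable to handle this problem so please resize to lower window\n", (size) * (DSIZE + 1) * sizeof(struct dyn_data) + size * sizeof(int) + size * sizeof(int));
 #ifndef HAVE_ALLOCA
 free(dyndata);
@@ -256,7 +256,7 @@ static /*INLINE */ void mkrealloc_table(register number_t * pos, realloc_t * rea
 }
 if (best1 == NULL) {
 fprintf(stderr, "XaoS fatal error:Could not allocate memory for"
- "temporary dynamical data of size:%i\n"
+ "temporary dynamical data of size:%li\n"
 "I am unable to handle this problem so please resize to lower window\n", (size) * (DSIZE + 1) * sizeof(struct dyn_data) + size * sizeof(int) + size * sizeof(int));
 #ifndef HAVE_ALLOCA
 free(dyndata);
@@ -586,13 +586,13 @@ static /*INLINE */ void moveoldpoints(void)
 #endif
 if (size == NULL) {
 fprintf(stderr, "XaoS fratal error:Could not allocate memory for"
- "temporary dynamical data of size:%i\n"
+ "temporary dynamical data of size:%li\n"
 "I am unable to handle this problem so please resize to lower window\n", 2 * d->width * sizeof(int));
 return;
 }
 if (start == NULL) {
 fprintf(stderr, "XaoS fratal error:Could not allocate memory for"
- "temporary dynamical data of size:%i\n"
+ "temporary dynamical data of size:%li\n"
 "I am unable to handle this problem so please resize to lower window\n", 2 * d->width * sizeof(int));
 #ifndef HAVE_ALLOCA
 free(size);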
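Review bot: `%li` is still the wrong conversion in all five fprintf calls (three in mkrealloc_table, two in moveoldpoints), because each argument contains `sizeof` and so has type size_t, which the compiler output above reports as 'long unsigned int', while `%li` expects a signed long. The change silences the warning on LP64 only, and on any target where size_t is not the width of long the mismatch is back and is undefined behaviour. Use `"temporary dynamical data of size:%zu\n"`, or cast the argument to `(unsigned long)` and print it with `%lu` if C99 `%zu` cannot be assumed. While these literals are being touched, note that `"...memory for"` and `"temporary..."` concatenate without a space, and the moveoldpoints messages read "fratal".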