Debian Bug report logs - #348117
Buffer overflow in example code c++/demo.cc

Package: ncurses; Maintainer for ncurses is Craig Small <csmall@debian.org>;

Reported by: dickey@his.com

Date: Sun, 15 Jan 2006 00:18:05 UTC

Severity: normal

Done: Thomas Dickey <dickey@his.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian GCC Maintainers <debian-gcc@lists.debian.org>:
Bug#348117; Package g++-4.0. Full text and rfc822 format available.

Acknowledgement sent to dickey@his.com:
New Bug report received and forwarded. Copy sent to Debian GCC Maintainers <debian-gcc@lists.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Thomas Dickey <tom@invisible-island.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: g++-4.0: g++ upgrade broke ncurses c++ demo
Date: Sat, 14 Jan 2006 19:01:57 -0500
Package: g++-4.0
Version: 4.0.2-5
Severity: important


Retesting ncurses c++ demo, I get an exception in code which hasn't
changed for several months and which has no apparent error (checked
with valgrind).  This function

void TestApplication::init_labels(Soft_Label_Key_Set& S) const
{ 
  for(int i=1; i <= S.labels(); i++) {
    char buf[5];
    ::sprintf(buf,"Key%02d",i);
    S[i] = buf;                                      // Text 
    S[i] = Soft_Label_Key_Set::Soft_Label_Key::Left; // Justification 
  }
}

is raising an exception in the [] operator for S, which claims that
the index i is zero.  So it dies on the "Text" line.  The buf variable
contains "Key01", so the index was correct on the previous line.
valgrind can only tell me that the program raised an exception -
which is not the cause of the problem in this case.  Here's what
gdb shows me:

(gdb) break demo.cc:504
Breakpoint 1 at 0x804b724: file ../c++/demo.cc, line 504.
(gdb) run
Starting program: /usr/build/ncurses/ncurses-5.5-20060114/c++/demo

Breakpoint 1, TestApplication::init_labels (this=0x805cdac, S=@0x805cec0)
    at ../c++/demo.cc:504
504         ::sprintf(buf,"Key%02d",i);
(gdb) print i
$1 = 1
(gdb) next
505         S[i] = buf;                                      // Text
(gdb) print i
$2 = 0
(gdb) 

I checked this against ncurses 5.5, just in case there was some
recent change of mine that I should debug - it has the same
problem.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27-td2
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages g++-4.0 depends on:
ii  gcc-4.0                       4.0.2-5    The GNU C compiler
ii  gcc-4.0-base                  4.0.2-5    The GNU Compiler Collection (base 
ii  libc6                         2.3.5-8    GNU C Library: Shared libraries an
ii  libstdc++6-4.0-dev            4.0.2-5    The GNU Standard C++ Library v3 (d

g++-4.0 recommends no packages.

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GCC Maintainers <debian-gcc@lists.debian.org>:
Bug#348117; Package g++-4.0. Full text and rfc822 format available.

Acknowledgement sent to Falk Hueffner <falk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GCC Maintainers <debian-gcc@lists.debian.org>. Full text and rfc822 format available.

Message #10 received at 348117@bugs.debian.org (full text, mbox):

From: Falk Hueffner <falk@debian.org>
To: dickey@his.com
Cc: 348117@bugs.debian.org
Subject: Re: Bug#348117: g++-4.0: g++ upgrade broke ncurses c++ demo
Date: Sun, 15 Jan 2006 09:51:11 +0100
Thomas Dickey <tom@invisible-island.net> writes:

>     char buf[5];

[...]

> The buf variable contains "Key01"

So 6 bytes. Does this still happen if you don't overrun buf?  Also,
can you send a complete test case?

-- 
	Falk
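The arithmetic behind Falk's "So 6 bytes": "Key%02d" expands to five characters for any one- or two-digit index, and the terminating NUL makes six, so a char buf[5] is short by one byte. The following is an added example, not code from the bug report or from ncurses itself; the function names (label_buffer_size, format_label, count_fitting_labels) are assumptions chosen for this illustration. It measures the needed size with snprintf instead of guessing it, and shows the bounded replacement for the demo's sprintf call, which NUL-terminates within the buffer and reports truncation instead of writing past the end.

```cpp
#include <cstdio>
#include <cstring>

// Bytes required (terminating NUL included) for the label the demo builds
// with sprintf(buf, "Key%02d", i).  A zero-length destination makes
// snprintf only measure; nothing is written.
std::size_t label_buffer_size(int i) {
    int n = std::snprintf(nullptr, 0, "Key%02d", i);
    return n < 0 ? 0 : static_cast<std::size_t>(n) + 1;
}

// Bounded replacement for the demo's ::sprintf(buf, "Key%02d", i).
// Never writes more than `size` bytes, always NUL-terminates when
// size > 0, and returns false if the label did not fit (truncated).
bool format_label(char *buf, std::size_t size, int i) {
    if (buf == nullptr || size == 0) return false;
    int n = std::snprintf(buf, size, "Key%02d", i);
    return n >= 0 && static_cast<std::size_t>(n) < size;
}

// Mirrors the loop in init_labels(): formats labels 1..count into a
// buffer that is treated as `size` bytes long and returns how many
// labels fit without truncation.  With size == 5 (the original demo)
// none fit; with size == 6 all two-digit labels do.
int count_fitting_labels(int count, std::size_t size) {
    char buf[16];                       // constructed scratch space
    if (size > sizeof buf) return -1;   // caller asked for more than we have
    int ok = 0;
    for (int i = 1; i <= count; i++) {
        if (format_label(buf, size, i)) ok++;
    }
    return ok;
}

int main() {
    std::printf("label 1 needs %zu bytes\n", label_buffer_size(1));
    std::printf("label 100 needs %zu bytes\n", label_buffer_size(100));
    std::printf("5-byte buffer: %d of 8 labels fit\n", count_fitting_labels(8, 5));
    std::printf("6-byte buffer: %d of 8 labels fit\n", count_fitting_labels(8, 6));
    return 0;
}
```

The `sizeof buf` idiom (passing the real array size to snprintf) is what the fix in the demo amounts to: the bound is taken from the declaration, so a later change to the format string or the index range produces a truncated label and a false return rather than a silent write over whatever sits next to buf on the stack, which in the report happened to be the loop counter i.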



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GCC Maintainers <debian-gcc@lists.debian.org>:
Bug#348117; Package g++-4.0. Full text and rfc822 format available.

Acknowledgement sent to Thomas Dickey <dickey@his.com>:
Extra info received and forwarded to list. Copy sent to Debian GCC Maintainers <debian-gcc@lists.debian.org>. Full text and rfc822 format available.

Message #15 received at 348117@bugs.debian.org (full text, mbox):

From: Thomas Dickey <dickey@his.com>
To: Falk Hueffner <falk@debian.org>
Cc: 348117@bugs.debian.org
Subject: Re: Bug#348117: g++-4.0: g++ upgrade broke ncurses c++ demo
Date: Sun, 15 Jan 2006 06:57:59 -0500 (EST)
On Sun, 15 Jan 2006, Falk Hueffner wrote:

> Thomas Dickey <tom@invisible-island.net> writes:
>
>>     char buf[5];
>
> [...]
>
>> The buf variable contains "Key01"
>
> So 6 bytes. Does this still happen if you don't overrun buf?  Also,
> can you send a complete test case?

ah.  I didn't see that (will check later today on my home machine).

I did list the case (ncurses 5.5, the c++ demo program, e.g.,
	ncurses-5.5/c++/demo.cc (along with lots of other code)

I'll check that buffer limit, which I agree should improve things.
(Last night I could only see that it had worked with everything
except g++ 4.0).

-- 
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GCC Maintainers <debian-gcc@lists.debian.org>:
Bug#348117; Package g++-4.0. Full text and rfc822 format available.

Acknowledgement sent to Thomas Dickey <dickey@his.com>:
Extra info received and forwarded to list. Copy sent to Debian GCC Maintainers <debian-gcc@lists.debian.org>. Full text and rfc822 format available.

Message #20 received at 348117@bugs.debian.org (full text, mbox):

From: Thomas Dickey <dickey@his.com>
To: Falk Hueffner <falk@debian.org>
Cc: 348117@bugs.debian.org
Subject: Re: Bug#348117: g++-4.0: g++ upgrade broke ncurses c++ demo
Date: Sun, 15 Jan 2006 15:26:02 -0500 (EST)
On Sun, 15 Jan 2006, Falk Hueffner wrote:

> Thomas Dickey <tom@invisible-island.net> writes:
>
>>     char buf[5];
>
> [...]
>
>> The buf variable contains "Key01"
>
> So 6 bytes. Does this still happen if you don't overrun buf?  Also,
> can you send a complete test case?

It doesn't happen if I don't overrun.  (Do you still need a complete test 
case?)

-- 
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GCC Maintainers <debian-gcc@lists.debian.org>:
Bug#348117; Package g++-4.0. Full text and rfc822 format available.

Acknowledgement sent to Falk Hueffner <falk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GCC Maintainers <debian-gcc@lists.debian.org>. Full text and rfc822 format available.

Message #25 received at 348117@bugs.debian.org (full text, mbox):

From: Falk Hueffner <falk@debian.org>
To: Thomas Dickey <dickey@his.com>
Cc: 348117@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#348117: g++-4.0: g++ upgrade broke ncurses c++ demo
Date: Sun, 15 Jan 2006 21:40:22 +0100
reassign 348117 ncurses
severity 348117 normal
retitle 348117 Buffer overflow in example code c++/demo.cc
thanks

Thomas Dickey <dickey@his.com> writes:

> On Sun, 15 Jan 2006, Falk Hueffner wrote:
>
>> Thomas Dickey <tom@invisible-island.net> writes:
>>
>>>     char buf[5];
>>
>> [...]
>>
>>> The buf variable contains "Key01"
>>
>> So 6 bytes. Does this still happen if you don't overrun buf?  Also,
>> can you send a complete test case?
>
> It doesn't happen if I don't overrun.  (Do you still need a complete
> test case?)

No, I'll just reassign it to ncurses then.

-- 
	Falk



Bug reassigned from package `g++-4.0' to `ncurses'. Request was from Falk Hueffner <falk@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Severity set to `normal'. Request was from Falk Hueffner <falk@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Changed Bug title. Request was from Falk Hueffner <falk@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to dickey@his.com:
You have taken responsibility. (Sat, 29 Aug 2009 18:18:08 GMT) Full text and rfc822 format available.

Notification sent to dickey@his.com:
Bug acknowledged by developer. (Sat, 29 Aug 2009 18:18:08 GMT) Full text and rfc822 format available.

Message #36 received at 348117-done@bugs.debian.org (full text, mbox):

From: Thomas Dickey <dickey@his.com>
To: 348117-done@bugs.debian.org
Subject: re: #348117 Buffer overflow in example code c++/demo.cc
Date: Sat, 29 Aug 2009 14:09:23 -0400
this was fixed in ncurses 20060121 patch.

-- 
Thomas E. Dickey <dickey@invisible-island.net>
http://invisible-island.net
ftp://invisible-island.net

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Sep 2009 07:28:35 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 13:56:36 2014; Machine Name: buxtehude.debian.org
