The International Simutrans Forum

Development => Patches & Projects => Incorporated Patches and Solved Bug Reports => Topic started by: ansgar on April 22, 2011, 08:55:04 PM

Title: buffer overflow in gui/ (depot_frame_t::zeichnen)
Post by: ansgar on April 22, 2011, 08:55:04 PM

A crash was reported in Ubuntu[1].  It looks like too much was written to txt_convoi_count (in gui/ depot_frame_t::zeichnen), at least in some locales (the submitter has a Russian locale for his system).  It might also only result in termination when building with hardening flags, which I believe Ubuntu now does by default.

Relevant part of the backtrace:
Code:
#10 0x0042f3bd in ___sprintf_chk (s=0xdfac87e "\320\242/\321\201: 1 (\320\241\320\265\320\272\321\206\320\270\320\270 c\321\202\320\260\320\275\321\206\320\270\320\270: 1s", flags=1, slen=40, format=0x81f9b8b "%s %d (%s %i)") at sprintf_chk.c:33
        arg = 0xbfdf2980 " \026\004\263\001"
        done = 0
#11 0x080e619a in sprintf (this=0xdfab3e8, pos=..., groesse=...) at /usr/include/bits/stdio2.h:35
No locals.
#12 depot_frame_t::zeichnen (this=0xdfab3e8, pos=..., groesse=...) at gui/
        total_max_weight = 107
        total_min_weight = 107
        total_power = <value optimized out>
        max_speed = <value optimized out>
        min_speed = 130

The problematic line is:
Code:
sprintf(txt_convoi_count, "%s %d (%s %i)",
        translator::translate("Fahrzeuge:"), cnv->get_vehikel_anzahl(),
        translator::translate("Station tiles:"), cnv->get_tile_length() );

txt_convoi_count is a char[40].

According to the report, the bug is triggered when creating a new unit or clicking on it afterwards.
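The following is an added example, not Simutrans code and not part of this report. It reproduces the arithmetic behind the overflow: the same "%s %d (%s %i)" format, a 40-byte target, and a stand-in for translator::translate() that returns constructed Russian UTF-8 strings (each Cyrillic letter is two bytes, which is why the translated line outgrows char[40] while the German keys do not). It also shows the bounded snprintf() form that cannot write past the buffer, and how to measure the required size before choosing a buffer length. The xlate(), convoi_count_len(), format_convoi_count(), fits_in() and truncated_text_len() names are all hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for translator::translate() (hypothetical). The Russian strings are
 * constructed samples chosen to resemble the submitter's locale; they are not
 * taken from the Simutrans translation files. */
static const char *xlate(const char *key, int russian)
{
    if (!russian) return key;                 /* untranslated: the key itself */
    if (strcmp(key, "Fahrzeuge:") == 0)     return "Т/с:";             /* 6 bytes */
    if (strcmp(key, "Station tiles:") == 0) return "Секции станции:";  /* 28 bytes */
    return key;
}

/* Same format string as the sprintf() call in depot_frame_t::zeichnen. */
#define CONVOI_FMT "%s %d (%s %i)"

/* Bytes (excluding the terminating NUL) the formatted line occupies.
 * snprintf() with a NULL buffer and size 0 only measures; it writes nothing. */
size_t convoi_count_len(int russian, int vehicles, int tiles)
{
    int n = snprintf(NULL, 0, CONVOI_FMT,
                     xlate("Fahrzeuge:", russian), vehicles,
                     xlate("Station tiles:", russian), tiles);
    return n < 0 ? 0 : (size_t)n;
}

/* Bounded replacement for the unbounded sprintf(). Never writes more than cap
 * bytes and always NUL-terminates. Returns 1 if the whole text fit, 0 if it was
 * cut short (the caller then knows the buffer is too small for this locale). */
int format_convoi_count(char *buf, size_t cap, int russian, int vehicles, int tiles)
{
    if (cap == 0) return 0;
    int n = snprintf(buf, cap, CONVOI_FMT,
                     xlate("Fahrzeuge:", russian), vehicles,
                     xlate("Station tiles:", russian), tiles);
    return n >= 0 && (size_t)n < cap;
}

/* Would a buffer of cap bytes hold the line, NUL included? This is the check
 * that a fixed char[40] silently assumes for every locale. */
int fits_in(size_t cap, int russian, int vehicles, int tiles)
{
    return convoi_count_len(russian, vehicles, tiles) + 1 <= cap;
}

/* Length of the text actually left in a cap-byte buffer after bounded
 * formatting (at most cap-1, since the NUL always fits). */
size_t truncated_text_len(size_t cap, int russian, int vehicles, int tiles)
{
    char *buf = malloc(cap);
    if (!buf) return 0;
    format_convoi_count(buf, cap, russian, vehicles, tiles);
    size_t len = strlen(buf);
    free(buf);
    return len;
}

int main(void)
{
    char buf[40];   /* the original, undersized target */
    for (int russian = 0; russian <= 1; russian++) {
        size_t need = convoi_count_len(russian, 1, 1);
        int ok = format_convoi_count(buf, sizeof buf, russian, 1, 1);
        printf("%s: needs %zu+1 bytes, char[40] %s -> \"%s\"\n",
               russian ? "Russian locale" : "untranslated keys", need,
               ok ? "fits" : "TRUNCATED", buf);
    }
    return 0;
}
```

With the untranslated keys the line is 31 bytes and fits; with the Russian strings it is 41 bytes, so the 41st byte plus the NUL land outside char[40], which is exactly what the fortified ___sprintf_chk (slen=40) in the backtrace aborts on. Extending the buffer removes the crash for these strings, but only a bounded write or a size computed from the translated strings removes the dependency on how long any future translation happens to be.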


Title: Re: buffer overflow in gui/ (depot_frame_t::zeichnen)
Post by: prissi on May 06, 2011, 12:17:51 PM
In the nightly the offending buffer was extended.