The International Simutrans Forum

 

Author Topic: buffer overflow in gui/depot_frame.cc (depot_frame_t::zeichnen)  (Read 1609 times)


Offline ansgar

  • Posts: 80
Hi,

a crash was reported in Ubuntu[1].  It looks like too much was written to txt_convoi_count (in gui/depot_frame.cc: depot_frame_t::zeichnen), at least in some locales (the submitter has a Russian locale for his system).  It might also only result in termination when building with hardening flags which I believe Ubuntu now does by default.

Relevant part of the backtrace:
Code:
#10 0x0042f3bd in ___sprintf_chk (s=0xdfac87e "\320\242/\321\201: 1 (\320\241\320\265\320\272\321\206\320\270\320\270 c\321\202\320\260\320\275\321\206\320\270\320\270: 1s", flags=1, slen=40, format=0x81f9b8b "%s %d (%s %i)") at sprintf_chk.c:33
        arg = 0xbfdf2980 " \026\004\263\001"
        done = 0
#11 0x080e619a in sprintf (this=0xdfab3e8, pos=..., groesse=...) at /usr/include/bits/stdio2.h:35
No locals.
#12 depot_frame_t::zeichnen (this=0xdfab3e8, pos=..., groesse=...) at gui/depot_frame.cc:1143
        total_max_weight = 107
        total_min_weight = 107
        total_power = <value optimized out>
        max_speed = <value optimized out>
        min_speed = 130

The problematic line is:
Code:
1141                         sprintf(txt_convoi_count, "%s %d (%s %i)",
1142                                 translator::translate("Fahrzeuge:"), cnv->get_vehikel_anzahl(),
1143                                 translator::translate("Station tiles:"), cnv->get_tile_length() );

txt_convoi_count is a char[40].

According to the report, the bug is triggered when creating a new unit or clicking on it afterwards.

Regards,
Ansgar

[1] https://bugs.launchpad.net/ubuntu/+source/simutrans/+bug/760999
« Last Edit: May 06, 2011, 02:01:52 AM by IgorEliezer »
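The same "%s %d (%s %i)" formatting done with a measured, bounded write, as an added example in C that is neither Simutrans code nor part of this thread; the English and Russian label strings are constructed sample translations, and convoi_count_len/format_convoi_count are names I chose for the example:

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample values for what translator::translate() hands back for
 * the two keys used in depot_frame_t::zeichnen(); not Simutrans' translations.
 * Every Cyrillic letter is two bytes in UTF-8, so the Russian labels alone
 * exceed the 40-byte txt_convoi_count buffer from the report. */
static const char *EN_VEHICLES = "Vehicles:";
static const char *EN_TILES    = "Station tiles:";
static const char *RU_VEHICLES = "Транспортные средства:";
static const char *RU_TILES    = "Станционные клетки:";

#define CONVOI_FMT "%s %d (%s %i)"   /* the format string from the backtrace */

/* Bytes the formatted text needs, excluding the terminating NUL.
 * snprintf() with a zero size only measures and writes nothing. */
size_t convoi_count_len(const char *vehicles, int n_vehicles,
                        const char *tiles, int n_tiles)
{
    int n = snprintf(NULL, 0, CONVOI_FMT, vehicles, n_vehicles, tiles, n_tiles);
    return n < 0 ? 0 : (size_t)n;
}

/* Bounded replacement for the sprintf() in the report: never writes past
 * buf[buf_size - 1], always NUL-terminates, and reports truncation so the
 * caller can enlarge the buffer or pick a shorter label. A truncated result
 * may end mid-way through a multi-byte UTF-8 character, so treat 0 as an
 * error rather than displaying buf. Returns 1 when the whole string fit. */
int format_convoi_count(char *buf, size_t buf_size,
                        const char *vehicles, int n_vehicles,
                        const char *tiles, int n_tiles)
{
    int n = snprintf(buf, buf_size, CONVOI_FMT, vehicles, n_vehicles, tiles, n_tiles);
    return n >= 0 && (size_t)n < buf_size;
}

int main(void)
{
    char txt_convoi_count[40];   /* the fixed size from the report */
    const char *labels[2][2] = { { EN_VEHICLES, EN_TILES }, { RU_VEHICLES, RU_TILES } };

    for (int i = 0; i < 2; i++) {
        size_t need = convoi_count_len(labels[i][0], 1, labels[i][1], 1);
        int fit = format_convoi_count(txt_convoi_count, sizeof txt_convoi_count,
                                      labels[i][0], 1, labels[i][1], 1);
        printf("%s: needs %zu bytes, buffer holds %zu: %s\n", i == 0 ? "en" : "ru",
               need, sizeof txt_convoi_count,
               fit ? "fits" : "plain sprintf() would have overflowed");
    }
    return 0;
}
```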

Offline prissi

  • Developer
  • Administrator
  • Posts: 10828
  • Languages: De,EN,JP
Re: buffer overflow in gui/depot_frame.cc (depot_frame_t::zeichnen)
« Reply #1 on: May 06, 2011, 12:17:51 PM »
In the nightly the offending buffer was extended.