buffer overflow in gui/depot_frame.cc (depot_frame_t::zeichnen)

Started by ansgar, April 22, 2011, 08:55:04 PM


ansgar

Hi,

a crash was reported in Ubuntu[1].  It looks like too much was written to txt_convoi_count (in gui/depot_frame.cc: depot_frame_t::zeichnen), at least in some locales (the submitter has a Russian locale for his system).  It might also only result in termination when building with hardening flags which I believe Ubuntu now does by default.

Relevant part of the backtrace:

#10 0x0042f3bd in ___sprintf_chk (s=0xdfac87e "\320\242/\321\201: 1 (\320\241\320\265\320\272\321\206\320\270\320\270 c\321\202\320\260\320\275\321\206\320\270\320\270: 1s", flags=1, slen=40, format=0x81f9b8b "%s %d (%s %i)") at sprintf_chk.c:33
       arg = 0xbfdf2980 " \026\004\263\001"
       done = 0
#11 0x080e619a in sprintf (this=0xdfab3e8, pos=..., groesse=...) at /usr/include/bits/stdio2.h:35
No locals.
#12 depot_frame_t::zeichnen (this=0xdfab3e8, pos=..., groesse=...) at gui/depot_frame.cc:1143
       total_max_weight = 107
       total_min_weight = 107
       total_power = <value optimized out>
       max_speed = <value optimized out>
       min_speed = 130


The problematic line is:

1141    sprintf(txt_convoi_count, "%s %d (%s %i)",
1142            translator::translate("Fahrzeuge:"), cnv->get_vehikel_anzahl(),
1143            translator::translate("Station tiles:"), cnv->get_tile_length() );


txt_convoi_count is a char[40].

According to the report, the bug is triggered when creating a new unit or clicking on it afterwards.

Regards,
Ansgar

[1] https://bugs.launchpad.net/ubuntu/+source/simutrans/+bug/760999
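The report above illustrates the general pattern: a fixed-size buffer is filled with sprintf from strings whose length depends on the active locale, so a translation that is longer than the German or English original (Cyrillic is two bytes per letter in UTF-8) writes past the end of the array. The following is an added example, not code from Simutrans or from the post; it uses snprintf with the buffer size and reports truncation. The label strings passed in are constructed stand-ins for what translator::translate would return, and format_convoi_count and convoi_text_truncated are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Same size as txt_convoi_count in the post. */
#define CONVOI_TEXT_LEN 40

/* Bounded replacement for the sprintf call in depot_frame_t::zeichnen.
   The labels are passed in so callers can supply whatever the translator
   returns. Returns the number of bytes the full text would need (excluding
   the terminating NUL); snprintf never writes more than buf_len bytes and
   always NUL-terminates when buf_len > 0, so a long translation is cut
   short instead of overrunning the array. */
int format_convoi_count(char *buf, size_t buf_len,
                        const char *vehicles_label, const char *tiles_label,
                        int vehicles, int tiles)
{
    return snprintf(buf, buf_len, "%s %d (%s %i)",
                    vehicles_label, vehicles, tiles_label, tiles);
}

/* True when the text did not fit: either snprintf failed (negative) or it
   reported a length at or beyond the buffer size. */
int convoi_text_truncated(int needed, size_t buf_len)
{
    return needed < 0 || (size_t)needed >= buf_len;
}

int main(void)
{
    char txt_convoi_count[CONVOI_TEXT_LEN];

    /* Constructed English labels (31 bytes of output): fits in 40. */
    int needed = format_convoi_count(txt_convoi_count, sizeof txt_convoi_count,
                                     "Fahrzeuge:", "Station tiles:", 1, 1);
    printf("%s (needed %d bytes)\n", txt_convoi_count, needed);

    /* Constructed Russian labels: already more than 40 bytes before the
       numbers are added, which is the situation from the Ubuntu report. */
    needed = format_convoi_count(txt_convoi_count, sizeof txt_convoi_count,
                                 "Транспортных средств:", "Секции станции:", 1, 1);
    if (convoi_text_truncated(needed, sizeof txt_convoi_count)) {
        printf("truncated: needed %d bytes, buffer holds %zu\n",
               needed, sizeof txt_convoi_count);
    }
    return 0;
}
```

The return value check matters for the fix as much as the bounded write does: a truncated label is a cosmetic problem the GUI can respond to (by enlarging the buffer or shortening the translation), whereas the original sprintf gave no signal at all until the fortified libc aborted. Note that cutting a UTF-8 string at a byte boundary can leave a partial multibyte sequence at the end, so a caller that displays the truncated text should expect that.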

prissi