GNOME Bugzilla – Bug 304334
Start Gnibbles on Fedora Core 4 Test 3 x86_64
Last modified: 2005-06-17 19:27:46 UTC
Distribution: Fedora Core release 3.92 (Pre-FC4)
Package: gnome-games
Severity: normal
Version: GNOME2.10.0 2.10.0
Gnome-Distributor: Red Hat, Inc
Synopsis: Start Gnibbles on Fedora Core 4 Test 3 x86_64
Bugzilla-Product: gnome-games
Bugzilla-Component: gnibbles
Bugzilla-Version: 2.10.0
BugBuddy-GnomeVersion: 2.0 (2.10.0)

Description:
Description of the crash:

Steps to reproduce the crash:
1.
2.
3.

Expected Results:

How often does this happen?

Additional Information:

Debugging Information:
Backtrace was generated from '/usr/bin/gnibbles'

------- Bug moved to this database by unknown@bugzilla.gnome.org 2005-05-16 10:19 UTC -------

Unknown version 2.10.0 in product gnome-games. Setting version to "2.10.x".
Thanks for taking the time to report this bug. If you have time and can still reproduce the bug, please read http://bugzilla.gnome.org/bug-HOWTO.html and add a description of how to reproduce this bug. You'll also need to add a stack trace; please see http://live.gnome.org/GettingTraces for more information about how to do so. (Second report of this, a duplicate of Bug #303974... I'll try to download FC4test3 and reproduce it.)
I grabbed the gnome-games x86 rpm (FC4 test 3) and installed it on my laptop (FC4 test2); running it in GDB brings the junk below. The crash happens when you click "Game->New Game". This does not happen on my gnibbles from CVS.

------------------------------
*** buffer overflow detected ***: /usr/bin/gnibbles terminated
(no debugging symbols found)
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0x7fbcc5]
/usr/bin/gnibbles(gnibbles_load_level+0xa6)[0x8050538]
/usr/bin/gnibbles[0x8054cc4]
/usr/lib/libgobject-2.0.so.0(g_cclosure_marshal_VOID__VOID+0x47)[0xc9a6f7]
/usr/lib/libgobject-2.0.so.0(g_closure_invoke+0x10a)[0xc8f172]
/usr/lib/libgobject-2.0.so.0[0xc9e9bb]
/usr/lib/libgobject-2.0.so.0(g_signal_emit_valist+0x6ae)[0xca0107]
/usr/lib/libgobject-2.0.so.0(g_signal_emit+0x29)[0xca047b]
/usr/lib/libgtk-x11-2.0.so.0(gtk_widget_activate+0x8a)[0x4e8c5dd]
/usr/lib/libgtk-x11-2.0.so.0(gtk_menu_shell_activate_item+0xc5)[0x4dbebcf]
/usr/lib/libgtk-x11-2.0.so.0[0x4dbee85]
/usr/lib/libgtk-x11-2.0.so.0[0x4db6340]
/usr/lib/libgtk-x11-2.0.so.0[0x4db0e72]
/usr/lib/libgobject-2.0.so.0[0xc8ec86]
/usr/lib/libgobject-2.0.so.0(g_closure_invoke+0x10a)[0xc8f172]
/usr/lib/libgobject-2.0.so.0[0xc9eb47]
/usr/lib/libgobject-2.0.so.0(g_signal_emit_valist+0x422)[0xc9fe7b]
/usr/lib/libgobject-2.0.so.0(g_signal_emit+0x29)[0xca047b]
/usr/lib/libgtk-x11-2.0.so.0[0x4e8c7e3]
/usr/lib/libgtk-x11-2.0.so.0(gtk_propagate_event+0xc1)[0x4daf5d7]
/usr/lib/libgtk-x11-2.0.so.0(gtk_main_do_event+0x329)[0x4dafa14]
/usr/lib/libgdk-x11-2.0.so.0[0x18bce4]
/usr/lib/libglib-2.0.so.0(g_main_context_dispatch+0x1dc)[0xc2a46e]
/usr/lib/libglib-2.0.so.0[0xc2d476]
/usr/lib/libglib-2.0.so.0(g_main_loop_run+0x1a1)[0xc2d763]
/usr/lib/libgtk-x11-2.0.so.0(gtk_main+0xb4)[0x4daecd5]
/usr/bin/gnibbles(main+0x5bf)[0x8055483]
/lib/libc.so.6(__libc_start_main+0xc6)[0x732de6]
/usr/bin/gnibbles[0x804e931]
======= Memory map: ========
[memory map of the process omitted]

Program received signal SIGABRT, Aborted.
[Switching to Thread -1208436256 (LWP 3506)]
0x007017e2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
(thread apply all bt)
Thread 1 (Thread -1208436256 (LWP 3506))
*** Bug 303974 has been marked as a duplicate of this bug. ***
*** Bug 304724 has been marked as a duplicate of this bug. ***
Created attachment 46647 [details] [review] Gnibbles bug fix. Built from Fedora's source RPMs, and one result of whatever mojo they do in there is apparently the fgets refuses to read into a buffer that is smaller than the limit specified. Easy to fix, and there are more new bugs of this sort on other products in Fedora. It also looks like the size of tmparray was one byte too short.... honestly, looking at the code several times over, I don't yet know why. :)
fgets() is probably trying to append a NULL character to the end of the string, after the newline, but we've allocated just enough space (and set a limit for) 92 characters and a newline. I'm not sure what's supposed to happen in this particular situation, but it's not working. We should probably move over to something like g_file_get_contents() during this cycle.
The fix is absolutely correct. The limit given to fgets should _never_ have been greater than the buffer size. Probably the only thing that stopped this bug appearing before was the gap provided by word alignment. This needs to be applied to both 2.10 and 2.11 branches. Using g_file_get_contents() won't improve anything really. It will just use more memory (since we would store the entire file) for no real gain in portability (the core stdio functions are a lot more portable than glib). Neither of these is really an issue here, but it saves mucking around with tested code.
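The sizing rule the two comments above settle on, as an added example that is not gnome-games code: the buffer must hold the row, the newline and the NUL that fgets() appends, and the limit passed to fgets() must never exceed the buffer. It assumes a 92-column row as the comments describe; the names BOARDWIDTH, ROWBUF and the functions are mine, and the level text is constructed in memory.

```c
/* Added example, not gnome-games code: the fgets() size argument must
   never exceed the destination buffer.  Assumes 92-column rows plus '\n'. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define BOARDWIDTH 92
/* 92 characters + '\n' + the NUL fgets() appends; a buffer sized for
   "92 characters and a newline" alone is one byte short of that. */
#define ROWBUF (BOARDWIDTH + 2)

/* fgets(buf, n, fp) may store n bytes (n-1 chars + NUL), so n must not exceed
   the buffer; glibc's fortified fgets otherwise aborts as in the backtrace. */
int fgets_limit_is_safe(size_t limit, size_t buf_size)
{
    return limit <= buf_size;
}

/* Reads one row into row[ROWBUF]: 1 on a well-formed row, 0 on EOF, a short
   row, or an over-long line that fgets() had to cut short. */
int read_level_row(FILE *fp, char row[ROWBUF])
{
    if (fgets(row, ROWBUF, fp) == NULL)      /* limit == sizeof buffer */
        return 0;
    size_t len = strlen(row);
    if (len != BOARDWIDTH + 1 || row[BOARDWIDTH] != '\n')
        return 0;
    row[BOARDWIDTH] = '\0';                  /* strip the newline */
    return 1;
}

/* Builds `rows` constructed rows of `width` '#' characters plus '\n' in
   memory and parses them; returns rows parsed, or -1 at the first bad row. */
int check_constructed_level(int width, int rows)
{
    char text[4096], row[ROWBUF];
    if (width < 0 || rows < 1 || (width + 1) * rows > (int)sizeof text)
        return -1;
    int pos = 0;
    for (int r = 0; r < rows; r++) {
        memset(text + pos, '#', (size_t)width);
        pos += width;
        text[pos++] = '\n';
    }
    FILE *fp = fmemopen(text, (size_t)pos, "r");
    if (fp == NULL)
        return -1;
    int good = 0;
    while (good < rows && read_level_row(fp, row))
        good++;
    fclose(fp);
    return good == rows ? good : -1;
}
```

A 93-character row is rejected rather than overflowing: fgets() stops after ROWBUF-1 bytes and the missing newline is caught by the length check.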
The fix has been committed to CVS HEAD and the gnome-2-10 branch.
FWIW, sending this downstream too...: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=158269
*** Bug 305235 has been marked as a duplicate of this bug. ***
*** Bug 305880 has been marked as a duplicate of this bug. ***
*** Bug 306594 has been marked as a duplicate of this bug. ***
*** Bug 306976 has been marked as a duplicate of this bug. ***
*** Bug 308114 has been marked as a duplicate of this bug. ***