authorSergei Trofimovich <slyfox@gentoo.org>2012-02-05 19:37:31 +0000
committerSergei Trofimovich <slyfox@gentoo.org>2012-02-05 19:37:31 +0000
commitb3dd424639a66c36e1eb9819a33706f8297aefc6 (patch)
treebbc908a81bda034e6d67197979fae34bc971ea94
parentDon't die if hg pull exits with status 1. (diff)
downloadgentoo-2-b3dd424639a66c36e1eb9819a33706f8297aefc6.tar.gz
gentoo-2-b3dd424639a66c36e1eb9819a33706f8297aefc6.tar.bz2
gentoo-2-b3dd424639a66c36e1eb9819a33706f8297aefc6.zip
Fix crash due to out-of-bounds access on 64-bit arches.
(Portage version: 2.2.0_alpha85/cvs/Linux x86_64)
-rw-r--r--app-misc/bb/ChangeLog10
-rw-r--r--app-misc/bb/bb-1.3.0_rc1-r2.ebuild (renamed from app-misc/bb/bb-1.3.0_rc1-r1.ebuild)5
-rw-r--r--app-misc/bb/files/bb-1.3.0_rc1-messager-overlap.patch25
-rw-r--r--app-misc/bb/files/bb-1.3.0_rc1-printf-cleanup.patch55
-rw-r--r--app-misc/bb/files/bb-1.3.0_rc1-zbuff-fault.patch35
5 files changed, 128 insertions, 2 deletions
diff --git a/app-misc/bb/ChangeLog b/app-misc/bb/ChangeLog
index 6d2af5dfbbfa..f62771e6e050 100644
--- a/app-misc/bb/ChangeLog
+++ b/app-misc/bb/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for app-misc/bb
# Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-misc/bb/ChangeLog,v 1.3 2012/01/28 19:25:23 slyfox Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-misc/bb/ChangeLog,v 1.4 2012/02/05 19:37:31 slyfox Exp $
+
+*bb-1.3.0_rc1-r2 (05 Feb 2012)
+
+ 05 Feb 2012; Sergei Trofimovich <slyfox@gentoo.org> +bb-1.3.0_rc1-r2.ebuild,
+ +files/bb-1.3.0_rc1-messager-overlap.patch,
+ +files/bb-1.3.0_rc1-printf-cleanup.patch,
+ +files/bb-1.3.0_rc1-zbuff-fault.patch, -bb-1.3.0_rc1-r1.ebuild:
+ Fix crash due to out-of-bounds access on 64-bit arches.
*bb-1.3.0_rc1-r1 (28 Jan 2012)
diff --git a/app-misc/bb/bb-1.3.0_rc1-r1.ebuild b/app-misc/bb/bb-1.3.0_rc1-r2.ebuild
index 24340d184524..226bf990b3a2 100644
--- a/app-misc/bb/bb-1.3.0_rc1-r1.ebuild
+++ b/app-misc/bb/bb-1.3.0_rc1-r2.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2012 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-misc/bb/bb-1.3.0_rc1-r1.ebuild,v 1.1 2012/01/28 19:25:23 slyfox Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-misc/bb/bb-1.3.0_rc1-r2.ebuild,v 1.1 2012/02/05 19:37:31 slyfox Exp $
EAPI=4
@@ -26,6 +26,9 @@ S="${WORKDIR}/${PN}-$(get_version_component_range 1-3)"
src_prepare() {
epatch "${FILESDIR}/${P}-noattr.patch"
epatch "${FILESDIR}/${P}-fix-protos.patch"
+ epatch "${FILESDIR}"/${P}-messager-overlap.patch
+ epatch "${FILESDIR}"/${P}-zbuff-fault.patch
+ epatch "${FILESDIR}"/${P}-printf-cleanup.patch
# rename binary and manpage bb -> bb-aalib
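Review bot: The three added `epatch` lines quote only `${FILESDIR}` and leave `${P}` outside the quotes, while the two existing calls directly above quote the whole path. This works because `${P}` contains no whitespace, but the mixed style makes the block harder to scan. Writing them as `epatch "${FILESDIR}/${P}-messager-overlap.patch"` (and likewise for the other two) would match the surrounding lines. `src_prepare()` continues past the end of this hunk.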
diff --git a/app-misc/bb/files/bb-1.3.0_rc1-messager-overlap.patch b/app-misc/bb/files/bb-1.3.0_rc1-messager-overlap.patch
new file mode 100644
index 000000000000..e46b75fd5815
--- /dev/null
+++ b/app-misc/bb/files/bb-1.3.0_rc1-messager-overlap.patch
@@ -0,0 +1,25 @@
+messager.c: fix memory overlap (fixes artefacts in scrolling text)
+
+==363== Source and destination overlap in memcpy(0xa066240, 0xa0662b8, 240)
+==363== at 0x4C2B220: memcpy@@GLIBC_2.14 (mc_replace_strmem.c:838)
+==363== by 0x407D97: newline (messager.c:43)
+==363== by 0x407EE6: put (messager.c:54)
+==363== by 0x40806E: messager (messager.c:77)
+==363== by 0x403009: bb (bb.c:258)
+==363== by 0x407C06: main (main.c:202)
+
+diff --git a/messager.c b/messager.c
+index 95cc410..964080b 100644
+--- a/messager.c
++++ b/messager.c
+@@ -40,8 +40,8 @@ static void newline()
+ start = 0;
+ cursor_y++, cursor_x = 0;
+ if (cursor_y >= aa_scrheight(context)) {
+- memcpy(context->textbuffer + start * aa_scrwidth(context), context->textbuffer + (start + 1) * aa_scrwidth(context), aa_scrwidth(context) * (aa_scrheight(context) - start - 1));
+- memcpy(context->attrbuffer + start * aa_scrwidth(context), context->attrbuffer + (start + 1) * aa_scrwidth(context), aa_scrwidth(context) * (aa_scrheight(context) - start - 1));
++ memmove(context->textbuffer + start * aa_scrwidth(context), context->textbuffer + (start + 1) * aa_scrwidth(context), aa_scrwidth(context) * (aa_scrheight(context) - start - 1));
++ memmove(context->attrbuffer + start * aa_scrwidth(context), context->attrbuffer + (start + 1) * aa_scrwidth(context), aa_scrwidth(context) * (aa_scrheight(context) - start - 1));
+ memset(context->textbuffer + aa_scrwidth(context) * (aa_scrheight(context) - 1), ' ', aa_scrwidth(context));
+ memset(context->attrbuffer + aa_scrwidth(context) * (aa_scrheight(context) - 1), 0, aa_scrwidth(context));
+ cursor_y--;
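Review bot: Nothing in `newline()` records why `memmove` is required, so a later cleanup could swap `memcpy` back in and reintroduce the overlap Valgrind reported. Add a comment above the two calls, for example `/* scroll up one row in place: source and destination overlap, so memmove, not memcpy */`. The two calls also repeat `aa_scrwidth(context)` and `aa_scrheight(context)` several times each; hoisting them into locals would make the row arithmetic and the byte count easier to check against the buffer size. `newline()` begins and ends outside the hunk.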
diff --git a/app-misc/bb/files/bb-1.3.0_rc1-printf-cleanup.patch b/app-misc/bb/files/bb-1.3.0_rc1-printf-cleanup.patch
new file mode 100644
index 000000000000..da113795124b
--- /dev/null
+++ b/app-misc/bb/files/bb-1.3.0_rc1-printf-cleanup.patch
@@ -0,0 +1,55 @@
+zoom.c: cleanup protos
+
+x86_64-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -O2 -march=core2 -pipe -I/usr/include -pthread -D_REENTRANT -D SOUNDDIR=\"/usr/share/bb\" -c zoom.c
+zoom.c: In function 'mkrealloc_table':
+zoom.c:245:113: warning: format '%i' expects type 'int', but argument 3 has type 'long unsigned int'
+zoom.c:251:113: warning: format '%i' expects type 'int', but argument 3 has type 'long unsigned int'
+zoom.c:260:113: warning: format '%i' expects type 'int', but argument 3 has type 'long unsigned int'
+zoom.c: In function 'moveoldpoints':
+zoom.c:590:3: warning: format '%i' expects type 'int', but argument 3 has type 'long unsigned int'
+zoom.c:596:3: warning: format '%i' expects type 'int', but argument 3 has type 'long unsigned int'
+diff --git a/zoom.c b/zoom.c
+index 7450095..b86cc8b 100644
+--- a/zoom.c
++++ b/zoom.c
+@@ -241,13 +241,13 @@ static /*INLINE */ void mkrealloc_table(register number_t * pos, realloc_t * rea
+ #endif
+ if (dyndata == NULL) {
+ fprintf(stderr, "XaoS fatal error:Could not allocate memory for"
+- "temporary dynamical data of size:%i\n"
++ "temporary dynamical data of size:%li\n"
+ "I am unable to handle this problem so please resize to lower window\n", (size) * (DSIZE + 1) * sizeof(struct dyn_data) + size * sizeof(int) + size * sizeof(int));
+ return;
+ }
+ if (best == NULL) {
+ fprintf(stderr, "XaoS fatal error:Could not allocate memory for"
+- "temporary dynamical data of size:%i\n"
++ "temporary dynamical data of size:%li\n"
+ "I am unable to handle this problem so please resize to lower window\n", (size) * (DSIZE + 1) * sizeof(struct dyn_data) + size * sizeof(int) + size * sizeof(int));
+ #ifndef HAVE_ALLOCA
+ free(dyndata);
+@@ -256,7 +256,7 @@ static /*INLINE */ void mkrealloc_table(register number_t * pos, realloc_t * rea
+ }
+ if (best1 == NULL) {
+ fprintf(stderr, "XaoS fatal error:Could not allocate memory for"
+- "temporary dynamical data of size:%i\n"
++ "temporary dynamical data of size:%li\n"
+ "I am unable to handle this problem so please resize to lower window\n", (size) * (DSIZE + 1) * sizeof(struct dyn_data) + size * sizeof(int) + size * sizeof(int));
+ #ifndef HAVE_ALLOCA
+ free(dyndata);
+@@ -586,13 +586,13 @@ static /*INLINE */ void moveoldpoints(void)
+ #endif
+ if (size == NULL) {
+ fprintf(stderr, "XaoS fratal error:Could not allocate memory for"
+- "temporary dynamical data of size:%i\n"
++ "temporary dynamical data of size:%li\n"
+ "I am unable to handle this problem so please resize to lower window\n", 2 * d->width * sizeof(int));
+ return;
+ }
+ if (start == NULL) {
+ fprintf(stderr, "XaoS fratal error:Could not allocate memory for"
+- "temporary dynamical data of size:%i\n"
++ "temporary dynamical data of size:%li\n"
+ "I am unable to handle this problem so please resize to lower window\n", 2 * d->width * sizeof(int));
+ #ifndef HAVE_ALLOCA
+ free(size);
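Review bot: `%li` is still the wrong conversion for these arguments. Each of the five changed `fprintf` calls passes an expression containing `sizeof`, so the argument is a `size_t`, which is unsigned and is only as wide as `long` on LP64 targets. On a 32-bit build the specifier mismatches again, and a mismatched printf conversion is undefined behaviour rather than just a warning. Use `"temporary dynamical data of size:%zu\n"` in both `mkrealloc_table` and `moveoldpoints`, or cast the argument to `unsigned long` and print it with `%lu` if a pre-C99 libc must be supported. Both functions start and end outside the hunks shown.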
diff --git a/app-misc/bb/files/bb-1.3.0_rc1-zbuff-fault.patch b/app-misc/bb/files/bb-1.3.0_rc1-zbuff-fault.patch
new file mode 100644
index 000000000000..b3e882ed55e9
--- /dev/null
+++ b/app-misc/bb/files/bb-1.3.0_rc1-zbuff-fault.patch
@@ -0,0 +1,35 @@
+tex.c: Fix out-of-bounds zbuff clearing
+
+> zbuff = (int *) malloc(X_s * Y_s * sizeof(int));
+> memset(zbuff, 0x55, (X_s * Y_s * sizeof(long)));
+
+Ouch! amd64: sizeof(long) == 8; sizeof (int) == 4
+
+Valgrind says:
+==4525== Invalid write of size 4
+==4525== at 0x4C2C3AF: memset (mc_replace_strmem.c:967)
+==4525== by 0x4122E0: clear_zbuff (tex.c:95)
+==4525== by 0x4144D8: disp3d (tex.c:292)
+==4525== by 0x40F3C6: scene5 (scene5.c:206)
+==4525== by 0x4031BC: bb (bb.c:325)
+==4525== by 0x407C56: main (main.c:202)
+==4525== Address 0xac9ef00 is 0 bytes after a block of size 34,992 alloc'd
+==4525== at 0x4C2996D: malloc (vg_replace_malloc.c:263)
+==4525== by 0x412283: set_zbuff (tex.c:85)
+==4525== by 0x40F347: scene5 (scene5.c:196)
+==4525== by 0x4031BC: bb (bb.c:325)
+==4525== by 0x407C56: main (main.c:202)
+
+diff --git a/tex.c b/tex.c
+index 9f2f99d..b390510 100644
+--- a/tex.c
++++ b/tex.c
+@@ -92,7 +92,7 @@ void unset_zbuff()
+
+ static inline void clear_zbuff()
+ {
+- memset(zbuff, 0x55, (X_s * Y_s * sizeof(long)));
++ memset(zbuff, 0x55, (X_s * Y_s * sizeof(int)));
+ }
+
+
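Review bot: The byte count in `clear_zbuff()` is still written by hand, separately from the `malloc` quoted from `set_zbuff()`, which is how the two sizes drifted apart in the first place. Tie it to the pointed-to type with `memset(zbuff, 0x55, X_s * Y_s * sizeof *zbuff);` and use the same `sizeof *zbuff` in the allocation. The declarations of `X_s` and `Y_s` are not visible here; if they are `int`, the product `X_s * Y_s` is evaluated in `int` before it is widened, so a `(size_t)` cast on the first operand would be the safer form. Whether `set_zbuff()` checks the `malloc` result before `clear_zbuff()` runs is also outside the hunk and worth confirming.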