author | Sergei Trofimovich <slyfox@gentoo.org> | 2012-02-05 19:37:31 +0000 |
---|---|---|
committer | Sergei Trofimovich <slyfox@gentoo.org> | 2012-02-05 19:37:31 +0000 |
commit | b3dd424639a66c36e1eb9819a33706f8297aefc6 (patch) | |
tree | bbc908a81bda034e6d67197979fae34bc971ea94 | |
parent | Don't die if hg pull exits with status 1. (diff) | |
Fix crash due to out-of-bounds access on 64-bit arches.
(Portage version: 2.2.0_alpha85/cvs/Linux x86_64)
-rw-r--r-- | app-misc/bb/ChangeLog | 10 | ||||
-rw-r--r-- | app-misc/bb/bb-1.3.0_rc1-r2.ebuild (renamed from app-misc/bb/bb-1.3.0_rc1-r1.ebuild) | 5 | ||||
-rw-r--r-- | app-misc/bb/files/bb-1.3.0_rc1-messager-overlap.patch | 25 | ||||
-rw-r--r-- | app-misc/bb/files/bb-1.3.0_rc1-printf-cleanup.patch | 55 | ||||
-rw-r--r-- | app-misc/bb/files/bb-1.3.0_rc1-zbuff-fault.patch | 35 |
5 files changed, 128 insertions, 2 deletions
diff --git a/app-misc/bb/ChangeLog b/app-misc/bb/ChangeLog
index 6d2af5dfbbfa..f62771e6e050 100644
--- a/app-misc/bb/ChangeLog
+++ b/app-misc/bb/ChangeLog
@@ -1,6 +1,14 @@
 # ChangeLog for app-misc/bb
 # Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-misc/bb/ChangeLog,v 1.3 2012/01/28 19:25:23 slyfox Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-misc/bb/ChangeLog,v 1.4 2012/02/05 19:37:31 slyfox Exp $
+
+*bb-1.3.0_rc1-r2 (05 Feb 2012)
+
+ 05 Feb 2012; Sergei Trofimovich <slyfox@gentoo.org> +bb-1.3.0_rc1-r2.ebuild,
+ +files/bb-1.3.0_rc1-messager-overlap.patch,
+ +files/bb-1.3.0_rc1-printf-cleanup.patch,
+ +files/bb-1.3.0_rc1-zbuff-fault.patch, -bb-1.3.0_rc1-r1.ebuild:
+ Fix crash due to out-of-bounds access on 64-bit arches.
 *bb-1.3.0_rc1-r1 (28 Jan 2012)
diff --git a/app-misc/bb/bb-1.3.0_rc1-r1.ebuild b/app-misc/bb/bb-1.3.0_rc1-r2.ebuild
index 24340d184524..226bf990b3a2 100644
--- a/app-misc/bb/bb-1.3.0_rc1-r1.ebuild
+++ b/app-misc/bb/bb-1.3.0_rc1-r2.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2012 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-misc/bb/bb-1.3.0_rc1-r1.ebuild,v 1.1 2012/01/28 19:25:23 slyfox Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-misc/bb/bb-1.3.0_rc1-r2.ebuild,v 1.1 2012/02/05 19:37:31 slyfox Exp $
 EAPI=4
@@ -26,6 +26,9 @@ S="${WORKDIR}/${PN}-$(get_version_component_range 1-3)"
 src_prepare() {
 epatch "${FILESDIR}/${P}-noattr.patch"
 epatch "${FILESDIR}/${P}-fix-protos.patch"
+ epatch "${FILESDIR}"/${P}-messager-overlap.patch
+ epatch "${FILESDIR}"/${P}-zbuff-fault.patch
+ epatch "${FILESDIR}"/${P}-printf-cleanup.patch
 # rename binary and manpage bb -> bb-aalib
diff --git a/app-misc/bb/files/bb-1.3.0_rc1-messager-overlap.patch b/app-misc/bb/files/bb-1.3.0_rc1-messager-overlap.patch
new file mode 100644
index 000000000000..e46b75fd5815
--- /dev/null
+++ b/app-misc/bb/files/bb-1.3.0_rc1-messager-overlap.patch
@@ -0,0 +1,25 @@
+messager.c: fix memory overlap (fixes artefacts in scrolling text)
+
+==363== Source and destination overlap in memcpy(0xa066240, 0xa0662b8, 240)
+==363== at 0x4C2B220: memcpy@@GLIBC_2.14 (mc_replace_strmem.c:838)
+==363== by 0x407D97: newline (messager.c:43)
+==363== by 0x407EE6: put (messager.c:54)
+==363== by 0x40806E: messager (messager.c:77)
+==363== by 0x403009: bb (bb.c:258)
+==363== by 0x407C06: main (main.c:202)
+
+diff --git a/messager.c b/messager.c
+index 95cc410..964080b 100644
+--- a/messager.c
++++ b/messager.c
+@@ -40,8 +40,8 @@ static void newline()
+ start = 0;
+ cursor_y++, cursor_x = 0;
+ if (cursor_y >= aa_scrheight(context)) {
+- memcpy(context->textbuffer + start * aa_scrwidth(context), context->textbuffer + (start + 1) * aa_scrwidth(context), aa_scrwidth(context) * (aa_scrheight(context) - start - 1));
+- memcpy(context->attrbuffer + start * aa_scrwidth(context), context->attrbuffer + (start + 1) * aa_scrwidth(context), aa_scrwidth(context) * (aa_scrheight(context) - start - 1));
++ memmove(context->textbuffer + start * aa_scrwidth(context), context->textbuffer + (start + 1) * aa_scrwidth(context), aa_scrwidth(context) * (aa_scrheight(context) - start - 1));
++ memmove(context->attrbuffer + start * aa_scrwidth(context), context->attrbuffer + (start + 1) * aa_scrwidth(context), aa_scrwidth(context) * (aa_scrheight(context) - start - 1));
+ memset(context->textbuffer + aa_scrwidth(context) * (aa_scrheight(context) - 1), ' ', aa_scrwidth(context));
+ memset(context->attrbuffer + aa_scrwidth(context) * (aa_scrheight(context) - 1), 0, aa_scrwidth(context));
+ cursor_y--;
diff --git a/app-misc/bb/files/bb-1.3.0_rc1-printf-cleanup.patch b/app-misc/bb/files/bb-1.3.0_rc1-printf-cleanup.patch
new file mode 100644
index 000000000000..da113795124b
--- /dev/null
+++ b/app-misc/bb/files/bb-1.3.0_rc1-printf-cleanup.patch
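Review bot: In the messager.c hunk the two memmove() lengths are still `aa_scrwidth(context) * (aa_scrheight(context) - start - 1)`, an int product that nothing visible in the hunk bounds; if `start` can reach the last row the product is negative and converts to a huge size_t. newline() begins outside the hunk, so the range of `start` may already be constrained there, which is worth confirming. I would compute `int rows = aa_scrheight(context) - start - 1;` once and wrap both moves in `if (rows > 0)`. A one-line comment such as `/* rows overlap while scrolling up: memmove, not memcpy */` would also keep the fix from being reverted as an optimisation.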
@@ -0,0 +1,55 @@
+zoom.c: cleanup protos
+
+x86_64-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -O2 -march=core2 -pipe -I/usr/include -pthread -D_REENTRANT -D SOUNDDIR=\"/usr/share/bb\" -c zoom.c
+zoom.c: In function 'mkrealloc_table':
+zoom.c:245:113: warning: format '%i' expects type 'int', but argument 3 has type 'long unsigned int'
+zoom.c:251:113: warning: format '%i' expects type 'int', but argument 3 has type 'long unsigned int'
+zoom.c:260:113: warning: format '%i' expects type 'int', but argument 3 has type 'long unsigned int'
+zoom.c: In function 'moveoldpoints':
+zoom.c:590:3: warning: format '%i' expects type 'int', but argument 3 has type 'long unsigned int'
+zoom.c:596:3: warning: format '%i' expects type 'int', but argument 3 has type 'long unsigned int'
+diff --git a/zoom.c b/zoom.c
+index 7450095..b86cc8b 100644
+--- a/zoom.c
++++ b/zoom.c
+@@ -241,13 +241,13 @@ static /*INLINE */ void mkrealloc_table(register number_t * pos, realloc_t * rea
+ #endif
+ if (dyndata == NULL) {
+ fprintf(stderr, "XaoS fatal error:Could not allocate memory for"
+- "temporary dynamical data of size:%i\n"
++ "temporary dynamical data of size:%li\n"
+ "I am unable to handle this problem so please resize to lower window\n", (size) * (DSIZE + 1) * sizeof(struct dyn_data) + size * sizeof(int) + size * sizeof(int));
+ return;
+ }
+ if (best == NULL) {
+ fprintf(stderr, "XaoS fatal error:Could not allocate memory for"
+- "temporary dynamical data of size:%i\n"
++ "temporary dynamical data of size:%li\n"
+ "I am unable to handle this problem so please resize to lower window\n", (size) * (DSIZE + 1) * sizeof(struct dyn_data) + size * sizeof(int) + size * sizeof(int));
+ #ifndef HAVE_ALLOCA
+ free(dyndata);
+@@ -256,7 +256,7 @@ static /*INLINE */ void mkrealloc_table(register number_t * pos, realloc_t * rea
+ }
+ if (best1 == NULL) {
+ fprintf(stderr, "XaoS fatal error:Could not allocate memory for"
+- "temporary dynamical data of size:%i\n"
++ "temporary dynamical data of size:%li\n"
+ "I am unable to handle this problem so please resize to lower window\n", (size) * (DSIZE + 1) * sizeof(struct dyn_data) + size * sizeof(int) + size * sizeof(int));
+ #ifndef HAVE_ALLOCA
+ free(dyndata);
+@@ -586,13 +586,13 @@ static /*INLINE */ void moveoldpoints(void)
+ #endif
+ if (size == NULL) {
+ fprintf(stderr, "XaoS fratal error:Could not allocate memory for"
+- "temporary dynamical data of size:%i\n"
++ "temporary dynamical data of size:%li\n"
+ "I am unable to handle this problem so please resize to lower window\n", 2 * d->width * sizeof(int));
+ return;
+ }
+ if (start == NULL) {
+ fprintf(stderr, "XaoS fratal error:Could not allocate memory for"
+- "temporary dynamical data of size:%i\n"
++ "temporary dynamical data of size:%li\n"
+ "I am unable to handle this problem so please resize to lower window\n", 2 * d->width * sizeof(int));
+ #ifndef HAVE_ALLOCA
+ free(size);
diff --git a/app-misc/bb/files/bb-1.3.0_rc1-zbuff-fault.patch b/app-misc/bb/files/bb-1.3.0_rc1-zbuff-fault.patch
new file mode 100644
index 000000000000..b3e882ed55e9
--- /dev/null
+++ b/app-misc/bb/files/bb-1.3.0_rc1-zbuff-fault.patch
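Review bot: `%li` in the five changed format strings (three in mkrealloc_table, two in moveoldpoints) is still the wrong conversion: every argument is built from `sizeof`, so it is an unsigned `size_t`, which the quoted gcc warning reports as 'long unsigned int' only because the build was x86_64. On targets where size_t is not long the mismatch returns, and a signed conversion misprints very large sizes. `"temporary dynamical data of size:%zu\n"` matches size_t on every target; if a pre-C99 libc must be supported, cast the argument to `(unsigned long)` and use `%lu` instead. Both functions start and end outside the hunks.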
@@ -0,0 +1,35 @@
+tex.c: Fix out-of-bounds zbuff clearing
+
+> zbuff = (int *) malloc(X_s * Y_s * sizeof(int));
+> memset(zbuff, 0x55, (X_s * Y_s * sizeof(long)));
+
+Ouch! amd64: sizeof(long) == 8; sizeof (int) == 4
+
+Valgrind says:
+==4525== Invalid write of size 4
+==4525== at 0x4C2C3AF: memset (mc_replace_strmem.c:967)
+==4525== by 0x4122E0: clear_zbuff (tex.c:95)
+==4525== by 0x4144D8: disp3d (tex.c:292)
+==4525== by 0x40F3C6: scene5 (scene5.c:206)
+==4525== by 0x4031BC: bb (bb.c:325)
+==4525== by 0x407C56: main (main.c:202)
+==4525== Address 0xac9ef00 is 0 bytes after a block of size 34,992 alloc'd
+==4525== at 0x4C2996D: malloc (vg_replace_malloc.c:263)
+==4525== by 0x412283: set_zbuff (tex.c:85)
+==4525== by 0x40F347: scene5 (scene5.c:196)
+==4525== by 0x4031BC: bb (bb.c:325)
+==4525== by 0x407C56: main (main.c:202)
+
+diff --git a/tex.c b/tex.c
+index 9f2f99d..b390510 100644
+--- a/tex.c
++++ b/tex.c
+@@ -92,7 +92,7 @@ void unset_zbuff()
+
+ static inline void clear_zbuff()
+ {
+- memset(zbuff, 0x55, (X_s * Y_s * sizeof(long)));
++ memset(zbuff, 0x55, (X_s * Y_s * sizeof(int)));
+ }
+
+
|
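Review bot: `sizeof(int)` in clear_zbuff() repeats the element type by hand, which is how the clear and the allocation drifted apart in the first place; `memset(zbuff, 0x55, X_s * Y_s * sizeof *zbuff);` ties the length to the pointer's own type. The clear also recomputes `X_s * Y_s` independently, so it stays in bounds only if neither value changes after set_zbuff() allocates. set_zbuff() is outside the hunk, so that is unverified here, as is whether the malloc result is checked before clear_zbuff() writes through it. A comment on clear_zbuff() stating that the length must equal the set_zbuff() allocation would record the invariant.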