[Gtkradiant] q3map2.x86 buffer overflow detected on amd64
Martin Gerhardy
martin.gerhardy at gmail.com
Wed Jul 22 13:42:06 CDT 2009
Hello,
Sorry to bother you but I tried to send this mail to the gtkradiant
mailing list without success :-(
Maybe you can help me with this?
Cedric
-------- Original Message --------
Subject: q3map2.x86 buffer overflow detected on amd64
Date: Tue, 21 Jul 2009 17:51:08 +0200
From: Cédric Godin <cedric at belbone.be>
To: gtkradiant at zerowing.idsoftware.com
Hello,
I just compiled the 1.5 branch of Gtkradiant but when trying q3map2, I
had the following error:
cedric at endymion ~/devel/GtkRadiant $ install/q3map2.x86
2.5.17
threads: 4
Q3Map - v1.0r (c) 1999 Id Software Inc.
Q3Map (ydnar) - v2.5.17
GtkRadiant - v1.5.0 Jul 20 2009 19:36:19
Last one turns the lights off
*** buffer overflow detected ***: install/q3map2.x86 terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7f62ea343c17]
/lib/libc.so.6[0x7f62ea341a10]
/lib/libc.so.6[0x7f62ea3420fb]
install/q3map2.x86[0x4589c2]
install/q3map2.x86[0x458b61]
install/q3map2.x86[0x454b21]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7f62ea27d486]
install/q3map2.x86[0x40bb39]
======= Memory map: ========
Abandon
Here is the backtrace of the problem:
#0 0x00007f281647f205 in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00007f2816480723 in abort () at abort.c:88
#2 0x00007f28164bc298 in __libc_message (do_abort=2, fmt=0x7f281656a24b "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#3 0x00007f2816531c17 in __fortify_fail (msg=0x7f281656a20b "buffer overflow detected") at fortify_fail.c:32
#4 0x00007f281652fa10 in __chk_fail () at chk_fail.c:29
#5 0x00007f28165300fb in __realpath_chk (buf=0x1164 <Address 0x1164 out of bounds>, resolved=0x1164 <Address 0x1164 out of bounds>, resolvedlen=6) at realpath_chk.c:30
#6 0x00000000004589c2 in LokiInitPaths ()
#7 0x0000000000458b61 in InitPaths ()
#8 0x0000000000454b21 in main ()
(gdb) p installPath
$1 = 0
In the man page of 'realpath', we have:
If resolved_path is specified as NULL, then realpath() uses malloc(3) to
allocate a buffer of up to PATH_MAX bytes to hold the resolved
pathname, and returns a pointer to this buffer.
but in "tools/quake2/common/path_init.c" we have "char installPath[
MAX_OS_PATH ];" with "#define MAX_OS_PATH 1024" in
"tools/quake3/common/cmdlib.h". On my system, PATH_MAX is 4096. With the
attached patch I can execute (and compile maps) q3map2.
PS: I tried to subscribe to the mailing list but have not yet received
the confirmation mail (after 2 days), so could you cc me in case of reply?
Thanks.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch-q3map2.diff
Type: text/x-patch
Size: 429 bytes
Desc: not available
URL: http://zerowing.idsoftware.com/pipermail/gtkradiant/attachments/20090722/45547e33/attachment.bin