Version: (using KDE KDE 3.5.5) Installed from: SuSE RPMs OS: Linux Hello there, this is a crash report for kst 1.3.1 installed from OpenSUSE 10.2 (64 bit) How to reproduce ---------------- I have a directory with one file with data. The data file is named "bsp1_int_posmatch_rawhashhits_preassembly.0.lst". I start kst, choose data wizard, in data wizard open the file dialog, navigate to the directory with that file, choose the file and select open -> crash It's really just the filename, renaming the file to something like "bla.lst" makes the crash go away I had two types of error messages on my console. 1) Sometimes I had kst: posixio.c:396: px_get: Assertion `extent != 0' failed. KCrash: Application 'kst' crashing... 2) Most of the times I have *** buffer overflow detected ***: kst terminated ======= Backtrace: ========= /lib64/libc.so.6(__chk_fail+0x2f)[0x2ae735e39d4f] /opt/kde3/lib64/kde3/kstdata_frame.so(CReadData+0xbf)[0x2aaaaad045ff] /opt/kde3/lib64/kde3/kstdata_frame.so(understands_frame+0x4a)[0x2aaaaad00dba] /opt/kde3/lib64/libkst.so.1[0x2ae733d8e6d1] /opt/kde3/lib64/libkst.so.1(_ZN13KstDataSource18fieldListForSourceERK7QStringS2_PS0_Pb+0x109)[0x2ae733d90849] /opt/kde3/lib64/libkstapp.so.1(_ZN10DataWizard13sourceChangedERK7QString+0xe9d)[0x2ae7338171ad] /opt/kde3/lib64/libkstapp.so.1(_ZN10DataWizard9qt_invokeEiP8QUObject+0x12d)[0x2ae73380c15d] /usr/lib/qt3/lib64/libqt-mt.so.3(_ZN7QObject15activate_signalEP15QConnectionListP8QUObject+0x14c)[0x2ae735370adc] /usr/lib/qt3/lib64/libqt-mt.so.3(_ZN7QObject15activate_signalEi7QString+0x156)[0x2ae7353713c6] /opt/kde3/lib64/libkio.so.4(_ZN13KURLRequester11textChangedERK7QString+0x25)[0x2ae7342c45c5] /opt/kde3/lib64/libkio.so.4(_ZN13KURLRequester7qt_emitEiP8QUObject+0x6f)[0x2ae7342c465f] /usr/lib/qt3/lib64/libqt-mt.so.3(_ZN7QObject15activate_signalEP15QConnectionListP8QUObject+0x18a)[0x2ae735370b1a] /usr/lib/qt3/lib64/libqt-mt.so.3(_ZN7QObject15activate_signalEi7QString+0x156)[0x2ae7353713c6] 
/usr/lib/qt3/lib64/libqt-mt.so.3(_ZN9QLineEdit11textChangedERK7QString+0x25)[0x2ae735661885] /usr/lib/qt3/lib64/libqt-mt.so.3(_ZN16QLineEditPrivate12finishChangeEib+0xd2)[0x2ae7354291f2] /opt/kde3/lib64/libkio.so.4(_ZN13KURLRequester7setKURLERK4KURL+0x15a)[0x2ae7342c482a] /opt/kde3/lib64/libkio.so.4(_ZN13KURLRequester14slotOpenDialogEv+0x262)[0x2ae7342f31f2] /opt/kde3/lib64/libkio.so.4(_ZN13KURLRequester9qt_invokeEiP8QUObject+0x8d)[0x2ae7342f351d] /usr/lib/qt3/lib64/libqt-mt.so.3(_ZN7QObject15activate_signalEP15QConnectionListP8QUObject+0x14c)[0x2ae735370adc] /usr/lib/qt3/lib64/libqt-mt.so.3(_ZN7QObject15activate_signalEi+0xa3)[0x2ae7353717b3] /usr/lib/qt3/lib64/libqt-mt.so.3(_ZN7QWidget5eventEP6QEvent+0x3c7)[0x2ae7353a37b7] /usr/lib/qt3/lib64/libqt-mt.so.3(_ZN12QApplication14internalNotifyEP7QObjectP6QEvent+0x85)[0x2ae735319eb5] /usr/lib/qt3/lib64/libqt-mt.so.3(_ZN12QApplication6notifyEP7QObjectP6QEvent+0x2a1)[0x2ae73531adf1] /opt/kde3/lib64/libkdecore.so.4(_ZN12KApplication6notifyEP7QObjectP6QEvent+0x198)[0x2ae734d5fe38] /usr/lib/qt3/lib64/libqt-mt.so.3(_ZN9QETWidget19translateMouseEventEPK7_XEvent+0x489)[0x2ae7352c2399] /usr/lib/qt3/lib64/libqt-mt.so.3(_ZN12QApplication15x11ProcessEventEP7_XEvent+0x6d3)[0x2ae7352c13f3] /usr/lib/qt3/lib64/libqt-mt.so.3(_ZN10QEventLoop13processEventsEj+0x41f)[0x2ae7352d040f] /usr/lib/qt3/lib64/libqt-mt.so.3(_ZN10QEventLoop9enterLoopEv+0x43)[0x2ae73532e963] /usr/lib/qt3/lib64/libqt-mt.so.3(_ZN7QDialog4execEv+0x7b)[0x2ae7354cfdbb] /opt/kde3/lib64/libkstapp.so.1(_ZN6KstApp14showDataWizardEv+0x35)[0x2ae7337b55d5] /opt/kde3/lib64/libkstapp.so.1(_ZN20KstQuickStartDialogI9qt_invokeEiP8QUObject+0xbd)[0x2ae73377950d] /usr/lib/qt3/lib64/libqt-mt.so.3(_ZN7QObject15activate_signalEP15QConnectionListP8QUObject+0x14c)[0x2ae735370adc] /usr/lib/qt3/lib64/libqt-mt.so.3(_ZN7QObject15activate_signalEi+0xa3)[0x2ae7353717b3] /usr/lib/qt3/lib64/libqt-mt.so.3(_ZN7QWidget5eventEP6QEvent+0x3c7)[0x2ae7353a37b7] 
/usr/lib/qt3/lib64/libqt-mt.so.3(_ZN12QApplication14internalNotifyEP7QObjectP6QEvent+0x85)[0x2ae735319eb5] /usr/lib/qt3/lib64/libqt-mt.so.3(_ZN12QApplication6notifyEP7QObjectP6QEvent+0x2a1)[0x2ae73531adf1] /opt/kde3/lib64/libkdecore.so.4(_ZN12KApplication6notifyEP7QObjectP6QEvent+0x198)[0x2ae734d5fe38] /usr/lib/qt3/lib64/libqt-mt.so.3(_ZN9QETWidget19translateMouseEventEPK7_XEvent+0x489)[0x2ae7352c2399] /usr/lib/qt3/lib64/libqt-mt.so.3(_ZN12QApplication15x11ProcessEventEP7_XEvent+0x6d3)[0x2ae7352c13f3] /usr/lib/qt3/lib64/libqt-mt.so.3(_ZN10QEventLoop13processEventsEj+0x41f)[0x2ae7352d040f] /usr/lib/qt3/lib64/libqt-mt.so.3(_ZN10QEventLoop9enterLoopEv+0x43)[0x2ae73532e963] /usr/lib/qt3/lib64/libqt-mt.so.3(_ZN10QEventLoop4execEv+0x22)[0x2ae73532e812] kst[0x40cd7b] /lib64/libc.so.6(__libc_start_main+0xf4)[0x2ae735d84ae4] kst(_ZN6QGListD0Ev+0x81)[0x406d69] ======= Memory map: ======== 00400000-00414000 r-xp 00000000 08:17 394143 /opt/kde3/bin/kst 00613000-00615000 rw-p 00013000 08:17 394143 /opt/kde3/bin/kst 00615000-00fd7000 rw-p 00615000 00:00 0 [heap] 40000000-40001000 ---p 40000000 00:00 0 40001000-40801000 rw-p 40001000 00:00 0 2aaaaaabf000-2aaaaaaf4000 r--s 00000000 08:17 1676580 /var/run/nscd/passwd 2aaaaaaf4000-2aaaaaafa000 r-xp 00000000 08:17 1435275 /opt/kde3/lib64/kde3/kstdata_indirect.so 2aaaaaafa000-2aaaaacfa000 ---p 00006000 08:17 1435275 /opt/kde3/lib64/kde3/kstdata_indirect.so 2aaaaacfa000-2aaaaacfc000 rw-p 00006000 08:17 1435275 /opt/kde3/lib64/kde3/kstdata_indirect.so 2aaaaacfc000-2aaaaacfd000 r--p 00000000 08:17 1759367 /usr/share/locale/en_GB/LC_MESSAGES/libc.mo 2aaaaacfd000-2aaaaad08000 r-xp 00000000 08:17 1435271 /opt/kde3/lib64/kde3/kstdata_frame.so 2aaaaad08000-2aaaaaf07000 ---p 0000b000 08:17 1435271 /opt/kde3/lib64/kde3/kstdata_frame.so 2aaaaaf07000-2aaaaaf09000 rw-p 0000a000 08:17 1435271 /opt/kde3/lib64/kde3/kstdata_frame.so 2aaaaaf09000-2aaaaaf1e000 r-xp 00000000 08:17 1435263 /opt/kde3/lib64/kde3/kstdata_ascii.so 2aaaaaf1e000-2aaaab11e000 
---p 00015000 08:17 1435263 /opt/kde3/lib64/kde3/kstdata_ascii.so 2aaaab11e000-2aaaab120000 rw-p 00015000 08:17 1435263 /opt/kde3/lib64/kde3/kstdata_ascii.so 2aaaab120000-2aaaab12b000 r-xp 00000000 08:17 1435267 /opt/kde3/lib64/kde3/kstdata_dirfile.so 2aaaab12b000-2aaaab32a000 ---p 0000b000 08:17 1435267 /opt/kde3/lib64/kde3/kstdata_dirfile.so 2aaaab32a000-2aaaab32c000 rw-p 0000a000 08:17 1435267 /opt/kde3/lib64/kde3/kstdata_dirfile.so 2aaaab32c000-2aaaab37e000 r-xp 00000000 08:17 1435279 /opt/kde3/lib64/kde3/kstdata_netcdf.so 2aaaab37e000-2aaaab57e000 ---p 00052000 08:17 1435279 /opt/kde3/lib64/kde3/kstdata_netcdf.so 2aaaab57e000-2aaaab581000 rw-p 00052000 08:17 1435279 /opt/kde3/lib64/kde3/kstdata_netcdf.so 2aaaab581000-2aaaab583000 rw-p 2aaaab581000 00:00 0 2aaaab583000-2aaaab589000 r-xp 00000000 08:17 1435299 /opt/kde3/lib64/kde3/kstdata_qimagesource.so 2aaaab589000-2aaaab788000 ---p 00006000 08:17 1435299 /opt/kde3/lib64/kde3/kstdata_qimagesource.so 2aaaab788000-2aaaab78a000 rw-p 00005000 08:17 1435299 /opt/kde3/lib64/kde3/kstdata_qimagesource.so 2aaaab78a000-2aaaab78c000 rw-p 2aaaab78a000 00:00 0 2aaaab7c3000-2aaaab7cd000 r-xp 00000000 08:17 2216186 /lib64/libnss_files-2.5.so 2aaaab7cd000-2aaaab9cc000 ---p 0000a000 08:17 2216186 /lib64/libnss_files-2.5.so 2aaaab9cc000-2aaaab9ce000 rw-p 00009000 08:17 2216186 /lib64/libnss_files-2.5.so 2aaaac000000-2aaaac021000 rw-p 2aaaac000000 00:00 0 2aaaac021000-2aaab0000000 ---p 2aaaac021000 00:00 0 2ae733366000-2ae733382000 r-xp 00000000 08:17 2216162 /lib64/ld-2.5.so 2ae733382000-2ae733383000 rw-p 2ae733382000 00:00 0 2ae733383000-2ae733384000 r--p 00000000 08:17 1838599 /usr/lib/locale/en_GB.utf8/LC_IDENTIFICATION 2ae733384000-2ae73338b000 r--s 00000000 08:17 1855330 /usr/lib64/gconv/gconv-modules.cache 2ae73338b000-2ae73338c000 r--p 00000000 08:17 1855367 /usr/lib/locale/en_GB.utf8/LC_MEASUREMENT 2ae73338c000-2ae73338d000 r--p 00000000 08:17 1840644 /usr/lib/locale/en_GB.utf8/LC_TELEPHONE 2ae73338d000-2ae73338e000 
r--p 00000000 08:17 1840583 /usr/lib/locale/en_GB.utf8/LC_ADDRESS 2ae73338e000-2ae73338f000 r--p 00000000 08:17 1840645 /usr/lib/locale/en_GB.utf8/LC_NAME 2ae73338f000-2ae733390000 r--p 00000000 08:17 1855366 /usr/lib/locale/en_GB.utf8/LC_PAPER 2ae733390000-2ae733391000 r--p 00000000 08:17 1840713 /usr/lib/locale/en_GB.utf8/LC_MESSAGES/SYS_LC_MESSAGES 2ae733391000-2ae733392000 r--p 00000000 08:17 1840646 /usr/lib/locale/en_GB.utf8/LC_MONETARY 2ae7333bc000-2ae7333bd000 rw-p 2ae7333bc000 00:00 0 2ae7333bd000-2ae733494000 r--p 00000000 08:17 1855369 /usr/lib/locale/en_GB.utf8/LC_COLLATE 2ae733494000-2ae733495000 r--p 00000000 08:17 1840582 /usr/lib/locale/en_GB.utf8/LC_TIME 2ae733495000-2ae733496000 r--p 00000000 08:17 1855361 /usr/lib/locale/en_GB.utf8/LC_NUMERIC 2ae733496000-2ae7334d1000 r--p 00000000 08:17 1855368 /usr/lib/locale/en_GB.utf8/LC_CTYPE 2ae7334d1000-2ae7334d2000 r--s 00000000 08:17 1676627 /var/cache/fontconfig/cf6c88e680607f2ab796171745f068a4-x86-64.cache-2 2ae7334d2000-2ae7334d3000 r--s 00000000 08:09 462254 /home/bach/.fontconfig/ee977348e8c023fbc96a494f7da23515-x86-64.cache-2 2ae7334d3000-2ae733KCrash: Application 'kst' crashing...
This is clearly a string overflow bug in the shipped but no longer maintained readdata/frame file data source. I can fix it, but for most people (eg, everyone who isn't reading 1997 Boomerang data - ie, everyone), an adequate fix would be to remove this data source. On Friday 02 March 2007 4:19:16 pm Bastien Chevreux wrote: [bugs.kde.org quoted mail]
Created attachment 20113 [details] strcpy == evil; strncpy == less evil. As expected, we were overflowing the filename. This 'fix' will stop kst from crashing, and will let you use really long filenames on all data sources that support them... important for 1.4
Looks good. -- George Staikos KDE Developer http://www.kde.org/ Staikos Computing Services Inc. http://www.staikos.net/
SVN commit 647569 by netterfield: BUG: 142420 strcpy -> strncpy M +4 -3 creaddata.c M +3 -2 readdata.c
--- trunk/extragear/graphics/kst/src/datasources/frame/creaddata.c #647568:647569
@@ -24,6 +24,7 @@
 #define MAX_LINE_LENGTH 120
 #define MAX_FIELDS_IN_CFORMAT 500
 #define MAX_LINCOM_ENTRIES 4
+#define MAX_FILENAMELEN 256
 #ifndef CALSPECS_DIR
 #define CALSPECS_DIR "/data/etc"
@@ -838,7 +839,7 @@
 int i_format, i_field, i_lincom;
 int s_per_frame;
 static int first_time=1;
- char filename[100], tmpfilename[100];
+ char filename[MAX_FILENAMELEN], tmpfilename[MAX_FILENAMELEN];
 int i, n_read;
 void *tmpbuf;
 int *mp_cnt=NULL, *mp_data, cp_data;
@@ -852,7 +853,7 @@
 return(0);
 }
- strcpy(filename, filename_in);
+ strncpy(filename, filename_in, MAX_FILENAMELEN-2);
 if (first_time) {
 *error_code = ReadCalFile();
@@ -900,7 +901,7 @@
 /* Find t0 from the file creation time */
 t0 = FindT0(filename_in, cstruct[i_format].field[i_field].framerate);
 /* Find f0 from reading the first frame val */
- strcpy(tmpfilename, filename);
+ strncpy(tmpfilename, filename, MAX_FILENAMELEN-2);
 tmpfilename[strlen(tmpfilename)-2] = '0';
 tmpfilename[strlen(tmpfilename)-1] = '0';
--- trunk/extragear/graphics/kst/src/datasources/frame/readdata.c #647568:647569
@@ -27,6 +27,7 @@
 #include "readdata.h"
 #define MAX_LINE_LENGTH 120
 #define MAX_FIELDS_IN_FORMAT 500
+#define MAX_FILENAMELEN 256
 #ifndef FILEFORMATS_DIR
 #define FILEFORMATS_DIR "/data/etc"
@@ -782,9 +783,9 @@
 char done='n';
 unsigned char *data_buffer;
 int fp;
- char filename[100];
+ char filename[MAX_FILENAMELEN];
- strcpy(filename, filename_in);
+ strncpy(filename, filename_in, MAX_FILENAMELEN-2);
 /****************************/
 /* Read the FileFormat file */
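Review bot: `strncpy(filename, filename_in, MAX_FILENAMELEN-2)` in the third creaddata.c hunk does not NUL-terminate `filename` when `filename_in` is MAX_FILENAMELEN-2 characters or longer, and `filename` is an uninitialised automatic array, so the subsequent `strcpy`-style use of it — including `strlen(tmpfilename)` in the fourth hunk and the same pattern in the readdata.c hunk — can still read past the end of the buffer; the overflow is moved from the copy to the reads rather than removed. Each copy should be followed by `filename[sizeof filename - 1] = '\0';` (and `tmpfilename[sizeof tmpfilename - 1] = '\0';`), or replaced with `snprintf(filename, sizeof filename, "%s", filename_in);`, which always terminates. Silent truncation also changes which file is opened, so an over-long `filename_in` is better rejected up front with `if (strlen(filename_in) >= sizeof filename) { /* set *error_code to the source's bad-input code and return(0) */ }` rather than copied at all; the exact error code is not visible in these hunks. The `tmpfilename[strlen(tmpfilename)-2]` writes in the fourth hunk additionally assume at least two characters, which a truncated or empty name does not guarantee. The enclosing functions in both files start and end outside the hunks.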