Bug 142420

Summary: kst data wizard crashes with sigabrt on certain file names
Product: [Applications] kst Reporter: Bastien Chevreux <bach>
Component: generalAssignee: kst
Status: RESOLVED FIXED    
Severity: crash    
Priority: NOR    
Version: 1.x   
Target Milestone: ---   
Platform: openSUSE   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:
Attachments: strcpy == evil; strncpy == less evil

Description Bastien Chevreux 2007-03-02 22:19:13 UTC 
Version:            (using KDE KDE 3.5.5)
Installed from:    SuSE RPMs
OS:                Linux

Hello there,

this is a crash report for kst 1.3.1 installed from OpenSUSE 10.2 (64 bit)

How to reproduce
----------------
I have a directory with one file with data. The data file is named "bsp1_int_posmatch_rawhashhits_preassembly.0.lst".

I start kst, choose data wizard, in data wizard open the file dialog, navigate to the directory with that file, choose the file and select open -> crash

It's really just the filename, renaming the file to something like "bla.lst" makes the crash go away


I had two types of error messages on my console.
1) Sometimes I had
kst: posixio.c:396: px_get: Assertion `extent != 0' failed.
KCrash: Application 'kst' crashing...

2) Most of the times I have
*** buffer overflow detected ***: kst terminated
======= Backtrace: =========
/lib64/libc.so.6(__chk_fail+0x2f)[0x2ae735e39d4f]
/opt/kde3/lib64/kde3/kstdata_frame.so(CReadData+0xbf)[0x2aaaaad045ff]
/opt/kde3/lib64/kde3/kstdata_frame.so(understands_frame+0x4a)[0x2aaaaad00dba]
/opt/kde3/lib64/libkst.so.1[0x2ae733d8e6d1]
/opt/kde3/lib64/libkst.so.1(_ZN13KstDataSource18fieldListForSourceERK7QStringS2_PS0_Pb+0x109)[0x2ae733d90849]
/opt/kde3/lib64/libkstapp.so.1(_ZN10DataWizard13sourceChangedERK7QString+0xe9d)[0x2ae7338171ad]
/opt/kde3/lib64/libkstapp.so.1(_ZN10DataWizard9qt_invokeEiP8QUObject+0x12d)[0x2ae73380c15d]
/usr/lib/qt3/lib64/libqt-mt.so.3(_ZN7QObject15activate_signalEP15QConnectionListP8QUObject+0x14c)[0x2ae735370adc]
/usr/lib/qt3/lib64/libqt-mt.so.3(_ZN7QObject15activate_signalEi7QString+0x156)[0x2ae7353713c6]
/opt/kde3/lib64/libkio.so.4(_ZN13KURLRequester11textChangedERK7QString+0x25)[0x2ae7342c45c5]
/opt/kde3/lib64/libkio.so.4(_ZN13KURLRequester7qt_emitEiP8QUObject+0x6f)[0x2ae7342c465f]
/usr/lib/qt3/lib64/libqt-mt.so.3(_ZN7QObject15activate_signalEP15QConnectionListP8QUObject+0x18a)[0x2ae735370b1a]
/usr/lib/qt3/lib64/libqt-mt.so.3(_ZN7QObject15activate_signalEi7QString+0x156)[0x2ae7353713c6]
/usr/lib/qt3/lib64/libqt-mt.so.3(_ZN9QLineEdit11textChangedERK7QString+0x25)[0x2ae735661885]
/usr/lib/qt3/lib64/libqt-mt.so.3(_ZN16QLineEditPrivate12finishChangeEib+0xd2)[0x2ae7354291f2]
/opt/kde3/lib64/libkio.so.4(_ZN13KURLRequester7setKURLERK4KURL+0x15a)[0x2ae7342c482a]
/opt/kde3/lib64/libkio.so.4(_ZN13KURLRequester14slotOpenDialogEv+0x262)[0x2ae7342f31f2]
/opt/kde3/lib64/libkio.so.4(_ZN13KURLRequester9qt_invokeEiP8QUObject+0x8d)[0x2ae7342f351d]
/usr/lib/qt3/lib64/libqt-mt.so.3(_ZN7QObject15activate_signalEP15QConnectionListP8QUObject+0x14c)[0x2ae735370adc]
/usr/lib/qt3/lib64/libqt-mt.so.3(_ZN7QObject15activate_signalEi+0xa3)[0x2ae7353717b3]
/usr/lib/qt3/lib64/libqt-mt.so.3(_ZN7QWidget5eventEP6QEvent+0x3c7)[0x2ae7353a37b7]
/usr/lib/qt3/lib64/libqt-mt.so.3(_ZN12QApplication14internalNotifyEP7QObjectP6QEvent+0x85)[0x2ae735319eb5]
/usr/lib/qt3/lib64/libqt-mt.so.3(_ZN12QApplication6notifyEP7QObjectP6QEvent+0x2a1)[0x2ae73531adf1]
/opt/kde3/lib64/libkdecore.so.4(_ZN12KApplication6notifyEP7QObjectP6QEvent+0x198)[0x2ae734d5fe38]
/usr/lib/qt3/lib64/libqt-mt.so.3(_ZN9QETWidget19translateMouseEventEPK7_XEvent+0x489)[0x2ae7352c2399]
/usr/lib/qt3/lib64/libqt-mt.so.3(_ZN12QApplication15x11ProcessEventEP7_XEvent+0x6d3)[0x2ae7352c13f3]
/usr/lib/qt3/lib64/libqt-mt.so.3(_ZN10QEventLoop13processEventsEj+0x41f)[0x2ae7352d040f]
/usr/lib/qt3/lib64/libqt-mt.so.3(_ZN10QEventLoop9enterLoopEv+0x43)[0x2ae73532e963]
/usr/lib/qt3/lib64/libqt-mt.so.3(_ZN7QDialog4execEv+0x7b)[0x2ae7354cfdbb]
/opt/kde3/lib64/libkstapp.so.1(_ZN6KstApp14showDataWizardEv+0x35)[0x2ae7337b55d5]
/opt/kde3/lib64/libkstapp.so.1(_ZN20KstQuickStartDialogI9qt_invokeEiP8QUObject+0xbd)[0x2ae73377950d]
/usr/lib/qt3/lib64/libqt-mt.so.3(_ZN7QObject15activate_signalEP15QConnectionListP8QUObject+0x14c)[0x2ae735370adc]
/usr/lib/qt3/lib64/libqt-mt.so.3(_ZN7QObject15activate_signalEi+0xa3)[0x2ae7353717b3]
/usr/lib/qt3/lib64/libqt-mt.so.3(_ZN7QWidget5eventEP6QEvent+0x3c7)[0x2ae7353a37b7]
/usr/lib/qt3/lib64/libqt-mt.so.3(_ZN12QApplication14internalNotifyEP7QObjectP6QEvent+0x85)[0x2ae735319eb5]
/usr/lib/qt3/lib64/libqt-mt.so.3(_ZN12QApplication6notifyEP7QObjectP6QEvent+0x2a1)[0x2ae73531adf1]
/opt/kde3/lib64/libkdecore.so.4(_ZN12KApplication6notifyEP7QObjectP6QEvent+0x198)[0x2ae734d5fe38]
/usr/lib/qt3/lib64/libqt-mt.so.3(_ZN9QETWidget19translateMouseEventEPK7_XEvent+0x489)[0x2ae7352c2399]
/usr/lib/qt3/lib64/libqt-mt.so.3(_ZN12QApplication15x11ProcessEventEP7_XEvent+0x6d3)[0x2ae7352c13f3]
/usr/lib/qt3/lib64/libqt-mt.so.3(_ZN10QEventLoop13processEventsEj+0x41f)[0x2ae7352d040f]
/usr/lib/qt3/lib64/libqt-mt.so.3(_ZN10QEventLoop9enterLoopEv+0x43)[0x2ae73532e963]
/usr/lib/qt3/lib64/libqt-mt.so.3(_ZN10QEventLoop4execEv+0x22)[0x2ae73532e812]
kst[0x40cd7b]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x2ae735d84ae4]
kst(_ZN6QGListD0Ev+0x81)[0x406d69]
======= Memory map: ========
00400000-00414000 r-xp 00000000 08:17 394143                             /opt/kde3/bin/kst
00613000-00615000 rw-p 00013000 08:17 394143                             /opt/kde3/bin/kst
00615000-00fd7000 rw-p 00615000 00:00 0                                  [heap]
40000000-40001000 ---p 40000000 00:00 0
40001000-40801000 rw-p 40001000 00:00 0
2aaaaaabf000-2aaaaaaf4000 r--s 00000000 08:17 1676580                    /var/run/nscd/passwd
2aaaaaaf4000-2aaaaaafa000 r-xp 00000000 08:17 1435275                    /opt/kde3/lib64/kde3/kstdata_indirect.so
2aaaaaafa000-2aaaaacfa000 ---p 00006000 08:17 1435275                    /opt/kde3/lib64/kde3/kstdata_indirect.so
2aaaaacfa000-2aaaaacfc000 rw-p 00006000 08:17 1435275                    /opt/kde3/lib64/kde3/kstdata_indirect.so
2aaaaacfc000-2aaaaacfd000 r--p 00000000 08:17 1759367                    /usr/share/locale/en_GB/LC_MESSAGES/libc.mo
2aaaaacfd000-2aaaaad08000 r-xp 00000000 08:17 1435271                    /opt/kde3/lib64/kde3/kstdata_frame.so
2aaaaad08000-2aaaaaf07000 ---p 0000b000 08:17 1435271                    /opt/kde3/lib64/kde3/kstdata_frame.so
2aaaaaf07000-2aaaaaf09000 rw-p 0000a000 08:17 1435271                    /opt/kde3/lib64/kde3/kstdata_frame.so
2aaaaaf09000-2aaaaaf1e000 r-xp 00000000 08:17 1435263                    /opt/kde3/lib64/kde3/kstdata_ascii.so
2aaaaaf1e000-2aaaab11e000 ---p 00015000 08:17 1435263                    /opt/kde3/lib64/kde3/kstdata_ascii.so
2aaaab11e000-2aaaab120000 rw-p 00015000 08:17 1435263                    /opt/kde3/lib64/kde3/kstdata_ascii.so
2aaaab120000-2aaaab12b000 r-xp 00000000 08:17 1435267                    /opt/kde3/lib64/kde3/kstdata_dirfile.so
2aaaab12b000-2aaaab32a000 ---p 0000b000 08:17 1435267                    /opt/kde3/lib64/kde3/kstdata_dirfile.so
2aaaab32a000-2aaaab32c000 rw-p 0000a000 08:17 1435267                    /opt/kde3/lib64/kde3/kstdata_dirfile.so
2aaaab32c000-2aaaab37e000 r-xp 00000000 08:17 1435279                    /opt/kde3/lib64/kde3/kstdata_netcdf.so
2aaaab37e000-2aaaab57e000 ---p 00052000 08:17 1435279                    /opt/kde3/lib64/kde3/kstdata_netcdf.so
2aaaab57e000-2aaaab581000 rw-p 00052000 08:17 1435279                    /opt/kde3/lib64/kde3/kstdata_netcdf.so
2aaaab581000-2aaaab583000 rw-p 2aaaab581000 00:00 0
2aaaab583000-2aaaab589000 r-xp 00000000 08:17 1435299                    /opt/kde3/lib64/kde3/kstdata_qimagesource.so
2aaaab589000-2aaaab788000 ---p 00006000 08:17 1435299                    /opt/kde3/lib64/kde3/kstdata_qimagesource.so
2aaaab788000-2aaaab78a000 rw-p 00005000 08:17 1435299                    /opt/kde3/lib64/kde3/kstdata_qimagesource.so
2aaaab78a000-2aaaab78c000 rw-p 2aaaab78a000 00:00 0
2aaaab7c3000-2aaaab7cd000 r-xp 00000000 08:17 2216186                    /lib64/libnss_files-2.5.so
2aaaab7cd000-2aaaab9cc000 ---p 0000a000 08:17 2216186                    /lib64/libnss_files-2.5.so
2aaaab9cc000-2aaaab9ce000 rw-p 00009000 08:17 2216186                    /lib64/libnss_files-2.5.so
2aaaac000000-2aaaac021000 rw-p 2aaaac000000 00:00 0
2aaaac021000-2aaab0000000 ---p 2aaaac021000 00:00 0
2ae733366000-2ae733382000 r-xp 00000000 08:17 2216162                    /lib64/ld-2.5.so
2ae733382000-2ae733383000 rw-p 2ae733382000 00:00 0
2ae733383000-2ae733384000 r--p 00000000 08:17 1838599                    /usr/lib/locale/en_GB.utf8/LC_IDENTIFICATION
2ae733384000-2ae73338b000 r--s 00000000 08:17 1855330                    /usr/lib64/gconv/gconv-modules.cache
2ae73338b000-2ae73338c000 r--p 00000000 08:17 1855367                    /usr/lib/locale/en_GB.utf8/LC_MEASUREMENT
2ae73338c000-2ae73338d000 r--p 00000000 08:17 1840644                    /usr/lib/locale/en_GB.utf8/LC_TELEPHONE
2ae73338d000-2ae73338e000 r--p 00000000 08:17 1840583                    /usr/lib/locale/en_GB.utf8/LC_ADDRESS
2ae73338e000-2ae73338f000 r--p 00000000 08:17 1840645                    /usr/lib/locale/en_GB.utf8/LC_NAME
2ae73338f000-2ae733390000 r--p 00000000 08:17 1855366                    /usr/lib/locale/en_GB.utf8/LC_PAPER
2ae733390000-2ae733391000 r--p 00000000 08:17 1840713                    /usr/lib/locale/en_GB.utf8/LC_MESSAGES/SYS_LC_MESSAGES
2ae733391000-2ae733392000 r--p 00000000 08:17 1840646                    /usr/lib/locale/en_GB.utf8/LC_MONETARY
2ae7333bc000-2ae7333bd000 rw-p 2ae7333bc000 00:00 0
2ae7333bd000-2ae733494000 r--p 00000000 08:17 1855369                    /usr/lib/locale/en_GB.utf8/LC_COLLATE
2ae733494000-2ae733495000 r--p 00000000 08:17 1840582                    /usr/lib/locale/en_GB.utf8/LC_TIME
2ae733495000-2ae733496000 r--p 00000000 08:17 1855361                    /usr/lib/locale/en_GB.utf8/LC_NUMERIC
2ae733496000-2ae7334d1000 r--p 00000000 08:17 1855368                    /usr/lib/locale/en_GB.utf8/LC_CTYPE
2ae7334d1000-2ae7334d2000 r--s 00000000 08:17 1676627                    /var/cache/fontconfig/cf6c88e680607f2ab796171745f068a4-x86-64.cache-2
2ae7334d2000-2ae7334d3000 r--s 00000000 08:09 462254                     /home/bach/.fontconfig/ee977348e8c023fbc96a494f7da23515-x86-64.cache-2
2ae7334d3000-2ae733KCrash: Application 'kst' crashing...
Comment 1 Netterfield 2007-03-03 00:44:39 UTC 
This is clearly a string overflow bug in the shipped but no longer maintained 
readdata/frame file data source.   I can fix it, but for most people (eg, 
everyone who isn't reading 1997 Boomerang data - ie, everyone), an adequate 
fix would be to remove this data source.

On Friday 02 March 2007 4:19:16 pm Bastien Chevreux wrote:
[bugs.kde.org quoted mail]
Comment 2 Netterfield 2007-03-28 20:17:23 UTC 
Created attachment 20113 [details]
strcpy == evil; strncpy == less evil

as expected, we were overflowing the filename.
This 'fix' will stop kst from crashing, and will let you use really long
filenames on all data sources that support them...

important for 1.4
Comment 3 George Staikos 2007-03-28 20:22:33 UTC 
Looks good.

--
George Staikos
KDE Developer				http://www.kde.org/
Staikos Computing Services Inc.		http://www.staikos.net/
Comment 4 Netterfield 2007-03-28 20:39:26 UTC 
SVN commit 647569 by netterfield:

BUG: 142420
strcpy -> strncpy 



 M  +4 -3      creaddata.c  
 M  +3 -2      readdata.c  


--- trunk/extragear/graphics/kst/src/datasources/frame/creaddata.c #647568:647569
@@ -24,6 +24,7 @@
 #define MAX_LINE_LENGTH 120
 #define MAX_FIELDS_IN_CFORMAT 500
 #define MAX_LINCOM_ENTRIES 4
+#define MAX_FILENAMELEN 256
 
 #ifndef CALSPECS_DIR
 #define CALSPECS_DIR "/data/etc"
@@ -838,7 +839,7 @@
   int i_format, i_field, i_lincom;
   int s_per_frame;
   static int first_time=1;
-  char filename[100], tmpfilename[100];
+  char filename[MAX_FILENAMELEN], tmpfilename[MAX_FILENAMELEN];
   int i, n_read;
   void *tmpbuf;
   int *mp_cnt=NULL, *mp_data, cp_data;
@@ -852,7 +853,7 @@
     return(0);
   }
 
-  strcpy(filename, filename_in);
+  strncpy(filename, filename_in, MAX_FILENAMELEN-2);
 
   if (first_time) {
     *error_code = ReadCalFile();
@@ -900,7 +901,7 @@
     /* Find t0 from the file creation time */
     t0 = FindT0(filename_in,  cstruct[i_format].field[i_field].framerate);
     /* Find f0 from reading the first frame val */
-    strcpy(tmpfilename, filename);
+    strncpy(tmpfilename, filename, MAX_FILENAMELEN-2);
     tmpfilename[strlen(tmpfilename)-2] = '0';
     tmpfilename[strlen(tmpfilename)-1] = '0';
 
--- trunk/extragear/graphics/kst/src/datasources/frame/readdata.c #647568:647569
@@ -27,6 +27,7 @@
 #include "readdata.h"
 #define MAX_LINE_LENGTH 120
 #define MAX_FIELDS_IN_FORMAT 500
+#define MAX_FILENAMELEN 256
 
 #ifndef FILEFORMATS_DIR
 #define FILEFORMATS_DIR "/data/etc"
@@ -782,9 +783,9 @@
   char done='n';
   unsigned char *data_buffer;
   int fp;
-  char filename[100];
+  char filename[MAX_FILENAMELEN];
 
-  strcpy(filename, filename_in);
+  strncpy(filename, filename_in, MAX_FILENAMELEN-2);
 
   /****************************/
   /* Read the FileFormat file */