Bug#694260: Fwd: Re: [Bug-freedink] Bug#694260: freedink: Stack corruption

Bas Wijnen wijnen at debian.org
Mon Dec 3 09:11:46 UTC 2012


This message was meant for the bug itself as well (instead of the
wrongly written package address).

-------- Original Message --------
Subject: Re: [Bug-freedink] Bug#694260: freedink: Stack corruption
Date: Mon, 03 Dec 2012 10:02:23 +0100
From: Bas Wijnen <wijnen at debian.org>
Organization: Debian
To: Luiji Maryo <luiji at users.sourceforge.net>, control at bugs.debian.org,
 sdl-mixer1.2 at bugs.debian.org

reassign 694260 sdl-mixer1.2 1.2.12-3
thanks

Hello SDL maintainers,

I'm usually hesitant to assign a bug to a library, because it often
happens that the actual bug is in the calling code. This is even more
likely with freedink, which originates from code with lots of bugs.

However, in this case I think I really did hit a bug in the library. If
you disagree, feel free to assign it back of course.

Unfortunately, I am unable to create a slim test-case to trigger the
bug. The problem is "stack smashing", which means that there is a buffer
overflow on the stack. This is caught with gcc's stack protector (a
fortify feature), which checks a guard variable when a function with
arrays on the stack returns. Therefore the function from the backtrace
is the one which owns the overflowed array, but it may or may not be the
one which overflows it.

I attached a file which can be used to trigger this bug. If you want to
see it, you need to follow these steps:

1. install the freedink package.
2. unpack the attached midibug.tar.gz.
3. run "freedink -w -g midibug".

The midi file that causes the problem is midibug/sound/10.mid

If you have any questions, don't hesitate to ask.

Thanks,
Bas

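An added illustration of the mechanism Bas describes above (example code written for this page, not code from freedink, SDL_mixer or the bug report): one function owns a fixed-size array on its stack, a second function fills it from a length it did not validate, and gcc's stack protector notices the damaged guard only when the owning function returns. The names `play_track`, `fill_unchecked` and `fill_checked`, and the 16-byte buffer and 40-byte "track", are constructed for the example and stand in for whatever the real MIDI code does; the hardened `fill_checked` shows the bounds check the writer should have carried. Compile with `gcc -fstack-protector-strong` if your toolchain does not already enable the protector by default.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not freedink or SDL_mixer code. */

#define TRACK_BUF 16   /* size of the owner's stack array (assumption) */

/* The writer: copies `len` bytes into `dst` without knowing dst's size.
 * This is the function that actually overflows, yet it never shows up in
 * the stack-protector abort, because it has no guarded array of its own. */
static void fill_unchecked(unsigned char *dst, const unsigned char *src, size_t len)
{
    memcpy(dst, src, len);   /* writes past dst when len > its size */
}

/* Hardened writer: the destination size travels with the pointer and an
 * oversized request is refused. Returns 0 on success, -1 when refused. */
static int fill_checked(unsigned char *dst, size_t dst_size,
                        const unsigned char *src, size_t len)
{
    if (len > dst_size)
        return -1;
    memcpy(dst, src, len);
    return 0;
}

/* The owner: `buf` lives in this frame, so the stack protector places its
 * guard value beside it and verifies the guard when this function returns.
 * If fill_unchecked() clobbered the guard, the "stack smashing detected"
 * backtrace points at play_track(), not at the function that wrote too far.
 * Returns the byte sum of the track, or -1 if the checked path refused it. */
int play_track(const unsigned char *data, size_t len, int checked)
{
    unsigned char buf[TRACK_BUF];
    int sum = 0;

    if (checked) {
        if (fill_checked(buf, sizeof buf, data, len) != 0)
            return -1;   /* caller gets an error instead of an abort */
    } else {
        fill_unchecked(buf, data, len);
    }
    for (size_t i = 0; i < len && i < sizeof buf; i++)
        sum += buf[i];
    return sum;
}

/* Builds a constructed n-byte track of 0x01 bytes and plays it.
 * Returns play_track()'s result, or -2 if n exceeds the sample buffer. */
int play_constructed_track(size_t n, int checked)
{
    unsigned char track[64];

    if (n > sizeof track)
        return -2;
    memset(track, 0x01, n);
    return play_track(track, n, checked);
}

int main(int argc, char **argv)
{
    /* 8 bytes fit in buf: both paths return the sum 8. */
    printf("in-bounds, checked:   %d\n", play_constructed_track(8, 1));
    printf("in-bounds, unchecked: %d\n", play_constructed_track(8, 0));

    /* 40 bytes do not fit: the checked path returns -1 and nothing is harmed. */
    printf("oversized, checked:   %d\n", play_constructed_track(40, 1));

    /* The unchecked path overflows buf. With the stack protector enabled the
     * process aborts at play_track()'s return with a message like
     * "*** stack smashing detected ***". Opt in with any command-line argument. */
    if (argc > 1)
        printf("oversized, unchecked: %d\n", play_constructed_track(40, 0));
    return 0;
}
```

Run with an argument to see the abort. Note what the report does and does not tell you: the frame named in the backtrace is the one whose guard was checked (the array's owner), which is exactly why the mail warns that the function in the backtrace "may or may not be the one which overflows it". To find the writer rather than the owner, building with `-fsanitize=address` reports the out-of-bounds write at the `memcpy` itself instead of at function return.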
On 03-12-12 00:55, Luiji Maryo wrote:
> You should probably send that MIDI file to the SDL_Mixer developers as
> well so that they can look over it for something that would cause this
> type of fault.
> 
> 
> On Sun, Dec 2, 2012 at 2:20 PM, Bas Wijnen <wijnen at debian.org
> <mailto:wijnen at debian.org>> wrote:
> 
>     Hi,
> 
>     What I have found out so far:
> 
>     - It crashes when it makes the call to play the midi file.
>     - It doesn't crash when 20.mid is not present, nor when it is replaced
>     by a different midi file. (even though 20.mid plays without a problem
>     with timidity).
> 
>     However, a really slim test case with only calls to make that file play
>     is not enough to make it crash.
> 
>     Thanks,
>     Bas
> 
>     On 02-12-12 20:01, Sylvain wrote:
>     > Additional info :
>     >
>     > - No crash when run with '-s' (no sound), so looks like this comes
>     >   from SDL_Mixer indeed.
>     >
>     > - I think I tested this D-Mod already during the FreeDink development,
>     >   as I remembered it was a good test case for "bug-compatibility"
>     >   (ahem), albeit maybe only the Lava part.
>     >
>     > - Sylvain
>     >
>     > On Sun, Dec 02, 2012 at 06:39:40PM +0000, Sylvain wrote:
>     >> Hi,
>     >>
>     >> According to the backtrace, it looks like it's in the SDL_mixer
>     >> thread indeed.
>     >>
>     >> Cheers!
>     >> Sylvain
>     >>
>     >> On Sat, Dec 01, 2012 at 12:38:17AM +0100, Bas Wijnen wrote:
>     >>> After a lot of debugging, the problem seems to be in libSDL instead.
>     >>> If I manage to get a simple test program triggering the bug, I'll
>     >>> report it there and close this bug. Until I do, I'll leave it open
>     >>> on freedink, because I'm still not entirely sure.
>     >>>
>     >>> Thanks,
>     >>> Bas
>     >>>
>     >>> On 24-11-12 21:08, Bas Wijnen wrote:
>     >>>> Package: freedink
>     >>>> Version: 1.08.2012042
>     >>>>
>     >>>> The dmod "Eternal suicide" is full of bugs which are nicely handled
>     >>>> by the engine (and which don't really affect gameplay). However,
>     >>>> there is one problem which causes the engine to abort with the
>     >>>> attached message. I'm having trouble debugging this, as there is no
>     >>>> mention of what really is the problem, except that some fortify
>     >>>> check fails.
>     >>>>
>     >>>> I attached a save file with which you can reproduce it. It brings
>     >>>> you in front of a cave. Enter it and it crashes.
>     >>>>
>     >>>> Thanks,
>     >>>> Bas
> 
> 
> 
>     _______________________________________________
>     Bug-freedink mailing list
>     Bug-freedink at gnu.org <mailto:Bug-freedink at gnu.org>
>     https://lists.gnu.org/mailman/listinfo/bug-freedink
> 
> 
> 
> 
> -- 
> - Luiji Maryo
> mail: luiji at users.sourceforge.net <mailto:luiji at users.sourceforge.net>
> blog: http://brainboyblogger.blogspot.com/
> corp: http://www.entertainingsoftware.com/
> fun: http://www.secretmaryo.org/


-------------- next part --------------
A non-text attachment was scrubbed...
Name: midibug.tar.gz
Type: application/x-gzip
Size: 28442 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-sdl-maintainers/attachments/20121203/b57408d7/attachment-0001.bin>