Fix crash due to out-of-bounds access on 64-bit arches.

Package-Manager: portage-2.2.0_alpha85/cvs/Linux x86_64
author: Sergei Trofimovich <slyfox@gentoo.org> 2012-02-05 19:37:31 +0000
committer: Sergei Trofimovich <slyfox@gentoo.org> 2012-02-05 19:37:31 +0000
commit: 00fb95b45ece68dc3dde6fb0a79ab4fe9efff89b (patch)
tree: f27ce03feec11ff01f57788f821cbd5f7d39040b /app-misc
parent: Don't die if hg pull exits with status 1. (diff)
download: historical-00fb95b45ece68dc3dde6fb0a79ab4fe9efff89b.tar.gz
historical-00fb95b45ece68dc3dde6fb0a79ab4fe9efff89b.tar.bz2
historical-00fb95b45ece68dc3dde6fb0a79ab4fe9efff89b.zip
6 files changed, 136 insertions, 7 deletions
diff --git a/app-misc/bb/ChangeLog b/app-misc/bb/ChangeLog
index 6d2af5dfbbfa..f62771e6e050 100644
--- a/app-misc/bb/ChangeLog
+++ b/app-misc/bb/ChangeLog
@@ -1,6 +1,14 @@
 # ChangeLog for app-misc/bb
 # Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-misc/bb/ChangeLog,v 1.3 2012/01/28 19:25:23 slyfox Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-misc/bb/ChangeLog,v 1.4 2012/02/05 19:37:31 slyfox Exp $
+
+*bb-1.3.0_rc1-r2 (05 Feb 2012)
+
+  05 Feb 2012; Sergei Trofimovich <slyfox@gentoo.org> +bb-1.3.0_rc1-r2.ebuild,
+  +files/bb-1.3.0_rc1-messager-overlap.patch,
+  +files/bb-1.3.0_rc1-printf-cleanup.patch,
+  +files/bb-1.3.0_rc1-zbuff-fault.patch, -bb-1.3.0_rc1-r1.ebuild:
+  Fix crash due to out-of-bounds access on 64-bit arches.
 
 *bb-1.3.0_rc1-r1 (28 Jan 2012)
 
diff --git a/app-misc/bb/Manifest b/app-misc/bb/Manifest
index e56d86b09160..e5e163727297 100644
--- a/app-misc/bb/Manifest
+++ b/app-misc/bb/Manifest
@@ -2,15 +2,18 @@
 Hash: SHA1
 
 AUX bb-1.3.0_rc1-fix-protos.patch 369 RMD160 9a5d17403261476057d5658049084c342f9444a0 SHA1 900d39d2ab8c4d40382215cf4e2c146b7eaafbb6 SHA256 44fbe09a7ec1dd12f07e99aadec010eaffda8ada7fd836386956979906b49bc2
+AUX bb-1.3.0_rc1-messager-overlap.patch 1623 RMD160 7e0668cc0d0420a694e146d0c1ed77456b7b6360 SHA1 3007d59f71498a809a5385ef8b6e3d6f21809d44 SHA256 c8db5f70a14373e5a29afd04406e2ff9b307a605c2531aeb5d41b704d24861e8
 AUX bb-1.3.0_rc1-noattr.patch 509 RMD160 2f055793a0319d9dbae210920e4beace56d50308 SHA1 91623c619e2b38d14f5c1c5af9fafae5dc532918 SHA256 53463b5dca4b5b1240a39e4b41055e7583447d6c551131b1012ab559c61a6b29
+AUX bb-1.3.0_rc1-printf-cleanup.patch 2885 RMD160 c184c230ee552ab25a2211dfeedf4c9128983193 SHA1 6b7c7adec32472f10520cadd3326a2914750031d SHA256 12c5ede2a13eba22801261b16675dd0c2c3b5d0b68114f441da8ac4411d83235
+AUX bb-1.3.0_rc1-zbuff-fault.patch 1105 RMD160 79d609edbcaacd725fbdb894ff161b8dbb124cc5 SHA1 fc7816fff319ab9f00af09024598b9ff4266bb11 SHA256 f0e759752c40df22b70feb97997b374f154f0d8d5960091fcfe5b75e6bb3ec9a
 DIST bb-1.3rc1.tar.gz 1416292 RMD160 15ea8112bf551ad6a4da2860d01d8f22c6021eba SHA1 e4e87c6079d220d0bd4bdc97428020471a77cf68 SHA256 793d88c872793b6dab444cf5bab24f283ecb2f3502f1479ebbe41dd8e90b81c4
-EBUILD bb-1.3.0_rc1-r1.ebuild 1259 RMD160 cc4294e92089378fff620956848423d5937dd8d2 SHA1 1a8c525c9f33b743cb349b89db54e3d04371fe4d SHA256 ea4b993d0060e372c4b7806510c627b418264a559062731b4b24c0d240f75b1b
-MISC ChangeLog 789 RMD160 4675a92dd60a413f9050e345c447696b959d46f4 SHA1 372806f7fd18bb26cbe9d3b0743343a29e24bb54 SHA256 c31893bca326b44d867c45bba8270a27c90572e3251014549fee0b748229a37e
+EBUILD bb-1.3.0_rc1-r2.ebuild 1402 RMD160 e66dcef95bff83083e2c8262c8238237f2687d23 SHA1 9d3bc852c947d127b8d37fa5543ff4786be3dca8 SHA256 2c3f5b692f9044320abaed6899d02cb4df262eb45878c3917cd2622cf6d33033
+MISC ChangeLog 1115 RMD160 2f14e0c734e20d289f0eb895c4c0c28400bddbcf SHA1 9ff2ee35fefa3bfbaa6dd92058ac292aefec5a98 SHA256 1598ece45a39a12b764ca55379d75dce22dca67850cc5f82014ee148e93f2732
 MISC metadata.xml 330 RMD160 12c9e416f2ee3f470e0c55bffc6ca441035c8645 SHA1 360c646317f35f81e9e2b543432767d2e125101c SHA256 03d9f6686a71868d2b85d59dce05a7dcb7b83cfc14763f7b11d7826c71e0de7e
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.17 (GNU/Linux)
 
-iEYEARECAAYFAk8kTK4ACgkQcaHudmEf86oR5gCdHARTs9/8RvVh16Q84G3SVsMm
-t/cAn2iAzmiwgXXBEzYLnSR5nrjPtcWX
-=q8EA
+iEYEARECAAYFAk8u244ACgkQcaHudmEf86q83ACfSWbZNiqquu/ca0oRnDyq2B18
+7O4AnjPTfUGxfX4srp3GjeolceqLRX3A
+=FbNp
 -----END PGP SIGNATURE-----
diff --git a/app-misc/bb/bb-1.3.0_rc1-r1.ebuild b/app-misc/bb/bb-1.3.0_rc1-r2.ebuild
index 24340d184524..226bf990b3a2 100644
--- a/app-misc/bb/bb-1.3.0_rc1-r1.ebuild
+++ b/app-misc/bb/bb-1.3.0_rc1-r2.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2012 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-misc/bb/bb-1.3.0_rc1-r1.ebuild,v 1.1 2012/01/28 19:25:23 slyfox Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-misc/bb/bb-1.3.0_rc1-r2.ebuild,v 1.1 2012/02/05 19:37:31 slyfox Exp $
 
 EAPI=4
 
@@ -26,6 +26,9 @@ S="${WORKDIR}/${PN}-$(get_version_component_range 1-3)"
 src_prepare() {
 	epatch "${FILESDIR}/${P}-noattr.patch"
 	epatch "${FILESDIR}/${P}-fix-protos.patch"
+	epatch "${FILESDIR}"/${P}-messager-overlap.patch
+	epatch "${FILESDIR}"/${P}-zbuff-fault.patch
+	epatch "${FILESDIR}"/${P}-printf-cleanup.patch
 
 	# rename binary and manpage bb -> bb-aalib
 
diff --git a/app-misc/bb/files/bb-1.3.0_rc1-messager-overlap.patch b/app-misc/bb/files/bb-1.3.0_rc1-messager-overlap.patch
new file mode 100644
index 000000000000..e46b75fd5815
--- /dev/null
+++ b/app-misc/bb/files/bb-1.3.0_rc1-messager-overlap.patch
@@ -0,0 +1,25 @@
+messager.c: fix memory overlap (fixes artefacts in scrolling text)
+
+==363== Source and destination overlap in memcpy(0xa066240, 0xa0662b8, 240)
+==363==    at 0x4C2B220: memcpy@@GLIBC_2.14 (mc_replace_strmem.c:838)
+==363==    by 0x407D97: newline (messager.c:43)
+==363==    by 0x407EE6: put (messager.c:54)
+==363==    by 0x40806E: messager (messager.c:77)
+==363==    by 0x403009: bb (bb.c:258)
+==363==    by 0x407C06: main (main.c:202)
+
+diff --git a/messager.c b/messager.c
+index 95cc410..964080b 100644
+--- a/messager.c
++++ b/messager.c
+@@ -40,8 +40,8 @@ static void newline()
+ 	start = 0;
+     cursor_y++, cursor_x = 0;
+     if (cursor_y >= aa_scrheight(context)) {
+-	memcpy(context->textbuffer + start * aa_scrwidth(context), context->textbuffer + (start + 1) * aa_scrwidth(context), aa_scrwidth(context) * (aa_scrheight(context) - start - 1));
+-	memcpy(context->attrbuffer + start * aa_scrwidth(context), context->attrbuffer + (start + 1) * aa_scrwidth(context), aa_scrwidth(context) * (aa_scrheight(context) - start - 1));
++	memmove(context->textbuffer + start * aa_scrwidth(context), context->textbuffer + (start + 1) * aa_scrwidth(context), aa_scrwidth(context) * (aa_scrheight(context) - start - 1));
++	memmove(context->attrbuffer + start * aa_scrwidth(context), context->attrbuffer + (start + 1) * aa_scrwidth(context), aa_scrwidth(context) * (aa_scrheight(context) - start - 1));
+ 	memset(context->textbuffer + aa_scrwidth(context) * (aa_scrheight(context) - 1), ' ', aa_scrwidth(context));
+ 	memset(context->attrbuffer + aa_scrwidth(context) * (aa_scrheight(context) - 1), 0, aa_scrwidth(context));
+ 	cursor_y--;
diff --git a/app-misc/bb/files/bb-1.3.0_rc1-printf-cleanup.patch b/app-misc/bb/files/bb-1.3.0_rc1-printf-cleanup.patch
new file mode 100644
index 000000000000..da113795124b
--- /dev/null
+++ b/app-misc/bb/files/bb-1.3.0_rc1-printf-cleanup.patch
@@ -0,0 +1,55 @@
+zoom.c: cleanup protos
+
+x86_64-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I.     -O2 -march=core2 -pipe -I/usr/include -pthread -D_REENTRANT -D SOUNDDIR=\"/usr/share/bb\" -c zoom.c
+zoom.c: In function 'mkrealloc_table':
+zoom.c:245:113: warning: format '%i' expects type 'int', but argument 3 has type 'long unsigned int'
+zoom.c:251:113: warning: format '%i' expects type 'int', but argument 3 has type 'long unsigned int'
+zoom.c:260:113: warning: format '%i' expects type 'int', but argument 3 has type 'long unsigned int'
+zoom.c: In function 'moveoldpoints':
+zoom.c:590:3: warning: format '%i' expects type 'int', but argument 3 has type 'long unsigned int'
+zoom.c:596:3: warning: format '%i' expects type 'int', but argument 3 has type 'long unsigned int'
+diff --git a/zoom.c b/zoom.c
+index 7450095..b86cc8b 100644
+--- a/zoom.c
++++ b/zoom.c
+@@ -241,13 +241,13 @@ static /*INLINE */ void mkrealloc_table(register number_t * pos, realloc_t * rea
+ #endif
+     if (dyndata == NULL) {
+ 	fprintf(stderr, "XaoS fatal error:Could not allocate memory for"
+-		"temporary dynamical data of size:%i\n"
++		"temporary dynamical data of size:%li\n"
+ 		"I am unable to handle this problem so please resize to lower window\n", (size) * (DSIZE + 1) * sizeof(struct dyn_data) + size * sizeof(int) + size * sizeof(int));
+ 	return;
+     }
+     if (best == NULL) {
+ 	fprintf(stderr, "XaoS fatal error:Could not allocate memory for"
+-		"temporary dynamical data of size:%i\n"
++		"temporary dynamical data of size:%li\n"
+ 		"I am unable to handle this problem so please resize to lower window\n", (size) * (DSIZE + 1) * sizeof(struct dyn_data) + size * sizeof(int) + size * sizeof(int));
+ #ifndef HAVE_ALLOCA
+ 	free(dyndata);
+@@ -256,7 +256,7 @@ static /*INLINE */ void mkrealloc_table(register number_t * pos, realloc_t * rea
+     }
+     if (best1 == NULL) {
+ 	fprintf(stderr, "XaoS fatal error:Could not allocate memory for"
+-		"temporary dynamical data of size:%i\n"
++		"temporary dynamical data of size:%li\n"
+ 		"I am unable to handle this problem so please resize to lower window\n", (size) * (DSIZE + 1) * sizeof(struct dyn_data) + size * sizeof(int) + size * sizeof(int));
+ #ifndef HAVE_ALLOCA
+ 	free(dyndata);
+@@ -586,13 +586,13 @@ static /*INLINE */ void moveoldpoints(void)
+ #endif
+     if (size == NULL) {
+ 	fprintf(stderr, "XaoS fratal error:Could not allocate memory for"
+-		"temporary dynamical data of size:%i\n"
++		"temporary dynamical data of size:%li\n"
+ 		"I am unable to handle this problem so please resize to lower window\n", 2 * d->width * sizeof(int));
+ 	return;
+     }
+     if (start == NULL) {
+ 	fprintf(stderr, "XaoS fratal error:Could not allocate memory for"
+-		"temporary dynamical data of size:%i\n"
++		"temporary dynamical data of size:%li\n"
+ 		"I am unable to handle this problem so please resize to lower window\n", 2 * d->width * sizeof(int));
+ #ifndef HAVE_ALLOCA
+ 	free(size);
diff --git a/app-misc/bb/files/bb-1.3.0_rc1-zbuff-fault.patch b/app-misc/bb/files/bb-1.3.0_rc1-zbuff-fault.patch
new file mode 100644
index 000000000000..b3e882ed55e9
--- /dev/null
+++ b/app-misc/bb/files/bb-1.3.0_rc1-zbuff-fault.patch
@@ -0,0 +1,35 @@
+tex.c: Fix out-of-bounds zbuff clearing
+
+> zbuff = (int *) malloc(X_s * Y_s * sizeof(int));
+> memset(zbuff, 0x55, (X_s * Y_s * sizeof(long)));
+
+Ouch! amd64: sizeof(long) == 8; sizeof (int) == 4
+
+Valgrind says:
+==4525== Invalid write of size 4
+==4525==    at 0x4C2C3AF: memset (mc_replace_strmem.c:967)
+==4525==    by 0x4122E0: clear_zbuff (tex.c:95)
+==4525==    by 0x4144D8: disp3d (tex.c:292)
+==4525==    by 0x40F3C6: scene5 (scene5.c:206)
+==4525==    by 0x4031BC: bb (bb.c:325)
+==4525==    by 0x407C56: main (main.c:202)
+==4525==  Address 0xac9ef00 is 0 bytes after a block of size 34,992 alloc'd
+==4525==    at 0x4C2996D: malloc (vg_replace_malloc.c:263)
+==4525==    by 0x412283: set_zbuff (tex.c:85)
+==4525==    by 0x40F347: scene5 (scene5.c:196)
+==4525==    by 0x4031BC: bb (bb.c:325)
+==4525==    by 0x407C56: main (main.c:202)
+
+diff --git a/tex.c b/tex.c
+index 9f2f99d..b390510 100644
+--- a/tex.c
++++ b/tex.c
+@@ -92,7 +92,7 @@ void unset_zbuff()
+ 
+ static inline void clear_zbuff()
+ {
+-    memset(zbuff, 0x55, (X_s * Y_s * sizeof(long)));
++    memset(zbuff, 0x55, (X_s * Y_s * sizeof(int)));
+ }
+ 
+
author	Sergei Trofimovich <slyfox@gentoo.org>	2012-02-05 19:37:31 +0000
committer	Sergei Trofimovich <slyfox@gentoo.org>	2012-02-05 19:37:31 +0000
commit	00fb95b45ece68dc3dde6fb0a79ab4fe9efff89b (patch)
tree	f27ce03feec11ff01f57788f821cbd5f7d39040b /app-misc
parent	Don't die if hg pull exits with status 1. (diff)
download	historical-00fb95b45ece68dc3dde6fb0a79ab4fe9efff89b.tar.gz historical-00fb95b45ece68dc3dde6fb0a79ab4fe9efff89b.tar.bz2 historical-00fb95b45ece68dc3dde6fb0a79ab4fe9efff89b.zip