[sword-devel] Major Sword bug found -- buffer overflow
Martin Gruner
mg.pub at gmx.net
Thu Mar 2 03:40:39 MST 2006
Hi,
sorry for my misunderstanding of how Sword internals work.
However, the problem is there; it may be something in the decompression
algorithm. I'm attaching a valgrind trace of the crash in BibleTime when I
try to open the GerHfaLex2002 without a valid key.
mg
--
no room in outbuffer to during decompression. see zipcomp.cpp
==6598==
==6598== Conditional jump or move depends on uninitialised value(s)
==6598== at 0x599FD16: sword::EntriesBlock::getMetaEntry(int, unsigned
long*, unsigned long*) (in /usr/lib/libsword.so.5.0.0)
==6598== by 0x599FFC7: sword::EntriesBlock::getEntrySize(int)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x599EBDA: sword::zStr::getCompressedText(long, long, char**)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x599FB28: sword::zStr::getText(long, char**, char**)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x59F0644: sword::zLD::getEntry(long)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x59F08DF: sword::zLD::getRawEntryBuf()
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x59EEC61: sword::SWLD::setPosition(sword::SW_POSITION)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x812B19E: CSwordLexiconModuleInfo::entries()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80ACF99: CLexiconKeyChooser::refreshContent()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80AD702:
CLexiconKeyChooser::CLexiconKeyChooser(QValueList<CSwordModuleInfo*>,
CSwordKey*, QWidget*, char const*)
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80A45FE:
CKeyChooser::createInstance(QValueList<CSwordModuleInfo*>, CSwordKey*,
QWidget*) (in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x808785B: CLexiconReadWindow::initView()
(in /home/dev/bibletime/bibletime/bibletime)
==6598==
==6598== Conditional jump or move depends on uninitialised value(s)
==6598== at 0x599FD16: sword::EntriesBlock::getMetaEntry(int, unsigned
long*, unsigned long*) (in /usr/lib/libsword.so.5.0.0)
==6598== by 0x599FF78: sword::EntriesBlock::getEntry(int)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x599EC0F: sword::zStr::getCompressedText(long, long, char**)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x599FB28: sword::zStr::getText(long, char**, char**)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x59F0644: sword::zLD::getEntry(long)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x59F08DF: sword::zLD::getRawEntryBuf()
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x59EEC61: sword::SWLD::setPosition(sword::SW_POSITION)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x812B19E: CSwordLexiconModuleInfo::entries()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80ACF99: CLexiconKeyChooser::refreshContent()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80AD702:
CLexiconKeyChooser::CLexiconKeyChooser(QValueList<CSwordModuleInfo*>,
CSwordKey*, QWidget*, char const*)
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80A45FE:
CKeyChooser::createInstance(QValueList<CSwordModuleInfo*>, CSwordKey*,
QWidget*) (in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x808785B: CLexiconReadWindow::initView()
(in /home/dev/bibletime/bibletime/bibletime)
no room in outbuffer to during decompression. see zipcomp.cpp
==6598==
==6598== Conditional jump or move depends on uninitialised value(s)
==6598== at 0x599FFD0: sword::EntriesBlock::getEntrySize(int)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x599EBDA: sword::zStr::getCompressedText(long, long, char**)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x599FB28: sword::zStr::getText(long, char**, char**)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x59F0644: sword::zLD::getEntry(long)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x59F0824: sword::zLD::increment(int)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x812B263: CSwordLexiconModuleInfo::entries()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80ACF99: CLexiconKeyChooser::refreshContent()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80AD702:
CLexiconKeyChooser::CLexiconKeyChooser(QValueList<CSwordModuleInfo*>,
CSwordKey*, QWidget*, char const*)
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80A45FE:
CKeyChooser::createInstance(QValueList<CSwordModuleInfo*>, CSwordKey*,
QWidget*) (in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x808785B: CLexiconReadWindow::initView()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80868AE: CDisplayWindow::init()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x807E11E:
BibleTime::createReadDisplayWindow(QValueList<CSwordModuleInfo*>, QString
const&) (in /home/dev/bibletime/bibletime/bibletime)
==6598==
==6598== Conditional jump or move depends on uninitialised value(s)
==6598== at 0x599FF81: sword::EntriesBlock::getEntry(int)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x599EC0F: sword::zStr::getCompressedText(long, long, char**)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x599FB28: sword::zStr::getText(long, char**, char**)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x59F0644: sword::zLD::getEntry(long)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x59F0824: sword::zLD::increment(int)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x812B263: CSwordLexiconModuleInfo::entries()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80ACF99: CLexiconKeyChooser::refreshContent()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80AD702:
CLexiconKeyChooser::CLexiconKeyChooser(QValueList<CSwordModuleInfo*>,
CSwordKey*, QWidget*, char const*)
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80A45FE:
CKeyChooser::createInstance(QValueList<CSwordModuleInfo*>, CSwordKey*,
QWidget*) (in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x808785B: CLexiconReadWindow::initView()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80868AE: CDisplayWindow::init()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x807E11E:
BibleTime::createReadDisplayWindow(QValueList<CSwordModuleInfo*>, QString
const&) (in /home/dev/bibletime/bibletime/bibletime)
==6598==
==6598== Conditional jump or move depends on uninitialised value(s)
==6598== at 0x401D917: realloc (vg_replace_malloc.c:306)
==6598== by 0x599EBF7: sword::zStr::getCompressedText(long, long, char**)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x599FB28: sword::zStr::getText(long, char**, char**)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x59F0644: sword::zLD::getEntry(long)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x59F0824: sword::zLD::increment(int)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x812B263: CSwordLexiconModuleInfo::entries()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80ACF99: CLexiconKeyChooser::refreshContent()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80AD702:
CLexiconKeyChooser::CLexiconKeyChooser(QValueList<CSwordModuleInfo*>,
CSwordKey*, QWidget*, char const*)
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80A45FE:
CKeyChooser::createInstance(QValueList<CSwordModuleInfo*>, CSwordKey*,
QWidget*) (in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x808785B: CLexiconReadWindow::initView()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80868AE: CDisplayWindow::init()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x807E11E:
BibleTime::createReadDisplayWindow(QValueList<CSwordModuleInfo*>, QString
const&) (in /home/dev/bibletime/bibletime/bibletime)
==6598==
==6598== Use of uninitialised value of size 4
==6598== at 0x401E7AA: strcpy (mac_replace_strmem.c:269)
==6598== by 0x599EC1D: sword::zStr::getCompressedText(long, long, char**)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x599FB28: sword::zStr::getText(long, char**, char**)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x59F0644: sword::zLD::getEntry(long)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x59F0824: sword::zLD::increment(int)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x812B263: CSwordLexiconModuleInfo::entries()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80ACF99: CLexiconKeyChooser::refreshContent()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80AD702:
CLexiconKeyChooser::CLexiconKeyChooser(QValueList<CSwordModuleInfo*>,
CSwordKey*, QWidget*, char const*)
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80A45FE:
CKeyChooser::createInstance(QValueList<CSwordModuleInfo*>, CSwordKey*,
QWidget*) (in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x808785B: CLexiconReadWindow::initView()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80868AE: CDisplayWindow::init()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x807E11E:
BibleTime::createReadDisplayWindow(QValueList<CSwordModuleInfo*>, QString
const&) (in /home/dev/bibletime/bibletime/bibletime)
==6598==
==6598== Conditional jump or move depends on uninitialised value(s)
==6598== at 0x401E7B3: strcpy (mac_replace_strmem.c:269)
==6598== by 0x599EC1D: sword::zStr::getCompressedText(long, long, char**)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x599FB28: sword::zStr::getText(long, char**, char**)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x59F0644: sword::zLD::getEntry(long)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x59F0824: sword::zLD::increment(int)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x812B263: CSwordLexiconModuleInfo::entries()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80ACF99: CLexiconKeyChooser::refreshContent()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80AD702:
CLexiconKeyChooser::CLexiconKeyChooser(QValueList<CSwordModuleInfo*>,
CSwordKey*, QWidget*, char const*)
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80A45FE:
CKeyChooser::createInstance(QValueList<CSwordModuleInfo*>, CSwordKey*,
QWidget*) (in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x808785B: CLexiconReadWindow::initView()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80868AE: CDisplayWindow::init()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x807E11E:
BibleTime::createReadDisplayWindow(QValueList<CSwordModuleInfo*>, QString
const&) (in /home/dev/bibletime/bibletime/bibletime)
==6598==
==6598== Conditional jump or move depends on uninitialised value(s)
==6598== at 0x401E7DC: strcpy (mac_replace_strmem.c:69)
==6598== by 0x599EC1D: sword::zStr::getCompressedText(long, long, char**)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x599FB28: sword::zStr::getText(long, char**, char**)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x59F0644: sword::zLD::getEntry(long)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x59F0824: sword::zLD::increment(int)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x812B263: CSwordLexiconModuleInfo::entries()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80ACF99: CLexiconKeyChooser::refreshContent()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80AD702:
CLexiconKeyChooser::CLexiconKeyChooser(QValueList<CSwordModuleInfo*>,
CSwordKey*, QWidget*, char const*)
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80A45FE:
CKeyChooser::createInstance(QValueList<CSwordModuleInfo*>, CSwordKey*,
QWidget*) (in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x808785B: CLexiconReadWindow::initView()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80868AE: CDisplayWindow::init()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x807E11E:
BibleTime::createReadDisplayWindow(QValueList<CSwordModuleInfo*>, QString
const&) (in /home/dev/bibletime/bibletime/bibletime)
==6598== Warning: set address range perms: large range 243302452, a 0, v 1
==6598== Warning: set address range perms: large range 243302481, a 1, v 1
==6598== Warning: silly arg (-2147483639) to realloc()
==6598==
==6598== Invalid write of size 1
==6598== at 0x401E7C0: strcpy (mac_replace_strmem.c:269)
==6598== by 0x599EC1D: sword::zStr::getCompressedText(long, long, char**)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x599FB28: sword::zStr::getText(long, char**, char**)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x59F0644: sword::zLD::getEntry(long)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x59F0824: sword::zLD::increment(int)
(in /usr/lib/libsword.so.5.0.0)
==6598== by 0x812B263: CSwordLexiconModuleInfo::entries()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80ACF99: CLexiconKeyChooser::refreshContent()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80AD702:
CLexiconKeyChooser::CLexiconKeyChooser(QValueList<CSwordModuleInfo*>,
CSwordKey*, QWidget*, char const*)
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80A45FE:
CKeyChooser::createInstance(QValueList<CSwordModuleInfo*>, CSwordKey*,
QWidget*) (in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x808785B: CLexiconReadWindow::initView()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x80868AE: CDisplayWindow::init()
(in /home/dev/bibletime/bibletime/bibletime)
==6598== by 0x807E11E:
BibleTime::createReadDisplayWindow(QValueList<CSwordModuleInfo*>, QString
const&) (in /home/dev/bibletime/bibletime/bibletime)
==6598== Address 0x0 is not stack'd, malloc'd or (recently) free'd
*** BibleTime got signal 11 (Crashing). Trying to save settings.
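The trace above shows the whole chain that a defender wants to break as early as possible: entry metadata read from a block that was inflated without the right key is garbage (the "uninitialised value" reports in EntriesBlock::getMetaEntry and getEntrySize), that garbage size goes straight into realloc() (the "silly arg (-2147483639)" warning), realloc() returns NULL, and strcpy() then writes to address 0x0. The following is an added example, not code from Sword or BibleTime; the block layout it parses (a uint32 entry count, a table of uint32 offset/size pairs, then the payload) is an assumption made for illustration and is not claimed to be Sword's real EntriesBlock format. It shows a reader that treats every field of such a block as untrusted and refuses to allocate or copy until offset and size have been checked against the block length.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed (not Sword's actual) block layout, little-endian throughout:
 *   uint32 count
 *   count x { uint32 offset; uint32 size; }   meta table
 *   payload bytes, addressed by offset relative to the payload start
 * Every field is untrusted: a module inflated with the wrong key yields
 * bytes that merely look like a block. */
#define META_ENTRY_SIZE 8

static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

/* Copies entry `index` into a fresh NUL-terminated buffer.
 * Returns 0 on success, -1 if the metadata is inconsistent with the
 * block length or allocation fails. Never touches memory outside
 * [block, block + block_len). */
int get_entry_checked(const unsigned char *block, size_t block_len,
                      uint32_t index, char **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (block_len < 4)
        return -1;
    uint32_t count = rd32(block);
    /* Check 1: the meta table must fit in the block. This also caps
     * count, so count * META_ENTRY_SIZE cannot overflow below. */
    if (count > (block_len - 4) / META_ENTRY_SIZE)
        return -1;
    if (index >= count)
        return -1;
    size_t data_start = 4 + (size_t)count * META_ENTRY_SIZE;
    const unsigned char *meta = block + 4 + (size_t)index * META_ENTRY_SIZE;
    uint32_t offset = rd32(meta);
    uint32_t size = rd32(meta + 4);
    /* Check 2: the entry must lie entirely inside the payload. Written as
     * subtractions so no sum can wrap; a garbage size such as 0x80000000
     * (the negative "silly arg" seen in the realloc warning above) is
     * rejected here, before any allocation happens. */
    size_t payload_len = block_len - data_start;
    if (offset > payload_len || size > payload_len - offset)
        return -1;
    char *buf = malloc((size_t)size + 1);
    if (!buf)
        return -1; /* Check 3: never copy into a NULL allocation result */
    memcpy(buf, block + data_start + offset, size);
    buf[size] = '\0';
    *out = buf;
    *out_len = size;
    return 0;
}

/* Builds a constructed two-entry sample block ("abc", "hello") into buf.
 * Returns the block length (28) or 0 if cap is too small. */
size_t build_sample_block(unsigned char *buf, size_t cap)
{
    if (cap < 28)
        return 0;
    wr32(buf, 2);                 /* count */
    wr32(buf + 4, 0);  wr32(buf + 8, 3);   /* entry 0: offset 0, size 3 */
    wr32(buf + 12, 3); wr32(buf + 16, 5);  /* entry 1: offset 3, size 5 */
    memcpy(buf + 20, "abchello", 8);       /* payload */
    return 28;
}

/* Builds a block whose single meta entry carries a huge size, mimicking
 * the garbage that a wrong key produces. Returns the block length. */
size_t build_garbage_block(unsigned char *buf, size_t cap)
{
    if (cap < 16)
        return 0;
    wr32(buf, 1);                          /* count */
    wr32(buf + 4, 0); wr32(buf + 8, 0x80000000u); /* size would be negative as int */
    memset(buf + 12, 0x41, 4);             /* four bytes of payload */
    return 16;
}

int main(void)
{
    unsigned char blk[64];
    char *text; size_t len;
    size_t n = build_sample_block(blk, sizeof blk);
    if (get_entry_checked(blk, n, 1, 1 ? &text : NULL, &len) == 0) {
        printf("entry 1 = \"%s\" (%zu bytes)\n", text, len);
        free(text);
    }
    n = build_garbage_block(blk, sizeof blk);
    printf("garbage block rejected: %s\n",
           get_entry_checked(blk, n, 0, &text, &len) == -1 ? "yes" : "no");
    return 0;
}
```

The important design choice is that the size check happens against the real block length, not against whatever the block claims about itself; once metadata and allocation are both validated, the copy is a bounded memcpy rather than a strcpy that trusts a terminator to exist.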