https://bugzilla.redhat.com/show_bug.cgi?id=1549478
Jakub Jelinek <jakub(a)redhat.com> changed:
What      |Removed                     |Added
----------+----------------------------+----------------------------------------------------
CC        |                            |i18n-bugs(a)lists.fedoraproject.org, tagoh(a)redhat.com
Component |gcc                         |uim
Assignee  |jakub(a)redhat.com          |tagoh(a)redhat.com
Summary   |gcc optimizations causes a  |buffer overflow in uim
          |segfault on building uim    |
          |package                     |
--- Comment #1 from Jakub Jelinek <jakub(a)redhat.com> ---
There is nothing weird about it; you overflow a buffer. Before filing bugs, try
your package with -fsanitize=address and/or -fsanitize=undefined.
static MConverter *converter;
static char buffer_for_converter[4096]; /* Currently, if preedit strings or
                                           candidate strings over this buffer
                                           size, they will simply ignore. */
...
static char *
convert_mtext2str(MText *mtext)
{
  mconv_rebind_buffer(converter, (unsigned char *)buffer_for_converter,
                      sizeof(buffer_for_converter));
  mconv_encode(converter, mtext);
  /* nbytes can be 4096 here, one past the end of the array */
  buffer_for_converter[converter->nbytes] = 0;
  return uim_strdup(buffer_for_converter);
}
So, you first call mconv_rebind_buffer, which sets internal->bufsize to 4096,
then try to encode something. If it is really long, it will encode at most
bufsize characters and set converter->nbytes to 4096. Then in
buffer_for_converter[converter->nbytes] = 0;
you overflow the buffer, and because the converter pointer happens to be adjacent
(with -O2 it is right after it), you overwrite the least significant byte of it.
I guess either you need to pass sizeof(buffer_for_converter)-1 to
mconv_rebind_buffer, so that there is a place for the terminating '\0', or do
that and also bump the buffer_for_converter size to 4096+1.
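The off-by-one from the comment above, rebuilt as an added C example that is not uim's or m17n's code: a constructed FakeConverter and fake_encode stand in for MConverter/mconv_encode (assumed, like the real encoder, to write at most bufsize bytes and report the count in nbytes), and the buggy binding is shown next to the sizeof-1 fix the comment suggests.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for m17n's MConverter (assumption, not the real API). */
typedef struct {
    unsigned char *buf;
    size_t bufsize;   /* what mconv_rebind_buffer was given */
    size_t nbytes;    /* bytes written by the last encode */
} FakeConverter;

static void fake_rebind_buffer(FakeConverter *c, unsigned char *buf, size_t size) {
    c->buf = buf; c->bufsize = size; c->nbytes = 0;
}

/* Like mconv_encode: copies text into the bound buffer, truncated at bufsize,
 * and records how many bytes were written. No terminator is added. */
static void fake_encode(FakeConverter *c, const char *text) {
    size_t n = strlen(text);
    if (n > c->bufsize) n = c->bufsize;
    memcpy(c->buf, text, n);
    c->nbytes = n;
}

#define BUFSZ 4096
static char buffer_for_converter[BUFSZ];
static FakeConverter conv;

/* uim's pattern: the whole array is handed to the converter. Returns the index
 * the terminating NUL would be stored at; BUFSZ means one byte past the array,
 * so the write is only performed here when it is in bounds. */
size_t nul_index_buggy(const char *text) {
    fake_rebind_buffer(&conv, (unsigned char *)buffer_for_converter, sizeof buffer_for_converter);
    fake_encode(&conv, text);
    if (conv.nbytes < sizeof buffer_for_converter) buffer_for_converter[conv.nbytes] = 0;
    return conv.nbytes;
}

/* Fixed variant: bind sizeof-1 so the terminator always has a slot. */
size_t nul_index_fixed(const char *text) {
    fake_rebind_buffer(&conv, (unsigned char *)buffer_for_converter, sizeof buffer_for_converter - 1);
    fake_encode(&conv, text);
    buffer_for_converter[conv.nbytes] = 0;   /* nbytes <= BUFSZ-1, in bounds */
    return conv.nbytes;
}

/* Constructed input longer than the buffer: 5000 bytes of 'a'. */
const char *long_input(void) {
    static char text[5001];
    if (text[0] == 0) { memset(text, 'a', 5000); text[5000] = 0; }
    return text;
}
```

Building the real package with -fsanitize=address reports the same one-byte write as a global-buffer-overflow on the line that stores the terminator.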