Bug 157739 - [PATCH] Buffer overflow when importing photos from Ricoh camera
Summary: [PATCH] Buffer overflow when importing photos from Ricoh camera
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: gphoto2
Version: rawhide
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Tim Waugh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-05-14 12:05 UTC by Gijs Hollestelle
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 2.1.5-9
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-05-14 12:22:59 UTC


Attachments
Patch to fix the buffer overflow (deleted)
2005-05-14 12:05 UTC, Gijs Hollestelle

Description Gijs Hollestelle 2005-05-14 12:05:08 UTC
Description of problem:
When importing photos using gthumb or gphoto2 -P the process is killed because
of a buffer overflow (caused by the FORTIFY_SOURCE)

Version-Release number of selected component (if applicable):
gphoto2-2.1.5-8

How reproducible:
Import photos from a Ricoh G3 camera.

Steps to Reproduce:
1. Attach Ricoh G3 camera
2. Run gphoto2 -P

Actual results:

[gijs@bruce test]% gphoto2 -P
*** buffer overflow detected ***: gphoto2 terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0x1ef345]
/lib/libc.so.6(__strcpy_chk+0x3f)[0x1ee9d7]
/usr/lib/gphoto2/2.1.5/libgphoto2_ricoh_g3.so[0xa02db6]
/usr/lib/libgphoto2.so.2(gp_filesystem_list_files+0x125)[0xb790a9]
/usr/lib/libgphoto2.so.2(gp_camera_folder_list_files+0xec)[0xb7230b]
gphoto2[0x804e13a]
gphoto2[0x804e2cc]
gphoto2[0x804e2cc]
gphoto2[0x804e2cc]
gphoto2[0x8051d41]
/usr/lib/libpopt.so.0[0x5f6567]
/usr/lib/libpopt.so.0(poptGetNextOpt+0x246)[0x5f7d80]
gphoto2[0x80505cf]
/lib/libc.so.6(__libc_start_main+0xc6)[0x125de6]
gphoto2[0x804ad21]
======= Memory map: ========
00111000-00235000 r-xp 00000000 03:01 4177923    /lib/libc-2.3.5.so
00235000-00237000 r-xp 00124000 03:01 4177923    /lib/libc-2.3.5.so
00237000-00239000 rwxp 00126000 03:01 4177923    /lib/libc-2.3.5.so
00239000-0023b000 rwxp 00239000 00:00 0
004dd000-004e6000 r-xp 00000000 03:01 4177929    /lib/libgcc_s-4.0.0-20050505.so.1
004e6000-004e7000 rwxp 00009000 03:01 4177929    /lib/libgcc_s-4.0.0-20050505.so.1
004e9000-00507000 r-xp 00000000 03:01 333045     /usr/lib/libjpeg.so.62.0.0
00507000-00508000 rwxp 0001d000 03:01 333045     /usr/lib/libjpeg.so.62.0.0
005f5000-005fc000 r-xp 00000000 03:01 330099     /usr/lib/libpopt.so.0.0.0
005fc000-005fd000 rwxp 00006000 03:01 330099     /usr/lib/libpopt.so.0.0.0
00929000-00943000 r-xp 00000000 03:01 750756     /lib/ld-2.3.5.so
00943000-00944000 r-xp 00019000 03:01 750756     /lib/ld-2.3.5.so
00944000-00945000 rwxp 0001a000 03:01 750756     /lib/ld-2.3.5.so
0097d000-0097e000 r-xp 0097d000 00:00 0
00995000-0099b000 r-xp 00000000 03:01 338350     /usr/lib/libgphoto2_port.so.0.5.1
0099b000-0099c000 rwxp 00005000 03:01 338350     /usr/lib/libgphoto2_port.so.0.5.1
00a00000-00a04000 r-xp 00000000 03:01 461267     /usr/lib/gphoto2/2.1.5/libgphoto2_ricoh_g3.so
00a04000-00a05000 rwxp 00003000 03:01 461267     /usr/lib/gphoto2/2.1.5/libgphoto2_ricoh_g3.so
00a73000-00a95000 r-xp 00000000 03:01 4177924    /lib/libm-2.3.5.so
00a95000-00a96000 r-xp 00021000 03:01 4177924    /lib/libm-2.3.5.so
00a96000-00a97000 rwxp 00022000 03:01 4177924    /lib/libm-2.3.5.so
00a99000-00a9b000 r-xp 00000000 03:01 4177925    /lib/libdl-2.3.5.so
00a9b000-00a9c000 r-xp 00001000 03:01 4177925    /lib/libdl-2.3.5.so
00a9c000-00a9d000 rwxp 00002000 03:01 4177925    /lib/libdl-2.3.5.so
00b20000-00b47000 r-xp 00000000 03:01 337001     /usr/lib/libreadline.so.5.0
00b47000-00b4b000 rwxp 00027000 03:01 337001     /usr/lib/libreadline.so.5.0
00b4b000-00b4c000 rwxp 00b4b000 00:00 0
00b69000-00b84000 r-xp 00000000 03:01 336435     /usr/lib/libgphoto2.so.2.0.3
00b84000-00b85000 rwxp 0001a000 03:01 336435     /usr/lib/libgphoto2.so.2.0.3
00b85000-00be5000 rwxp 00b85000 00:00 0
00cdd000-00ceb000 r-xp 00000000 03:01 4177926    /lib/libpthread-2.3.5.so
00ceb000-00cec000 r-xp 0000d000 03:01 4177926    /lib/libpthread-2.3.5.so
00cec000-00ced000 rwxp 0000e000 03:01 4177926    /lib/libpthread-2.3.5.so
00ced000-00cef000 rwxp 00ced000 00:00 0
00d72000-00d78000 r-xp 00000000 03:01 337530     /usr/lib/libusb-0.1.so.4.4.2
00d78000-00d7a000 rwxp 00005000 03:01 337530     /usr/lib/libusb-0.1.so.4.4.2
00f3b000-00f3e000 r-xp 00000000 03:01 494862     /usr/lib/gphoto2_port/0.5.1/libgphoto2_port_usb.so
00f3e000-00f3f000 rwxp 00002000 03:01 494862     /usr/lib/gphoto2_port/0.5.1/libgphoto2_port_usb.so
046ab000-046e9000 r-xp 00000000 03:01 336672     /usr/lib/libncurses.so.5.4
046e9000-046f2000 rwxp 0003d000 03:01 336672     /usr/lib/libncurses.so.5.4
047a7000-047c4000 r-xp 00000000 03:01 335257     /usr/lib/libexif.so.12.0.0
047c4000-047c9000 rwxp 0001c000 03:01 335257     /usr/lib/libexif.so.12.0.0
08048000-08058000 r-xp 00000000 03:01 334404     /usr/bin/gphoto2
08058000-08059000 rw-p 00010000 03:01 334404     /usr/bin/gphoto2
08059000-0805d000 rw-p 08059000 00:00 0
08481000-084c7000 rw-p 08481000 00:00 0          [heap]
b7b4c000-b7bce000 rw-p b7b4c000 00:00 0
b7bce000-b7d13000 rw-p b7d87000 00:00 0
b7d42000-b7dc5000 rw-p b7d42000 00:00 0
b7dc5000-b7dcb000 r--s 00000000 03:01 398602     /usr/lib/gconv/gconv-modules.cache
b7dcb000-b7dcc000 rw-p b7dcb000 00:00 0
b7dcc000-b7fcc000 r--p 00000000 03:01 328884     /usr/lib/locale/locale-archive
b7fcc000-b7fd0000 rw-p b7fcc000 00:00 0
bffcb000-bffe1000 rw-p bffcb000 00:00 0          [stack]
zsh: abort      gphoto2 -P

Expected results:
Imported photos.

Additional info:
After installing the debuginfo rpm I found out the error is caused by line 751
in camlibs/ricoh/g3.c:
749:                            strcpy(xfn, buf+n*32);
750:                            xfn[8] = '.';
751:                            strcpy(xfn+9, buf+n*32+8);

Replacing the two strcpy calls with strncpy resolves the problem. See the attached patch.
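The following C example is added here to illustrate the report; it is not gphoto2's code and not the attached patch. It assumes, from the three quoted g3.c lines alone, that each 32-byte directory entry carries an 8-byte base name at offset 0 and a 3-byte extension at offset 8, neither NUL-terminated, and that xfn is sized for one "XXXXXXXX.YYY" name. The names sample_dir, checked_strcpy, build_8_3_name, unbounded_copy_fits and bounded_name are constructed for this example. checked_strcpy mirrors the size check that FORTIFY_SOURCE's __strcpy_chk performs before copying (which is what produced the "buffer overflow detected" abort in the backtrace), and build_8_3_name is a bounded reconstruction of the same filename that also terminates the result explicitly, since strncpy on a full 8- or 3-byte field does not add a NUL.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ENTRY_SIZE 32
#define NAME_LEN   8
#define EXT_LEN    3
#define XFN_SIZE   (NAME_LEN + 1 + EXT_LEN + 1)   /* "XXXXXXXX.YYY" + NUL = 13 bytes */

/* Mirrors the check FORTIFY_SOURCE's __strcpy_chk makes: the source plus its
 * terminator must fit in the destination. Copies and returns 0 when it fits,
 * otherwise copies nothing and returns -1 (where glibc would abort). */
int checked_strcpy(char *dst, size_t dst_size, const char *src)
{
    size_t need = strlen(src) + 1;
    if (need > dst_size)
        return -1;
    memcpy(dst, src, need);
    return 0;
}

/* Bounded equivalent of the three quoted g3.c lines: copy at most NAME_LEN
 * and EXT_LEN bytes (stopping early at a NUL), insert the dot, and always
 * NUL-terminate. Fails if the caller's buffer cannot hold a full 8.3 name. */
int build_8_3_name(const unsigned char *entry, char *xfn, size_t xfn_size)
{
    size_t nlen = 0, elen = 0;
    if (xfn_size < XFN_SIZE)
        return -1;
    while (nlen < NAME_LEN && entry[nlen] != '\0')
        nlen++;
    while (elen < EXT_LEN && entry[NAME_LEN + elen] != '\0')
        elen++;
    memcpy(xfn, entry, nlen);
    xfn[nlen] = '.';
    memcpy(xfn + nlen + 1, entry + NAME_LEN, elen);
    xfn[nlen + 1 + elen] = '\0';
    return 0;
}

/* Constructed sample listing (assumed layout): two 32-byte entries with no NUL
 * inside the name or extension fields, so strlen() from an entry start runs
 * to the end of the whole buffer, not just to the end of the field. */
static const unsigned char sample_dir[2 * ENTRY_SIZE + 1] =
    "RIMG0001" "JPG" "xxxxxxxxxxxxxxxxxxxxx"
    "RIMG0002" "JPG" "yyyyyyyyyyyyyyyyyyyyy";

/* Would the original strcpy(xfn, buf + n*32) fit for entry n? 1 = yes, 0 = no. */
int unbounded_copy_fits(int n)
{
    char xfn[XFN_SIZE];
    const char *src = (const char *)sample_dir + n * ENTRY_SIZE;
    return checked_strcpy(xfn, sizeof xfn, src) == 0;
}

/* Bounded reconstruction of entry n's filename (static buffer, NULL on error). */
const char *bounded_name(int n)
{
    static char xfn[XFN_SIZE];
    if (build_8_3_name(sample_dir + n * ENTRY_SIZE, xfn, sizeof xfn) != 0)
        return NULL;
    return xfn;
}

int main(void)
{
    for (int n = 0; n < 2; n++)
        printf("entry %d: unbounded strcpy fits=%d, bounded name=%s\n",
               n, unbounded_copy_fits(n), bounded_name(n));
    return 0;
}
```

With this layout the unbounded copy needs 65 bytes for entry 0 and 33 for entry 1, both far beyond the 13-byte destination, which is exactly the condition __strcpy_chk rejects; the bounded version yields RIMG0001.JPG and RIMG0002.JPG regardless of what follows the fields in the buffer.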

Comment 1 Gijs Hollestelle 2005-05-14 12:05:08 UTC
Created attachment 114378 [details]
Patch to fix the buffer overflow

Comment 2 Tim Waugh 2005-05-14 12:22:59 UTC
Thanks!

