Segfault in cvs

[Llywar]

I'm getting segfaults when trying to compile from cvs. I suspect that perhaps I have a dependency issue that is triggering an error that isn't being properly handled. What version of smpeg does el require (I have 0.4.4 installed)?

 

The segfault happens on the initial load - before you get to the login screen. If I don't install sound files it gets slightly further - just past the login screen.

 

Here is a backtrace:

$ gdb el
GNU gdb 6.7.1
Copyright © 2007 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu"...
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) run
Starting program: /data/usr/games/bin/el
[Thread debugging using libthread_db enabled]
[New Thread 0x7f19549e4740 (LWP 17848)]
[New Thread 0x41ab4950 (LWP 17862)]
[New Thread 0x422b5950 (LWP 17863)]

Program received signal SIGSEGV, Segmentation fault.
[switching to Thread 0x7f19549e4740 (LWP 17848)]
0x0000003aff873ad0 in strlen () from /lib/libc.so.6
(gdb) bt full
#0  0x0000003aff873ad0 in strlen () from /lib/libc.so.6
No symbol table info available.
#1  0x0000003aff8446f4 in vfprintf () from /lib/libc.so.6
No symbol table info available.
#2  0x0000003aff84a388 in fprintf () from /lib/libc.so.6
No symbol table info available.
#3  0x000000000043ebe9 in log_error (
   message=0x539e37 "Sound devices detected: %s\n") at errors.c:76
       ap = {{gp_offset = 622879849, fp_offset = 1936269412,
   overflow_arg_area = 0x7fff5c006120, reg_save_area = 0x7fff5ca1d7f0}}
       l_time = <value optimized out>
       c_time = 1216266500
       logmsg = "[23:48:20] Sound devices detected: ,No buffer id %d in data structures\n,libsmpeg.so,Could not open smpeg library: %s\n,SMPEG_enablevideo,Could not resolve smpeg symbol %s: %s\n,SMPEG_status,SMPEG_wanted"...
       errmsg = "Sound devices detected: ,No buffer id %d in data structures\n,libsmpeg.so,Could not open smpeg library: %s\n,SMPEG_enablevideo,Could not resolve smpeg symbol %s: %s\n,SMPEG_status,SMPEG_wantedSpec,SMPEG_"...
#4  0x0000000000483e36 in init_sound () at sound.c:3984
       context = <value optimized out>
       device = <value optimized out>
       listenerPos = {0, 0, 0}
       listenerVel = {0, 0, 0}
       listenerOri = {0, 1, 0, 0, 0, 1}
       error = <value optimized out>
       i = <value optimized out>
       __FUNCTION__ = "init_sound"
#5  0x000000000048423d in turn_sound_on () at sound.c:480
       i = <value optimized out>
       state = 0
       source = <value optimized out>
       __FUNCTION__ = "turn_sound_on"
#6  0x00000000004500ba in init_stuff () at init.c:908
       file_name = "languages/en/Encyclopedia/index.xml\000\000\000\000\000Ç\215C\000\000\000\000\000¨\031S", '\0' <repeats 13 times>, "\004MC\000\000\000\000\000\214\224C\000\000\000\000\0003\024S\000\000\000\000\000(\024S\000\000\000\000---Type <return> to continue, or q <return> to quit---
\000\035\024S\000\000\000\000\000\021\024S\000\000\000\000\000\005\024S\000\000\000\000\000ù\023S\000\000\000\000\000í\023S\000\000\000\000\000à\023S\000\000\000\000\000Ó\023S\000\000\000\000\000Æ\023S\000\000\000\000\000¹\023S\000\000\000\000\000­\023S\000\000\000\000\000¡\023S\000\000\000\000\000\225\023S\000\000\000\000\000\211\023S\000\000\000\000\000|\023S"...
       config_location = "Your personal settings and logs will be saved in /home/rich/.elc/main/\000m\004\000\000\000\000\000\000\000H\000\000\000\000\000\000\000p\000\000\000\000\000\000\000\000\004\000\000\000\000\000\000`©³ÿ:\000\000\000\220\001\000\000\000\000\000\000`©³ÿ\005\000\000\000 ¶°\001\000\000\000\000`©³ÿ:\000\000\000¨\031S\000\000\000\000\000H\000\000\000\000\000\000\000\200¼°\001\000\000\000\000\201C\001\000\000\000\000\000x\031S\000\000\000\000\000æÿ\206ÿ:\000\000\000 º°\001\000\000\000\000"...
       cfgdir = <value optimized out>
#7  0x0000000000460347 in main (argc=1, argv=0x7fff5ca1de98) at main.c:331
No locals.
(gdb)                           

[bluap]

Hmmm, nasty. Could you try increasing the buffer size in error.c lines 47/48 to 1024 and see if that helps. I noticed the string being passed to that function is potentially much bigger than the error log buffers.

 

As for library versions. On Debian (lenny) I have:

libsmpeg-dev 0.4.5+cvs20030824-2+b1

libsmpeg0 0.4.5+cvs20030824-2+b1

[Llywar]

Hmmm, nasty. Could you try increasing the buffer size in error.c lines 47/48 to 1024 and see if that helps. I noticed the string being passed to that function is potentially much bigger than the error log buffers.

 

Hmm - that didn't seem to help. I tried 1024, a few more powers of 2, and then bumped it all the way to 1M. Either there is a REALLY long error message or that isn't it...

 

I did notice there are quite a few string operations in there, including one strcat that didn't have any kind of length limitation. There are quire a few opportunities for a buffer-overflow.

 

I'll keep working on this later...

[Llywar]

Ok, I have it figured out. The problem is that for whatever reason errors.c was called with an error message with embedded C format string escape characters like "%s". That got sent to fprintf and then the C library segfaulted when it went looking in the stack for strings to go printing.

 

There are two solutions (I'd recommend doing both, actually):

 

1. Clean up the code that tries to output errors with unsubstituted %s's. That would also make the errors a bit more informative.

 

2. Use fputs to output the string to the file - you're not using any of the functionality of fprintf anyway so why worry about needing to escape junk in the string?

 

Also - I'm not an expert in such things, but I think that the strcat in this function should be fixed - you're adding up to 512 bytes to a 512-byte buffer that already contains data. And a few lines later you potentially add a newline to that.

 

Here is a patch that I think helps with the output functions. I didn't go back to the sound libraries and figure out where the %s's are coming from. Note that I subtract 2 in the strncat to allow for adding in a newline if needed. Again, I'm pretty rusty at C so feel free to fix any glaring mistakes.

 

Index: errors.c

===================================================================

RCS file: /cvsroot/elc/elc/errors.c,v

retrieving revision 1.41

diff -u -b -B -r1.41 errors.c

--- errors.c 3 Mar 2008 23:20:02 -0000 1.41

+++ errors.c 18 Jul 2008 02:21:45 -0000

@@ -68,12 +68,12 @@

time(&c_time);

l_time = localtime(&c_time);

strftime(logmsg, sizeof(logmsg), "[%H:%M:%S] ", l_time);

- strcat(logmsg, errmsg);

+ strncat(logmsg, errmsg, sizeof(logmsg)-strlen(logmsg)-2);

 

if(message[strlen(message)-1] != '\n') {

strcat(logmsg, "\n");

}

- fprintf(err_file, logmsg);

+ fputs(logmsg, err_file);

fflush (err_file);

}

[bluap]

Ok, I have it figured out...

Great. I agree that code needs a bit of care and attention so thanks for reporting the error and getting to the bottom of it. It may be a few days until one of us can get an update into CVS but at least your up and running I guess.

[Llywar]

It may be a few days until one of us can get an update into CVS but at least your up and running I guess.

 

No rush. It doesn't appear to cause problems for most. There must be something odd about my sound configuration that is causing these messages to get logged in the first place. Any gentoo users will get the patched version until cvs catches up.

[bluap]

No rush.

Committed now. Thanks.