Bug#748400: [gnuplot:bugs] #1413 Buffer overflow in epslatex terminal

Anton Gladky gladk at debian.org
Thu May 29 18:24:57 UTC 2014


Hi Ethan,

I can reproduce it:

gnuplot -e "set terminal epslatex header sprintf('%.850f',0)"
*** buffer overflow detected ***: gnuplot terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x6ea2f)[0x7f8ba77baa2f]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7f8ba7840dd7]
/lib/x86_64-linux-gnu/libc.so.6(+0xf3e50)[0x7f8ba783fe50]
/lib/x86_64-linux-gnu/libc.so.6(+0xf2deb)[0x7f8ba783edeb]
gnuplot(+0xce408)[0x7f8ba9481408]
gnuplot(+0x96818)[0x7f8ba9449818]
gnuplot(+0x2468d)[0x7f8ba93d768d]
gnuplot(+0x24878)[0x7f8ba93d7878]
gnuplot(+0x1899b)[0x7f8ba93cb99b]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7f8ba776db45]
gnuplot(+0x18e3c)[0x7f8ba93cbe3c]
======= Memory map: ========
...
...

Our compilation flags are relatively strict [1]:

-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security

[1] https://buildd.debian.org/status/fetch.php?pkg=gnuplot&arch=i386&ver=4.6.5-1&stamp=1393630615

Thanks

Anton


2014-05-29 19:39 GMT+02:00 Ethan Merritt <sfeam at users.sf.net>:
> I can't reproduce this in any of
> gnuplot_4.4.4
> gnuplot_4.6.3
> gnuplot_4.6.4
> gnuplot_4.6.5
> gnuplot_5.0.rc1
>
> I also tested issuing the commands
> gnuplot> FOO = sprintf('%.850f',0)
> gnuplot> print strlen(FOO)
> 852
>
> I also tested current gnuplot under valgrind to see if there was indeed an
> overflow, detected or not. Valgrind reported no problems.
>
> I believe that error message comes from libc itself. Could there be an issue
> with buffer size limits in the environment? Does a simple-minded C program
> that issues the same sprintf() statement cause the same error message?
>
> ________________________________
>
> [bugs:#1413] Buffer overflow in epslatex terminal
>
> Status: open
> Group: 5.0
> Created: Thu May 29, 2014 11:41 AM UTC by Anonymous
> Last Updated: Thu May 29, 2014 12:10 PM UTC
> Owner: nobody
>
> Dear Gnuplot developers,
>
> the following bug has been reported on Debian Bug-Tracker. I would like
> to ask you to have a look at it [1].
>
> ========================
> gnuplot -e "set terminal epslatex header sprintf('%.850f',0)"
>
> gives
>
> buffer overflow detected : gnuplot terminated
>
> But actually I really want to set a header as long as this. Longer than
> 852 characters.
> ========================
>
> [1] https://bugs.debian.org/748400
>
> Thank you
>
> Anton
>
> ________________________________
>
> Sent from sourceforge.net because you indicated interest in
> https://sourceforge.net/p/gnuplot/bugs/1413/
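Ethan's question about a simple-minded C program, taken up from the mitigation side as an added example (not code from gnuplot or from either author): the header the report passes is 852 characters, and the libc message in the backtrace comes from __fortify_fail, i.e. a fortified sprintf()/strcpy() writing past a destination smaller than that. The fixed-size buffer and its 256-byte size are assumptions for illustration; the hardened path measures the destination first and treats truncation as an error.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed fixed-size destination, standing in for a buffer that a terminal
 * driver might copy the header into. With -fstack-protector and a fortified
 * sprintf()/strcpy() (_FORTIFY_SOURCE), writing an 852-byte string into it
 * is what makes libc print "*** buffer overflow detected ***". */
#define HEADER_BUF_SIZE 256

/* Constructed stand-in for the report's input: gnuplot's sprintf('%.850f',0)
 * is "0." followed by 850 zeros, 852 characters. Caller frees the result. */
static char *build_report_header(void) {
    int needed = snprintf(NULL, 0, "%.850f", 0.0); /* measure first */
    if (needed < 0) return NULL;
    char *s = malloc((size_t)needed + 1);         /* then allocate to fit */
    if (s != NULL) snprintf(s, (size_t)needed + 1, "%.850f", 0.0);
    return s;
}

/* Length of the constructed header, or 0 on allocation failure. */
static size_t report_header_length(void) {
    char *h = build_report_header();
    size_t n = h ? strlen(h) : 0;
    free(h);
    return n;
}

/* Bounded copy into a fixed buffer. Returns the length the whole header
 * needs; a result >= bufsz means it was cut off, and the caller should
 * reject the header or reallocate rather than carry on silently. */
static int copy_header_bounded(char *buf, size_t bufsz, const char *header) {
    return snprintf(buf, bufsz, "%s", header);
}

/* 1 if the report's header does not fit HEADER_BUF_SIZE, 0 if it does,
 * -1 on allocation failure. */
static int report_header_is_truncated(void) {
    char fixed[HEADER_BUF_SIZE];
    char *h = build_report_header();
    if (h == NULL) return -1;
    int needed = copy_header_bounded(fixed, sizeof fixed, h);
    free(h);
    return needed >= (int)sizeof fixed;
}

int main(void) {
    printf("header length: %zu\n", report_header_length());   /* 852 */
    printf("fits in %d bytes: %s\n", HEADER_BUF_SIZE,
           report_header_is_truncated() ? "no" : "yes");
    return 0;
}
```

Compiled with the flags Anton lists, an unbounded sprintf() into `fixed` would abort with the same libc message, whereas the bounded copy returns 852 and lets the caller decide.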
