[Spice-devel] [PATCH vd_agent_win] Use sprintf_s instead of sprintf to not crash
Frediano Ziglio
fziglio at redhat.com
Wed May 24 09:57:00 UTC 2017
>
> >
> > >
> > > On Tue, 2017-05-23 at 07:01 -0400, Frediano Ziglio wrote:
> > > > >
> > > > > On Wed, May 17, 2017 at 12:57:34PM -0400, Frediano Ziglio wrote:
> > > > > > >
> > > > > > > >
> > > > > > > > ---
> > > > > > > > vdagent/file_xfer.cpp | 4 ++--
> > > > > > > > 1 file changed, 2 insertions(+), 2 deletions(-)
> > > > > > > >
> > > > > > > > diff --git a/vdagent/file_xfer.cpp b/vdagent/file_xfer.cpp
> > > > > > > > index de1aea1..de98d50 100644
> > > > > > > > --- a/vdagent/file_xfer.cpp
> > > > > > > > +++ b/vdagent/file_xfer.cpp
> > > > > > > > @@ -113,8 +113,8 @@ void
> > > > > > > > FileXfer::handle_start(VDAgentFileXferStartMessage*
> > > > > > > > start,
> > > > > > > > if (attempt == 0) {
> > > > > > > > strcpy(dest_filename, file_name);
> > > > > > > > } else {
> > > > > > > > - sprintf(dest_filename, "%.*s (%d)%s",
> > > > > > > > int(extension -
> > > > > > > > file_name), file_name,
> > > > > > > > - attempt, extension);
> > > > > > > > + sprintf_s(dest_filename,
> > > > > > > > SPICE_N_ELEMENTS(file_name) +
> > > > > > > > POSTFIX_LEN,
> > > > > > > > + "%.*s (%d)%s", int(extension -
> > > > > > > > file_name),
> > > > > > > > file_name,
> > > > > > > > attempt, extension);
> > > > > > > > }
> > > > > > > > if ((MultiByteToWideChar(CP_UTF8, 0, dest_filename,
> > > > > > > > -1,
> > > > > > > > file_path
> > > > > > > > +
> > > > > > > > wlen, MAX_PATH - wlen)) == 0) {
> > > > > > > > vd_printf("failed converting file_name:%s to
> > > > > > > > WideChar",
> > > > > > > > dest_filename);
> > > > > > >
> > > > > > > As far as I know dest_filename is allocate big enough to avoid
> > > > > > > the
> > > > > > > overflow.
> > > > > > > Did it crash for you or just a warning from the compiler?
> > > > > > >
> > > > > > > This would be easier
> > > > > > >
> > > > > > > sprintf_s(dest_filename,
> > > > > > > SPICE_N_ELEMENTS(dest_filename),
> > > > > > > "%.*s (%d)%s", int(extension -
> > > > > > > file_name),
> > > > > > > file_name,
> > > > > > > attempt, extension);
> > > > > > >
> > > > > > > without computing again the length.
> > > > > > >
> > > > > >
> > > > > > Got some discussion with Jakub and Pavel on IRC.
> > > > > > They confirmed that with Fedora 26 and 27 the crash happens.
> > > > > > I tried to do some tests (removed the CreateFile and some calls
> > > > > > to have
> > > > > > a test function) with Fedora 25 but didn't manage to reproduce.
> > > > > > Jakub reported that this happens with small names.
> > > > > >
> > > > > > Maybe is an issue with MingW with newer Fedora? Worth
> > > > > > investigating.
> > > > >
> > > > > This is pushed already, but this should have been added to the
> > > > > commit
> > > > > log.
> > > > >
> > > > > Christophe
> > > > >
> > > >
> > > > I think would be better to open a bug trying to understand where the
> > > > problem
> > > > is. The source should not crash with old code.
> > > > I spent last 2 hours trying to compile the agent using mock (my
> > > > machine
> > >
> > > you can use our copr, it is built in all supported Fedoras there. msi
> > > should be in the rpm
> > >
> > > https://copr.fedorainfracloud.org/coprs/g/spice/nightly/package/mingw-
> > > spice-vdagent/
> > >
> > > > is using Fedora 25) but not managed so far.
> > > > I was trying to write a patch to build a test case but with Fedora
> > > > 25
> > > > and Wine the test case works correctly.
> > > >
> > > > Frediano
> >
> > Thanks.
> >
> > I'm actually setup a virtual machine. So far is working. Which is the good
> > news.
> > The bad news is that removing -flto -fwhole-program options from the
> > options
> > fix the issue :-( so... is a compiler bug or if these options are enabled
> > something inside the includes provide different (wrong) implementation?
> > Another good news is that wine is failing too (so no need to copy and test
> > on Windows).
> >
> > Frediano
>
> With the lto options I get (xxx is a version of FileXfer::handle_start
> stripped of FileXfer stuff):
>
> 4017c8: e8 00 00 00 00 callq 4017cd <_Z3xxxPKc+0x1fd>
>
> while without I get
>
> 40934b: e8 00 ba 12 00 callq 534d50 <_Z7sprintfPcPKcz>
>
> (the sprintf call)
>
> Weirdly I cannot find any relocation for 4017c9. Not that I'm actually
> expecting any. I would expect an indirect call for an imported function
> or a relative call with no relocation (maybe to the import function).
> So... it is a bug on the compiler or binutils? I can note a bug in
> objdump not showing correctly relocations. I used even dumpbin , this
> has not the relocation bug as objdump but it confirms that there's
> no relocation on 4017c9.
>
> Some more digging. Looks like using -save-temps, strace and removing
> -pipe options g++ calls "as" with a proper .s file with the correct call
> (sprintf) and "as" correctly produce an .o file with reference to
> sprintf but after this ld take this .o file and produce a wrong
> executable. So looks like is either ld of the lto plugin (passed to
> ld).
>
Opened https://sourceforge.net/p/mingw/bugs/2346/
Frediano
More information about the Spice-devel
mailing list