I have been doing research on how to transform programs to remove buffer overflow vulnerabilities. I have been trying to understand the buffer overflow exploit documented in Bugtraq 20978 on SecurityFocus.
It contains a .ps file. When gv is asked to open the file, it gets a segmentation fault. I understand that the segmentation fault occurs because the doc->media data structure is corrupted in the struct document * psscan(fileP, filename, filename_raw, filename_dscP, cmd_scan_pdf, filename_uncP, cmd_uncompress, scanstyle) function at line 653 of the ps.c file.
The reason for this corruption is the call to the static char * ps_gettext(line, next_char) function at line 1382 of the ps.c file, where the buffer overflow occurs.
I tried to replace the bad string function strcpy at line 1382 with a safe string function, g_strlcpy, provided by the glib library.
I replaced strcpy(cp, text); with g_strlcpy(cp, text, malloc_usable_size(cp));
I got everything to compile, and now the segmentation fault is gone. Instead, I now get a SIGILL (illegal instruction) signal, and gv stops when it is asked to open the corrupt .ps file.
Apparently the buffer is still overwritten and the function cannot return. Hence the replacement of strcpy with g_strlcpy has had no effect on the buffer overflow.
But my question is: why am I getting a SIGILL now instead of the SIGSEGV that I got before the change? Can someone please help me by explaining the buffer overflow vulnerability?
Thanks in advance.
Munawar Hafiz, Graduate Student, University of Illinois
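As an added illustration (not code from the post or from gv), here is a gettext-style tokenizer of the shape the post describes, with the bound enforced where the fixed-size temporary is filled rather than at the final copy into the heap string; PSLINELENGTH, the token rules and the function name are assumptions, not gv's actual definitions. The point it shows is that if the fixed-size temporary is the buffer being overrun, a size-limited copy at the later strcpy site cannot repair it, because the overrun has already happened by then.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed temporary size for the example; not taken from gv's ps.c. */
#define PSLINELENGTH 256

/* Hypothetical ps_gettext-like function: copy one whitespace-delimited token
 * from `line` into a fixed-size stack temporary, then duplicate it on the heap.
 * The defect pattern the post describes is a fill loop with no bound, followed
 * by strcpy(cp, text). Bounding only that strcpy (e.g. with malloc_usable_size)
 * changes nothing: cp is sized from the already-filled temporary, so the copy
 * never exceeded it, and any overrun of `text` occurred during the fill.
 * The bound therefore belongs in the fill loop, as below.
 * On return, *next_char points past the token and *truncated is set if the
 * token was longer than the temporary could hold. */
char *gettext_bounded(const char *line, const char **next_char, int *truncated)
{
    char text[PSLINELENGTH];          /* fixed-size temporary */
    size_t n = 0;
    char *cp;

    *truncated = 0;
    while (*line == ' ' || *line == '\t')
        line++;                       /* skip leading whitespace */

    while (*line && *line != ' ' && *line != '\t' && *line != '\n') {
        if (n + 1 >= sizeof text) {   /* keep room for the terminating NUL */
            *truncated = 1;
            break;
        }
        text[n++] = *line++;
    }
    text[n] = '\0';

    /* Consume the rest of an over-long token so the caller resumes at a
     * token boundary instead of re-reading the tail as a new token. */
    while (*line && *line != ' ' && *line != '\t' && *line != '\n')
        line++;
    *next_char = line;

    cp = malloc(n + 1);               /* sized from the bounded length */
    if (cp == NULL)
        return NULL;
    memcpy(cp, text, n + 1);          /* cannot exceed cp: n + 1 bytes by construction */
    return cp;
}
```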