[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[help-gv] Understanding the buffer overflow exploit in gv 3.6.2

From: Munawar Hafiz
Subject: [help-gv] Understanding the buffer overflow exploit in gv 3.6.2
Date: Wed, 10 Oct 2007 02:58:19 -0700 (PDT)


I have been doing research on how to transform programs to
remove buffer overflow vulnerabilities. I have been trying to
understand the buffer overflow exploit documented in Bugtraq
20978 in securityfocus.

The following link has some proof of concept code that shows the buffer 
overflow error,

contains a ps file. When gv is asked to open the file, it gets a
segmentation fault. I understand that the segmentation fault occurs
because the doc->media data structure is corrupted in the 

          struct document * 
function at line 653 in the ps.c file.

The reason for this corruption is the call to the 

           static char * ps_gettext(line, next_char)
function in line 1382 of ps.c file where the buffer overflow occurs.

tried to replace the bad string function strcpy in line 1382 with a
safe string function g_strlcpy provided by the glib library. 
         strcpy(cp, text);
         g_strlcpy(cp, text, malloc_usable_size(cp));

got everything to compile and now the segmentation fault is gone.
Instead now I am getting a SIGILL, illegal instruction signal and gv
stops when it is asked to open the corrupt ps file.

Apparently the buffer is still overwritten and the function
cannot return. Hence the replacement of the strcpy with g_strlcpy has
not effect on the buffer overflow.

But my question is, why am I
getting a SIGILL then instead of the SIGSEGV that I got before the
change? Can someone please help me by explaining the buffer overflow
vulnerability ?

Thanks in advance.

Munawar Hafiz
Graduate Student
University of Illinois

Send instant messages to your online friends

reply via email to

[Prev in Thread] Current Thread [Next in Thread]