[help-gv] Understanding the buffer overflow exploit in gv 3.6.2

From: Munawar Hafiz
Subject: [help-gv] Understanding the buffer overflow exploit in gv 3.6.2
Date: Wed, 10 Oct 2007 02:58:19 -0700 (PDT)
Hi,

I have been doing research on how to transform programs to remove buffer
overflow vulnerabilities. I have been trying to understand the buffer
overflow exploit documented in Bugtraq 20978 in securityfocus:
http://www.securityfocus.com/bid/20978/info

The following link has some proof of concept code that shows the buffer
overflow error:
http://www.securityfocus.com/bid/20978/exploit

It contains a ps file. When gv is asked to open the file, it gets a
segmentation fault. I understand that the segmentation fault occurs
because the doc->media data structure is corrupted in the

struct document *
psscan(fileP,filename,filename_raw,filename_dscP,cmd_scan_pdf,filename_uncP,cmd_uncompress,scanstyle)

function at line 653 in the ps.c file. The reason for this corruption is
the call to the

static char * ps_gettext(line, next_char)

function in line 1382 of ps.c file, where the buffer overflow occurs.

I tried to replace the bad string function strcpy in line 1382 with a
safe string function g_strlcpy provided by the glib library. Replaced

strcpy(cp, text);

with

g_strlcpy(cp, text, malloc_usable_size(cp));

I got everything to compile and now the segmentation fault is gone.
Instead now I am getting a SIGILL, illegal instruction signal, and gv
stops when it is asked to open the corrupt ps file.

Apparently the buffer is still overwritten and the function cannot
return. Hence the replacement of the strcpy with g_strlcpy has no effect
on the buffer overflow.

But my question is, why am I getting a SIGILL then instead of the SIGSEGV
that I got before the change? Can someone please help me by explaining
the buffer overflow vulnerability?
Thanks in advance.
Munawar Hafiz
Graduate Student
University of Illinois
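An added example, not code from gv's ps.c and not a statement about where gv's own overflow lies: a hypothetical token scanner for a DSC comment line that bounds every write into its fixed-size buffer at the point the bytes land, which is the property a length-bounded copy such as g_strlcpy can only guarantee for the one copy it performs. PSLINELENGTH, struct scan, scan_token and the canary byte are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define PSLINELENGTH 8   /* deliberately tiny so a constructed token overflows it */

/* Result of scanning one whitespace-delimited token from a DSC comment line. */
struct scan {
    char text[PSLINELENGTH];  /* fixed-size token buffer of the kind strcpy can overrun */
    unsigned char canary;     /* lies directly after text[]; must still read 0xAA */
    bool truncated;           /* set when the token did not fit */
    const char *next;         /* input position just after the token */
};

/* Hypothetical bounded scanner (not gv's ps_gettext): the length check is
 * applied where bytes are written into text[], so any later copy out of
 * text[] never starts from an already-overrun buffer. */
static struct scan scan_token(const char *line)
{
    struct scan s = { .canary = 0xAA, .truncated = false };
    const char *p = line;
    size_t n = 0;

    while (*p == ' ' || *p == '\t')
        p++;                                   /* skip leading blanks */
    while (*p && *p != ' ' && *p != '\t' && *p != '\n') {
        if (n + 1 < sizeof s.text)
            s.text[n++] = *p;                  /* keep one byte for the NUL */
        else
            s.truncated = true;                /* discard, never write past text[] */
        p++;
    }
    s.text[n] = '\0';
    s.next = p;
    return s;
}

int main(void)
{
    /* constructed inputs: one token that fits and one far longer than PSLINELENGTH */
    const char *lines[] = { "  Letter 612 792", "ThisTokenIsFarTooLongForTheBuffer" };
    for (size_t i = 0; i < 2; i++) {
        struct scan s = scan_token(lines[i]);
        printf("token=\"%s\" truncated=%d canary_ok=%d rest=\"%s\"\n",
               s.text, (int)s.truncated, s.canary == 0xAA, s.next);
    }
    return 0;
}
```

Note that malloc_usable_size() is only defined for a pointer returned by malloc(); for a stack array or a pointer into the middle of an allocation it does not yield a usable bound.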