[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[help-gv] Help on gv 3.6.2

From: Munawar Hafiz
Subject: [help-gv] Help on gv 3.6.2
Date: Wed, 10 Oct 2007 03:59:47 -0500


I have been doing research on how to transform programs to remove buffer overflow vulnerabilities. I have been trying to understand the buffer overflow exploit documented in Bugtraq
20978 in securityfocus.

The following link has some proof of concept code that shows the buffer overflow error,

It contains a ps file. When gv is asked to open the file, it gets a segmentation fault. I understand that the segmentation fault occurs because the doc->media data structure is corrupted in the

struct document * psscan(fileP,filename,filename_raw,filename_dscP,cmd_scan_pdf,filename_uncP,cmd_uncompress,scanstyle)
function at line 653 in the ps.c file.

The reason for this corruption is the call to the

static char * ps_gettext(line, next_char)
function in line 1382 of ps.c file where the buffer overflow occurs.

I tried to replace the bad string function strcpy in line 1382 with a safe string function g_strlcpy provided by the glib library.
         strcpy(cp, text);
         g_strlcpy(cp, text, malloc_usable_size(cp));

I got everything to compile and now the segmentation fault is gone. Instead now I am getting a SIGILL, illegal instruction signal and gv stops when it is asked to open the corrupt ps file.

Apparently the buffer is still overwritten and the function cannot return. Hence the replacement of the strcpy with g_strlcpy has not effect on the buffer overflow.

But my question is, why am I getting a SIGILL then instead of the SIGSEGV that I got before the change? Can someone please help me by explaining the buffer overflow vulnerability ?
Thanks in advance.

Munawar Hafiz
Graduate Student
University of Illinois

reply via email to

[Prev in Thread] Current Thread [Next in Thread]