#1207 gprintf buffer overflow

Status: closed-fixed
Owner: nobody
Labels: 2D plot (258)
Priority: 5
Updated: 2015-03-23
Created: 2013-02-08
Private: No

Gnuplot version: 4.4.4, 4.6.0
The function "gprintf" in file "util.c" does not check for buffer boundaries. Neither does the calling function "gen_tics" in "axis.c". A long format string causes stack smashing.

Reproducer:
set format x "%e%E%g%G%x%O%t%l%s"
plot "data"

data:
1 10
3 30

This leads to a tick label 54 bytes long (you can always make it longer with a longer format string). The buffer is a fixed 50 bytes long: "char label[MAX_ID_LEN];". Gprintf does not consistently use its parameter "size_t count". Also, there is no return value to indicate an error. I do not know the architecture of the gnuplot source code. How does error handling in gnuplot work? I can try to fix it if someone gives me a hint where and how this should be fixed. Dynamic buffer reallocation? Boundary checking and an error-indicating return code? Computing the needed length of the buffer before actually calling gprintf? Allowing only short format strings?

Installing the Perl interface to gnuplot from CPAN triggers this bug. There is a set of self-tests; one of them uses a very long format string and crashes the whole installation.

Discussion

  • Ethan Merritt
    2013-02-08

    Thank you for the bug report.
    I am almost certain that this is the same issue reported in Bug #3577439 and fixed last year. The fix will be in 4.6.2, which is scheduled for release next month.

    Here is the ChangeLog entry for that fix:

    2012-11-04 Ethan A Merritt <merritt@u.washington.edu>
    * src/util.c (gprintf): Ever since the gprintf routine was added
    (sometime before version 3.7) the count parameter that should limit how
    many characters are written on output has been silently ignored.
    Obviously this can lead to buffer overflows, the simplest case being a
    format consisting of a string constant with length > MAX_ID_LEN.
    Revise gprintf() to use snprintf() and safe_strncpy() throughout.
    Bug #3577439

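A cut-down stand-in for the fixed gprintf(), added here as an example and not gnuplot's own code: it expands a tick-label format into a caller-supplied buffer, honours `count` by going through the snprintf family as the ChangeLog describes, and returns the length the label needed, so a caller like gen_tics() can detect the truncation that the report's 54-byte label would otherwise have turned into a stack overflow. The names (gprintf_bounded, emit, label_overflows) and the handled conversions (%e, %g, %x, %% with plain C semantics rather than gnuplot's %t/%l/%s/%O) are assumptions of this example.

```c
/* Added example, not gnuplot's own code: a cut-down stand-in for gprintf()
 * that honours its `count` argument (snprintf-family calls throughout, as the
 * ChangeLog describes) and returns the length the label needed, so the caller
 * can detect the truncation that used to smash the stack.  Only %e, %g, %x
 * and %% are expanded; gnuplot's own conversions (%t, %l, %s, %O ...) are
 * deliberately left out. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MAX_ID_LEN 50   /* gen_tics() in axis.c declares: char label[MAX_ID_LEN]; */

/* Append one formatted piece at dst[used], never writing past dst[count-1].
 * Once the buffer is full, vsnprintf is called with size 0 so it only measures.
 * Returns the length that piece needed, exactly as snprintf does. */
static size_t emit(char *dst, size_t count, size_t used, const char *fmt, ...)
{
    va_list ap;
    size_t room = used < count ? count - used : 0;
    va_start(ap, fmt);
    int n = vsnprintf(room ? dst + used : dst, room, fmt, ap);
    va_end(ap);
    return n < 0 ? 0 : (size_t)n;
}

/* Bounded gprintf: expand `format` for value x into dst[count].  dst is
 * always NUL-terminated when count > 0.  A return value >= count means the
 * label did not fit and was cut short instead of overrunning the buffer. */
size_t gprintf_bounded(char *dst, size_t count, const char *format, double x)
{
    size_t needed = 0;
    if (count) dst[0] = '\0';
    for (const char *p = format; *p; p++) {
        if (*p != '%' || p[1] == '\0') {            /* literal character */
            needed += emit(dst, count, needed, "%c", *p);
            continue;
        }
        switch (*++p) {
        case 'e': needed += emit(dst, count, needed, "%e", x); break;
        case 'g': needed += emit(dst, count, needed, "%g", x); break;
        case 'x': needed += emit(dst, count, needed, "%x", (unsigned)(long)x); break;
        case '%': needed += emit(dst, count, needed, "%%"); break;
        default:  needed += emit(dst, count, needed, "%%%c", *p); break; /* unknown: copy as-is */
        }
    }
    return needed;
}

/* The check gen_tics() lacked: would this format, for this value, need more
 * than the fixed 50-byte label (NUL included) if count were ignored? */
int label_overflows(const char *format, double x)
{
    char scratch[512];   /* only a measuring buffer; the returned length is exact regardless */
    return gprintf_bounded(scratch, sizeof scratch, format, x) >= MAX_ID_LEN;
}
```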
  • Ethan Merritt
    2013-02-08

    • status: open --> open-duplicate
  • Ethan Merritt
    2013-02-19

    • status: open-duplicate --> closed-fixed
    • milestone: --> 5.0