
D2X-XL

Tracker: Bugs

5 Crash in 1.14.54 - ID: 2819545
Last Update: Tracker Item Submitted ( zombie_ryushu )

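The following is a backtrace of a buffer overflow in D2X-XL on Mandriva 2009.1. glibc's fortify check reported "buffer overflow detected" and aborted the process (frames #3 and #4, __fortify_fail and __chk_fail). The overflowing call is in SelectAndLoadMission (frame #5), in a string routine inlined from /usr/include/bits/string3.h:106, and is reached from NewGameMenu at newgamemenu.cpp:340.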

(gdb) bt

#0 0x00007f0fb3490a15 in raise (sig=<value optimized out>) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00007f0fb3492243 in abort () at abort.c:88

#2 0x00007f0fb34cc388 in __libc_message (do_abort=2, fmt=0x7f0fb358d11b
"*** %s ***: %s terminated\n") at
../sysdeps/unix/sysv/linux/libc_fatal.c:170
#3 0x00007f0fb3553107 in __fortify_fail (msg=0x7f0fb358d0ea "buffer
overflow detected") at fortify_fail.c:32

#4 0x00007f0fb3550eb0 in __chk_fail () at chk_fail.c:29

#5 0x00000000004a2104 in SelectAndLoadMission (bMulti=0, bAnarchyOnly=0x0)
at /usr/include/bits/string3.h:106
#6 0x00000000004a3dd1 in NewGameMenu () at newgamemenu.cpp:340

#7 0x000000000047ac86 in ExecMainMenuOption (nChoice=-1286055232) at
mainmenu.cpp:311

#8 0x000000000047b886 in MainMenu () at mainmenu.cpp:218

#9 0x0000000000406b32 in MainLoop () at descent.cpp:449

#10 0x00000000004086ab in main (argc=<value optimized out>, argv=<value
optimized out>) at descent.cpp:911

(gdb) bt full

#0 0x00007f0fb3490a15 in raise (sig=<value optimized out>) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64

pid = <value optimized out>

selftid = <value optimized out>

#1 0x00007f0fb3492243 in abort () at abort.c:88

act = {__sigaction_handler = {sa_handler = 0x7fffbc7b46e0,
sa_sigaction = 0x7fffbc7b46e0}, sa_mask = {__val = {140736355583856,
94489280512, 140736355583920, 140736355606684,
17, 139705410179299, 3, 140736355583914, 6, 139705410179303, 2,
140736355583902, 2, 139705410180371, 1, 139705410179299}}, sa_flags = 3,
sa_restorer = 0x7fffbc7b47a4}
sigs = {__val = {32, 0 <repeats 15 times>}}


#2 0x00007f0fb34cc388 in __libc_message (do_abort=2, fmt=0x7f0fb358d11b
"*** %s ***: %s terminated\n") at
../sysdeps/unix/sysv/linux/libc_fatal.c:170

ap = {{gp_offset = 32, fp_offset = 48, overflow_arg_area =
0x7fffbc7b5080, reg_save_area = 0x7fffbc7b4f90}}

ap_copy = {{gp_offset = 16, fp_offset = 48, overflow_arg_area =
0x7fffbc7b5080, reg_save_area = 0x7fffbc7b4f90}}

fd = 22


on_2 = <value optimized out>


list = <value optimized out>


nlist = <value optimized out>


cp = <value optimized out>


written = 6


#3 0x00007f0fb3553107 in __fortify_fail (msg=0x7f0fb358d0ea "buffer
overflow detected") at fortify_fail.c:32

No locals.


#4 0x00007f0fb3550eb0 in __chk_fail () at chk_fail.c:29


No locals.


#5 0x00000000004a2104 in SelectAndLoadMission (bMulti=0, bAnarchyOnly=0x0)
at /usr/include/bits/string3.h:106

i = <value optimized out>


nMissions = 11


nDefaultMission = 0


nNewMission = 0


msnNames = {<CArray<char*>> = {<CQuickSort<char*>> = {<No data
fields>}, m_data = {buffer = 0xef107c0, null = 0x0, length = 300, pos = 0,
nMode = 0, bWrap = false}},
m_tos = 11, m_growth = 0}


lb = {<CMenu> = {<CStack<CMenuItem>> = {<CArray<CMenuItem>> =
{<CQuickSort<CMenuItem>> = {<No data fields>}, m_data = {buffer = 0x0, null
= {m_nType = 0, m_value = 0,
m_minValue = 0, m_maxValue = 0, m_group = 0, m_nTextLen = 0,
m_color = 0, m_nKey = 0, m_x = 0, m_y = 0, m_xSave = 0, m_ySave = 0, m_w =
0, m_h = 0, m_rightOffset = 0,
m_bRedraw = 0 '\0', m_bRebuild = 0 '\0', m_bNoScroll = 0 '\0',
m_bUnavailable = 0 '\0', m_bCentered = 0 '\0', m_text = '\0' <repeats 1000
times>,
m_savedText = '\0' <repeats 1000 times>, m_pszText = 0x0,
m_bmText = {0x0, 0x0}, m_szHelp = 0x0}, length = 0, pos = 0, nMode = 0,
bWrap = false}}, m_tos = 0,
m_growth = 10}, _vptr.CMenu = 0x64c3b0, m_props = {scWidth = 0,
scHeight = 0, x = 0, y = 0, xOffs = 0, yOffs = 0, width = 0, height = 0, w
= 0, h = 0, aw = 0, tw = 0, th = 0,
ty = 0, twidth = 0, rightOffset = 0, nStringHeight = 0, bTinyMode =
0, nMenus = 0, nOthers = 0, nMaxNoScroll = 0, nMaxOnMenu = 0,
nMaxDisplayable = 0, nScrollOffset = 0,
bIsScrollBox = 0, nDisplayMode = 0, bValid = 0}, m_nGroup = 0,
m_bStart = 0, m_nLastScrollCheck = 0, m_bRedraw = 0, m_bCloseBox = 0,
m_bDontRestore = 0, m_bAllText = 0,
m_tEnter = 0, m_nChoice = 1, m_nKey = 28, m_callback = 0}, m_nFirstItem
= 0, m_nVisibleItems = 10, m_nWidth = 476, m_nHeight = 260, m_xOffset =
162, m_yOffset = 184,
m_nTitleHeight = 29, m_items = 0x7fffbc7b50c0}


menuTitles = {0xdabf8e1 "New game", 0xdac35c7 "New Descent 1
Game\n\nSelect mission", 0xdac35eb "New Descent 2 Game\n\nSelect mission",
0xdabf8e1 "New game"}
#6 0x00000000004a3dd1 in NewGameMenu () at newgamemenu.cpp:340


menu = {<CStack<CMenuItem>> = {<CArray<CMenuItem>> =
{<CQuickSort<CMenuItem>> = {<No data fields>}, m_data = {buffer =
0xef44b48, null = {m_nType = 0, m_value = 0,
m_minValue = 0, m_maxValue = 0, m_group = 0, m_nTextLen = 0,
m_color = 0, m_nKey = 0, m_x = 0, m_y = 0, m_xSave = 0, m_ySave = 0, m_w =
0, m_h = 0, m_rightOffset = 0,
m_bRedraw = 0 '\0', m_bRebuild = 0 '\0', m_bNoScroll = 0 '\0',
m_bUnavailable = 0 '\0', m_bCentered = 0 '\0', m_text = '\0' <repeats 1000
times>,
m_savedText = '\0' <repeats 1000 times>, m_pszText = 0x0,
m_bmText = {0x0, 0x0}, m_szHelp = 0x0}, length = 15, pos = 0, nMode = 0,
bWrap = false}}, m_tos = 6,
m_growth = 10}, _vptr.CMenu = 0x64c500, m_props = {scWidth = 800,
scHeight = 600, x = 160, y = 173, xOffs = 190, yOffs = 203, width = -1,
height = -1, w = 480, h = 253, aw = 22,
tw = 146, th = 43, ty = 203, twidth = 0, rightOffset = 0, nStringHeight
= 24, bTinyMode = 0, nMenus = 2, nOthers = 1, nMaxNoScroll = 0, nMaxOnMenu
= 15, nMaxDisplayable = 6,
nScrollOffset = 0, bIsScrollBox = 0, nDisplayMode = 3, bValid = 1},
m_nGroup = 0, m_bStart = 0, m_nLastScrollCheck = -1, m_bRedraw = 1,
m_bCloseBox = 1, m_bDontRestore = 0,
m_bAllText = 0, m_tEnter = 0, m_nChoice = 0, m_nKey = 28, m_callback =
0x4a0d50 <NewGameMenuCallback(CMenu&, int&, int, int)>}
optSelMsn = 0
---Type <return> to continue, or q <return> to quit---
optLevelText = <value optimized out>
optLevel = -1
optLaunch = <value optimized out>
optLoadout = 5
nMission = -1
bMsnLoaded = 0
i = <value optimized out>
choice = 0
szDifficulty = "\000Difficulty:
Hotshot\000\020\000\000\000\000\000\000\000\000\000\000\003\000\000\000\000
\000\000\000\001\000\000\000\001\000\000\000\000"
szLevelText = "
\003\000\000X\002\000\000\001\000\000\000\t\000\000\000\t\000\000\000\000\0
00\000\000\002\000\000\000\000\000\000"
szLevel = "0\003\000\000\227"
nPlayerMaxLevel = 1
nLevel = 0
#7 0x000000000047ac86 in ExecMainMenuOption (nChoice=-1286055232) at
mainmenu.cpp:311
fs = {<CMenu> = {<CStack<CMenuItem>> = {<CArray<CMenuItem>> =
{<CQuickSort<CMenuItem>> = {<No data fields>}, m_data = {buffer = 0x0, null
= {m_nType = 0, m_value = 0,
m_minValue = 0, m_maxValue = 0, m_group = 0, m_nTextLen = 0,
m_color = 0, m_nKey = 0, m_x = 0, m_y = 0, m_xSave = 0, m_ySave = 0, m_w =
0, m_h = 0, m_rightOffset = 0,
m_bRedraw = 0 '\0', m_bRebuild = 0 '\0', m_bNoScroll = 0 '\0',
m_bUnavailable = 0 '\0', m_bCentered = 0 '\0', m_text = '\0' <repeats 1000
times>,
m_savedText = '\0' <repeats 1000 times>, m_pszText = 0x0,
m_bmText = {0x0, 0x0}, m_szHelp = 0x0}, length = 0, pos = 0, nMode = 0,
bWrap = false}}, m_tos = 0,
m_growth = 10}, _vptr.CMenu = 0x64c240, m_props = {scWidth =
-1132760208, scHeight = 32767, x = -1132761392, y = 32767, xOffs =
-1132761086, yOffs = 32767, width = -1268312240,
height = 32527, w = 0, h = 0, aw = -1, tw = -1, th = 6599524, ty = 0,
twidth = 6599520, rightOffset = 0, nStringHeight = 0, bTinyMode = 0, nMenus
= -1132760552,
nOthers = 32767, nMaxNoScroll = 1, nMaxOnMenu = 11, nMaxDisplayable =
-1132759776, nScrollOffset = 32767, bIsScrollBox = 6718882, nDisplayMode =
0, bValid = 0}, m_nGroup = 0,
m_bStart = 1, m_nLastScrollCheck = 0, m_bRedraw = 0, m_bCloseBox = 0,
m_bDontRestore = 0, m_bAllText = 0, m_tEnter = 0, m_nChoice = -9, m_nKey =
0,
m_callback = 0x650a89 <__cxa_pure_virtual+2401841>}, m_nFirstItem =
6621728, m_nVisibleItems = 0, m_bPlayerMode = -1286987469, m_nLeft = 32527,
m_nTop = 32, m_nWidth = 0,
m_nHeight = 1929379840, m_xOffset = 0, m_yOffset = 0, m_nFileCount = 0,
m_filenames = {<CQuickSort<CFilename>> = {<No data fields>}, m_data =
{buffer = 0x0, null = {
m_buffer = '\0' <repeats 255 times>}, length = 0, pos = 0, nMode =
0, bWrap = false}}}
#8 0x000000000047b886 in MainMenu () at mainmenu.cpp:218
m = {<CStack<CMenuItem>> = {<CArray<CMenuItem>> =
{<CQuickSort<CMenuItem>> = {<No data fields>}, m_data = {buffer =
0xef37f48, null = {m_nType = 0, m_value = 0,
m_minValue = 0, m_maxValue = 0, m_group = 0, m_nTextLen = 0,
m_color = 0, m_nKey = 0, m_x = 0, m_y = 0, m_xSave = 0, m_ySave = 0, m_w =
0, m_h = 0, m_rightOffset = 0,
m_bRedraw = 0 '\0', m_bRebuild = 0 '\0', m_bNoScroll = 0 '\0',
m_bUnavailable = 0 '\0', m_bCentered = 0 '\0', m_text = '\0' <repeats 1000
times>,
m_savedText = '\0' <repeats 1000 times>, m_pszText = 0x0,
m_bmText = {0x0, 0x0}, m_szHelp = 0x0}, length = 25, pos = 0, nMode = 0,
bWrap = false}}, m_tos = 15,
m_growth = 10}, _vptr.CMenu = 0x64c500, m_props = {scWidth = 800,
scHeight = 600, x = 217, y = 82, xOffs = 247, yOffs = 112, width = -1,
height = -1, w = 366, h = 435, aw = 22,
tw = 0, th = 0, ty = 112, twidth = 0, rightOffset = 0, nStringHeight =
24, bTinyMode = 0, nMenus = 12, nOthers = 0, nMaxNoScroll = 3, nMaxOnMenu =
17, nMaxDisplayable = 15,
nScrollOffset = 3, bIsScrollBox = 0, nDisplayMode = 3, bValid = 1},
m_nGroup = 0, m_bStart = 0, m_nLastScrollCheck = -1, m_bRedraw = 1,
m_bCloseBox = 0, m_bDontRestore = 0,
m_bAllText = 0, m_tEnter = 0, m_nChoice = 4, m_nKey = 28, m_callback =
0x478f40 <AutoDemoMenuCheck(CMenu&, int&, int, int)>}
i = 4
nChoice = 4
#9 0x0000000000406b32 in MainLoop () at descent.cpp:449
No locals.
#10 0x00000000004086ab in main (argc=<value optimized out>, argv=<value
optimized out>) at descent.cpp:911
No locals.


Zombie Ryushu ( zombie_ryushu ) - 2009-07-10 11:14

5

Open

None

Nobody/Anonymous

None

None

Public


Comments

No follow-up comments have been posted.
