cuneiform crash due to buffer overflow

Bug #996309 reported by buguldey
This bug affects 4 people
Affects: cuneiform (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

I ran ocrfeeder with the cuneiform backend and scanned a few images. Then I looked at the terminal; there was a trace log.

*** buffer overflow detected ***: /usr/bin/cuneiform terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x45)[0xb753fdd5]
/lib/i386-linux-gnu/libc.so.6(+0xfebaa)[0xb753ebaa]
/usr/lib/i386-linux-gnu/cuneiform/libfon32.so.0(+0x22269)[0xb6abc269]
/usr/lib/i386-linux-gnu/cuneiform/libfon32.so.0(+0x224ec)[0xb6abc4ec]
/usr/lib/i386-linux-gnu/cuneiform/libfon32.so.0(FONRecog2Glue+0x1e0)[0xb6aa8580]
/usr/lib/i386-linux-gnu/cuneiform/libpass2.so.0(+0x5ea6)[0xb6a45ea6]
/usr/lib/i386-linux-gnu/cuneiform/libpass2.so.0(+0x60e7)[0xb6a460e7]
/usr/lib/i386-linux-gnu/cuneiform/libpass2.so.0(+0x93e7)[0xb6a493e7]
/usr/lib/i386-linux-gnu/cuneiform/libpass2.so.0(p2_proc+0xadf)[0xb6a4a14f]
/usr/lib/i386-linux-gnu/cuneiform/librstr.so.0(+0x9b68b)[0xb709068b]
/usr/lib/i386-linux-gnu/cuneiform/librstr.so.0(RSTRRecognizeMain+0x21c)[0xb70a3bbc]
/usr/lib/i386-linux-gnu/cuneiform/librstr.so.0(RSTRRecognize+0x2e)[0xb70a413e]
/usr/lib/i386-linux-gnu/cuneiform/librstr.so.0(RSTR_Recog+0x23)[0xb70a41a3]
/usr/lib/i386-linux-gnu/libcuneiform.so.0(+0xb304)[0xb7759304]
/usr/lib/i386-linux-gnu/libcuneiform.so.0(PUMA_XFinalRecognition+0xfc)[0xb775aeac]
/usr/bin/cuneiform[0x804a309]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb74594d3]
/usr/bin/cuneiform[0x804a641]

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: cuneiform 1.1.0+dfsg-2
ProcVersionSignature: Ubuntu 3.2.0-24.37-generic-pae 3.2.14
Uname: Linux 3.2.0-24-generic-pae i686
NonfreeKernelModules: nvidia
ApportVersion: 2.0.1-0ubuntu7
Architecture: i386
Date: Tue May 8 12:23:52 2012
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release i386 (20120423)
ProcEnviron:
 LANGUAGE=ru:en
 TERM=xterm
 PATH=(custom, user)
 LANG=ru_RU.UTF-8
 SHELL=/bin/bash
SourcePackage: cuneiform
UpgradeStatus: No upgrade log present (probably fresh install)

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in cuneiform (Ubuntu):
status: New → Confirmed
Jeffrey Ratcliffe (jeffreyratcliffe) wrote :

Here's my core dump, plus the image that caused it.

$ cuneiform -l eng -f hocr -o hocr.txt "/home/jeff/Desktop/test images/Word list (French)_page0002_2R.tif"
Cuneiform for Linux 1.1.0
*** buffer overflow detected ***: cuneiform terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x65)[0xb74bd065]
/lib/i386-linux-gnu/libc.so.6(+0x102e1a)[0xb74bbe1a]
/usr/lib/i386-linux-gnu/cuneiform/libfon32.so.0(+0x221ab)[0xb6a281ab]
/usr/lib/i386-linux-gnu/cuneiform/libfon32.so.0(+0x223e4)[0xb6a283e4]
/usr/lib/i386-linux-gnu/cuneiform/libfon32.so.0(FONRecog2Glue+0x1d2)[0xb6a143b2]
/usr/lib/i386-linux-gnu/cuneiform/libpass2.so.0(+0x5e7a)[0xb69b1e7a]
/usr/lib/i386-linux-gnu/cuneiform/libpass2.so.0(+0x61fa)[0xb69b21fa]
/usr/lib/i386-linux-gnu/cuneiform/libpass2.so.0(+0x928c)[0xb69b528c]
/usr/lib/i386-linux-gnu/cuneiform/libpass2.so.0(p2_proc+0xa5f)[0xb69b60ef]
/usr/lib/i386-linux-gnu/cuneiform/librstr.so.0(+0x9af2f)[0xb7009f2f]
/usr/lib/i386-linux-gnu/cuneiform/librstr.so.0(RSTRRecognizeMain+0x21c)[0xb701c8ec]
/usr/lib/i386-linux-gnu/cuneiform/librstr.so.0(RSTRRecognize+0x2e)[0xb701ce5e]
/usr/lib/i386-linux-gnu/cuneiform/librstr.so.0(RSTR_Recog+0x23)[0xb701cec3]
/usr/lib/i386-linux-gnu/libcuneiform.so.0(+0xb4b4)[0xb76db4b4]
/usr/lib/i386-linux-gnu/libcuneiform.so.0(PUMA_XFinalRecognition+0xfc)[0xb76dd08c]
cuneiform[0x804a379]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb73d24d3]
cuneiform[0x804a691]

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cuneiform - 1.1.0+dfsg-6

---------------
cuneiform (1.1.0+dfsg-6) unstable; urgency=medium

  [ Andreas Beckmann ]
  * QA upload.
  * Incorporate changes from Ubuntu.
  * gcc-6.patch: New, fix more FTBFS issues with GCC 6.
  * typos.patch: New, fix typos.

  [ Bhavani Shankar ]
  * Fix double FTBFS with unsigned char and GCC 6. (LP: #791305)
    (Closes: #787207, #837360)
  * Incorporate patch to fix buffer overflow during crash. Thanks
    Sławomir Nizio. Hopefully fix (LP: #978183), (LP: #593409), (LP: #791864),
    (LP: #996309). (Closes: #781354)

 -- Andreas Beckmann <email address hidden> Sun, 23 Apr 2017 14:02:07 +0200

Changed in cuneiform (Ubuntu):
status: Confirmed → Fix Released
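
Added example, not part of the original report or of cuneiform: a small triage script that parses the glibc `*** buffer overflow detected ***` backtrace format seen in the two comments above and reduces each trace to its first non-libc frame and a build-independent signature, showing that both reports hit the same path in libfon32. The frame lines are the top five from each backtrace in this report; the function names are hypothetical.

```python
import os
import re

# Top five frames of each backtrace, copied from the two comments in this report.
REPORT_A = """\
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x45)[0xb753fdd5]
/lib/i386-linux-gnu/libc.so.6(+0xfebaa)[0xb753ebaa]
/usr/lib/i386-linux-gnu/cuneiform/libfon32.so.0(+0x22269)[0xb6abc269]
/usr/lib/i386-linux-gnu/cuneiform/libfon32.so.0(+0x224ec)[0xb6abc4ec]
/usr/lib/i386-linux-gnu/cuneiform/libfon32.so.0(FONRecog2Glue+0x1e0)[0xb6aa8580]
"""
REPORT_B = """\
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x65)[0xb74bd065]
/lib/i386-linux-gnu/libc.so.6(+0x102e1a)[0xb74bbe1a]
/usr/lib/i386-linux-gnu/cuneiform/libfon32.so.0(+0x221ab)[0xb6a281ab]
/usr/lib/i386-linux-gnu/cuneiform/libfon32.so.0(+0x223e4)[0xb6a283e4]
/usr/lib/i386-linux-gnu/cuneiform/libfon32.so.0(FONRecog2Glue+0x1d2)[0xb6a143b2]
"""

# module(symbol+0xoffset)[0xaddress]; symbol may be empty, the (...) part absent.
FRAME = re.compile(
    r"^(?P<mod>[^(\[\s]+)(?:\((?P<sym>[^+)]*)(?:\+(?P<off>0x[0-9a-f]+))?\))?"
    r"\[(?P<addr>0x[0-9a-f]+)\]$")

def parse_frames(text):
    """Return one dict per backtrace line; non-frame lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            frames.append({"module": os.path.basename(m["mod"]),
                           "symbol": m["sym"] or None,
                           "offset": m["off"]})
    return frames

def faulting_frame(frames):
    """First frame outside libc: the code whose fortified libc call failed.
    Its module and offset are the inputs for addr2line with debug symbols."""
    return next((f for f in frames if not f["module"].startswith("libc.so")), None)

def signature(frames):
    """Named non-libc frames only; raw offsets differ between package builds."""
    return tuple((f["module"], f["symbol"]) for f in frames
                 if f["symbol"] and not f["module"].startswith("libc.so"))

if __name__ == "__main__":
    for name, text in (("A", REPORT_A), ("B", REPORT_B)):
        frames = parse_frames(text)
        print(name, faulting_frame(frames), signature(frames))
```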