Buffer overflow with gcc optimization -O1 or higher

Bug #609482 reported by mark
This bug affects 7 people
Affects: Cuneiform for Linux; Status: Confirmed; Importance: Undecided; Assigned to: Unassigned

Bug Description

If cuneiform-linux 1.0.0 is compiled with gcc (Gentoo 4.4.4-r1 p1.0, pie-0.4.5) 4.4.4 using CFLAGS/CXXFLAGS -march=athlon64-sse3 -O1 -pipe (or -O2), there is a buffer overflow problem with the attached file, which contains two columns, the first column in German and the second one in English, if cuneiform is invoked with "-l ger". If this option is omitted, there is no overflow.

Cuneiform for Linux 1.0.0
*** buffer overflow detected ***: cuneiform terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7f1ce0e1f197]
/lib/libc.so.6(+0xe4ff0)[0x7f1ce0e1cff0]
/usr/lib/libfon32.so.1.0.0(+0x1f191)[0x7f1ce31ac191]
/usr/lib/libfon32.so.1.0.0(+0x1f77c)[0x7f1ce31ac77c]
/usr/lib/libfon32.so.1.0.0(FONRecog2Glue+0x19a)[0x7f1ce319c9cd]
/usr/lib/libpass2.so.1.0.0(+0x7130)[0x7f1ce3c8e130]
/usr/lib/libpass2.so.1.0.0(+0x743b)[0x7f1ce3c8e43b]
/usr/lib/libpass2.so.1.0.0(+0x9503)[0x7f1ce3c90503]
/usr/lib/libpass2.so.1.0.0(p2_proc+0x8fd)[0x7f1ce3c917a9]
/usr/lib/librstr.so.1.0.0(+0x8b51b)[0x7f1ce435d51b]
/usr/lib/librstr.so.1.0.0(RSTRRecognizeMain+0x376)[0x7f1ce436e2d3]
/usr/lib/librstr.so.1.0.0(RSTRRecognize+0x19)[0x7f1ce436eb66]
/usr/lib/librstr.so.1.0.0(RSTR_Recog+0x9)[0x7f1ce436eba2]
/usr/lib/libcuneiform.so.1.0.0(+0xd43c)[0x7f1ce7e6343c]
/usr/lib/libcuneiform.so.1.0.0(PUMA_XFinalRecognition+0x9b)[0x7f1ce7e64620]
cuneiform[0x4048dd]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7f1ce0d56bbd]
cuneiform[0x4035f9]
======= Memory map: ========
Abgebrochen
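As an added illustration (not cuneiform's code; the buffer behind the __fortify_fail frame is not shown in this report), the C below shows why the check fires only at -O1 or higher: glibc's _FORTIFY_SOURCE, which Gentoo's patched gcc passes by default, is gated on __OPTIMIZE__, so at -O0 an overflow of this kind is not absent, only undetected. NAME_LEN and the input strings are assumed, constructed values.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a fixed-size buffer; the real cuneiform
 * buffer and its size are not known from this report. */
#define NAME_LEN 16

/* Unchecked pattern.  Built with -O1 (or higher) and -D_FORTIFY_SOURCE=2,
 * gcc learns sizeof(buf) via __builtin_object_size and lowers strcpy to
 * __strcpy_chk, which aborts with "*** buffer overflow detected ***"
 * once strlen(src) >= NAME_LEN.  At -O0 features.h never enables the
 * fortify level (it checks __OPTIMIZE__), so the same input silently
 * overwrites the stack instead. */
size_t unchecked_copy(const char *src)
{
    char buf[NAME_LEN];
    strcpy(buf, src);          /* overflows when strlen(src) >= NAME_LEN */
    return strlen(buf);
}

/* Hardened form: refuses input that does not fit (NUL included) and
 * reports it to the caller instead of relying on the compiler check. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return -1;             /* would not fit: caller decides, no abort */
    memcpy(dst, src, n + 1);   /* copies the terminating NUL as well */
    return (int)n;
}

/* Applies bounded_copy to a NAME_LEN buffer; returns copied length or -1. */
int store_name(const char *src)
{
    char buf[NAME_LEN];
    return bounded_copy(buf, sizeof buf, src);
}

int main(void)
{
    /* Constructed inputs: 15 bytes fit, 16 bytes do not. */
    printf("fits    : %d\n", store_name("123456789012345"));   /* 15 */
    printf("too long: %d\n", store_name("1234567890123456"));  /* -1 */
    /* unchecked_copy("1234567890123456") reproduces the abort under
     * -O1 -D_FORTIFY_SOURCE=2; it is deliberately not called here. */
    return 0;
}
```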

mark (mark-tvk) wrote :
Jussi Pakkanen (jpakkane) wrote :

Happens on OSX too.

Changed in cuneiform-linux:
status: New → Confirmed
Harald Glatt (hachre) wrote :

Yeah, I can also confirm this bug on Ubuntu Linux.

Guiodic (Guido Iodice) (guido-iodice) wrote :

I confirm:

Cuneiform for Linux 1.0.0
*** buffer overflow detected ***: cuneiform terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x50)[0x9f1390]
/lib/tls/i686/cmov/libc.so.6(+0xe12ca)[0x9f02ca]
/usr/lib/cuneiform/libfon32.so.1.0.0(+0x2299b)[0x4d599b]
/usr/lib/cuneiform/libfon32.so.1.0.0(+0x231c4)[0x4d61c4]
/usr/lib/cuneiform/libfon32.so.1.0.0(FONRecog2Glue+0x217)[0x4c1397]
/usr/lib/cuneiform/libpass2.so.1.0.0(+0x64d8)[0xb9e4d8]
/usr/lib/cuneiform/libpass2.so.1.0.0(+0x67fa)[0xb9e7fa]
/usr/lib/cuneiform/libpass2.so.1.0.0(+0x955d)[0xba155d]
/usr/lib/cuneiform/libpass2.so.1.0.0(p2_proc+0xb4c)[0xba2d5c]
/usr/lib/cuneiform/librstr.so.1.0.0(+0xa5329)[0xff5329]
/usr/lib/cuneiform/librstr.so.1.0.0(RSTRRecognizeMain+0x237)[0x1009077]
/usr/lib/cuneiform/librstr.so.1.0.0(RSTRRecognize+0x2c)[0x1009e1c]
/usr/lib/cuneiform/librstr.so.1.0.0(RSTR_Recog+0x24)[0x1009e84]
/usr/lib/cuneiform/libcuneiform.so.1.0.0(+0xc310)[0x422310]
/usr/lib/cuneiform/libcuneiform.so.1.0.0(PUMA_XFinalRecognition+0xf3)[0x423c73]
cuneiform[0x804b83b]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0x925bd6]
cuneiform[0x804a6e1]
======= Memory map: ========


antoine Barbeyer (abartravail) wrote :

Error with command: cuneiform -l fra -o 003.notes.txt 003.notes.bmp

Cuneiform for Linux 1.0.0
*** buffer overflow detected ***: cuneiform terminated

Works with command: cuneiform -o 003.notes.txt 003.notes.bmp

barna (daniel-barna) wrote :

Hi,
I am playing with cuneiform now, to OCR PDF documents: convert PDF pages to PPM, run cuneiform on the PPM file, etc. I also observed this buffer overflow problem. My experience is that if I decrease the resolution of the PPM file, the problem disappears. Try down-converting the resolution of your image file.

mark (mark-tvk) wrote :

I scaled the attached file down to 75% and cuneiform did not crash this time.
But I don't know if this result is comparable, as I had to change the mode to grayscale (or else I got "Magick: invalid colormap index `Zu_den_Stücken_scal.png' @ error/image.c/SyncImage/3934") and I now use gcc (Gentoo 4.5.2 p1.0, pie-0.4.5) 4.5.2.
But nonetheless it seems to be a workaround.
