
[XBoard-devel] Re: [Fwd: Re: [Bug-XBoard] Re: Winboard]


From: Tim Mann
Subject: [XBoard-devel] Re: [Fwd: Re: [Bug-XBoard] Re: Winboard]
Date: Thu, 4 Mar 2004 23:43:34 -0800

Sorry I didn't answer this.  My 4.2.7 WinBoard release is compiled with
cygwin, yes.  I didn't strip off debugging symbols, so that accounts for
some of the size.

The xboard/winboard code is very sloppy about buffer size checking, so
there could be lots of places where it crashes due to buffer overflows. 

Someone actually posted a stack smash that you can cause by giving too
long an option on the command line as a "vulnerability" to a security
mailing list, but it's pretty silly, since the program isn't privileged,
so you can't hurt anyone but yourself that way.  Buffer overflows from
engine (or worse, chess server) output are more serious.

On Sun, 08 Feb 2004 20:47:24 +0100, Daniel Mehrmann <address@hidden> wrote:
> 
> 
> Hi Tim,
> 
> I tried to reproduce Leo's crash with winboard. It wouldn't crash.
> But I saw that your official compiled wb 4.2.7 version size is 1.950kb.
> My 4.2.7 size from latest cvs tree, compiled with MSVS 6 (debug), is
> only 1420kb. Okay, we had some changes but that should not create a
> difference of 530kb. Are you using the cygwin windows gcc compiler for
> this job?
> 
> The point is that I try to find out why Leo has so many problems and if
> I try to reproduce it, it doesn't work. So, at the moment I have no idea
> what happened with Leo's version.
> 
> So in my despair I gave him my wb version, compiled with MSVS (current
> cvs tree) and hope it works now :((
> 
> Daniel
> 
> 
> 
> 
> - -------- Original Message --------
> Subject: Re: [Bug-XBoard] Re: Winboard
> Date: Sun, 08 Feb 2004 20:12:50 +0100
> From: Daniel Mehrmann <address@hidden>
> To: Leo Dijksman <address@hidden>
> References: <address@hidden>
> <address@hidden>
> <address@hidden> <address@hidden>
> <address@hidden>
> 
> Hi Leo,
> 
> Hmmm, I can't reproduce your crash. I tried it with and without 3-5
> EGTBs. But I see that Tim could be using the cygwin windows gcc compiler and
> I'm using Microsoft Visual Studio (MSVS). With MSVS I never had such
> problems as you. So, as a workaround, I would ask you to use my
> winboard version; it's the same version as the publicly known 4.2.7 except
> compiled with MSVS, which comes as an attachment. My next steps are to ask
> Tim about his compiler. You will hear from me in the next days.
> 
> Daniel
> 
> 
> 
> Leo Dijksman wrote:
> ~ > Hi Daniel,
> ~ >
> ~ > I have attached Amy 0.84 (complete), I hope you can find/fix
> ~ > the problem, yesterday I had some crashes again which were
> ~ > gone after the author at my request removed the (10) spaces
> ~ > at the beginning of his output lines to WinBoard! (this was not Amy!)
> ~ >
> ~ > Best wishes,
> ~ > Leo.
> ~ >
> ~ > Sign:
> ~ > If you get emails about wbec-ridderkerk please reply only to
> ~ > address@hidden
> ~ > This is because someone seems to send "WBEC Ridderkerk" messages around
> ~ > with a reply address which is very close to my "yahoo" email address!!
> ~ >
> ~ > ----- Original Message -----
> ~ > From: "Daniel Mehrmann" <address@hidden>
> ~ > To: "Leo Dijksman" <address@hidden>
> ~ > Sent: Sunday, February 08, 2004 12:50 AM
> ~ > Subject: Re: [Bug-XBoard] Re: Winboard
> ~ >
> ~ >
> ~ >
> | Leo Dijksman wrote:
> |
> | Hi Leo.
> | sorry for the late response.
> | Where can I get Amy 0.84? I want to analyze your problem now and can't find
> | a webpage. Or could you send me a windows version (0.84)?
> |
> | Thanks
> | Daniel
> |
> | | I have reproduced the 'problem' here with Amy v0.8.4 and WinBoard 4.2.7,
> | | it's reproducible with all older versions of Amy (not with v0.8.6 which
> | | is a "fix" to this (at my request Thorsten increased the maximum output
> | | of Amy)) and also with Waster and (very probably) Muriel, maybe more but
> | | I have not tested them.
> | |
> | | I have a debug file attached where I loaded one of the games of Amy 0.8.3
> | | where WinBoard crashed, after loading the game I set Amy to analyse and
> | | winboard gets into problems as soon as the long pv appears in the debugfile.
> | | From that moment WinBoard uses more than 50% of my CPU and then crashes
> | | after around 15 seconds.
> | |
> | | It's reproducible on both Win2000Pro and WinXP Pro, using WinBoard 4.2.7
> | | and all 3, 4 and 5 men egtbs (Nalimov), it happens in all cases when the
> | | pv sent by the engine is _too_ long!
> | |
> | | I hope this helps, if you need more info please let me know!
> | |
> | | Leo.
> | |
> | | ----- Original Message -----
> | | From: "Tim Mann" <address@hidden>
> | | To: "Leo Dijksman" <address@hidden>
> | | Cc: <address@hidden>; <address@hidden>
> | | Sent: Sunday, January 25, 2004 2:19 AM
> | | Subject: Re: Winboard
> | |
> | |>WinBoard 4.2.7 has a fix for one buffer overflow bug (contributed by
> | |>Daniel Mehrmann), but there are probably more still left.  I don't know
> | |>if anyone else has plans to work on buffer overflows, but I've copied
> | |>this message to address@hidden so that the other developers will be
> | |>aware of the issue too.
> | |>
> | |>If you can be more specific about exactly what engines cause the crashes
> | |>and when, that would help anyone who finds time to work on them.  A
> | |>WinBoard.debug file would help too.  Thanks.
> | |>
> | |>On Sun, 28 Dec 2003 23:58:12 +0100, "Leo Dijksman" <address@hidden> wrote:
> | |>
> | |>>Hello Tim,
> | |>>
> | |>>I have a question for you :)
> | |>>I have in the past taken some engines out of my wbec ridderkerk tourney
> | |>>because they 'crashed' Winboard, now I have again problems with one
> | |>>and it seems to have to do with point 353 on the todo list:
> | |>>================================================
> | |>>**353. WinBoard can crash when the engine outputs very long PV lines
> | |>>(or debug output that looks like a PV).  In particular, lines that
> | |>>start with 4 or more blanks following a "thinking" output line are
> | |>>treated as continuation lines, and get concatenated into a 512-byte
> | |>>buffer with no checking for overflow.  Generally we need a lot more
> | |>>care to avoid buffer overflows inside both xboard and WinBoard.
> | |>>[Note: changed the buffers to be 5120 bytes as a band-aid.]
> | |>>=================================================
> | |>>
> | |>>My question is whether this is something that can/will be fixed in
> | |>>Xboard/Winboard, or is it something the engine author has to change in
> | |>>his engine? If it will be done in XB/WB, can/will you put it high on the
> | |>>todo list please?
> | |>>
> | |>>I think, but I am not sure, that I run into that 'problem' earlier than
> | |>>other users because of the pretty long time control on fast computers
> | |>>and also have ponder=on?
> | |>>
> | |>>Thanks in advance for any answer,
> | |>>
> | |>>Leo Dijksman.
> | |>>
> | |>
> | |>--
> | |>Tim Mann  address@hidden  http://tim-mann.org/
> | |
> | --
> | Daniel Mehrmann
> 
> - --
> Daniel Mehrmann
> 
> 


-- 
Tim Mann  address@hidden  http://tim-mann.org/
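Todo item 353 quoted in the thread (continuation lines with 4 or more leading blanks after a "thinking" line appended into a 512-byte buffer with no overflow check) is the engine-output case Tim calls the serious one. The following is an added example, not xboard/WinBoard code, of a bounded accumulator for exactly that case; the digit-based thinking-line test, the blank-prefix continuation test and all function names are assumptions made for the illustration.

```c
#include <ctype.h>
#include <string.h>

#define PV_BUF_SIZE 512   /* buffer size quoted in todo item 353 */

typedef struct {
    char buf[PV_BUF_SIZE];   /* thinking line plus its continuation lines */
    size_t len;
    int in_thinking;         /* last absorbed line belonged to a PV */
    int overflowed;          /* an overlong line was rejected */
} pv_acc;

void pv_init(pv_acc *a) { memset(a, 0, sizeof *a); }
/* Thinking output is "<ply> <score> <time> <nodes> <pv...>", so it starts with
   a digit (assumed simplification of the real protocol check). */
static int is_thinking_line(const char *line) { return isdigit((unsigned char)line[0]) != 0; }
/* Continuation heuristic from todo item 353: 4 or more leading blanks. */
static int is_continuation(const char *line) { return strncmp(line, "    ", 4) == 0; }
/* Bounded append in place of an unchecked strcat: a line that does not fit with its NUL is refused. */
static int pv_append(pv_acc *a, const char *text) {
    size_t n = strlen(text);
    if (n >= PV_BUF_SIZE - a->len) { a->overflowed = 1; return 0; }
    memcpy(a->buf + a->len, text, n + 1);
    a->len += n;
    return 1;
}

/* Feed one engine output line. Returns 1 if it was absorbed into the PV
   buffer, 0 if it is not PV output or was rejected as too long. */
int pv_feed_line(pv_acc *a, const char *line) {
    if (is_thinking_line(line)) {          /* new PV: start over */
        a->len = 0; a->buf[0] = '\0'; a->overflowed = 0; a->in_thinking = 1;
        return pv_append(a, line);
    }
    if (a->in_thinking && is_continuation(line))
        return pv_append(a, line);         /* kept verbatim, blanks included */
    a->in_thinking = 0;                    /* anything else ends the PV */
    return 0;
}

/* Replays the crash scenario with a constructed 700-byte continuation line; returns 1 if rejected. */
int pv_overlong_rejected(void) {
    pv_acc a; char line[701];
    pv_init(&a);
    pv_feed_line(&a, "9 156 1084 48000 Nf3 Nc6 Bb5");
    memset(line, ' ', 4); memset(line + 4, 'x', 696); line[700] = '\0';
    return pv_feed_line(&a, line) == 0 && a.overflowed &&
           strcmp(a.buf, "9 156 1084 48000 Nf3 Nc6 Bb5") == 0;
}
```

The band-aid mentioned in the todo item (a 5120-byte buffer) only moves the limit; the length check in pv_append is what removes the overflow regardless of PV_BUF_SIZE.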



