#1040372 edenmath.app: Aborts with stack smashing when calculation result is large enough

Package: edenmath.app
Source: edenmath.app
Description: Scientific calculator for GNUstep
Submitter: Yavor Doganov
Date: 2026-06-01 06:05:02 UTC
Severity: normal

#1040372#5
Date: 2023-07-05 05:38:40 UTC

Type "40", then press the button "10^x" (second button from right to
left on the lowest row); EdenMath aborts with:
*** stack smashing detected *** terminated.

Backtrace:

Program received signal SIGABRT, Aborted.
__pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, 
    no_tid=no_tid@entry=0) at ./nptl/pthread_kill.c:44
44	./nptl/pthread_kill.c: Няма такъв файл или директория.
(gdb) bt
#0  __pthread_kill_implementation
    (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0)
    at ./nptl/pthread_kill.c:44
#1  0x00007ffff6ea815f in __pthread_kill_internal (signo=6, threadid=<optimized out>)
    at ./nptl/pthread_kill.c:78
#2  0x00007ffff6e5a472 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007ffff6e444b2 in __GI_abort () at ./stdlib/abort.c:79
#4  0x00007ffff6e451ed in __libc_message
    (fmt=fmt@entry=0x7ffff6fb7543 "*** %s ***: terminated\n")
    at ../sysdeps/posix/libc_fatal.c:150
#5  0x00007ffff6f362c5 in __GI___fortify_fail
    (msg=msg@entry=0x7ffff6fb752b "stack smashing detected")
    at ./debug/fortify_fail.c:24
#6  0x00007ffff6f362b0 in __stack_chk_fail () at ./debug/stack_chk_fail.c:24
#7  0x000055555555d0a6 in -[EMController updateDisplay]
    (self=<optimized out>, _cmd=<optimized out>) at ./EMController.m:227
#8  0x00007ffff7a5dabe in -[NSApplication sendAction:to:from:]
    (self=<optimized out>, _cmd=<optimized out>, aSelector=0x5555557edf20, aTarget=<optimized out>, sender=0x555556e18050) at ./Source/NSApplication.m:2273
#9  0x00007ffff7a8f313 in -[NSButton sendAction:to:]
    (self=0x555556e18050, _cmd=<optimized out>, theAction=0x5555557edf20, theTarget=0x555556e2ff30) at ./Source/NSButton.m:588
#10 0x00007ffff7a9b01d in -[NSCell trackMouse:inRect:ofView:untilMouseUp:]
    (self=self@entry=0x555556e1f690, _cmd=_cmd@entry=0x7ffff7da0d50 <_OBJC_SELECTOR_TABLE+1712>, theEvent=<optimized out>,
    theEvent@entry=0x555556e23a30, cellFrame=..., controlView=controlView@entry=0x555556e18050, flag=0 '\000') at ./Source/NSCell.m:1807
#11 0x00007ffff7abd56b in -[NSControl mouseDown:]
    (self=0x555556e18050, _cmd=<optimized out>, theEvent=<optimized out>)
    at ./Source/NSControl.m:931
#12 0x00007ffff7bfd354 in -[NSWindow sendEvent:]
    (self=0x5555568b4480, _cmd=<optimized out>, theEvent=0x555556e23a30)
    at ./Source/NSWindow.m:4154
#13 0x00007ffff7a63f5e in -[NSApplication run]
    (self=0x555555808a40, _cmd=<optimized out>) at ./Source/NSApplication.m:1585
#14 0x00007ffff7a43ec9 in NSApplicationMain
    (argc=<optimized out>, argv=<optimized out>) at ./Source/Functions.m:119
#15 0x00007ffff6e456ca in __libc_start_call_main
    (main=main@entry=0x55555555b1f0 <main>, argc=argc@entry=1, argv=argv@entry=0x7fffffffead8) at ../sysdeps/nptl/libc_start_call_main.h:58
#16 0x00007ffff6e45785 in __libc_start_main_impl
    (main=0x55555555b1f0 <main>, argc=1, argv=0x7fffffffead8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffeac8)
    at ../csu/libc-start.c:360
#17 0x000055555555b231 in _start ()

Cannot be reproduced when built with -fno-stack-protector.  I guess the
culprit is a buffer overflow in -[EMController updateDisplay] where
buffer size is limited to 32 bytes.

#1040372#10
Date: 2025-09-16 14:45:41 UTC

Hello,
attaching a debugger and stopping where the stack canary gets overwritten
confirms, at least I guess, there is an overflow with variable final_string.

Kind regards,
Bernhard



(rr) reverse-stepi

Hardware watchpoint 2: *0x7ffc73ff6138

Old value = 985413424
New value = 985413376
0x000055e811b99098 in -[EMController updateDisplay] (self=0x55e81a3d65a0, _cmd=<optimized out>) at ./EMController.m:212
212                     final_string[j] = c_string[j];
1: x/i $pc
=> 0x55e811b99098 <-[EMController updateDisplay]+696>:  mov    %al,(%rcx,%rdx,1)
(rr) x/1xg 0x7ffc73ff6138
0x7ffc73ff6138: 0x2d9b1b813abc3700
(rr) bt
#0  0x000055e811b99098 in -[EMController updateDisplay] (self=0x55e81a3d65a0, _cmd=<optimized out>) at ./EMController.m:212
#1  0x00007fa069e80072 in -[NSApplication sendAction:to:from:] (self=<optimized out>, _cmd=<optimized out>, aSelector=0x55e819290d10, aTarget=<optimized out>, sender=0x55e81a3c21d0) at ./Source/NSApplication.m:2277
#2  0x00007fa069eb3c95 in -[NSButton sendAction:to:] (self=0x55e81a3c21d0, _cmd=<optimized out>, theAction=0x55e819290d10, theTarget=0x55e81a3d65a0) at ./Source/NSButton.m:588
#3  0x00007fa069ebfcad in -[NSCell trackMouse:inRect:ofView:untilMouseUp:] (self=self@entry=0x55e81a3c97b0, _cmd=_cmd@entry=0x7fa06a1f48c0 <_OBJC_SELECTOR_TABLE+1728>, theEvent=<optimized out>, theEvent@entry=0x55e81a3bf8f0, cellFrame=..., controlView=controlView@entry=0x55e81a3c21d0, flag=0 '\000') at ./Source/NSCell.m:1807
#4  0x00007fa069ee945b in -[NSControl mouseDown:] (self=0x55e81a3c21d0, _cmd=<optimized out>, theEvent=<optimized out>) at ./Source/NSControl.m:932
#5  0x00007fa06a0380f6 in -[NSWindow sendEvent:] (self=0x55e8193d3120, _cmd=<optimized out>, theEvent=0x55e81a3bf8f0) at ./Source/NSWindow.m:4155
#6  0x00007fa069e8625e in -[NSApplication run] (self=0x55e819206c00, _cmd=<optimized out>) at ./Source/NSApplication.m:1588
#7  0x00007fa069e6608d in NSApplicationMain (argc=<optimized out>, argv=<optimized out>) at ./Source/Functions.m:119

(rr) print final_string
$1 = "10000000000000000303786028427003"
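
The overflow reported in the two messages above, as an added C example (not EdenMath's code and not the upstream fix): 10^40 in fixed notation needs 41 digits, which cannot fit the 32-byte buffer named in the report, so the formatter below checks the length snprintf reports and falls back to scientific notation. The "%.0f" rendering, the fallback format and the names DISPLAY_CAP, fixed_len and format_display are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Buffer size named in the report; everything else here is hypothetical. */
#define DISPLAY_CAP 32

/* Bytes (excluding the NUL) that fixed notation needs for v.
 * snprintf with a NULL buffer and size 0 only measures, it writes nothing. */
static int fixed_len(double v)
{
    return snprintf(NULL, 0, "%.0f", v);
}

/* Format v into dst[cap] without ever writing past cap.
 * Returns 0 if fixed notation fit, 1 if the scientific fallback was used,
 * -1 if neither fit. On success dst is always NUL-terminated. */
static int format_display(char *dst, size_t cap, double v)
{
    int n;

    if (dst == NULL || cap == 0)
        return -1;

    /* snprintf returns the length it *wanted* to write; n >= cap means
     * the output was truncated and must not be shown as if complete. */
    n = snprintf(dst, cap, "%.0f", v);
    if (n >= 0 && (size_t)n < cap)
        return 0;

    n = snprintf(dst, cap, "%.10e", v);
    if (n >= 0 && (size_t)n < cap)
        return 1;

    dst[0] = '\0';
    return -1;
}

int main(void)
{
    char buf[DISPLAY_CAP];
    int mode = format_display(buf, sizeof buf, 1e40);

    printf("fixed notation needs %d bytes + NUL, buffer holds %d\n",
           fixed_len(1e40), DISPLAY_CAP);
    printf("mode %d -> %s\n", mode, buf);
    return 0;
}
```

The first 32 digits of the fixed-notation rendering are the string the rr session prints for final_string, which is exactly one full buffer with no room left for the terminator.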

#1040372#17
Date: 2026-06-01 06:04:20 UTC

We believe that the bug you reported is fixed in the latest version of
edenmath.app, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1040372@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yavor Doganov <yavor@gnu.org> (supplier of updated edenmath.app package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 01 Jun 2026 07:42:05 +0300
Source: edenmath.app
Architecture: source
Version: 1.2.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian GNUstep maintainers <pkg-gnustep-maintainers@lists.alioth.debian.org>
Changed-By: Yavor Doganov <yavor@gnu.org>
Closes: 1040372
Changes:
 edenmath.app (1.2.2-1) unstable; urgency=medium
 .
   * New upstream release:
     + Fixes buffer overflow (Closes: #1040372).
   * debian/control (Build-Depends): Add xcode-tools.  Replace imagemagick
     with icnsutils.
     (Recommends): Remove helpviewer.app.
     (Homepage): Switch to the official one.
     (Description): Don't mention the GNUstep port; it's the original app.
     (Priority): Remove; redundant.
     (Standards-Version): Claim compliance with 4.7.4.
   * debian/rules (d_app): New variable.
     (DEB_OBJCFLAGS_MAINT_APPEND): Define to -Wno-unknown-pragmas.
     (override_dh_auto_build): Generate the makefile with buildtool.  Use
     icns2png to extract icon for the .desktop file.
     (override_dh_clean): Delete the generated files.
     (execute_before_dh_link): Put extracted icon in /usr/share/GNUstep.
     (override_dh_compress): Remove override.
     (execute_before_dh_fixperms): Remove executable bit for .icns and
     .strings files; convert the latter to UTF-8.
   * debian/patches/include-help.patch: Delete; no longer relevant.
   * debian/docs: Likewise.
   * debian/install: Remove icon entry.
   * debian/EdenMath.desktop: Amend icon location.
   * debian/EdenMath.1: Remove HelpViewer link.
   * debian/copyright: Use GitHub page as Source.  Remove Upstream-Contact;
     there's only a web form available.  Update copyright holders/years.
     Use the canonical URL instead of FSF's old postal address.
   * debian/watch: Upgrade to version 5; use new location.