Bug 138743

Summary: xmodmap segfault due to buffer overflow
Product: [Fedora] Fedora
Reporter: Rob Mayoff <redhat>
Component: xorg-x11
Assignee: X/OpenGL Maintenance List <xgl-maint>
Status: CLOSED DUPLICATE
QA Contact: David Lawrence <dkl>
Severity: high
Priority: medium
Version: 3
CC: richardl
Hardware: i686
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-02-21 19:06:54 UTC

Description Rob Mayoff 2004-11-10 22:48:20 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.5.5 (KHTML, like Gecko) Safari/125.11

Description of problem:
xmodmap segfaults on some input, for example:

echo 'keycode 111 = Print' | xmodmap -

(Example stolen from freedesktop.org's bugzilla #1818.)  The problem is that the xorg-x11-6.8.1-xmodmap-overflows.patch introduces a buffer overflow in xmodmap's process_line function.  Specifically, the patch introduces these lines:

+    len = strlen(buffer);
+    cp = chk_malloc(len);
+    strcpy(cp, buffer);
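Review bot: the allocation on the `cp = chk_malloc(len);` line is one byte short, since `strlen(buffer)` does not count the NUL terminator and the following `strcpy(cp, buffer);` copies it anyway, writing one byte past the end of the block. Allocate `len + 1` bytes.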

This is a classic C buffer overflow: the program mallocs enough space for the characters in the string (buffer), but not for the NUL terminator, so the strcpy writes one byte past the end of the buffer.

These lines would solve the problem:

+    len = strlen(buffer);
+    cp = chk_malloc(len + 1);
+    strcpy(cp, buffer);
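Review bot: with `cp = chk_malloc(len + 1);` the block is now sized for the characters plus the terminator, so the `strcpy(cp, buffer);` that follows stays in bounds. Since `len` is already computed, `memcpy(cp, buffer, len + 1)` would make the size relationship between the allocation and the copy explicit on the page, but `strcpy` is correct here.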



Version-Release number of selected component (if applicable):
xorg-x11-6.8.1-12

How reproducible:
Always

Steps to Reproduce:
1.  echo 'keycode 111 = Print' | xmodmap -
2.  ???
3.  Profit!


Actual Results:  Segmentation fault

Expected Results:  Not a segmentation fault.


Additional info:
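
The off-by-one described above, shown as an added example rather than xmodmap's or the patch's own code. It assumes a small stand-in for xmodmap's `chk_malloc` (abort on allocation failure) and uses hypothetical helper names (`copy_size_needed`, `copy_line_bounded`, `dup_line`); the sample line is the one from the report. The bounded copy refuses a destination of `strlen(src)` bytes, which is exactly the size the original patch allocated, and accepts `strlen(src) + 1`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for xmodmap's checked allocator (assumption: abort on failure). */
static void *chk_malloc(size_t n) {
    void *p = malloc(n);
    if (p == NULL) {
        perror("malloc");
        exit(EXIT_FAILURE);
    }
    return p;
}

/* Bytes a heap copy of `s` needs: every character plus the NUL terminator.
 * This is the quantity the original patch got wrong (it used strlen alone). */
size_t copy_size_needed(const char *s) {
    return strlen(s) + 1;
}

/* Bounded copy that refuses instead of overflowing.
 * Returns 0 on success, -1 if `dstsize` cannot hold `src` and its terminator.
 * With dstsize == strlen(src) (the buggy allocation size) it returns -1;
 * with strlen(src) + 1 it succeeds. */
int copy_line_bounded(char *dst, size_t dstsize, const char *src) {
    size_t len = strlen(src);
    if (dstsize < len + 1)
        return -1;
    memcpy(dst, src, len + 1);   /* len + 1 copies the terminator too */
    return 0;
}

/* Correctly sized equivalent of the patched lines: allocate len + 1, then copy. */
char *dup_line(const char *buffer) {
    size_t len = strlen(buffer);
    char *cp = chk_malloc(len + 1);
    memcpy(cp, buffer, len + 1);
    return cp;
}

int main(void) {
    /* Constructed sample input: the line from the bug report. */
    const char *line = "keycode 111 = Print";
    char small[sizeof "keycode 111 = Print" - 1];   /* strlen(line) bytes: the buggy size */
    char ok[sizeof "keycode 111 = Print"];          /* strlen(line) + 1 bytes */

    printf("need %zu bytes\n", copy_size_needed(line));
    printf("copy into %zu bytes: %d\n", sizeof small,
           copy_line_bounded(small, sizeof small, line));
    printf("copy into %zu bytes: %d\n", sizeof ok,
           copy_line_bounded(ok, sizeof ok, line));

    char *cp = dup_line(line);
    printf("dup: %s\n", cp);
    free(cp);
    return 0;
}
```

The check in `copy_line_bounded` is the one the patch lacked: the destination must hold `len + 1` bytes, not `len`, before the terminator is written.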

Comment 1 Kristian Høgsberg 2004-11-11 15:45:29 UTC
Yikes, good catch, nice bug report, thanks.  I've applied your
suggested bug fix to our RPM, will be available in 6.8.1-13.

cheers,
Kristian

Comment 2 Mike A. Harris 2004-11-18 02:21:20 UTC
Reopening to close as dupe of the bug I made the master dupe for this
issue, since it is frequently reported and it's nice to have all
dupes in one place.


Comment 3 Mike A. Harris 2004-11-18 02:22:22 UTC

*** This bug has been marked as a duplicate of 138458 ***

Comment 4 Red Hat Bugzilla 2006-02-21 19:06:54 UTC
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.