Bug 166144

Summary: "*** buffer overflow detected ***" abort in MrmOpenHierarchyPerDisplay()
Product: Fedora
Reporter: Dmitry Bolkhovityanov <d.yu.bolkhovityanov>
Component: openmotif
Assignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA
Severity: high
Priority: medium
Version: 4
CC: beccuti
Hardware: i686
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-09-02 16:17:48 UTC
Attachments:
  A test case (flags: none)
  A text "screenshot" of the abort (flags: none)

Description Dmitry Bolkhovityanov 2005-08-17 11:59:35 UTC
Description of problem:
When a UIL-based program calls MrmOpenHierarchyPerDisplay(), it is immediately
aborted with a "*** buffer overflow detected ***" message.
This happens with any of the UIL-based programs from demos/programs/ too. (Yes, one
has to build them manually, since demos/ are cut off from the .rpm.)

Version-Release number of selected component (if applicable):
2.2.3-10

How reproducible:
Always

Steps to Reproduce:
1. Unpack and build the minimal test case attached below -- tar xfz
mrm-test.tgz; cd mrm-test; make
2. Run it -- ./mrm
  
Actual results:
The program aborts with "*** buffer overflow detected ***: ./mrm terminated"
message.

Expected results:
The program should run and display a window with a single label.

Additional info:
Note 1:
Interestingly, this bug is present ONLY in the FC4 rpm -- pristine 2.2.3 sources are
okay.
For example, if one builds the OpenMotif libraries from openMotif-2.2.3.tar.gz,
contained in openmotif-2.2.3-10.src.rpm (./configure; make), and uses those
libraries (LD_LIBRARY_PATH=.../openMotif-2.2.3/lib/Mrm/ ./mrm), then everything
works as expected.
And if libraries produced via "rpmbuild -ba" are used in the same manner, then
the bug IS present.

Note 2:
"diff" shows that NONE of the .rpm's patches touches lib/Mrm/.
So probably the buffer overflow is triggered as a side effect of some other
patch, or is caused by different compile options.

Comment 1 Dmitry Bolkhovityanov 2005-08-17 11:59:36 UTC
Created attachment 117831 [details]
A test case

Comment 2 Dmitry Bolkhovityanov 2005-08-17 12:06:45 UTC
Created attachment 117833 [details]
A text "screenshot" of the abort

Comment 3 Arjan van de Ven 2005-08-22 07:50:46 UTC
Question: can you make sure that your local openmotif build uses
"-D_FORTIFY_SOURCE=2" as part of the CFLAGS? That is, to compare apples to
apples, i.e. enable buffer overflow checking in your local build as well.

Comment 4 Arjan van de Ven 2005-08-22 08:13:49 UTC
This was a bug in the Motif code (patch below).
It did XtNumber on a char pointer, which isn't allowed; XtNumber() is only
allowed on statically sized buffers, not on dynamically sized ones.

diff -u openMotif-2.2.3/lib/Mrm/MrmIheader.c~ openMotif-2.2.3/lib/Mrm/MrmIheader.c
--- openMotif-2.2.3/lib/Mrm/MrmIheader.c~       2005-08-22 10:13:49.712349972 +0200
+++ openMotif-2.2.3/lib/Mrm/MrmIheader.c        2005-08-22 10:13:49.712349972 +0200
@@ -228,9 +228,11 @@

   {
     /* sscanf() may call ungetc(), which would write the XmConst string. */
-    char buf[strlen(idb__database_version) + 1];
+    char *buf;
+    buf = XtMalloc(strlen(idb__database_version) + 1);
     strcpy(buf, idb__database_version);
     sscanf(buf, "URM %d.%d", &db_major, &db_minor);
+    XtFree(buf);
   }

   if ((file_major > db_major) ||
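Review bot: the removed line in this hunk, `char buf[strlen(idb__database_version) + 1];`, already sizes the buffer by the string's length, so as shown the hunk does not remove the XtNumber() misuse described above; the `+` lines only move an already correctly sized stack buffer to the heap. The header also diffs MrmIheader.c~ against MrmIheader.c with identical timestamps, so the base appears to be an editor backup rather than the pristine source. Regenerate the diff against the original file so the `-` line shows the XtNumber() expression being replaced.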


Comment 5 Arjan van de Ven 2005-08-22 08:15:03 UTC
Whoops, wrong patch:

--- openMotif-2.2.3/lib/Mrm/MrmIheader.c.org    2005-08-22 10:11:08.951763921 +0200
+++ openMotif-2.2.3/lib/Mrm/MrmIheader.c        2005-08-22 10:13:49.712349972 +0200
@@ -228,9 +228,11 @@

   {
     /* sscanf() may call ungetc(), which would write the XmConst string. */
-    char buf[XtNumber(idb__database_version) + 1];
+    char *buf;
+    buf = XtMalloc(strlen(idb__database_version) + 1);
     strcpy(buf, idb__database_version);
     sscanf(buf, "URM %d.%d", &db_major, &db_minor);
+    XtFree(buf);
   }

   if ((file_major > db_major) ||
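Review bot: the removed line is the actual defect: `XtNumber(idb__database_version)` applied to a char pointer expands to sizeof(char *) / sizeof(char), so buf was a fixed 5 bytes on the reporter's i686 regardless of the version string, and the strcpy() on the next line overran it; the _FORTIFY_SOURCE=2 strcpy check reports exactly that as "*** buffer overflow detected ***". Sizing the heap buffer with strlen() + 1 matches what strcpy() writes, and XtFree(buf) is reached on the only path out of the block, so the fix is sound. Two minor points: XtNewString(idb__database_version) would replace the XtMalloc()/strcpy() pair with a single call, and sscanf()'s return value is still unchecked, so a string that does not match "URM %d.%d" leaves db_major/db_minor unassigned by this block.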


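As an added illustration of the mechanism Arjan describes in comment 4 and the repair in comment 5 (example code written for this page, not from the OpenMotif sources or the Fedora package): the XtNumber macro is reproduced verbatim from X11/Intrinsic.h, the version string is a constructed stand-in for libMrm's idb__database_version, and malloc()/free() take the place of XtMalloc()/XtFree() so the program builds without the Xt headers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* XtNumber as X11/Intrinsic.h defines it, replicated so this builds
 * without the Xt headers. It is only meaningful on a real array: on a
 * pointer, sizeof(arr) is the pointer width, not the string length. */
#define XtNumber(arr) ((unsigned int)(sizeof(arr) / sizeof(arr[0])))

/* Constructed stand-in for libMrm's idb__database_version string; the
 * real contents are whatever the Mrm build embeds. It is a pointer,
 * which is what made XtNumber() in the old code wrong. */
static const char *idb__database_version = "URM 2.1";

/* The same text as a genuine array, to contrast what XtNumber() does. */
static const char version_as_array[] = "URM 2.1";

/* Size the removed line in comment 5 computed: sizeof(char *) / sizeof(char)
 * + 1, i.e. 5 bytes on the reporter's i686, whatever the string holds. */
size_t buggy_buf_size(void) {
  return XtNumber(idb__database_version) + 1;
}

/* XtNumber() on a real array counts its elements, NUL included. */
size_t array_buf_size(void) {
  return XtNumber(version_as_array) + 1;
}

/* Size the fix computes: exactly the bytes strcpy() will write. */
size_t fixed_buf_size(void) {
  return strlen(idb__database_version) + 1;
}

/* Does a strcpy() of the version string fit in bufsize bytes? When it
 * does not, the FORTIFY_SOURCE=2 strcpy check is what produced the
 * "*** buffer overflow detected ***" abort in the report. */
int copy_fits(size_t bufsize) {
  return strlen(idb__database_version) + 1 <= bufsize;
}

/* The repaired block from comment 5, with malloc()/free() standing in for
 * XtMalloc()/XtFree(). Returns 1 only when both numbers were parsed. */
int parse_db_version(const char *version, int *db_major, int *db_minor) {
  char *buf = malloc(strlen(version) + 1);
  if (buf == NULL)        /* XtMalloc() reports an error and exits instead */
    return 0;
  strcpy(buf, version);   /* fits by construction now */
  int n = sscanf(buf, "URM %d.%d", db_major, db_minor);
  free(buf);
  return n == 2;
}

/* Helpers for checking: parsed major/minor of s, or -1 when parsing fails. */
int parsed_major(const char *s) {
  int major = -1, minor = -1;
  return parse_db_version(s, &major, &minor) ? major : -1;
}
int parsed_minor(const char *s) {
  int major = -1, minor = -1;
  return parse_db_version(s, &major, &minor) ? minor : -1;
}

int main(void) {
  printf("XtNumber on pointer: %zu bytes, on array: %zu, strlen()+1: %zu\n",
         buggy_buf_size(), array_buf_size(), fixed_buf_size());
  printf("copy fits in the old 5-byte i686 buffer: %s\n",
         copy_fits(4 + 1) ? "yes" : "no");
  printf("parsed URM %d.%d\n", parsed_major(idb__database_version),
         parsed_minor(idb__database_version));
  return 0;
}
```

The buggy sizing is a compile-time constant (the pointer width plus one), which is why building with -O2 -D_FORTIFY_SOURCE=2, as comment 3 implies the Fedora rpm build does, turns the silent overrun into the abort: the fortified strcpy() can see the destination size and compare it with the copy. Sizing by strlen() + 1, as the comment 5 patch does, removes the mismatch rather than hiding it.
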
Comment 6 Dmitry Bolkhovityanov 2005-08-22 08:49:00 UTC
Yes, the patch at comment #5 cures the problem.
I've filed a bug report in OpenMotif's Bugzilla too --
http://bugs.motifzone.net/show_bug.cgi?id=1304

Comment 7 Thomas Woerner 2005-09-02 15:18:44 UTC
*** Bug 167094 has been marked as a duplicate of this bug. ***

Comment 8 Thomas Woerner 2005-09-02 16:17:48 UTC
Fixed in 

FC3-updates in rpm openmotif-2.2.3-10.FC3.1
FC4-updates in rpm openmotif-2.2.3-10.FC4.1
rawhide in rpm openmotif-2.2.3-11