Bug 124961 - XmDataField: data out-of-bounds bug in df_FindPixelLength
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: openmotif
Version: 3.0
Platform: i386 Linux
Priority: medium
Severity: medium
Assigned To: Thomas Woerner
Blocks: 116727
Reported: 2004-06-01 12:40 EDT by Brad Despres
Modified: 2007-11-30 17:07 EST
Last Closed: 2004-06-08 12:11:43 EDT
Doc Type: Bug Fix

Attachments:
tar file containing test case (20.00 KB, application/octet-stream), 2004-06-01 12:41 EDT, Brad Despres

Description Brad Despres 2004-06-01 12:40:51 EDT
Test case to illustrate bug in df_FindPixelLength in DataF.c in Motif
2.2.2.

To test:
        make
        setenv LANG en_US.UTF-8 (or another multibyte lang)
        Run dataf_bug in a debugger.
        Step into the call to XmDataFieldSetString.
        Step down into df_ValidateString.
        Step down into df_FindPixelLength.
        Watch how it stores a 0 at &tmp+1.

I didn't readily find a way to reveal a visible program error,
but the bug can be seen with a debugger or through inspection.
The problem is that df_ValidateString allocates a single wchar_t tmp,
passes the address of tmp into df_FindPixelLength, then df_FindPixelLength
stores a 0 at &tmp + 1 in an attempt to terminate the wchar_t string.
I found this after finding a similar bug in PrintableString in TextF.c.

Code in df_ValidateString:

         } else {
--->        wchar_t tmp;
            int num_conv;
            num_conv = mbtowc(&tmp, curr_str, XmTextF_max_char_size(tf));
--->        if (num_conv >= 0 && df_FindPixelLength(tf, (char*) &tmp, 1)) {
               for (j = 0; j < num_conv; j++) {
                  *temp_str = *curr_str;
                  temp_str++;
                  curr_str++;
                  i++;
               }

Code in df_FindPixelLength (string = &tmp, length = 1):

         wchar_t *wc_string = (wchar_t*)string;
         wchar_t wc_tmp = wc_string[length];
         char stack_cache[400], *tmp;
         int num_bytes, ret_len = 0;

--->     wc_string[length] = 0L; <--- Stores the 0 outside tmp
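As an added illustration (not the Motif sources and not the patch shipped in the packages below; all function names are hypothetical), the one-slot buffer pattern from the description beside a version that sizes the buffer for the terminator and checks the index before the store:

```c
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

/* Mirrors the df_FindPixelLength habit from the report: terminate the
 * caller's buffer in place by writing wc_string[length] = 0 without
 * knowing the buffer's size. With string == &tmp and length == 1 the
 * store lands one wchar_t past tmp. Safe only if the caller has room. */
static size_t find_length_unchecked(wchar_t *wc_string, size_t length)
{
    wchar_t saved = wc_string[length];  /* reads past the data */
    wc_string[length] = 0L;             /* the out-of-bounds store */
    size_t n = wcslen(wc_string);
    wc_string[length] = saved;
    return n;
}

/* Bounds-checked form (hypothetical fix, not the Motif patch): the caller
 * passes the buffer capacity and the terminator is written only when
 * index `length` is inside the buffer. Returns (size_t)-1 otherwise. */
static size_t find_length_checked(wchar_t *wc_string, size_t capacity,
                                  size_t length)
{
    if (length >= capacity)   /* no slot left for the terminator */
        return (size_t)-1;
    wchar_t saved = wc_string[length];
    wc_string[length] = 0L;
    size_t n = wcslen(wc_string);
    wc_string[length] = saved;
    return n;
}

/* Caller modelled on the df_ValidateString fragment: convert one multibyte
 * character into tmp. The fix is to size tmp for the terminator (two
 * wchar_t instead of one) and pass that capacity down. */
static size_t validate_one_char(const char *curr_str, int max_char_size)
{
    wchar_t tmp[2] = {0, 0};   /* was: wchar_t tmp; no room for the 0 */
    int num_conv = mbtowc(&tmp[0], curr_str, (size_t)max_char_size);
    if (num_conv < 0)
        return (size_t)-1;
    return find_length_checked(tmp, 2, 1);
}

int main(void)
{
    printf("length of 'a': %zu\n", validate_one_char("a", 4));
    return 0;
}
```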
Comment 1 Brad Despres 2004-06-01 12:41:48 EDT
Created attachment 100749 [details]
tar file containing test case
Comment 2 Brad Despres 2004-06-01 12:43:05 EDT
This has been reported to bugs.motifzone.net as bug # 1258.
Comment 3 Thomas Woerner 2004-06-03 10:45:26 EDT
Please have a look at

http://people.redhat.com/twoerner/SRPMS/3.0E/openmotif-2.2.3-2.RHEL3.src.rpm
http://people.redhat.com/twoerner/RPMS/3.0E/openmotif-2.2.3-2.RHEL3.i386.rpm
http://people.redhat.com/twoerner/RPMS/3.0E/openmotif-debuginfo-2.2.3-2.RHEL3.i386.rpm
http://people.redhat.com/twoerner/RPMS/3.0E/openmotif-devel-2.2.3-2.RHEL3.i386.rpm

This is the new OpenMotif 2.2.3 version with a patch for #124960 and
#124961. If ICS gives the ok for these patches, this version will
become the next update.
Comment 4 Thomas Woerner 2004-06-08 12:11:43 EDT
ICS gave the ok, here are the final packages, that will be in U3:

http://people.redhat.com/twoerner/SRPMS/3.0E/openmotif-2.2.3-3.RHEL3.src.rpm
http://people.redhat.com/twoerner/RPMS/3.0E/openmotif-2.2.3-3.RHEL3.i386.rpm
http://people.redhat.com/twoerner/RPMS/3.0E/openmotif-devel-2.2.3-3.RHEL3.i386.rpm

It has an additional patch for a popup timeout problem: #123027
Comment 5 Jay Turner 2004-09-01 22:21:38 EDT
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2004-243.html
