Test case to illustrate bug in df_FindPixelLength in DataF.c in Motif 2.2.2.

To test:
  make
  setenv LANG en_US.UTF-8 (or another multibyte lang)
  Run dataf_bug in a debugger.
  Step into the call to XmDataFieldSetString.
  Step down into df_ValidateString.
  Step down into df_FindPixelLength.
  Watch how it stores a 0 at &tmp+1.

I didn't readily find a way to reveal a visible program error, but the bug can be seen with a debugger or through inspection.

The problem is that df_ValidateString allocates a single wchar_t tmp, passes the address of tmp into df_FindPixelLength, then df_FindPixelLength stores a 0 at &tmp + 1 in an attempt to terminate the wchar_t string.

I found this after finding a similar bug in PrintableString in TextF.c.

Code in df_ValidateString:

      } else {
--->      wchar_t tmp;
          int num_conv;

          num_conv = mbtowc(&tmp, curr_str, XmTextF_max_char_size(tf));
--->      if (num_conv >= 0 && df_FindPixelLength(tf, (char*) &tmp, 1)) {
              for (j = 0; j < num_conv; j++) {
                  *temp_str = *curr_str;
                  temp_str++;
                  curr_str++;
                  i++;
              }

Code in df_FindPixelLength (string = &tmp, length = 1):

      wchar_t *wc_string = (wchar_t*)string;
      wchar_t wc_tmp = wc_string[length];
      char stack_cache[400], *tmp;
      int num_bytes, ret_len = 0;

--->  wc_string[length] = 0L;    <--- Stores the 0 outside tmp
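The off-by-one write the report describes, as an added C illustration that is not the Motif source: find_length_checked is a stand-in for df_FindPixelLength with an assumed capacity argument, and the two callers mirror the original single-wchar_t tmp and a two-element fix (all names are hypothetical).

```c
#include <stdlib.h>
#include <wchar.h>

/*
 * Added example, not Motif code. find_length_checked() has the same shape
 * as df_FindPixelLength: it temporarily writes a terminator at
 * wc_string[length], so the caller must supply room for length + 1 wide
 * characters. It returns the measured character count (a stand-in for the
 * pixel width) or -1 when the caller's buffer cannot hold the terminator.
 * The 'capacity' argument is the check the Motif function lacks.
 */
int find_length_checked(wchar_t *wc_string, int length, int capacity)
{
    wchar_t saved;
    int count;

    if (length < 0 || capacity < length + 1)
        return -1;                 /* would write past the caller's buffer */

    saved = wc_string[length];     /* df_FindPixelLength saves wc_tmp the same way */
    wc_string[length] = L'\0';
    count = (int)wcslen(wc_string);
    wc_string[length] = saved;     /* restore the saved element afterwards */
    return count;
}

/* Same layout as df_ValidateString: a single wchar_t, so capacity is 1. */
int validate_char_original_shape(const char *curr_str)
{
    wchar_t tmp;
    int num_conv = mbtowc(&tmp, curr_str, MB_CUR_MAX);

    if (num_conv < 0)
        return -1;
    return find_length_checked(&tmp, 1, 1);  /* rejected: terminator would land at &tmp + 1 */
}

/* Fixed layout: a second element gives the terminator its own slot. */
int validate_char_fixed(const char *curr_str)
{
    wchar_t tmp[2];
    int num_conv = mbtowc(&tmp[0], curr_str, MB_CUR_MAX);

    if (num_conv < 0)
        return -1;
    return find_length_checked(tmp, 1, 2);   /* terminator fits in tmp[1] */
}
```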
Created attachment 100749: tar file containing test case
This has been reported to bugs.motifzone.net as bug # 1258.
Please have a look at
http://people.redhat.com/twoerner/SRPMS/3.0E/openmotif-2.2.3-2.RHEL3.src.rpm
http://people.redhat.com/twoerner/RPMS/3.0E/openmotif-2.2.3-2.RHEL3.i386.rpm
http://people.redhat.com/twoerner/RPMS/3.0E/openmotif-debuginfo-2.2.3-2.RHEL3.i386.rpm
http://people.redhat.com/twoerner/RPMS/3.0E/openmotif-devel-2.2.3-2.RHEL3.i386.rpm

This is the new OpenMotif 2.2.3 version with a patch for #124960 and #124961. If ICS gives the ok for these patches, this version will become the next update.
ICS gave the ok, here are the final packages, that will be in U3:
http://people.redhat.com/twoerner/SRPMS/3.0E/openmotif-2.2.3-3.RHEL3.src.rpm
http://people.redhat.com/twoerner/RPMS/3.0E/openmotif-2.2.3-3.RHEL3.i386.rpm
http://people.redhat.com/twoerner/RPMS/3.0E/openmotif-devel-2.2.3-3.RHEL3.i386.rpm

It has an additional patch for a popup timeout problem: #123027
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHBA-2004-243.html