Bug 124961 - XmDataField: data out-of-bounds bug in df_FindPixelLength
Summary: XmDataField: data out-of-bounds bug in df_FindPixelLength
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: openmotif
Version: 3.0
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: 116727
TreeView+ depends on / blocked
 
Reported: 2004-06-01 16:40 UTC by Brad Despres
Modified: 2007-11-30 22:07 UTC (History)
1 user (show)

(edit)
Clone Of:
(edit)
Last Closed: 2004-06-08 16:11:43 UTC


Attachments (Terms of Use)
tar file containing test case (20.00 KB, application/octet-stream)
2004-06-01 16:41 UTC, Brad Despres
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2004:243 normal SHIPPED_LIVE Updated OpenMotif packages fix several bugs 2004-09-01 04:00:00 UTC

Description Brad Despres 2004-06-01 16:40:51 UTC
Test case to illustrate bug in df_FindPixelLength in DataF.c in Motif
2.2.2.

To test:
        make
        setenv LANG en_US.UTF-8 (or another multibyte lang)
        Run dataf_bug in a debugger.
        Step into the call to XmDataFieldSetString.
        Step down into df_ValidateString.
        Step down into df_FindPixelLength.
        Watch how it stores a 0 at &tmp+1.

I didn''t readily find a way to reveal a visible program error,
but the bug can be seen with a debugger or through inspection.
The problem is that df_ValidateString allocates a single wchar_t tmp,
passes the address of tmp into df_FindPixelLength, then df_FindPixelLength
stores a 0 at &tmp + 1 in an attempt to terminate the wchar_t string.
I found this after finding a similar bug in PrintableString in TextF.c.

Code in df_ValidateString:

    	 } else {
--->	    wchar_t tmp;
    	    int num_conv;
    	    num_conv = mbtowc(&tmp, curr_str, XmTextF_max_char_size(tf));
--->        if (num_conv >= 0 && df_FindPixelLength(tf, (char*) &tmp,
1)) {
    	       for (j = 0; j < num_conv; j++) {
                  *temp_str = *curr_str;
                  temp_str++;
    		  curr_str++;
    		  i++; 
    		}

Code in df_FindPixelLength (string = &tmp, length = 1):

         wchar_t *wc_string = (wchar_t*)string;
    	 wchar_t wc_tmp = wc_string[length];
    	 char stack_cache[400], *tmp;
    	 int num_bytes, ret_len = 0;
    
--->	 wc_string[length] = 0L; <--- Stores the 0 outside tmp

Comment 1 Brad Despres 2004-06-01 16:41:48 UTC
Created attachment 100749 [details]
tar file containing test case

Comment 2 Brad Despres 2004-06-01 16:43:05 UTC
This has been reported to bugs.motifzone.net as bug # 1258.

Comment 3 Thomas Woerner 2004-06-03 14:45:26 UTC
Please have a look at

http://people.redhat.com/twoerner/SRPMS/3.0E/openmotif-2.2.3-2.RHEL3.src.rpm
http://people.redhat.com/twoerner/RPMS/3.0E/openmotif-2.2.3-2.RHEL3.i386.rpm
http://people.redhat.com/twoerner/RPMS/3.0E/openmotif-debuginfo-2.2.3-2.RHEL3.i386.rpm
http://people.redhat.com/twoerner/RPMS/3.0E/openmotif-devel-2.2.3-2.RHEL3.i386.rpm

This is the new OpenMotif 2.2.3 version with a patch for #124960 and
#124961. If ICS gives the ok for these patches, this version will
become the next update.


Comment 4 Thomas Woerner 2004-06-08 16:11:43 UTC
ICS gave the ok, here are the final packages, that will be in U3:

http://people.redhat.com/twoerner/SRPMS/3.0E/openmotif-2.2.3-3.RHEL3.src.rpm
http://people.redhat.com/twoerner/RPMS/3.0E/openmotif-2.2.3-3.RHEL3.i386.rpm
http://people.redhat.com/twoerner/RPMS/3.0E/openmotif-devel-2.2.3-3.RHEL3.i386.rpm

It has an additional patch for a popup timeout problem: #123027

Comment 5 Jay Turner 2004-09-02 02:21:38 UTC
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2004-243.html



Note You need to log in before you can comment on or make changes to this bug.