Test case to illustrate bug in df_FindPixelLength in DataF.c in Motif
2.2.2.

To test:
        make
        setenv LANG en_US.UTF-8 (or another multibyte lang)
        Run dataf_bug in a debugger.
        Step into the call to XmDataFieldSetString.
        Step down into df_ValidateString.
        Step down into df_FindPixelLength.
        Watch how it stores a 0 at &tmp+1.

I didn''t readily find a way to reveal a visible program error,
but the bug can be seen with a debugger or through inspection.
The problem is that df_ValidateString allocates a single wchar_t tmp,
passes the address of tmp into df_FindPixelLength, then df_FindPixelLength
stores a 0 at &tmp + 1 in an attempt to terminate the wchar_t string.
I found this after finding a similar bug in PrintableString in TextF.c.

Code in df_ValidateString:

    	 } else {
--->	    wchar_t tmp;
    	    int num_conv;
    	    num_conv = mbtowc(&tmp, curr_str, XmTextF_max_char_size(tf));
--->        if (num_conv >= 0 && df_FindPixelLength(tf, (char*) &tmp,
1)) {
    	       for (j = 0; j < num_conv; j++) {
                  *temp_str = *curr_str;
                  temp_str++;
    		  curr_str++;
    		  i++; 
    		}

Code in df_FindPixelLength (string = &tmp, length = 1):

         wchar_t *wc_string = (wchar_t*)string;
    	 wchar_t wc_tmp = wc_string[length];
    	 char stack_cache[400], *tmp;
    	 int num_bytes, ret_len = 0;
    
--->	 wc_string[length] = 0L; <--- Stores the 0 outside tmp