Bug 138743 - xmodmap segfault due to buffer overflow
Status: CLOSED DUPLICATE of bug 138458
Product: Fedora
Classification: Fedora
Component: xorg-x11
Hardware: i686 Linux
Priority: medium
Severity: high
Assigned To: X/OpenGL Maintenance List
David Lawrence
Reported: 2004-11-10 17:48 EST by Rob Mayoff
Modified: 2007-11-30 17:10 EST (History)
CC List: 1 user

Doc Type: Bug Fix
Last Closed: 2006-02-21 14:06:54 EST

Attachments: None
Description Rob Mayoff 2004-11-10 17:48:20 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.5.5 (KHTML, like Gecko) Safari/125.11

Description of problem:
xmodmap segfaults on some input, for example:

echo 'keycode 111 = Print' | xmodmap -

(Example stolen from freedesktop.org's bugzilla #1818.)  The problem is that the xorg-x11-6.8.1-xmodmap-overflows.patch introduces a buffer overflow in xmodmap's process_line function.  Specifically, the patch introduces these lines:

+    len = strlen(buffer);
+    cp = chk_malloc(len);
+    strcpy(cp, buffer);
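Review bot: `cp = chk_malloc(len);` is one byte short for the `strcpy()` that follows, because `strlen()` excludes the terminating NUL while `strcpy()` writes it, so the terminator lands one byte past the end of the allocation (the heap overflow that produces the segfault in the report). Allocate `len + 1`, and consider `memcpy(cp, buffer, len + 1)` in place of `strcpy()` so the copy length and the allocation size come from the same expression; an AddressSanitizer or valgrind run of `echo 'keycode 111 = Print' | xmodmap -` would flag this as a one-byte heap write past the block.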

This is a classic C buffer overflow: the program mallocs enough space for the characters in the string (buffer), but not for the NUL terminator, so the strcpy writes one byte past the end of the buffer.

These lines would solve the problem:

+    len = strlen(buffer);
+    cp = chk_malloc(len + 1);
+    strcpy(cp, buffer);
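Review bot: the `len + 1` sizing is correct. Since `len` is already computed, `memcpy(cp, buffer, len + 1)` would copy exactly the allocated size and avoid `strcpy()` rescanning the string for the terminator, which keeps the size and copy length visibly tied together for the next reader.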

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.  echo 'keycode 111 = Print' | xmodmap -
2.  ???
3.  Profit!

Actual Results:  Segmentation fault

Expected Results:  Not a segmentation fault.

Additional info:
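To make the off-by-one described above observable without undefined behaviour, here is an added example (not code from xmodmap or from the bug report): a constructed bump allocator over a static arena stands in for chk_malloc and places a canary byte after every block, the way heap redzones in AddressSanitizer or a hardened allocator do, so the short allocation from the original patch can be seen clobbering the byte past its end while the corrected sizing leaves it intact. The allocator, arena size and canary value are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for chk_malloc(): a bump allocator over a static
 * arena.  Each block is followed by one "redzone" byte set to CANARY, so a
 * one-byte overrun is detectable and still lands inside the arena. */
#define ARENA_SIZE 256
#define CANARY 0xA5

static unsigned char arena[ARENA_SIZE];
static size_t arena_used;

/* Returns a block of n bytes followed by a canary byte, or NULL if full. */
static char *redzone_malloc(size_t n)
{
    if (arena_used + n + 1 > ARENA_SIZE)
        return NULL;
    char *p = (char *)&arena[arena_used];
    arena[arena_used + n] = CANARY;  /* redzone right after the block */
    arena_used += n + 1;
    return p;
}

/* 1 if the canary after a block of n bytes at p is still intact. */
int redzone_intact(const char *p, size_t n)
{
    return (unsigned char)p[n] == CANARY;
}

/* Sizing from the original patch: room for the characters, not for the
 * terminating NUL that strcpy() also writes. */
char *copy_line_short(const char *buffer)
{
    size_t len = strlen(buffer);
    char *cp = redzone_malloc(len);       /* one byte too small */
    if (cp)
        strcpy(cp, buffer);               /* writes len + 1 bytes */
    return cp;
}

/* Corrected sizing: len + 1 covers the terminator, and memcpy copies
 * exactly the number of bytes that were allocated. */
char *copy_line_fixed(const char *buffer)
{
    size_t len = strlen(buffer);
    char *cp = redzone_malloc(len + 1);
    if (cp)
        memcpy(cp, buffer, len + 1);
    return cp;
}
```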
Comment 1 Kristian Høgsberg 2004-11-11 10:45:29 EST
Yikes, good catch, nice bug report, thanks.  I've applied your
suggested bug fix to our RPM, will be available in 6.8.1-13.

Comment 2 Mike A. Harris 2004-11-17 21:21:20 EST
Reopening to close as dupe of the bug I made the master dupe for this
issue, since it is frequently reported and it's nice to have all
dupes in one place.
Comment 3 Mike A. Harris 2004-11-17 21:22:22 EST

*** This bug has been marked as a duplicate of 138458 ***
Comment 4 Red Hat Bugzilla 2006-02-21 14:06:54 EST
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.
