Bug 138743 - xmodmap segfault due to buffer overflow
Status: CLOSED DUPLICATE of bug 138458
Alias: None
Product: Fedora
Classification: Fedora
Component: xorg-x11
Version: 3
Hardware: i686
OS: Linux
Target Milestone: ---
Assignee: X/OpenGL Maintenance List
QA Contact: David Lawrence
Depends On:
Reported: 2004-11-10 22:48 UTC by Rob Mayoff
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-02-21 19:06:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Rob Mayoff 2004-11-10 22:48:20 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.5.5 (KHTML, 
like Gecko) Safari/125.11

Description of problem:
xmodmap segfaults on some input, for example:

echo 'keycode 111 = Print' | xmodmap -

(Example stolen from freedesktop.org's bugzilla #1818.)  The problem is that the
xorg-x11-6.8.1-xmodmap-overflows.patch introduces a buffer overflow in xmodmap's
process_line function.  Specifically, the patch introduces these lines:

+    len = strlen(buffer);
+    cp = chk_malloc(len);
+    strcpy(cp, buffer);
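Review bot: the second line, `cp = chk_malloc(len);`, allocates exactly strlen(buffer) bytes, but `strcpy(cp, buffer)` on the third line writes len + 1 bytes because it always copies the terminating NUL, so the terminator lands one byte past the end of the allocation. Allocate `len + 1`, or replace the three lines with a single `strdup(buffer)` and keep whatever NULL-return handling `chk_malloc` provides.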

This is a classic C buffer overflow: the program mallocs enough space for the characters in 
the string (buffer), but not for the NUL terminator, so the strcpy writes one byte past the 
end of the buffer.

These lines would solve the problem:

+    len = strlen(buffer);
+    cp = chk_malloc(len + 1);
+    strcpy(cp, buffer);
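Review bot: with `chk_malloc(len + 1)` the allocation now matches the len + 1 bytes that `strcpy` writes, so the off-by-one is gone. Since `len` is computed only for the allocation here, `memcpy(cp, buffer, len + 1)` would copy the same bytes without a second scan of the string, but that is a style point, not a correctness one.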

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.  echo 'keycode 111 = Print' | xmodmap -
2.  ???
3.  Profit!

Actual Results:  Segmentation fault

Expected Results:  Not a segmentation fault.

Additional info:

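The off-by-one described in the report, as an added example that is not part of the bug or of xmodmap's source. Real chk_malloc is modelled by a hypothetical guarded_malloc that places a sentinel byte immediately past each allocation, so the stray NUL written by strcpy can be observed deterministically rather than by corrupting a neighbouring heap chunk; the input line is constructed from the report's reproducer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sentinel written immediately past every allocation so that a one-byte
 * overrun becomes observable. Hypothetical stand-in for xmodmap's chk_malloc. */
#define GUARD_BYTE 0xA5

/* guarded_malloc(n): hand out n usable bytes plus one hidden guard byte at
 * index n. The guard byte belongs to this allocation, so overwriting it here
 * is well defined; in the real program that byte belongs to the allocator's
 * bookkeeping or to the next chunk. */
static unsigned char *guarded_malloc(size_t n)
{
    unsigned char *p = malloc(n + 1);
    if (p == NULL) {
        perror("malloc");
        exit(EXIT_FAILURE);
    }
    p[n] = GUARD_BYTE;
    return p;
}

static int guard_intact(const unsigned char *p, size_t n)
{
    return p[n] == GUARD_BYTE;
}

/* Mirrors the three lines quoted from xorg-x11-6.8.1-xmodmap-overflows.patch:
 * allocate strlen(buffer) bytes, then strcpy, which writes strlen + 1 bytes.
 * Returns 1 if the copy ran past its allocation, 0 otherwise. */
int copy_as_patched_overflows(const char *buffer)
{
    size_t len = strlen(buffer);
    unsigned char *cp = guarded_malloc(len);      /* room for len bytes only    */
    strcpy((char *)cp, buffer);                   /* writes len + 1 bytes       */
    int overflowed = !guard_intact(cp, len);      /* the NUL clobbered cp[len]  */
    free(cp);
    return overflowed;
}

/* The corrected version from the report: len + 1 accounts for the terminator. */
int copy_fixed_overflows(const char *buffer)
{
    size_t len = strlen(buffer);
    unsigned char *cp = guarded_malloc(len + 1);
    strcpy((char *)cp, buffer);
    int overflowed = !guard_intact(cp, len + 1);
    free(cp);
    return overflowed;
}

/* Confirms the fixed copy is also a faithful duplicate of the input. */
int copy_fixed_matches(const char *buffer)
{
    size_t len = strlen(buffer);
    char *cp = (char *)guarded_malloc(len + 1);
    strcpy(cp, buffer);
    int same = strcmp(cp, buffer) == 0;
    free(cp);
    return same;
}

int main(void)
{
    /* Constructed input: the line from the report's reproducer, as xmodmap reads it. */
    const char *line = "keycode 111 = Print";
    printf("as patched: overflow=%d\n", copy_as_patched_overflows(line));
    printf("fixed:      overflow=%d match=%d\n",
           copy_fixed_overflows(line), copy_fixed_matches(line));
    /* Edge case: an empty line still overflows, since strcpy writes the NUL
     * into a zero-byte allocation. */
    printf("empty line: as patched overflow=%d, fixed overflow=%d\n",
           copy_as_patched_overflows(""), copy_fixed_overflows(""));
    return 0;
}
```

The guard byte makes the overrun visible for every input, including the empty line, where the patched code asks for zero bytes and then writes one. Without such a guard the single NUL lands in whatever follows the chunk, which is why the crash the report describes depends on heap layout rather than on the input length.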
Comment 1 Kristian Høgsberg 2004-11-11 15:45:29 UTC
Yikes, good catch, nice bug report, thanks.  I've applied your
suggested bug fix to our RPM, will be available in 6.8.1-13.


Comment 2 Mike A. Harris 2004-11-18 02:21:20 UTC
Reopening to close as dupe of the bug I made the master dupe for this
issue, since it is frequently reported and it's nice to have all
dupes in one place.

Comment 3 Mike A. Harris 2004-11-18 02:22:22 UTC

*** This bug has been marked as a duplicate of 138458 ***

Comment 4 Red Hat Bugzilla 2006-02-21 19:06:54 UTC
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.
