Description of problem:
When a UIL-based program calls MrmOpenHierarchyPerDisplay(), it is immediately aborted with a "*** buffer overflow detected ***" message. This happens with any of the UIL-based programs from demos/programs/ too. (Yes, one has to build them manually, since demos/ are cut off from the .rpm.)

Version-Release number of selected component (if applicable):
2.2.3-10

How reproducible:
Always

Steps to Reproduce:
1. Unpack and build the minimal test case attached below -- tar xfz mrm-test.tgz; cd mrm-test; make
2. Run it -- ./mrm

Actual results:
The program aborts with a "*** buffer overflow detected ***: ./mrm terminated" message.

Expected results:
The program should run and display a window with a single label.

Additional info:
Note 1: Interestingly, this bug is present ONLY in the FC4 rpm -- pristine 2.2.3 sources are okay. For example, if one builds the OpenMotif libraries from openMotif-2.2.3.tar.gz, contained in openmotif-2.2.3-10.src.rpm (./configure; make), and uses those libraries (LD_LIBRARY_PATH=.../openMotif-2.2.3/lib/Mrm/ ./mrm), then everything works as expected. And if one uses, in the same manner, libraries produced via "rpmbuild -ba", then the bug IS present.

Note 2: "diff" shows that NONE of the .rpm's patches touches lib/Mrm/. So, probably the buffer overflow is triggered as a side effect of some other patch, or is caused by different compile options.
Created attachment 117831: A test case
Created attachment 117833: A text "screenshot" of the abort
Question: can you make sure that your local openmotif build uses "-D_FORTIFY_SOURCE=2" as part of the CFLAGS? That is to compare apples to apples, e.g. enable buffer overflow checking as well in your local build.
This was a bug in the Motif code (patch below) It did XtNumber on a char pointer, which isn't allowed, XtNumber() is only allowed on static sized buffers not on dynamic sized ones. diff -u openMotif-2.2.3/lib/Mrm/MrmIheader.c~ openMotif-2.2.3/lib/Mrm/MrmIheader.c --- openMotif-2.2.3/lib/Mrm/MrmIheader.c~ 2005-08-22 10:13:49.712349972 +0200 +++ openMotif-2.2.3/lib/Mrm/MrmIheader.c 2005-08-22 10:13:49.712349972 +0200 @@ -228,9 +228,11 @@ { /* sscanf() may call ungetc(), which would write the XmConst string. */ - char buf[strlen(idb__database_version) + 1]; + char *buf; + buf = XtMalloc(strlen(idb__database_version) + 1); strcpy(buf, idb__database_version); sscanf(buf, "URM %d.%d", &db_major, &db_minor); + XtFree(buf); } if ((file_major > db_major) ||
woops wrong patch: --- openMotif-2.2.3/lib/Mrm/MrmIheader.c.org 2005-08-22 10:11:08.951763921 +0200 +++ openMotif-2.2.3/lib/Mrm/MrmIheader.c 2005-08-22 10:13:49.712349972 +0200 @@ -228,9 +228,11 @@ { /* sscanf() may call ungetc(), which would write the XmConst string. */ - char buf[XtNumber(idb__database_version) + 1]; + char *buf; + buf = XtMalloc(strlen(idb__database_version) + 1); strcpy(buf, idb__database_version); sscanf(buf, "URM %d.%d", &db_major, &db_minor); + XtFree(buf); } if ((file_major > db_major) ||
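Review bot: the sscanf() call in the new block still discards its return value, so if idb__database_version ever fails to match "URM %d.%d" the (file_major > db_major) comparison right after the block uses whatever db_major and db_minor held beforehand; check for a return of 2 before trusting them. The XtMalloc(strlen(...) + 1) and strcpy() pair could also be a single XtNewString(idb__database_version), which keeps the size computation and the copy in one place, and the existing comment would be a good spot to say why XtNumber() cannot be used on this pointer.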
Yes, patch at comment#5 cures the problem. I've filed a bug report to OpenMotif's Bugzilla too -- http://bugs.motifzone.net/show_bug.cgi?id=1304
*** Bug 167094 has been marked as a duplicate of this bug. ***
Fixed in:
FC3-updates in rpm openmotif-2.2.3-10.FC3.1
FC4-updates in rpm openmotif-2.2.3-10.FC4.1
rawhide in rpm openmotif-2.2.3-11
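The sizing mistake discussed in this report, as an added example that is not part of the original thread or the Motif sources: it shows what an XtNumber()-style sizeof division returns for a pointer versus an array, and a post-patch-shaped copy that also checks sscanf(). Assumptions: NUMBER_OF mirrors the sizeof division XtNumber() performs, malloc()/free() stand in for XtMalloc()/XtFree(), and the variable names and the "URM 1.2" string are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same sizeof division as Xt's XtNumber(): element count of a true array. */
#define NUMBER_OF(arr) (sizeof(arr) / sizeof((arr)[0]))

/* Constructed sample data; the names and the string are assumptions. */
static const char *version_ptr = "URM 1.2";   /* pointer, as in the bug */
static const char version_arr[] = "URM 1.2";  /* real array, for contrast */

/* On a pointer the macro yields sizeof(char *), not the string length.
 * Recent GCC and Clang warn about this via -Wsizeof-pointer-div. */
size_t count_via_pointer(void) { return NUMBER_OF(version_ptr); }

/* On an array it yields the element count, terminator included. */
size_t count_via_array(void) { return NUMBER_OF(version_arr); }

/* Would a pre-patch buffer of (pointer size + 1) bytes be too small for s? */
int prepatch_buffer_too_small(const char *s, size_t pointer_size)
{
    return pointer_size + 1 < strlen(s) + 1;
}

/* Post-patch shape: heap copy sized with strlen(), then parse.
 * Returns 0 on success, -1 if allocation or parsing fails. */
int parse_version(const char *s, int *out_major, int *out_minor)
{
    size_t need = strlen(s) + 1;
    char *buf = malloc(need);            /* stands in for XtMalloc() */
    int fields;

    if (buf == NULL)
        return -1;
    memcpy(buf, s, need);
    fields = sscanf(buf, "URM %d.%d", out_major, out_minor);
    free(buf);                           /* stands in for XtFree() */
    return fields == 2 ? 0 : -1;
}

int main(void)
{
    int db_major = 0, db_minor = 0;

    printf("macro on pointer: %zu, on array: %zu, needed: %zu\n",
           count_via_pointer(), count_via_array(), strlen(version_ptr) + 1);
    if (parse_version(version_ptr, &db_major, &db_minor) == 0)
        printf("parsed version %d.%d\n", db_major, db_minor);
    return 0;
}
```

With this sample string the pre-patch buffer is too small when pointers are 4 bytes and happens to fit when they are 8, so whether the fortified strcpy() aborts depends on the target's pointer width and the string's length.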