Bug 166144 - "*** buffer overflow detected ***" abort in MrmOpenHierarchyPerDisplay()
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: openmotif
Version: 4
Hardware: i686 Linux
Priority: medium
Severity: high
Assigned To: Thomas Woerner
Duplicates: 167094
Reported: 2005-08-17 07:59 EDT by Dmitry Bolkhovityanov
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2005-09-02 12:17:48 EDT

Attachments
A test case (1.14 KB, application/x-tar-gz), 2005-08-17 07:59 EDT, Dmitry Bolkhovityanov
A text "screenshot" of the abort (4.03 KB, text/plain), 2005-08-17 08:06 EDT, Dmitry Bolkhovityanov

Description Dmitry Bolkhovityanov 2005-08-17 07:59:35 EDT
Description of problem:
When a UIL-based program calls MrmOpenHierarchyPerDisplay(), it is immediately
aborted with "*** buffer overflow detected ***" message.
This happens with any of the UIL-based programs from demos/programs/ too. (Yes, one
has to build them manually, since demos/ are cut off from the .rpm.)

Version-Release number of selected component (if applicable):
2.2.3-10

How reproducible:
Always

Steps to Reproduce:
1. Unpack and build the minimal test case attached below -- tar xfz
mrm-test.tgz; cd mrm-test; make
2. Run it -- ./mrm
  
Actual results:
The program aborts with "*** buffer overflow detected ***: ./mrm terminated"
message.

Expected results:
The program should run and display a window with a single label.

Additional info:
Note 1:
Interestingly, this bug is present ONLY in FC4 rpm -- pristine 2.2.3 sources are
okay.
For example, if one builds the OpenMotif libraries from openMotif-2.2.3.tar.gz,
contained in openmotif-2.2.3-10.src.rpm (./configure; make), and uses those
libraries (LD_LIBRARY_PATH=.../openMotif-2.2.3/lib/Mrm/ ./mrm), then everything
works as expected.
And if, in the same manner, one uses the libraries produced via "rpmbuild -ba", then
the bug IS present.

Note 2:
"diff" shows that NONE of .rpm's patches touches lib/Mrm/.
So, probably the buffer overflow is triggered as a side effect of some other
patch, or is caused by different compile options.
Comment 1 Dmitry Bolkhovityanov 2005-08-17 07:59:36 EDT
Created attachment 117831 [details]
A test case
Comment 2 Dmitry Bolkhovityanov 2005-08-17 08:06:45 EDT
Created attachment 117833 [details]
A text "screenshot" of the abort
Comment 3 Arjan van de Ven 2005-08-22 03:50:46 EDT
Question: can you make sure that your local openmotif build uses
"-D_FORTIFY_SOURCE=2" as part of the CFLAGS? That is to compare apples to
apples, e.g. enable buffer overflow checking in your local build as well.
Comment 4 Arjan van de Ven 2005-08-22 04:13:49 EDT
This was a bug in the Motif code (patch below).
It did XtNumber on a char pointer, which isn't allowed; XtNumber() is only
allowed on statically sized buffers, not on dynamically sized ones.

diff -u openMotif-2.2.3/lib/Mrm/MrmIheader.c~ openMotif-2.2.3/lib/Mrm/MrmIheader.c
--- openMotif-2.2.3/lib/Mrm/MrmIheader.c~       2005-08-22 10:13:49.712349972 +0200
+++ openMotif-2.2.3/lib/Mrm/MrmIheader.c        2005-08-22 10:13:49.712349972 +0200
@@ -228,9 +228,11 @@

   {
     /* sscanf() may call ungetc(), which would write the XmConst string. */
-    char buf[strlen(idb__database_version) + 1];
+    char *buf;
+    buf = XtMalloc(strlen(idb__database_version) + 1);
     strcpy(buf, idb__database_version);
     sscanf(buf, "URM %d.%d", &db_major, &db_minor);
+    XtFree(buf);
   }

   if ((file_major > db_major) ||
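Review bot: the removed line in this hunk already reads `char buf[strlen(idb__database_version) + 1];`, a correctly sized VLA, so the hunk does not show the XtNumber() misuse described in the comment above it; both file headers carry the identical timestamp 2005-08-22 10:13:49, which suggests the diff was taken against the already-edited `MrmIheader.c~` backup rather than the original source. The patch should be regenerated against the unmodified file.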
Comment 5 Arjan van de Ven 2005-08-22 04:15:03 EDT
Whoops, wrong patch:

--- openMotif-2.2.3/lib/Mrm/MrmIheader.c.org    2005-08-22 10:11:08.951763921 +0200
+++ openMotif-2.2.3/lib/Mrm/MrmIheader.c        2005-08-22 10:13:49.712349972 +0200
@@ -228,9 +228,11 @@

   {
     /* sscanf() may call ungetc(), which would write the XmConst string. */
-    char buf[XtNumber(idb__database_version) + 1];
+    char *buf;
+    buf = XtMalloc(strlen(idb__database_version) + 1);
     strcpy(buf, idb__database_version);
     sscanf(buf, "URM %d.%d", &db_major, &db_minor);
+    XtFree(buf);
   }

   if ((file_major > db_major) ||
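Review bot: the removed line sizes the stack buffer with `XtNumber(idb__database_version)`, which for a `char *` expands to `sizeof(char *)/sizeof(char)` (4 on the i686 host in this report), so `strcpy()` writes past a 5-byte buffer whenever the version string is longer; that is exactly what `-D_FORTIFY_SOURCE=2` flags. Replacing it with `XtMalloc(strlen(idb__database_version) + 1)` is the right fix, and XtMalloc() reports allocation failure through the Xt error handler rather than returning NULL, so no NULL check is needed before `strcpy`. One further point on the unchanged line `sscanf(buf, "URM %d.%d", &db_major, &db_minor);`: its return value is not checked, so if the version string does not match the format, `db_major` and `db_minor` keep whatever values they held when the `file_major > db_major` comparison runs; consider testing that `sscanf` returned 2.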
Comment 6 Dmitry Bolkhovityanov 2005-08-22 04:49:00 EDT
Yes, patch at comment#5 cures the problem.
I've filed a bug report to OpenMotif's Bugzilla too --
http://bugs.motifzone.net/show_bug.cgi?id=1304
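An added example, not code from this bug or from OpenMotif, showing why XtNumber() on a char pointer yields the wrong size (the defect comment 4 describes) and the strlen()-based allocation that comment 5's fix uses; MY_XtNumber is assumed to mirror Xt's sizeof-based macro, and the version string is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for Xt's XtNumber(): element count of a statically sized array.
 * Assumption: mirrors the sizeof-based macro in <X11/Intrinsic.h>. */
#define MY_XtNumber(arr) ((unsigned)(sizeof(arr) / sizeof((arr)[0])))

/* Constructed stand-in for idb__database_version, which is a char pointer. */
static const char *const version_string = "URM 2.1";

/* XtNumber() applied to a pointer: sizeof(char *) / sizeof(char),
 * i.e. 4 on i686 and 8 on x86_64, unrelated to the string's length. */
unsigned number_of_pointer(void) {
    const char *p = version_string;
    return MY_XtNumber(p);
}

/* XtNumber() applied to a real array: the element count, NUL included. */
unsigned number_of_array(void) {
    static const char arr[] = "URM 2.1";
    return MY_XtNumber(arr);
}

/* The size the fix actually needs: strlen() + 1 for the terminating NUL. */
size_t needed_size(const char *s) { return strlen(s) + 1; }

/* The fixed pattern from comment 5: heap-allocate strlen+1 bytes, copy,
 * parse, free.  Returns major*1000+minor, or -1 if sscanf did not match
 * both fields (the original code never checks sscanf's return value). */
int version_packed(const char *s) {
    int major = 0, minor = 0;
    char *buf = malloc(strlen(s) + 1);   /* XtMalloc() in the real fix */
    if (buf == NULL) return -1;
    strcpy(buf, s);                      /* fits: buffer is strlen+1 bytes */
    int n = sscanf(buf, "URM %d.%d", &major, &minor);
    free(buf);                           /* XtFree() in the real fix */
    return (n == 2) ? major * 1000 + minor : -1;
}

int main(void) {
    printf("XtNumber(pointer)=%u  XtNumber(array)=%u  strlen+1=%zu\n",
           number_of_pointer(), number_of_array(), needed_size(version_string));
    printf("parsed version (major*1000+minor): %d\n", version_packed(version_string));
    return 0;
}
```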
Comment 7 Thomas Woerner 2005-09-02 11:18:44 EDT
*** Bug 167094 has been marked as a duplicate of this bug. ***
Comment 8 Thomas Woerner 2005-09-02 12:17:48 EDT
Fixed in:

FC3-updates in rpm openmotif-2.2.3-10.FC3.1
FC4-updates in rpm openmotif-2.2.3-10.FC4.1
rawhide in rpm openmotif-2.2.3-11
