There are a number of problems in lib/Xm/List.c in openmotif, where items outside the list would be accessed, usually causing a SEGV. Patch attached. Testcases coming as well.
Created attachment 118552 [details] openmotif-list-overrun2.patch
Created attachment 118553 [details] xmbug.c Click on one element in the list (without releasing the mouse button), then release the button when the item has been removed from the list. This usually causes a segfault.
Created attachment 118554 [details] xmrotate.c Select multiple items and extend the selection from back to top and vice-versa, a segfault should arise soon after multiple extensions or selections.
Note that this change is on purpose. start is decreased by one when called as an argument of SelectRange. start == 0 would cause the index in SelectRange to be -1... @@ -4683,7 +4693,7 @@ SelectElement(Widget wid, SelectRange(lw, item, end + 1, sel); else if ((i > end) && (i <= start)) RestoreRange(lw, end, i - 1, FALSE); - else if (i > start) + else if (i > start && start > 0) { if (sel) SelectRange(lw, end, start - 1, FALSE);
Created attachment 123873 [details] New overrun patch. Analyzing the patch and the code, I have fixed the code in a different way. Please find attached the new patch.
Created attachment 123976 [details] openMotif-2.2.3-overrun.patch Revised version from ICS (upstream) with an additional fix.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2006-0292.html