Red Hat Bugzilla – Bug 167701
Fix for XmList out of bound accesses
Last modified: 2007-11-30 17:07:20 EST
There are a number of problems in lib/Xm/List.c in openmotif, where items
outside the list would be accessed, usually causing a SEGV.
Patch attached. Testcases coming as well.
Created attachment 118552 [details]
Created attachment 118553 [details]
Click on one element in the list (without releasing the mouse button), then
release the button when the item has been removed from the list.
This usually causes a segfault.
Created attachment 118554 [details]
Select multiple items and extend the selection from back to top and vice-versa,
a segfault should arise soon after multiple extensions or selections.
Note that this change is on purpose. start is decreased by one when called as an
argument of SelectRange. start == 0 would cause the index in SelectRange to be -1...
@@ -4683,7 +4693,7 @@ SelectElement(Widget wid,
SelectRange(lw, item, end + 1, sel);
else if ((i > end) && (i <= start))
RestoreRange(lw, end, i - 1, FALSE);
- else if (i > start)
+ else if (i > start && start > 0)
SelectRange(lw, end, start - 1, FALSE);
Created attachment 123873 [details]
New overrun patch.
Analyzing the patch and the code, I have fixed the code in a different way.
Please find attached the new patch.
Created attachment 123976 [details]
Revised version from ICS (upstream) with an additional fix.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.