Bug 33152 - Uninitialized memory reference in lib/Xaw/TextAction.c
Uninitialized memory reference in lib/Xaw/TextAction.c
Product: Red Hat Linux
Classification: Retired
Component: XFree86 (Show other bugs)
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Mike A. Harris
David Lawrence
Depends On:
  Show dependency treegraph
Reported: 2001-03-25 21:02 EST by Jonathan Kamens
Modified: 2007-04-18 12:32 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-03-27 08:00:41 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Patch to fix this in 4.0.3-3. (400 bytes, patch)
2001-03-26 11:02 EST, Jonathan Kamens
no flags Details | Diff
New patch for this problem (2.89 KB, patch)
2001-03-27 08:00 EST, Jonathan Kamens
no flags Details | Diff

  None (edit)
Description Jonathan Kamens 2001-03-25 21:02:35 EST
In Xfree86-4.0.2-9, I found that the function MoveLine in
lib/Xaw/TextAction.c sometimes attempts to read uninitialized memory when I
hit ctrl-N in a Text widget to move to the next line.

This occurs because the call to XawTextSourceRead returns a text block whos
"length" field is set to "-1".  I couldn't figure out whether this
indicates a bug in the ReadText function in lib/Xaw/AsciiSrc.c.  It was
occurring there because of the line near the end "count = piece->used -
(pos - start)"; in this case, piece->used was 703, pos was 704, and start
was 0, thus causing "count" and thus subsequently text->length to be set to

Like I said, I don't know whether this is a bug in AsciiSrc.c, so I instead
fixed it in TextAction.c -- I changed the line after "XawTextSourceRead" so
that instead of reading "if (block.length)" it reads "if (block.length >
Comment 1 Mike A. Harris 2001-03-26 04:41:09 EST
Does this problem still exist if you try XFree86 4.0.3-3 from:

Comment 2 Jonathan Kamens 2001-03-26 11:01:42 EST
Yes, this is still a problem in 4.0.3-3.  You can duplicate it by running under
Purify or Checker or something (so that you'll catch the uninitialized memory
reference), bringing up a Text widget, typing a single line of Text in the
widget with a newline at the end of it (i.e., such that the newline is the last
character in the widget), going to the end of that line and typing ctrl-n.

I'll attach a patch for 4.0.3-3.
Comment 3 Jonathan Kamens 2001-03-26 11:02:12 EST
Created attachment 13684 [details]
Patch to fix this in 4.0.3-3.
Comment 4 Mike A. Harris 2001-03-27 00:53:00 EST
Applied in 4.0.3-4 in rawhide. Thanks for supplying all the patches
you've been sending in.  Very much appreciated.
Comment 5 Jonathan Kamens 2001-03-27 08:00:03 EST
Sorry to cause you trouble :-), but I've concluded that the patch I submitted is
not the correct way to fix this problem.  The bug isn't in MoveLine, it's in
ReadText.  I'm attaching a new patch, which does the following:

1) Fix the ReadText functions in AsciiSrc.c and MultiSrc.c so that they return
correct information when they were unable to read any data (i.e., they were
asked to read data from the end of the source).

2) Fix the comments above the ReadText functions so that they correctly document
their return values.

3) Fix the documentation in xc/doc/specs/Xaw so that it correctly documents what
text source read functions are supposed to return.

The patch I sent you doesn't do any harm, but it's also unnecessary once this
new, corrected patch is applied, so you might as well back it out.
Comment 6 Jonathan Kamens 2001-03-27 08:00:38 EST
Created attachment 13804 [details]
New patch for this problem
Comment 7 Mike A. Harris 2001-03-28 01:32:50 EST
Old patch replaced with new patch.  I'm going to clean up my tree
and build the 4.0.3-4 release now.  Thanks.

Note You need to log in before you can comment on or make changes to this bug.