Bug 33152 - Uninitialized memory reference in lib/Xaw/TextAction.c
Summary: Uninitialized memory reference in lib/Xaw/TextAction.c
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: XFree86
Version: 7.0
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Mike A. Harris
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2001-03-26 02:02 UTC by Jonathan Kamens
Modified: 2007-04-18 16:32 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2001-03-27 13:00:41 UTC
Embargoed:


Attachments
Patch to fix this in 4.0.3-3. (400 bytes, patch)
2001-03-26 16:02 UTC, Jonathan Kamens
New patch for this problem (2.89 KB, patch)
2001-03-27 13:00 UTC, Jonathan Kamens

Description Jonathan Kamens 2001-03-26 02:02:35 UTC
In Xfree86-4.0.2-9, I found that the function MoveLine in
lib/Xaw/TextAction.c sometimes attempts to read uninitialized memory when I
hit ctrl-N in a Text widget to move to the next line.

This occurs because the call to XawTextSourceRead returns a text block whose
"length" field is set to "-1".  I couldn't figure out whether this
indicates a bug in the ReadText function in lib/Xaw/AsciiSrc.c.  It was
occurring there because of the line near the end "count = piece->used -
(pos - start)"; in this case, piece->used was 703, pos was 704, and start
was 0, thus causing "count" and thus subsequently text->length to be set to
-1.

Like I said, I don't know whether this is a bug in AsciiSrc.c, so I instead
fixed it in TextAction.c -- I changed the line after "XawTextSourceRead" so
that instead of reading "if (block.length)" it reads "if (block.length >
0)".

Comment 1 Mike A. Harris 2001-03-26 09:41:09 UTC
Does this problem still exist if you try XFree86 4.0.3-3 from:

ftp://people.redhat.com/mharris

Comment 2 Jonathan Kamens 2001-03-26 16:01:42 UTC
Yes, this is still a problem in 4.0.3-3.  You can duplicate it by running under
Purify or Checker or something (so that you'll catch the uninitialized memory
reference), bringing up a Text widget, typing a single line of Text in the
widget with a newline at the end of it (i.e., such that the newline is the last
character in the widget), going to the end of that line and typing ctrl-n.

I'll attach a patch for 4.0.3-3.


Comment 3 Jonathan Kamens 2001-03-26 16:02:12 UTC
Created attachment 13684 [details]
Patch to fix this in 4.0.3-3.

Comment 4 Mike A. Harris 2001-03-27 05:53:00 UTC
Applied in 4.0.3-4 in rawhide. Thanks for supplying all the patches
you've been sending in.  Very much appreciated.

Comment 5 Jonathan Kamens 2001-03-27 13:00:03 UTC
Sorry to cause you trouble :-), but I've concluded that the patch I submitted is
not the correct way to fix this problem.  The bug isn't in MoveLine, it's in
ReadText.  I'm attaching a new patch, which does the following:

1) Fix the ReadText functions in AsciiSrc.c and MultiSrc.c so that they return
correct information when they were unable to read any data (i.e., they were
asked to read data from the end of the source).

2) Fix the comments above the ReadText functions so that they correctly document
their return values.

3) Fix the documentation in xc/doc/specs/Xaw so that it correctly documents what
text source read functions are supposed to return.

The patch I sent you doesn't do any harm, but it's also unnecessary once this
new, corrected patch is applied, so you might as well back it out.

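The following is an added, constructed model of the defect described in the report and the two candidate fixes (the consumer-side `> 0` check from the first patch and the source-side fix from Comment 5). It is not code from XFree86; the piece buffer, `used`/`pos`/`start` values and function names are assumptions chosen to mirror the arithmetic quoted above.

```c
#include <stddef.h>

/* Constructed stand-in for the XawTextBlock returned by XawTextSourceRead. */
typedef struct { const char *ptr; int length; } TextBlock;

/* The arithmetic quoted from ReadText: count = piece->used - (pos - start).
 * With used == 703, pos == 704, start == 0 this is -1. */
int original_count(int used, int pos, int start)
{
    return used - (pos - start);
}

/* Original behaviour: the (possibly negative) count becomes block.length. */
void read_text_original(const char *piece, int used, int pos, int start, TextBlock *out)
{
    int count = original_count(used, pos, start);
    out->length = count;
    out->ptr = (count >= 0) ? piece + (pos - start) : NULL; /* nothing valid when negative */
}

/* Source-side fix (Comment 5): report zero bytes when pos is at or past the end,
 * so callers never see a negative length. */
void read_text_fixed(const char *piece, int used, int pos, int start, TextBlock *out)
{
    int count = original_count(used, pos, start);
    if (pos < start || count <= 0) { out->ptr = NULL; out->length = 0; return; }
    out->ptr = piece + (pos - start);
    out->length = count;
}

/* Consumer modelled on MoveLine: returns 1 if it would go on to dereference block.ptr.
 * check_positive == 0 reproduces "if (block.length)", which is true for -1;
 * check_positive == 1 reproduces the first patch's "if (block.length > 0)". */
int consumer_would_read(const TextBlock *b, int check_positive)
{
    return check_positive ? (b->length > 0) : (b->length != 0);
}

/* Scenario from Comment 2: one line ending in a newline, then a read one past the end.
 * Returns 1 when the consumer would read memory the source never filled in. */
int scenario_reads_past_end(int fix_source, int fix_consumer)
{
    static const char piece[16] = "hello world\n";   /* constructed: 12 used bytes */
    int used = 12, start = 0, pos = used + 1;
    TextBlock b;
    if (fix_source) read_text_fixed(piece, used, pos, start, &b);
    else            read_text_original(piece, used, pos, start, &b);
    return consumer_would_read(&b, fix_consumer);
}
```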

Comment 6 Jonathan Kamens 2001-03-27 13:00:38 UTC
Created attachment 13804 [details]
New patch for this problem

Comment 7 Mike A. Harris 2001-03-28 06:32:50 UTC
Old patch replaced with new patch.  I'm going to clean up my tree
and build the 4.0.3-4 release now.  Thanks.

