Bug#774673: xfig crashes with stack smash detected when attempting to change arrow size
hello, I had the same problem. It comes from retrieving Xt ressource with a bad type variable. xfig-3.2.5.c/w_indpanel.c:1293: FirstArg(XtNradioData, &which); GetValues(w); "which" is declared as a int (32b) whereas "radioData" waits for a XPointer (64b). Find enclosed a patch that corrects it. I also changed some others variables from "unsigned long" to "Pixel" to follow the documentation althougth the both types are equal. Sincerly, -- Julien << Vous n'avez rien a dire... Parlons-en! >>
diff -ru xfig-3.2.5.c.orig/resources.c xfig-3.2.5.c/resources.c
--- xfig-3.2.5.c.orig/resources.c 2015-01-08 17:53:26.0 +0100
+++ xfig-3.2.5.c/resources.c 2015-01-12 18:53:06.968120279 +0100
@@ -172,9 +172,9 @@
 Pixmap fill_pm[NUMFILLPATS],fill_but_pm[NUMPATTERNS]; float fill_pm_zoom[NUMFILLPATS],fill_but_pm_zoom[NUMFILLPATS]; XColor x_fg_color, x_bg_color;
-unsigned long but_fg, but_bg;
-unsigned long ind_but_fg, ind_but_bg;
-unsigned long mouse_but_fg, mouse_but_bg;
+Pixel but_fg, but_bg;
+Pixel ind_but_fg, ind_but_bg;
+Pixel mouse_but_fg, mouse_but_bg;
 float ZOOM_FACTOR; /* assigned in main.c */ float PIC_FACTOR; /* assigned in main.c, updated in unit_panel_set() and
diff -ru xfig-3.2.5.c.orig/resources.h xfig-3.2.5.c/resources.h
--- xfig-3.2.5.c.orig/resources.h 2011-02-18 20:35:42.0 +0100
+++ xfig-3.2.5.c/resources.h 2015-01-12 18:53:06.968120279 +0100
@@ -378,9 +378,9 @@
 extern Pixmap fill_pm[NUMFILLPATS],fill_but_pm[NUMPATTERNS]; extern float fill_pm_zoom[NUMFILLPATS],fill_but_pm_zoom[NUMFILLPATS]; extern XColor x_fg_color, x_bg_color;
-extern unsigned long but_fg, but_bg;
-extern unsigned long ind_but_fg, ind_but_bg;
-extern unsigned long mouse_but_fg, mouse_but_bg;
+extern Pixel but_fg, but_bg;
+extern Pixel ind_but_fg, ind_but_bg;
+extern Pixel mouse_but_fg, mouse_but_bg;
 /* will contain environment variable XFIGTMPDIR, if any */ extern char*TMPDIR;
diff -ru xfig-3.2.5.c.orig/w_grid.c xfig-3.2.5.c/w_grid.c
--- xfig-3.2.5.c.orig/w_grid.c 2011-09-30 21:27:36.0 +0200
+++ xfig-3.2.5.c/w_grid.c 2015-01-12 18:57:31.984079710 +0100
@@ -34,7 +34,7 @@
 static char null_bits[null_width * null_height / 8] = {0}; static Pixmap null_pm, grid_pm = 0;
-static unsigned long bg, fg;
+static Pixel bg, fg;
diff -ru xfig-3.2.5.c.orig/w_indpanel.c xfig-3.2.5.c/w_indpanel.c
--- xfig-3.2.5.c.orig/w_indpanel.c 2011-09-30 21:27:36.0 +0200
+++ xfig-3.2.5.c/w_indpanel.c 2015-01-12 18:53:06.968120279 +0100
@@ -1266,6 +1266,7 @@
 set_arrow_size_state(Widget w, XtPointer closure, XtPointer call_data) { Boolean state;
+XPointer xtwhich;
 int which; Pixel bg1, bg2, fg1, fg2;
@@ -1290,8 +1291,9 @@
 XtSetSensitive(abstoggle, state); /* which button */
-FirstArg(XtNradioData, &which);
+FirstArg(XtNradioData, &xtwhich);
 GetValues(w);
+which=(int)xtwhich;
 if (which == 1) /* "multiple button", invert state */ state = !state;
diff -ru xfig-3.2.5.c.orig/w_print.c xfig-3.2.5.c/w_print.c
--- xfig-3.2.5.c.orig/w_print.c 2012-07-12 18:50:23.0 +0200
+++ xfig-3.2.5.c/w_print.c 2015-01-12 18:53:06.968120279 +0100
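Review bot: The added `which=(int)xtwhich;` in set_arrow_size_state converts a pointer directly to `int`, which compilers report as a cast to an integer of different size on LP64 targets and which hides that the narrowing is intended. XtNradioData is an XtPointer resource, so declaring the temporary as `XtPointer xtwhich = NULL;` and converting with `which = (int)(intptr_t)xtwhich;` keeps the pointer-sized store that stops the stack overwrite, makes the narrowing explicit, and leaves a defined value if GetValues does not write the variable. `intptr_t` needs `<stdint.h>`, whose inclusion is not visible in these hunks. The same mistake (an `int` passed by address for a pointer-typed resource) may exist at other GetValues call sites and is worth searching for; the function body continues outside both hunks.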
@@ -625,7 +625,7 @@
 Widget image; Widget entry,mag_spinner, below, fitpage; Pixmap p;
- unsignedlong fg, bg;
+ Pixel fg, bg;
 char *printer_val; char buf[100]; char *unit;
diff -ru xfig-3.2.5.c.orig/w_rulers.c xfig-3.2.5.c/w_rulers.c
--- xfig-3.2.5.c.orig/w_rulers.c 2011-09-30 21:27:36.0 +0200
+++ xfig-3.2.5.c/w_rulers.c 2015-01-12 18:53:06.968120279 +0100
@@ -1050,7 +1050,7 @@
 void setup_topruler(void) {
-unsigned long bg, fg;
+Pixel bg, fg;
 XGCValues gcv; unsigned long gcmask; XFontStruct *font;
@@ -1358,7 +1358,7 @@
 void setup_sideruler(void) {
-unsigned long bg, fg;
+Pixel bg, fg;
 XGCValues gcv; unsigned long gcmask; XFontStruct *font;
signature.asc Description: Digital signature
Bug#416538: lesstif2: bug in XIM chained list
Package: lesstif2 Version: 1:0.94.4-2 Severity: important Tags: patch *** Please type your report below this line *** Sorry for my english! Bug reproduction with "plan" application and a malloc debugger : - edit a day ; select a text case, then a another and then a another => SEGV Explication: In lesstif2-0.94.4/lib/Xm-2.1/XmIm.c , there is a chained list of XmICStuff objects that point on XIM objects. Many XmICStuff can point on the same XIM. So the first allocated XmICStuff object store a counter of XIM reference and others have a link (in "orig_xim" attribute) on this XmICStuff object. When XmICStuff object must be closed, the function XmImCloseXIM() checks the XIM counter (possibly on the original XmICStuff by following orig_xim) to know if it can free the XIM object. However it always unlinks and frees the XmICStuff object. If another XmICStuff had a "orig_xim" on the freed XmICStuff then, when it'll be closed, it'll try to access the freed XmICStuff by its "orig_xim" attribute and involve a SEGV. It seems to me that the XIM counter should be in XIM object. But nevertheless, I made patch (cf. attachement), that workarounds the problem. -- System Information: Debian Release: 4.0 APT prefers testing APT policy: (900, 'testing'), (50, 'stable') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.17.3 Locale: LANG=C, LC_CTYPE=fr_FR.iso8859-1 (charmap=ISO-8859-1) Versions of packages lesstif2 depends on: ii libc6 2.3.6.ds1-13 GNU C Library: Shared libraries ii libice6 1:1.0.1-2 X11 Inter-Client Exchange library ii libsm61:1.0.1-3 X11 Session Management library ii libx11-6 2:1.0.3-6 X11 client-side library ii libxext6 1:1.0.1-2 X11 miscellaneous extension librar ii libxp61:1.0.0.xsf1-1 X Printing Extension (Xprint) clie ii libxt61:1.0.2-2 X11 toolkit intrinsics library lesstif2 recommends no packages. -- no debconf information Sincerly, -- Julien << Vous n'avez rien a dire... Parlons-en! 
>>
diff -ru lesstif2-0.94.4-old/lib/Xm-2.1/XmIm.c lesstif2-0.94.4/lib/Xm-2.1/XmIm.c
--- lesstif2-0.94.4-old/lib/Xm-2.1/XmIm.c 2004-10-20 21:32:11.0 +0200
+++ lesstif2-0.94.4/lib/Xm-2.1/XmIm.c 2007-03-28 14:39:27.0 +0200
@@ -133,7 +133,10 @@
 p->next = q->next; }
- XtFree((char *)stuff);
+ /* if count!=0 then someone uses the stuff as orig_xim
+ so unlink it but not free it */
+ if (!stuff->count)
+ XtFree((char *)stuff);
 } /*
@@ -1060,6 +1063,8 @@
 XCloseIM(stuff->xim); DEBUGOUT(_LtDebug(__FILE__, w, "XCloseIM(%p)\n", stuff->xim)); stuff->orig_xim->xim = NULL;
+ /* stuff->orig_xim is now useless */
+ XtFree(stuff->orig_xim);
 } else { DEBUGOUT(_LtDebug(__FILE__, w, "XmImCloseXIM(%p), count -> %d\n", stuff->xim, stuff->orig_xim->count));
signature.asc Description: Digital signature
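Review bot: With `if (!stuff->count)` in the first hunk, a node that is still referenced through another entry's `orig_xim` is unlinked but stays allocated, so its only remaining owner is whichever path later drops the count to zero. The comment should state that ownership explicitly, for example `/* still referenced via orig_xim: unlink only; the XIM close path frees it once count reaches 0 */`. If that close path is never reached for the XIM, the node is leaked; that may be acceptable for a workaround but should be written down. The enclosing function starts and ends outside the hunk.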
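Review bot: In the second hunk, `XtFree(stuff->orig_xim);` releases the counter-owning node even though `stuff` itself may be that node. If the owner's `orig_xim` points at itself and it is the last entry to close, any later read of `stuff->count` and the `XtFree((char *)stuff)` from the first hunk would be a use-after-free followed by a double free. The code after this branch is outside the hunk, so this has to be checked against the whole function; a guard such as `if (stuff->orig_xim != stuff) XtFree((char *)stuff->orig_xim);` would cover the self-reference case. The call also omits the `(char *)` cast used in the first hunk, which XtFree's prototype expects.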
Bug#416382: plan: bug in parse language file
Package: plan Version: 1.9-6.2 Severity: important Tags: patch *** Please type your report below this line *** the function read_language_file() copy the content of file in memory without adding a null character at the end. However the following loop expects a null character to stop (cf. patch in attachment) -- System Information: Debian Release: 4.0 APT prefers testing APT policy: (900, 'testing'), (50, 'stable') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.17.3 Locale: LANG=C, LC_CTYPE=fr_FR.iso8859-1 (charmap=ISO-8859-1) Versions of packages plan depends on: ii debconf [debconf-2.0] 1.5.11 Debian configuration management sy ii lesstif21:0.94.4-2 OSF/Motif 2.1 implementation relea ii libc6 2.3.6.ds1-13 GNU C Library: Shared libraries ii libice6 1:1.0.1-2X11 Inter-Client Exchange library ii libsm6 1:1.0.1-3X11 Session Management library ii libx11-62:1.0.3-6X11 client-side library ii libxext61:1.0.1-2X11 miscellaneous extension librar ii libxpm4 1:3.5.5-2X11 pixmap library ii libxt6 1:1.0.2-2X11 toolkit intrinsics library plan recommends no packages. -- debconf information excluded Sincerly, -- Julien << Vous n'avez rien a dire... Parlons-en! >>
--- /tmp/plan-1.9/src/language.c 2005-01-09 11:01:36.0 +0100
+++ plan-1.9/src/language.c 2007-03-27 14:50:48.0 +0200
@@ -138,9 +138,10 @@
 if (!nstrings) nstrings = nline; /* create list */
- if (!(list = (char **)malloc(nline * sizeof(char *) + fsize)))
+ if (!(list = (char **)malloc(nline * sizeof(char *) + fsize+1)))
 fatal("no memory for language file"); memcpy(list[0] = p = (char *)&list[nline], file, fsize);
+ p[fsize]='\0';
 /* eval "\n", eoln=0 */ for (q=p; *p; p++, q++) if (*p == '\n') *q = 0;
signature.asc Description: Digital signature
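Review bot: The allocation size `nline * sizeof(char *) + fsize+1` is computed from the file's line count and size with no overflow check, so a wrapped result would let the following `memcpy` and the new `p[fsize]='\0'` write past the block. `nline` and `fsize` are declared outside the hunk; depending on their types, a guard before the `malloc` such as `if ((size_t)nline > (SIZE_MAX - (size_t)fsize - 1) / sizeof(char *)) fatal("no memory for language file");` would close that gap. A short comment on the terminator, e.g. `/* the split loop below stops at the first NUL, so the copy must be terminated */`, would record why the extra byte exists. The enclosing function starts and ends outside the hunk.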
Bug#329094: libpam-mount: fails to check already mounted volume when links are used
Package: libpam-mount Version: 0.9.25-3 Severity: normal Tags: patch if the mount point contains links then only the real path is stored in mtab. So, at the next check, process fails to see that volume is already mounted and mounts it twice. Patch included doubles the path check : with original volume path and its realpath. In case of match with realpath, return the original volume path. -- System Information: Debian Release: 3.1 Architecture: i386 (i686) Kernel: Linux 2.6.11.11 Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Versions of packages libpam-mount depends on: ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an ii libglib2.0-0 2.6.4-1 The GLib library of C routines ii libssl0.9.70.9.7e-3 SSL shared libraries ii mount 2.12p-4 Tools for mounting and manipulatin ii zlib1g 1:1.2.2-4.sarge.2 compression library - runtime -- no debconf information
diff -ru pam_mount-0.9.25/src/mount.c libpam-mount-0.9.25-x/src/mount.c
--- pam_mount-0.9.25/src/mount.c 2005-05-16 06:11:30.0 +0200
+++ libpam-mount-0.9.25-x/src/mount.c 2005-09-19 15:46:53.0 +0200
@@ -128,6 +128,7 @@
 fmt_ptrn_t *vinfo) { char match[PATH_MAX + 1];
+ char realvolmntpt[PATH_MAX + 1];
 int mounted = 0; #if defined(__linux__) FILE *mtab;
@@ -186,6 +187,15 @@
 l0g("pam_mount: %s\n", "could not open /etc/mtab"); return -1; }
+ if (!realpath(config->volume[vol].mountpoint, realvolmntpt)) {
+ w4rn("pam_mount: can't get realpath of volume (%s)\n", config->volume[vol].mountpoint);
+ strncpy(realvolmntpt, config->volume[vol].mountpoint, PATH_MAX);
+ realvolmntpt[PATH_MAX] = 0x00;
+ } else {
+ realvolmntpt[PATH_MAX] = 0x00;
+ w4rn("pam_mount: realpath of volume (%s) is (%s)\n", config->volume[vol].mountpoint, realvolmntpt);
+ }
+ w4rn("pam_mount: checking to see if %s is already mounted at %s\n", match, config->volume[vol].mountpoint); while ((mtab_record = getmntent(mtab)) != NULL) {
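Review bot: `realpath()` in the second hunk resolves the mount point only at check time, and the else branch's `realvolmntpt[PATH_MAX] = 0x00;` is redundant because a successful realpath() already returns a terminated string. This code runs inside a PAM module, typically with elevated privileges, so the resolved path should be documented as comparison-only, since the configured path could resolve differently by the time of any later mount if a link changes in between. A comment such as `/* resolved path is used for the already-mounted check only, never for mounting */` would make that explicit. realpath() also fails when the mount point does not exist yet, so the fallback warning may fire on an otherwise normal login. `realvolmntpt` is declared before the `#if defined(__linux__)` in the first hunk but appears to be filled only on this mtab path, so other platform branches, not visible here, would not get the fix.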
@@ -215,9 +225,14 @@
 strncpy(mntpt, mtab_record->mnt_dir, PATH_MAX); mntpt[PATH_MAX] = 0x00; mounted = 1;
- if (!strcmp(mtab_record->mnt_dir,
-config->volume[vol].mountpoint)) {
-strncpy(mntpt, mtab_record->mnt_dir,
+ if (
+(!strcmp(mtab_record->mnt_dir,
+config->volume[vol].mountpoint))
+||
+(!strcmp(mtab_record->mnt_dir,
+realvolmntpt))
+) {
+strncpy(mntpt, config->volume[vol].mountpoint,
 PATH_MAX); mntpt[PATH_MAX] = 0x00; break;
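Review bot: The new condition is spread over seven added lines, which makes the two comparisons hard to follow; `if (!strcmp(mtab_record->mnt_dir, config->volume[vol].mountpoint) ||` followed by `!strcmp(mtab_record->mnt_dir, realvolmntpt)) {` expresses the same test in two. The `strncpy(mntpt, config->volume[vol].mountpoint,` that follows now hands back the configured path instead of the mtab entry, so a comment such as `/* report the configured mount point even when mtab holds the resolved one */` would help readers who expect `mntpt` to mirror mtab. Both comparisons are exact string matches, so a configured path that differs from the mtab entry only by a trailing slash is matched solely through the realpath() result. The enclosing loop starts outside the hunk.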