Launchpad has imported 9 comments from the remote bug at https://bugzilla.redhat.com/show_bug.cgi?id=166144.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2005-08-17T11:59:35+00:00 Dmitry wrote:

Description of problem:
When a UIL-based program calls MrmOpenHierarchyPerDisplay(), it is immediately aborted with "*** buffer overflow detected ***" message. This happens with any of UIL-based programs from demos/programs/ too. (Yes, one has to build them manually, since demos/ are cut-off from .rpm.)

Version-Release number of selected component (if applicable):
2.2.3-10

How reproducible:
Always

Steps to Reproduce:
1. Unpack and build the minimal test case attached below -- tar xfz mrm-test.tgz; cd mrm-test; make
2. Run it -- ./mrm

Actual results:
The program aborts with "*** buffer overflow detected ***: ./mrm terminated" message.

Expected results:
The program should run and display a window with a single label.

Additional info:
Note 1: Interestingly, this bug is present ONLY in FC4 rpm -- pristine 2.2.3 sources are okay. For example, if one builds OpenMotif libraries from openMotif-2.2.3.tar.gz, contained in openmotif-2.2.3-10.src.rpm (./configure; make) and uses that libraries (LD_LIBRARY_PATH=.../openMotif-2.2.3/lib/Mrm/ ./mrm), then everything works as expected. And, if using in the same manner libraries, produced via "rpmbuild -ba", then the bug IS present.

Note 2: "diff" shows that NONE of .rpm's patches touches lib/Mrm/. So, probably the buffer overflow is triggered as a side effect of some other patch, or is caused by different compile options.

Reply at: https://bugs.launchpad.net/ubuntu/+source/openmotif/+bug/374907/comments/0

------------------------------------------------------------------------
On 2005-08-17T11:59:36+00:00 Dmitry wrote:

Created attachment 117831
A test case

Reply at: https://bugs.launchpad.net/ubuntu/+source/openmotif/+bug/374907/comments/1

------------------------------------------------------------------------
On 2005-08-17T12:06:45+00:00 Dmitry wrote:

Created attachment 117833
A text "screenshot" of the abort

Reply at: https://bugs.launchpad.net/ubuntu/+source/openmotif/+bug/374907/comments/2

------------------------------------------------------------------------
On 2005-08-22T07:50:46+00:00 Arjan wrote:

question: can you make sure that your local openmotif build uses "-D_FORTIFY_SOURCE=2" as part of the CFLAGs ? That is to compare apples to apples, eg enable buffer overflow checking as well in your local build

Reply at: https://bugs.launchpad.net/ubuntu/+source/openmotif/+bug/374907/comments/3

------------------------------------------------------------------------
On 2005-08-22T08:13:49+00:00 Arjan wrote:

This was a bug in the Motif code (patch below)

It did XtNumber on a char pointer, which isn't allowed, XtNumber() is only allowed on static sized buffers not on dynamic sized ones.

diff -u openMotif-2.2.3/lib/Mrm/MrmIheader.c~ openMotif-2.2.3/lib/Mrm/MrmIheader.c --- openMotif-2.2.3/lib/Mrm/MrmIheader.c~ 2005-08-22 10:13:49.712349972 +0200 +++ openMotif-2.2.3/lib/Mrm/MrmIheader.c 2005-08-22 10:13:49.712349972 +0200
@@ -228,9 +228,11 @@ { /* sscanf() may call ungetc(), which would write the XmConst string. */ - char buf[strlen(idb__database_version) + 1]; + char *buf; + buf = XtMalloc(strlen(idb__database_version) + 1); strcpy(buf, idb__database_version); sscanf(buf, "URM %d.%d", &db_major, &db_minor); + XtFree(buf); } if ((file_major > db_major) ||

Reply at: https://bugs.launchpad.net/ubuntu/+source/openmotif/+bug/374907/comments/4

------------------------------------------------------------------------
On 2005-08-22T08:15:03+00:00 Arjan wrote:

woops wrong patch:

--- openMotif-2.2.3/lib/Mrm/MrmIheader.c.org 2005-08-22 10:11:08.951763921 +0200 +++ openMotif-2.2.3/lib/Mrm/MrmIheader.c 2005-08-22 10:13:49.712349972 +0200
@@ -228,9 +228,11 @@ { /* sscanf() may call ungetc(), which would write the XmConst string. */ - char buf[XtNumber(idb__database_version) + 1]; + char *buf; + buf = XtMalloc(strlen(idb__database_version) + 1); strcpy(buf, idb__database_version); sscanf(buf, "URM %d.%d", &db_major, &db_minor); + XtFree(buf); } if ((file_major > db_major) ||

Reply at: https://bugs.launchpad.net/ubuntu/+source/openmotif/+bug/374907/comments/5

------------------------------------------------------------------------
On 2005-08-22T08:49:00+00:00 Dmitry wrote:

Yes, patch at comment#5 cures the problem.

I've filed a bugreport to OpenMotif's Bugzilla too -- http://bugs.motifzone.net/show_bug.cgi?id=1304

Reply at: https://bugs.launchpad.net/ubuntu/+source/openmotif/+bug/374907/comments/6

------------------------------------------------------------------------
On 2005-09-02T15:18:44+00:00 Thomas wrote:

*** Bug 167094 has been marked as a duplicate of this bug. ***

Reply at: https://bugs.launchpad.net/ubuntu/+source/openmotif/+bug/374907/comments/7

------------------------------------------------------------------------
On 2005-09-02T16:17:48+00:00 Thomas wrote:

Fixed in
FC3-updates in rpm openmotif-2.2.3-10.FC3.1
FC4-updates in rpm openmotif-2.2.3-10.FC4.1
rawhide in rpm openmotif-2.2.3-11

Reply at: https://bugs.launchpad.net/ubuntu/+source/openmotif/+bug/374907/comments/8

** Changed in: openmotif (Fedora)
   Importance: Unknown => High

** Bug watch added: Motif's Mr. Samsa #1304
   http://bugs.motifzone.net/show_bug.cgi?id=1304

https://bugs.launchpad.net/bugs/374907

Title:
  "*** buffer overflow detected ***" abort in MrmOpenHierarchyPerDisplay()
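
Review bot: the sscanf(buf, "URM %d.%d", &db_major, &db_minor) call kept as context in the corrected MrmIheader.c hunk (the one whose removed line uses XtNumber) still has its return value ignored, so a version string that does not match the format leaves db_major and db_minor at whatever values they already held when the following `if ((file_major > db_major) ||` comparison runs; consider requiring a return value of 2 before comparing. The XtMalloc(strlen(idb__database_version) + 1) size is correct for the strcpy that follows. Since only the size expression was wrong, keeping the stack buffer with strlen() in place of XtNumber(), as the removed line of the first, mistaken patch reads, would also fix the overflow without an XtMalloc/XtFree pair on each call.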
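
Why XtNumber() on a char pointer undersizes the buffer, as an added example that is not part of the bug thread or of the Motif sources. NUMBER_OF is a local stand-in with XtNumber()'s sizeof-based definition, the "URM 1.2" string is a constructed sample, and buf_too_small and parse_version are hypothetical helper names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in with the same definition as Xt's XtNumber(): a sizeof-based
 * element count, meaningful only for a true array. Compilers can warn
 * when it is applied to a pointer (-Wsizeof-pointer-div). */
#define NUMBER_OF(arr) (sizeof(arr) / sizeof((arr)[0]))

/* Constructed sample value; the page shows only the "URM %d.%d" format. */
static const char version_arr[] = "URM 1.2";   /* array: size is known  */
static const char *version_ptr = version_arr;  /* pointer: size is lost */

size_t count_from_array(void)   { return NUMBER_OF(version_arr); }
size_t count_from_pointer(void) { return NUMBER_OF(version_ptr); }

/* Would "char buf[NUMBER_OF(ptr) + 1]" be too small for strcpy(buf, s)
 * on a platform whose pointers are ptr_size bytes wide? */
int buf_too_small(size_t ptr_size, const char *s)
{
    return ptr_size + 1 < strlen(s) + 1;
}

/* Copy sized from the string's length, as in the fix, with the sscanf
 * result checked. Returns 0 on success, -1 on failure. */
int parse_version(const char *s, int *major, int *minor)
{
    size_t n = strlen(s) + 1;
    char *buf = malloc(n);
    int fields;

    if (buf == NULL)
        return -1;
    memcpy(buf, s, n);
    fields = sscanf(buf, "URM %d.%d", major, minor);
    free(buf);
    return fields == 2 ? 0 : -1;
}

int main(void)
{
    int major = 0, minor = 0;

    printf("array count   : %zu\n", count_from_array());
    printf("pointer count : %zu (sizeof(char *))\n", count_from_pointer());
    printf("too small, 4-byte pointers: %d\n", buf_too_small(4, version_ptr));
    printf("too small, 8-byte pointers: %d\n", buf_too_small(8, version_ptr));
    if (parse_version(version_ptr, &major, &minor) == 0)
        printf("parsed %d.%d\n", major, minor);
    return 0;
}
```

With the sample string the undersized buffer appears only where pointers are 4 bytes wide, which shows that this class of bug can stay hidden on one architecture and abort under _FORTIFY_SOURCE on another.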