Bugzilla – Attachment 54750 Details for Bug 127552: Buffer Overflow Bug in OpenMotif 2.2.3
motif bug known for years- with solution
openmotif-bug-solution.txt (text/plain), 6.67 KB, created by Forgotten User PZ4wA53Xsq on 2005-10-19 11:55:39 UTC
>XmTextField: "Character xxx not supported in font" errors, bug in multibyte code
>Bug#: 1257 Product: OpenMotif Version: 2.2.2 Platform: x86
>OS/Version: Linux Status: RESOLVED Severity: major Priority: High
>Resolution: FIXED Assigned To: openmotif-devel@motifzone.net Reported By: brad@sd.aonix.com
>Component: MotifCode
>URL:
>Summary: XmTextField: "Character xxx not supported in font" errors, bug in multibyte code
>Description:
>
>RedHat Enterprise Linux 3.0 with Motif 2.2.3 gets the following errors all over
>the place:
>    Warning:
>        Name: textField
>        Class: XmTextField
>        Character '\163' not supported in font.  Discarded.
>
>Below I have included a C file and a Makefile for a test case.
>Also I provided a suggested fix for the problem.
>
>
>--------------------------------------------------------------------------------
>README
>--------------------------------------------------------------------------------
>
>Test case to illustrate bug in PrintableString in TextF.c in Motif 2.2.3.
>
>How to test:
>    make
>    setenv LANG en_US.UTF-8    (or another multibyte lang)
>    textf_bug
>
>    The following error messages will appear:
>
>        Warning:
>            Name: textField
>            Class: XmTextField
>            Character '\163' not supported in font.  Discarded.
>
>        Warning:
>            Name: textField
>            Class: XmTextField
>            Character '\157' not supported in font.  Discarded.
>        ...
>
>    If you do not see the errors, try setting LANG to another multibyte encoding,
>    such as ja_JP.ujis.
>
>The test case makes a simple GUI with a XmTextField widget and
>puts a regular single-byte string into it.
>The bug causes the text field to reject the string character by character
>and print the error messages.
>
>
>The bug is new for Motif 2.2 and was not present in Motif 2.1.
>The error lies in a new block of code added to the end of PrintableString in
>TextF.c:
>
>    tmp_str = (wchar_t *)str;
>    ret_val = wctomb(tmp, *tmp_str);
>    count = 0;
>    while ( (ret_val > 0)&& (buf_size >= MB_CUR_MAX) && (count < n) )
>      {
>        count += 1;
>        tmp += ret_val;
>        buf_size -= ret_val;
>        tmp_str++;
>        ret_val = wctomb(tmp, *tmp_str);
>      }
>    if (ret_val == -1)    /* bad character */
>      return (False);
>    is_printable = XTextWidth(TextF_Font(tf), cache_ptr, tmp - cache_ptr);
>
>The problem is that ValidateString passes the address of a single wchar_t tmp.
>The str parameter in PrintableString is consequently set to &tmp.
>n is passed in as 1.
>str is copied to tmp_str.
>The code runs wctomb on *tmp_str, increments tmp_str and then calls wctomb
>on *tmp_str again.
>At this point tmp_str points to other stuff on the stack - whatever happens to
>occupy &tmp+1.
>
>I (think I) fixed the problem by changing the code to:
>
>    tmp_str = (wchar_t *)str;
>    count = 0;
>    do {
>        ret_val = wctomb(tmp, *tmp_str);
>        count += 1;
>        tmp += ret_val;
>        buf_size -= ret_val;
>        tmp_str++;
>    } while ( (ret_val > 0)&& (buf_size >= MB_CUR_MAX) && (count < n) ) ;
>    if (ret_val == -1)    /* bad character */
>      return (False);
>    is_printable =
>      ( XTextWidth(TextF_Font(tf), cache_ptr, tmp - cache_ptr) != 0 ) ;
>
>Apparently RedHat does not define SUPPORT_ZERO_WIDTH in their version of Motif.
>
>The bug does not always show itself.
>Depending on the libXm build, sometimes the address at &tmp+1 is another
>variable, and other times it is just uninitialized junk.
>This test case attempts to write gibberish to the stack area, so that the
>bug will show up in the case that &tmp+1 is not used by another variable.
>If another variable lands on &tmp+1, then the problem is revealed only if
>this other variable is set to something that wctomb doesn't like.
>I built Motif 2.2.2 on RHLinux8 and the &tmp+1 address was given to the
>start_tmp variable.
>The pointer value given to start_tmp did not cause wctomb to complain,
>so this test case didn't reveal the problem on RH8.
>The test case shows the problem with RedHat Enterprise Linux 3.0.
>
>This test case is intended to run on a 32 bit Intel platform.
>It may not work on other platforms.
>
>Brad Despres
>Aonix
>
>--------------------------------------------------------------------------------
>Makefile
>--------------------------------------------------------------------------------
>all: textf_bug
>
>textf_bug: textf_bug.c
>	cc -g -Wall \
>	    -I/usr/X11R6/include \
>	    textf_bug.c \
>	    -o textf_bug \
>	    -L/usr/X11R6/lib \
>	    -lXm \
>	    -lXp \
>	    -lXt \
>	    -lXext \
>	    -lXpm \
>	    -lSM \
>	    -lICE \
>	    -lX11 \
>	    -lpthread
>
>
>clean:
>	-rm -f textf_bug textf_bug.o
>
>--------------------------------------------------------------------------------
>textf_bug.c
>--------------------------------------------------------------------------------
>#include <locale.h>
>#include <string.h>     /* memset */
>#include <Xm/TextF.h>
>
>int main (
>    int     argc ,
>    char *  argv []
>)
>{
>    Widget          toplevel , textf ;
>    XtAppContext    app ;
>    int             i , fill_size = 1024 ;
>    unsigned char   fill_byte = 0xA5 ;
>    unsigned        fill_pattern ;
>    unsigned *      pu ;
>
>    /* Read the locale env variables. */
>    setlocale ( LC_ALL , "" ) ;
>
>    toplevel = XtVaAppInitialize ( & app , "TestCase" , NULL , 0 ,
>                                   & argc , argv , NULL , NULL ) ;
>
>    textf = XtVaCreateWidget ( "textField" ,
>                               xmTextFieldWidgetClass , toplevel ,
>                               NULL ) ;
>
>    XtManageChild ( textf ) ;
>
>    {   /*
>         * Write gibberish into the unused area below the stack.
>         * Hopefully this will cause the bug to show up.
>         */
>
>        /* Push a variable so we know where the sp is. */
>        unsigned    u ;
>
>        /* Set up the fill pattern, e.g. 0xA5A5A5A5 */
>        memset ( ( void * ) & fill_pattern , fill_byte , sizeof ( u ) ) ;
>
>        /* Fill the unused stack area with this pattern. */
>        for ( i = 0 , pu = & u ; i < fill_size ; i ++ , pu -- ) {
>            * pu = fill_pattern ;
>            /* The problem is masked if you fill it with zeros instead. */
>        }
>    }
>    XmTextFieldSetString ( textf , "some text" ) ;
>    XtRealizeWidget ( toplevel ) ;
>    XtAppMainLoop ( app ) ;
>
>    /* Not reached. */
>    return ( 0 ) ;
>}
>
>
>
>------- Additional Comments From brad@sd.aonix.com 2004-05-27 11:33 -------
>
>Created an attachment (id=45)
>Tar file containing test case for bug.
>
>
>
>------- Additional Comments From yura@ics.com 2004-06-30 05:28 -------
>
>Fixed as proposed. Thanks for the report and patch.
>
>
>
>Note: All patches are submitted under the MIT License.
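
Added example (not part of the attachment or of the OpenMotif source): the two loop shapes from the report, reduced to a stand-alone C program in which every element read goes through an instrumented accessor, so the extra access is recorded against a two-element array instead of running off a real stack variable. It assumes the default "C" locale, where `wctomb` rejects the value 0xA5A5A5A5; `rd`, `convert_buggy`, `convert_fixed`, `junk`, `out` and `max_read` are names invented for this example.

```c
#include <stdio.h>
#include <stdlib.h>

static int max_read;      /* highest element index read by the last call */
static char out[16];      /* multibyte output buffer */
/* Constructed input: [0] is the caller's one character, [1] models &tmp+1. */
static const wchar_t junk[2] = { L's', (wchar_t)0xA5A5A5A5 };
static wchar_t rd(const wchar_t *s, int i)    /* instrumented element read */
{
    if (i > max_read) max_read = i;
    return s[i];
}

/* Loop shape of the 2.2.3 code: wctomb runs again after every increment. */
static int convert_buggy(const wchar_t *s, int n, char *tmp, int buf_size)
{
    int i = 0, count = 0, ret_val;
    max_read = -1;
    ret_val = wctomb(tmp, rd(s, i));
    while (ret_val > 0 && buf_size >= (int)MB_CUR_MAX && count < n) {
        count += 1;
        tmp += ret_val;
        buf_size -= ret_val;
        ret_val = wctomb(tmp, rd(s, ++i));    /* last pass reads s[n] */
    }
    return ret_val != -1;                     /* 0 means "bad character" */
}

/* Loop shape of the fix; the break is this example's guard against tmp += -1. */
static int convert_fixed(const wchar_t *s, int n, char *tmp, int buf_size)
{
    int i = 0, count = 0, ret_val;
    max_read = -1;
    do {
        ret_val = wctomb(tmp, rd(s, i++));
        if (ret_val <= 0) break;
        count += 1;
        tmp += ret_val;
        buf_size -= ret_val;
    } while (buf_size >= (int)MB_CUR_MAX && count < n);
    return ret_val != -1;
}

int main(void)
{
    int bad = convert_buggy(junk, 1, out, sizeof out), bad_idx = max_read;
    int good = convert_fixed(junk, 1, out, sizeof out), good_idx = max_read;
    printf("buggy: ok=%d idx=%d\nfixed: ok=%d idx=%d\n", bad, bad_idx, good, good_idx);
    return 0;
}
```

With n = 1 the first loop converts element 1 and reports a bad character, while the second stops at element 0. Putting zero in the second slot makes the first loop succeed again even though it still reads element 1, which is the masking the test case's comment mentions.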