Bug 114344

Summary: buffer overflow in XFig on color select.
Product: [openSUSE] SUSE LINUX 10.0
Reporter: Daniel Bornkessel <dbornkessel>
Component: X11 Applications
Assignee: Dr. Werner Fink <werner>
Status: RESOLVED FIXED
QA Contact: Stefan Dirsch <sndirsch>
Severity: Major
Priority: P5 - None
CC: security-team, sndirsch
Version: Beta 3
Target Milestone: ---
Hardware: i686
OS: SUSE Other
Whiteboard:
Found By: Development
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: xfig.patch

Description Daniel Bornkessel 2005-08-31 07:52:18 UTC
On SUSE 10, beta 3, a reproducible XFig crash happens:
Open XFig,
Select 'RECT drawing' (or other),
click 'Pen Color'
--> crash

(did not happen on SUSE9.3)
Comment 1 Marcus Meissner 2005-08-31 09:47:53 UTC
*** buffer overflow detected ***: /usr/X11R6/bin/xfig.bin terminated 
 
Program received signal SIGABRT, Aborted. 
0x00002aaaabd0f3ca in raise () from /lib64/tls/libc.so.6 
(gdb) bt 
#0  0x00002aaaabd0f3ca in raise () from /lib64/tls/libc.so.6 
#1  0x00002aaaabd10800 in abort () from /lib64/tls/libc.so.6 
#2  0x00002aaaabd44fde in __libc_message () from /lib64/tls/libc.so.6 
#3  0x00002aaaabdaf81f in __chk_fail () from /lib64/tls/libc.so.6 
#4  0x00002aaaabdaee09 in _IO_str_chk_overflow () from /lib64/tls/libc.so.6 
#5  0x00002aaaabd48036 in _IO_default_xsputn_internal () 
   from /lib64/tls/libc.so.6 
#6  0x00002aaaabd21e4e in vfprintf () from /lib64/tls/libc.so.6 
#7  0x00002aaaabdaeeb9 in __vsprintf_chk () from /lib64/tls/libc.so.6 
#8  0x00002aaaabdaedf0 in __sprintf_chk () from /lib64/tls/libc.so.6 
#9  0x000000000047ea83 in count_user_colors () at w_color.c:1078 
#10 0x0000000000482bd3 in create_color_panel (form=0x7b5e60,  
    label=<value optimized out>, cancel=0x7ca350, isw=0x633d60) 
    at w_color.c:518 
#11 0x00000000004a0be4 in popup_choice_panel (isw=0x633d60) 
    at w_indpanel.c:1677 
#12 0x00002aaaab3fa1e0 in XtDispatchEventToWidget () 
   from /usr/X11R6/lib64/libXt.so.6 
#13 0x00002aaaab3fa861 in _XtOnGrabList () from /usr/X11R6/lib64/libXt.so.6 
#14 0x00002aaaab3fa9ce in XtDispatchEvent () from /usr/X11R6/lib64/libXt.so.6 
#15 0x000000000044815b in main (argc=1, argv=<value optimized out>) 
    at main.c:1503 
#16 0x00002aaaabcfd55a in __libc_start_main () from /lib64/tls/libc.so.6 
---Type <return> to continue, or q <return> to quit--- 
 
Comment 2 Dr. Werner Fink 2005-08-31 10:33:00 UTC
Please provide a patch due to the fact that I'm heavily overworked.
Comment 3 Dr. Werner Fink 2005-08-31 10:34:51 UTC
Maybe this is X11 related.  Stefan?
Comment 4 Marcus Meissner 2005-08-31 10:43:39 UTC
Created attachment 48286 [details]
xfig.patch

this fixes the single byte buffer overflow.

(the resulting string is 10 chars + 1 NUL byte)
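The off-by-one Comment 4 describes, shown as an added example in constructed C rather than xfig's own code (the real buffer, format string and label text in count_user_colors are not on this page; the "Color " prefix and the number 9999 are assumed so that the label is exactly 10 characters): the label needs 11 bytes, and a bounded snprintf reports the shortfall instead of writing the NUL past a 10-byte buffer, which is the write __sprintf_chk aborted on in the backtrace above.

```c
#include <stdio.h>

/* Constructed example, not xfig's w_color.c: a label of exactly
 * 10 visible characters written into a buffer that has room for the
 * characters but not for the terminating NUL.  Built with
 * -O2 -D_FORTIFY_SOURCE=2, glibc routes sprintf through __sprintf_chk,
 * which aborts with "*** buffer overflow detected ***" (as in the
 * backtrace above) instead of letting the NUL land past the end. */

#define LABEL_PREFIX "Color "   /* assumed; 6 chars */
#define LABEL_NUMBER 9999       /* assumed; 4 chars -> 10 visible chars */

/* Bytes the label needs including its NUL.  snprintf(NULL, 0, ...)
 * measures the formatted length without writing anywhere. */
static int label_bytes_needed(const char *prefix, int n)
{
    return snprintf(NULL, 0, "%s%d", prefix, n) + 1;
}

/* Hardened write: bounded by dstsz, never past the buffer.
 * Returns 1 if the whole label plus NUL fit, 0 if it was truncated.
 * The unsafe pattern this replaces is  sprintf(dst, "%s%d", prefix, n);
 * which has no bound at all. */
static int format_label(char *dst, size_t dstsz, const char *prefix, int n)
{
    int want = snprintf(dst, dstsz, "%s%d", prefix, n);
    return want >= 0 && (size_t)want < dstsz;
}

/* Offer only dstsz bytes of a larger scratch buffer, so the 10-byte
 * and 11-byte cases can be probed without any risk of overflow. */
static int label_fits_in(size_t dstsz)
{
    char scratch[32];
    if (dstsz > sizeof scratch)
        return -1;
    return format_label(scratch, dstsz, LABEL_PREFIX, LABEL_NUMBER);
}

int main(void)
{
    printf("label needs %d bytes\n", label_bytes_needed(LABEL_PREFIX, LABEL_NUMBER));
    printf("fits in 10 bytes: %d\n", label_fits_in(10));   /* 0: one byte short */
    printf("fits in 11 bytes: %d\n", label_fits_in(11));   /* 1: 10 chars + NUL */
    return 0;
}
```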
Comment 5 Dr. Werner Fink 2005-08-31 11:29:57 UTC
Thanks
Comment 6 Dr. Werner Fink 2005-08-31 11:50:28 UTC
Patch appended to xfig.3.2.4-gcc4.dif