Bug 114344 - buffer overflow in XFig on color select.
Summary: buffer overflow in XFig on color select.
Status: RESOLVED FIXED
Alias: None
Product: SUSE LINUX 10.0
Classification: openSUSE
Component: X11 Applications (show other bugs)
Version: Beta 3
Hardware: i686 SUSE Other
: P5 - None : Major
Target Milestone: ---
Assignee: Dr. Werner Fink
QA Contact: Stefan Dirsch
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-08-31 07:52 UTC by Daniel Bornkessel
Modified: 2005-08-31 11:50 UTC (History)
2 users (show)

See Also:
Found By: Development
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
xfig.patch (466 bytes, patch)
2005-08-31 10:43 UTC, Marcus Meissner 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Bornkessel 2005-08-31 07:52:18 UTC 
On SUSE 10, beta 3, a reproducable XFig crash happens:
Open XFig,
Select 'RECT drawing' (or other),
click 'Pen Color'
--> crash

(did not happen on SUSE9.3)
Comment 1 Marcus Meissner 2005-08-31 09:47:53 UTC 
*** buffer overflow detected ***: /usr/X11R6/bin/xfig.bin terminated 
 
Program received signal SIGABRT, Aborted. 
0x00002aaaabd0f3ca in raise () from /lib64/tls/libc.so.6 
(gdb) bt 
#0  0x00002aaaabd0f3ca in raise () from /lib64/tls/libc.so.6 
#1  0x00002aaaabd10800 in abort () from /lib64/tls/libc.so.6 
#2  0x00002aaaabd44fde in __libc_message () from /lib64/tls/libc.so.6 
#3  0x00002aaaabdaf81f in __chk_fail () from /lib64/tls/libc.so.6 
#4  0x00002aaaabdaee09 in _IO_str_chk_overflow () from /lib64/tls/libc.so.6 
#5  0x00002aaaabd48036 in _IO_default_xsputn_internal () 
   from /lib64/tls/libc.so.6 
#6  0x00002aaaabd21e4e in vfprintf () from /lib64/tls/libc.so.6 
#7  0x00002aaaabdaeeb9 in __vsprintf_chk () from /lib64/tls/libc.so.6 
#8  0x00002aaaabdaedf0 in __sprintf_chk () from /lib64/tls/libc.so.6 
#9  0x000000000047ea83 in count_user_colors () at w_color.c:1078 
#10 0x0000000000482bd3 in create_color_panel (form=0x7b5e60,  
    label=<value optimized out>, cancel=0x7ca350, isw=0x633d60) 
    at w_color.c:518 
#11 0x00000000004a0be4 in popup_choice_panel (isw=0x633d60) 
    at w_indpanel.c:1677 
#12 0x00002aaaab3fa1e0 in XtDispatchEventToWidget () 
   from /usr/X11R6/lib64/libXt.so.6 
#13 0x00002aaaab3fa861 in _XtOnGrabList () from /usr/X11R6/lib64/libXt.so.6 
#14 0x00002aaaab3fa9ce in XtDispatchEvent () from /usr/X11R6/lib64/libXt.so.6 
#15 0x000000000044815b in main (argc=1, argv=<value optimized out>) 
    at main.c:1503 
#16 0x00002aaaabcfd55a in __libc_start_main () from /lib64/tls/libc.so.6 
---Type <return> to continue, or q <return> to quit---
Comment 2 Dr. Werner Fink 2005-08-31 10:33:00 UTC 
Please provide a patch due to the fact that I'm heavily overworked.
Comment 3 Dr. Werner Fink 2005-08-31 10:34:51 UTC 
Maybe this is X11 releated.  Stefan?
Comment 4 Marcus Meissner 2005-08-31 10:43:39 UTC 
Created attachment 48286 [details]
xfig.patch

this fixes the single byte bufferoverflow.

(the resulting string is 10 chars + 1 NUL byte)
Comment 5 Dr. Werner Fink 2005-08-31 11:29:57 UTC 
Thanks
Comment 6 Dr. Werner Fink 2005-08-31 11:50:28 UTC 
Patch appended to xfig.3.2.4-gcc4.dif