"*** buffer overflow detected ***" abort in MrmOpenHierarchyPerDisplay()

Description of problem:
When a UIL-based program calls MrmOpenHierarchyPerDisplay(), it is immediately
aborted with "*** buffer overflow detected ***" message.
This happens with any of UIL-based programs from demos/programs/ too. (Yes, one
has to build them manually, since demos/ are cut-off from .rpm.)

Version-Release number of selected component (if applicable):
2.2.3-10

How reproducible:
Always

Steps to Reproduce:
1. Unpack and build the minimal test case attached below -- tar xfz
mrm-test.tgz; cd mrm-test; make
2. Run it -- ./mrm

Actual results:
The program aborts with "*** buffer overflow detected ***: ./mrm terminated"
message.

Expected results:
The program should run and display a window with a single label.

Additional info:
Note 1:
Interestingly, this bug is present ONLY in FC4 rpm -- pristine 2.2.3 sources are
okay.
For example, if one builds OpenMotif libraries from openMotif-2.2.3.tar.gz,
contained in openmotif-2.2.3-10.src.rpm (./configure; make) and uses that
libraries (LD_LIBRARY_PATH=.../openMotif-2.2.3/lib/Mrm/ ./mrm), then everything
works as expected.
And, if using in the same manner libraries, produced via "rpmbuild -ba", then
the bug IS present.

Note 2:
"diff" shows that NONE of .rpm's patches touches lib/Mrm/.
So, probably the buffer overflow is triggered as a side effect of some other
patch, or is caused by different compile options.

Created attachment 117831
A test case

Created attachment 117833
A text "screenshot" of the abort

question: can you make sure that your local openmotif build uses
"-D_FORTIFY_SOURCE=2" as part of the CFLAGs ? That is to compare apples to
apples, eg enable buffer overflow checking as well in your local build

This was a bug in the Motif code (patch below)
It did XtNumber on a char pointer, which isn't allowed, XtNumber() is only
allowed on static sized buffers not on dynamic sized ones.

diff -u openMotif-2.2.3/lib/Mrm/MrmIheader.c~ openMotif-2.2.3/lib/Mrm/MrmIheader.c
--- openMotif-2.2.3/lib/Mrm/MrmIheader.c~ 2005-08-22 10:13:49.712349972 +0200
+++ openMotif-2.2.3/lib/Mrm/MrmIheader.c 2005-08-22 10:13:49.712349972 +0200
@@ -228,9 +228,11 @@

   {
     /* sscanf() may call ungetc(), which would write the XmConst string. */
- char buf[strlen(idb__database_version) + 1];
+ char *buf;
+ buf = XtMalloc(strlen(idb__database_version) + 1);
     strcpy(buf, idb__database_version);
     sscanf(buf, "URM %d.%d", &db_major, &db_minor);
+ XtFree(buf);
   }

   if ((file_major > db_major) ||

woops wrong patch:

--- openMotif-2.2.3/lib/Mrm/MrmIheader.c.org 2005-08-22 10:11:08.951763921 +0200
+++ openMotif-2.2.3/lib/Mrm/MrmIheader.c 2005-08-22 10:13:49.712349972 +0200
@@ -228,9 +228,11 @@

   {
     /* sscanf() may call ungetc(), which would write the XmConst string. */
- char buf[XtNumber(idb__database_version) + 1];
+ char *buf;
+ buf = XtMalloc(strlen(idb__database_version) + 1);
     strcpy(buf, idb__database_version);
     sscanf(buf, "URM %d.%d", &db_major, &db_minor);
+ XtFree(buf);
   }

   if ((file_major > db_major) ||

Yes, patch at comment#5 cures the problem.
I've filed a bugreport to OpenMotif's Bugzilla too --
http://bugs.motifzone.net/show_bug.cgi?id=1304

*** Bug 167094 has been marked as a duplicate of this bug. ***

Fixed in

FC3-updates in rpm openmotif-2.2.3-10.FC3.1
FC4-updates in rpm openmotif-2.2.3-10.FC4.1
rawhide in rpm openmotif-2.2.3-11