"*** buffer overflow detected ***" abort in MrmOpenHierarchyPerDisplay()

Bug #374907 reported by Frédéric Delanoy on 2009-05-11
This bug affects 5 people
Affects             Status        Importance  Assigned to  Milestone
openmotif (Fedora)  Fix Released  High
openmotif (Ubuntu)                Undecided   Unassigned

Bug Description

When a UIL-based program calls MrmOpenHierarchyPerDisplay(), it is immediately
aborted with "*** buffer overflow detected ***" message.

This problem has already been reported and fixed on RedHat: a test case (which I tried) and a fix (which I didn't (yet)) are available:
See https://bugzilla.redhat.com/show_bug.cgi?id=166144

Happens with Jaunty (didn't occur in Intrepid)
Default Linux 2.6.28-11-generic #42-Ubuntu SMP Fri Apr 17 01:57:59 UTC 2009 i686 GNU/Linux
libmotif-dev 2.2.3-4

Steps to reproduce, expectations, ..., are explained in the above URL.

Description of problem:
When a UIL-based program calls MrmOpenHierarchyPerDisplay(), it is immediately
aborted with "*** buffer overflow detected ***" message.
This happens with any of the UIL-based programs from demos/programs/ too. (Yes, one
has to build them manually, since demos/ are cut off from the .rpm.)

Version-Release number of selected component (if applicable):
2.2.3-10

How reproducible:
Always

Steps to Reproduce:
1. Unpack and build the minimal test case attached below -- tar xfz
mrm-test.tgz; cd mrm-test; make
2. Run it -- ./mrm

Actual results:
The program aborts with "*** buffer overflow detected ***: ./mrm terminated"
message.

Expected results:
The program should run and display a window with a single label.

Additional info:
Note 1:
Interestingly, this bug is present ONLY in the FC4 rpm -- pristine 2.2.3 sources are
okay.
For example, if one builds the OpenMotif libraries from openMotif-2.2.3.tar.gz,
contained in openmotif-2.2.3-10.src.rpm (./configure; make), and uses those
libraries (LD_LIBRARY_PATH=.../openMotif-2.2.3/lib/Mrm/ ./mrm), then everything
works as expected.
And if libraries produced via "rpmbuild -ba" are used in the same manner, then
the bug IS present.

Note 2:
"diff" shows that NONE of the .rpm's patches touches lib/Mrm/.
So the buffer overflow is probably triggered as a side effect of some other
patch, or is caused by different compile options.

Created attachment 117831
A test case

Created attachment 117833
A text "screenshot" of the abort

Question: can you make sure that your local openmotif build uses
"-D_FORTIFY_SOURCE=2" as part of the CFLAGS? That is, to compare apples to
apples, e.g. enable buffer overflow checking in your local build as well.

This was a bug in the Motif code (patch below).
It did XtNumber on a char pointer, which isn't allowed; XtNumber() is only
allowed on statically sized buffers, not on dynamically sized ones.

diff -u openMotif-2.2.3/lib/Mrm/MrmIheader.c~ openMotif-2.2.3/lib/Mrm/MrmIheader.c
--- openMotif-2.2.3/lib/Mrm/MrmIheader.c~ 2005-08-22 10:13:49.712349972 +0200
+++ openMotif-2.2.3/lib/Mrm/MrmIheader.c 2005-08-22 10:13:49.712349972 +0200
@@ -228,9 +228,11 @@

   {
     /* sscanf() may call ungetc(), which would write the XmConst string. */
- char buf[strlen(idb__database_version) + 1];
+ char *buf;
+ buf = XtMalloc(strlen(idb__database_version) + 1);
     strcpy(buf, idb__database_version);
     sscanf(buf, "URM %d.%d", &db_major, &db_minor);
+ XtFree(buf);
   }

   if ((file_major > db_major) ||
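Review bot: the `-` line in this hunk already reads `char buf[strlen(idb__database_version) + 1];`, a VLA sized from the string, so the removed code does not show the XtNumber-on-a-pointer defect the comment above describes; the `~` backup file in the header also carries the same timestamp as the new file, which suggests the diff was taken against an already-edited copy. The hunk should be regenerated against the pristine MrmIheader.c so that the `-` line shows the XtNumber expression being replaced.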

Whoops, wrong patch:

--- openMotif-2.2.3/lib/Mrm/MrmIheader.c.org 2005-08-22 10:11:08.951763921 +0200
+++ openMotif-2.2.3/lib/Mrm/MrmIheader.c 2005-08-22 10:13:49.712349972 +0200
@@ -228,9 +228,11 @@

   {
     /* sscanf() may call ungetc(), which would write the XmConst string. */
- char buf[XtNumber(idb__database_version) + 1];
+ char *buf;
+ buf = XtMalloc(strlen(idb__database_version) + 1);
     strcpy(buf, idb__database_version);
     sscanf(buf, "URM %d.%d", &db_major, &db_minor);
+ XtFree(buf);
   }

   if ((file_major > db_major) ||
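Review bot: the `-` line shows the defect: with `idb__database_version` a pointer, `XtNumber(idb__database_version)` evaluates to sizeof(char *) / sizeof(char), so `buf` is 5 bytes on i686 or 9 on x86_64 regardless of the string's length, and the `strcpy` two lines below overflows it (this is what -D_FORTIFY_SOURCE=2 turns into the "*** buffer overflow detected ***" abort). The `+` lines size the scratch copy with `strlen(idb__database_version) + 1` and release it with `XtFree` after the `sscanf`, which is correct; no NULL check is needed because XtMalloc reports allocation failure through the Xt error handler rather than returning NULL. The unchecked `sscanf` return value is pre-existing and leaves db_major/db_minor untouched if the header does not match, which may be worth a separate fix.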

Yes, the patch at comment #5 cures the problem.
I've filed a bug report in OpenMotif's Bugzilla too --
http://bugs.motifzone.net/show_bug.cgi?id=1304
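The XtNumber misuse explained before the patches, and the strlen-sized replacement that the comment above confirms, as a small added C demonstration (not code from Motif, from the distribution packages, or from anyone in this thread). Assumptions: XtNumber is redefined locally the way <X11/Intrinsic.h> defines it, the version string is a constructed sample (the real idb__database_version is not shown in the report), and plain malloc/free stand in for XtMalloc/XtFree.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-in for Xt's XtNumber macro, written the way <X11/Intrinsic.h>
 * defines it: the element count of an ARRAY. Applied to a pointer, sizeof(arr)
 * is the pointer size, not the string length, which is the MrmIheader.c bug. */
#define XtNumber(arr) ((unsigned int)(sizeof(arr) / sizeof((arr)[0])))

/* Constructed sample header; the real idb__database_version lives in libMrm
 * and its contents are not given in the bug report. */
static const char sample_version[] =
    "URM 2.1 constructed sample, deliberately longer than a pointer";

/* Bytes the unpatched code reserved: XtNumber(pointer) + 1, i.e.
 * sizeof(char *) + 1 (5 on i686, 9 on x86_64) whatever the string holds. */
size_t buggy_buffer_size(const char *version)
{
    return XtNumber(version) + 1;
}

/* Bytes strcpy() actually writes: the string plus its NUL. */
size_t needed_buffer_size(const char *version)
{
    return strlen(version) + 1;
}

/* Returns 1 when the unpatched strcpy() would write past its buffer, the
 * condition -D_FORTIFY_SOURCE=2 turns into "*** buffer overflow detected ***". */
int copy_would_overflow(const char *version)
{
    return needed_buffer_size(version) > buggy_buffer_size(version);
}

/* XtNumber is fine on a real array: for a char array it yields the full
 * storage size, NUL included, so a copy of that array always fits. */
int xtnumber_ok_on_array(void)
{
    return XtNumber(sample_version) == strlen(sample_version) + 1;
}

/* The patched logic: size the scratch copy with strlen()+1 on the heap
 * (malloc here, XtMalloc/XtFree in the Motif fix), parse it, free it.
 * Returns 1 and fills major/minor on success, 0 otherwise. */
int parse_db_version(const char *version, int *major, int *minor)
{
    char *buf = malloc(strlen(version) + 1);
    if (buf == NULL)
        return 0;
    strcpy(buf, version);            /* private copy: sscanf() may ungetc() into it */
    int n = sscanf(buf, "URM %d.%d", major, minor);
    free(buf);
    return n == 2;
}

int main(void)
{
    int major = 0, minor = 0;
    printf("buggy size %zu, needed %zu, overflow=%d\n",
           buggy_buffer_size(sample_version),
           needed_buffer_size(sample_version),
           copy_would_overflow(sample_version));
    if (parse_db_version(sample_version, &major, &minor))
        printf("parsed URM %d.%d\n", major, minor);
    return 0;
}
```

Compiling this with a recent gcc and -Wall also produces a sizeof-pointer-div warning on the XtNumber(version) line, which is the cheapest way to catch this class of mistake before FORTIFY_SOURCE catches it at run time.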

*** Bug 167094 has been marked as a duplicate of this bug. ***

Fixed in

FC3-updates in rpm openmotif-2.2.3-10.FC3.1
FC4-updates in rpm openmotif-2.2.3-10.FC4.1
rawhide in rpm openmotif-2.2.3-11

I just tested the provided (small) patch (by fetching the source, recompiling, ...)
and it seems to work.

It may seem obvious, but this bug makes my application crash, so it's probably not so unimportant...

Bug seems to be fixed in openmotif already:
See http://bugs.motifzone.net/long_list.cgi?buglist=1304

Alvin (alvind) on 2009-08-10
Changed in openmotif (Ubuntu):
status: New → Confirmed
Alvin (alvind) wrote:

I see that Debian does not have a similar bug report:
http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=libmotif3;dist=unstable
Both distributions have the same version of libmotif3 (2.2.3-4).
Maybe they have a patched version, or are unaware of this bug?

I haven't seen that bug on the Debian web page either... the big problem is that libmotif3 hasn't been updated for years (since the bug was fixed somewhere around end 2005/start 2006).
A simple package upgrade should resolve the issue... don't know why it hasn't been done yet, though.

Actually, http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494375 (libmotif3: new version available upstream; 08 Aug 2008) is still "unclassified" (as are all the other reported bugs).
Maybe this package is not really maintained anymore in Debian...

Alvin (alvind) wrote:

Added 'trivial' tag, because this looks easy to fix. A patch is already available.

tags: added: trivial
Changed in openmotif (Fedora):
status: Unknown → Fix Released
arloth (mnuahs) wrote:

This bug still exists in maverick, as it still comes with Openmotif 2.2.3. Why isn't Ubuntu shipping with OpenMotif 2.3 or later? If it's easy to fix, why isn't it fixed yet?

Graham Inggs (ginggs) wrote:

Package openmotif (2.3.3-5ubuntu1) was included in Natty (11.04).

Changed in openmotif (Ubuntu):
status: Confirmed → Fix Released
Changed in openmotif (Fedora):
importance: Unknown → High