Re: [cdesktopenv-devel] [PATCH] dtcreate: fix exit with TT_ERR_PTYPE and fix several sprintf related segfaults.

William Schaub Sat, 11 Aug 2012 01:17:06 -0700

On 08/11/2012 03:56 AM, William Schaub wrote:

On 08/11/2012 03:18 AM, Marc Balmer wrote:

A few comments:


Since sizeof(char) is 1, it is not needed to write

malloc(... + 5 * sizeof(char))

but just

malloc(... + 5)

And actually, only 4 extra characters are needed, so don't waste that
byte ;)

And never use a multiplication in a malloc, never, ever.  It has been
the source of remote-root exploits (due to integer overflow).  Simple
rule:  If there is a multiplication needed, use calloc:

malloc(n * sizeof whatever)    /* never, ever */

use

calloc(n, sizeof whatever)    /* this is the way to go */

The original code contains a nice bug:

     title = XtMalloc(strlen(pre) + strlen(suf) + 2);
     sprintf(title, "%s - %s", pre, suf);

The format string alone adds 3 characters to the final string (' - '),
and then there is the NUL terminating characters, so the target buffer
needs to be at least strlen(pre) + strlen(suf) + 4 characters long, but
here a smaller buffer is allocated.  This nicely demonstrates the
evilness of sprintf...

I'm waiting on CDE to rebuild at the moment but as soon as I verifythat my changes still result in a working dtcreate I will reply tothis message with a new patch with the changes you suggested.


Ok Here is the revised patch.

>From ef9d65a74cf7a69401e06299e34474b9e335f34e Mon Sep 17 00:00:00 2001
From: William Schaub <wsch...@genesi-tech.com>
Date: Sat, 11 Aug 2012 04:02:17 -0400
Subject: [PATCH] dtcreate: fix exit with TT_ERR_PTYPE and fix several sprintf related segfaults.

---
 cde/programs/dtcreate/AddFiletype.c          |    6 ++++--
 cde/programs/dtcreate/CreateActionAppShell.c |    7 ++++---
 cde/programs/dtcreate/ca_aux.c               |   19 ++++++++++++-------
 cde/programs/dtcreate/main.c                 |    3 +++
 4 files changed, 23 insertions(+), 12 deletions(-)

diff --git a/cde/programs/dtcreate/AddFiletype.c b/cde/programs/dtcreate/AddFiletype.c
index 8d70b2a..15d78e9 100644
--- a/cde/programs/dtcreate/AddFiletype.c
+++ b/cde/programs/dtcreate/AddFiletype.c
@@ -261,6 +261,7 @@ static Widget   _Uxbuild_AddFiletype(void)
 	char		     *pre, *suf, *title;
 
 	XmString	      emptyString;
+    int len;
 
 #define TIGHTNESS             20
 #define ICON_MIN_HEIGHT       83
@@ -276,8 +277,9 @@ static Widget   _Uxbuild_AddFiletype(void)
 
         pre = GETMESSAGE(3, 10, "Create Action");
         suf = GETMESSAGE(7, 10, "Add Datatype");
-        title = XtMalloc(strlen(pre) + strlen(suf) + 2);
-        sprintf(title, "%s - %s", pre, suf);
+        len = strlen(pre) + strlen(suf) + 4;
+        title = XtMalloc(len);
+        snprintf(title,len - 1, "%s - %s", pre, suf);
 
         _UxParent = XtVaCreatePopupShell( "AddFiletype_shell",
                         xmDialogShellWidgetClass, _UxParent,
diff --git a/cde/programs/dtcreate/CreateActionAppShell.c b/cde/programs/dtcreate/CreateActionAppShell.c
index 5396a8c..4233e41 100644
--- a/cde/programs/dtcreate/CreateActionAppShell.c
+++ b/cde/programs/dtcreate/CreateActionAppShell.c
@@ -345,6 +345,7 @@ static  void    activateCB_CA_FiletypesDelete( Widget UxWidget,
   int           cnt;
   Boolean       bFound;
   char          *msgPtr1, *msgPtr2, *fmtPtr, *errPtr;
+  int           len;
 
   /**************************************************************************/
   /* Determine the filetypes to delete and delete them.                     */
@@ -411,9 +412,9 @@ static  void    activateCB_CA_FiletypesDelete( Widget UxWidget,
      msgPtr2 = XtNewString(GETMESSAGE(5, 125,
 		  "Please select the Datatype you would like to Delete."));
      fmtPtr = "%s\n%s";
-     errPtr = XtMalloc((strlen(msgPtr1) + strlen(msgPtr2) +
-			strlen(fmtPtr) + 1) * sizeof(char));
-     sprintf(errPtr, fmtPtr, msgPtr1, msgPtr2);
+     len = (strlen(msgPtr1) + strlen(msgPtr2) + strlen(fmtPtr) + 2);
+     errPtr = XtMalloc(len);
+     snprintf(errPtr,len - 1, fmtPtr, msgPtr1, msgPtr2);
      XtFree(msgPtr2);
      XtFree(msgPtr1);
      display_error_message(CreateActionAppShell, errPtr);
diff --git a/cde/programs/dtcreate/ca_aux.c b/cde/programs/dtcreate/ca_aux.c
index afd105a..3092b58 100644
--- a/cde/programs/dtcreate/ca_aux.c
+++ b/cde/programs/dtcreate/ca_aux.c
@@ -849,6 +849,7 @@ void activateCB_add_filetype (Widget wid, XtPointer client_data,
   char         *ptr;
   char          tmpbuf[50];
   char	       *pre, *suf, *title;
+  int          len;
 
   if (!CreateActionAppShellCheckFields()) {
 
@@ -893,8 +894,9 @@ void activateCB_add_filetype (Widget wid, XtPointer client_data,
 
     pre = GETMESSAGE(3, 10, "Create Action");
     suf = GETMESSAGE(7, 10, "Add Datatype");
-    title = XtMalloc(strlen(pre) + strlen(suf) + 2);
-    sprintf(title, "%s - %s", pre, suf);
+    len = strlen(pre) + strlen(suf) + 4;
+    title = XtMalloc(len);
+    snprintf(title,len - 1,"%s - %s", pre, suf);
 
     XtVaSetValues (AddFiletype,
                    RES_CONVERT (XmNdialogTitle, title ),
@@ -924,11 +926,13 @@ void activateCB_edit_filetype (Widget wid, XtPointer client_data,
   int          selecteditem;
   char         *msgPtr1, *msgPtr2, *fmtPtr, *errPtr;
   char	       *pre, *suf, *title;
+  int len;
 
   pre = GETMESSAGE(3, 10, "Create Action");
   suf = GETMESSAGE(7, 11, "Edit Datatype");
-  title = XtMalloc(strlen(pre) + strlen(suf) + 2);
-  sprintf(title, "%s - %s", pre, suf);
+  len = strlen(pre) + strlen(suf) + 4;
+  title = XtMalloc(len);
+  snprintf(title,len - 1, "%s - %s", pre, suf);
 
   /**************************************************************************/
   /* Determine the selected list item.                                      */
@@ -959,9 +963,10 @@ void activateCB_edit_filetype (Widget wid, XtPointer client_data,
      msgPtr2 = XtNewString(GETMESSAGE(5, 130,
 		  "Please select the Datatype you would like to Edit."));
      fmtPtr = "%s\n%s";
-     errPtr = XtMalloc((strlen(msgPtr1) + strlen(msgPtr2) +
-			strlen(fmtPtr) + 1) * sizeof(char));
-     sprintf(errPtr, fmtPtr, msgPtr1, msgPtr2);
+     len = (strlen(msgPtr1) + strlen(msgPtr2) +
+             strlen(fmtPtr) + 3);
+     errPtr = XtMalloc(len);
+     snprintf(errPtr,len - 1, fmtPtr, msgPtr1, msgPtr2);
      XtFree(msgPtr2);
      XtFree(msgPtr1);
      display_error_message(CreateActionAppShell, errPtr);
diff --git a/cde/programs/dtcreate/main.c b/cde/programs/dtcreate/main.c
index 168cd88..1b56e3f 100644
--- a/cde/programs/dtcreate/main.c
+++ b/cde/programs/dtcreate/main.c
@@ -548,6 +548,9 @@ DieFromToolTalkError(Widget parent, char *errfmt, Tt_status status)
     if (! tt_is_err(status)) return;
 
     statmsg = tt_status_message(status);
+    /* Solaris dtcreate ignores this so we should too */
+    if(!strncmp("TT_ERR_PTYPE",statmsg,12))
+            return;
     errmsg = XtMalloc(strlen(errfmt) + strlen(statmsg) + 2);
     sprintf(errmsg, errfmt, statmsg);
 
-- 
1.7.2.5

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
cdesktopenv-devel mailing list
cdesktopenv-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cdesktopenv-devel

Re: [cdesktopenv-devel] [PATCH] dtcreate: fix exit with TT_ERR_PTYPE and fix several sprintf related segfaults.

Reply via email to