[cdesktopenv-devel] Fix more sprintf() calls

2012-08-08 Thread Marc Balmer
A few more sprintf() to snprintf() conversions. We need to find a proper way to replace strcpy() and strcat(), maybe keep a local copy of strlcpy() and strlcat() from OpenBSD around somewhere? Other suggestions? From 6aba055101e8b7c2f0155d76e872125dfd69ef8c Mon Sep 17 00:00:00 2001 From: Marc B

[cdesktopenv-devel] Suggesting to build on Linux with debug symbols enabled by default

2012-08-08 Thread Marc Balmer
I suggest to build CDE with debug symbols on by default on Linux. Space is not a concern these days, but since we are probably going to a period of pain with this code, easy debugging for everyone would help to find bugs. Opinions? The attached patch would turn debugging symbols on, on Linux that

[cdesktopenv-devel] use sizeof when converting from sprintf() to snprintf()

2012-08-08 Thread Marc Balmer
When converting sprintf() to snprintf(), don't use the idiom char foo[BUFSIZ]; snprintf(foo, BUFSIZ, ); but char foo[BUFSIZ]; snprintf(foo, sizeof foo, ); because this will automatically catch situations where the size of foo is later changed, e.g. like foo[BUFSIZ + 8]; The attached pa

[cdesktopenv-devel] [PATCH 2/2] dtscreen: include stdlib where appropriate

2012-08-08 Thread Robert Tomsick
Signed-off-by: Robert Tomsick --- cde/programs/dtscreen/flame.c|1 + cde/programs/dtscreen/hopalong.c |1 + cde/programs/dtscreen/image.c|1 + cde/programs/dtscreen/life.c |1 + cde/programs/dtscreen/pyro.c |2 ++ cde/programs/dtscreen/qix.c |1 + cde

[cdesktopenv-devel] [PATCH 1/2] dtscreen: include stdlib to avoid exit redeclaration

2012-08-08 Thread Robert Tomsick
Signed-off-by: Robert Tomsick --- cde/programs/dtscreen/dtscreen.c |1 + 1 file changed, 1 insertion(+) diff --git a/cde/programs/dtscreen/dtscreen.c b/cde/programs/dtscreen/dtscreen.c index 5f8c4a1..6c22786 100644 --- a/cde/programs/dtscreen/dtscreen.c +++ b/cde/programs/dtscreen/dtscreen.

[cdesktopenv-devel] [PATCH 1/2] dthelpview: Main.c - Cleanup variable init

2012-08-08 Thread Robert Tomsick
Signed-off-by: Robert Tomsick --- cde/programs/dthelp/dthelpview/Main.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cde/programs/dthelp/dthelpview/Main.c b/cde/programs/dthelp/dthelpview/Main.c index d61c12a..c82e2ad 100644 --- a/cde/programs/dthelp/dthelpview/Main.c

[cdesktopenv-devel] [PATCH 2/2] dthelpview: Util.c include stdlib to avoid redeclaring exit()

2012-08-08 Thread Robert Tomsick
Signed-off-by: Robert Tomsick --- cde/programs/dthelp/dthelpview/Util.c |1 + 1 file changed, 1 insertion(+) diff --git a/cde/programs/dthelp/dthelpview/Util.c b/cde/programs/dthelp/dthelpview/Util.c index 9a89f94..d7e2813 100644 --- a/cde/programs/dthelp/dthelpview/Util.c +++ b/cde/progra

Re: [cdesktopenv-devel] [PATCH] dtaction: Fix unsafe use of sprintf

2012-08-08 Thread Jon Trulson
On Wed, 8 Aug 2012, Robert Tomsick wrote: > I believe this fixes vulnerability #3 from CERT CA-1999-11.[1] The other > uses of sprintf in DtAction seem to be safe. Applied thanks. -- Jon Trulson "If the Martian rope-a-dope don't get him, he'll get himself, he'll come in too fast and punch

Re: [cdesktopenv-devel] [PATCH] dtterm - minor warning fixes

2012-08-08 Thread Jon Trulson
On Wed, 8 Aug 2012, Robert Tomsick wrote: > As the subject line says, two minor fixes to dtterm. > > -Rob > Applied, thanks... -- Jon Trulson "If the Martian rope-a-dope don't get him, he'll get himself, he'll come in too fast and punch himself out." - one of my brothers, refer

Re: [cdesktopenv-devel] OpenBSD port

2012-08-08 Thread Jon Trulson
On Wed, 8 Aug 2012, Pascal Stumpf wrote: > On Tue, 07 Aug 2012 21:51:14 +0200, Pascal Stumpf wrote: >> Ohai. >> >> Just informing you guys that I'm currently working on an OpenBSD port. >> Already got most stuff building and a shitload of patches (though mostly >> just #ifdef's). I'll probably st

[cdesktopenv-devel] [PATCH] dtterm - minor warning fixes

2012-08-08 Thread Robert Tomsick
As the subject line says, two minor fixes to dtterm. -Rob From 1802d0fb59d438d5ca97507fd1cd51606b161da8 Mon Sep 17 00:00:00 2001 From: Robert Tomsick Date: Wed, 8 Aug 2012 19:49:45 -0400 Subject: [PATCH 2/2] dtterm: logger - use socklen_t for addrlen in serve(char, int, int) Signed-off-by: Ro

[cdesktopenv-devel] [PATCH] dtaction: Fix unsafe use of sprintf

2012-08-08 Thread Robert Tomsick
I believe this fixes vulnerability #3 from CERT CA-1999-11.[1] The other uses of sprintf in DtAction seem to be safe. -Rob [1] https://www.cert.org/advisories/CA-1999-11.html Signed-off-by: Robert Tomsick --- cde/programs/dtaction/Main.c |2 +- 1 file changed, 1 insertion(+), 1 deletio

Re: [cdesktopenv-devel] Fix a segfault on Debian squeeze 64 bit (and possibly other systems)

2012-08-08 Thread Jon Trulson
On Wed, 8 Aug 2012, Frederic Koehler wrote: > Hm, I'd be surprised if this patch had any effect: sizeof of a string literal > should give the number of bytes in it [which is a really > weird special case of C, see > http://en.wikipedia.org/wiki/Sizeof#Using_sizeof_with_arrays] > Although, strlen i

Re: [cdesktopenv-devel] Fix a segfault on Debian squeeze 64 bit (and possibly other systems)

2012-08-08 Thread Frederic Koehler
Hm, I'd be surprised if this patch had any effect: sizeof of a string literal should give the number of bytes in it [which is a really weird special case of C, see http://en.wikipedia.org/wiki/Sizeof#Using_sizeof_with_arrays] Although, strlen is a lot more obviously correct [curiously, adding the +

Re: [cdesktopenv-devel] [PATCH] Fix buffer overflow due to sizeof has been used in the place of strlen

2012-08-08 Thread Jon Trulson
On Wed, 8 Aug 2012, Douglas Mencken wrote: > sizeof(char*) has been used in an attempt to get string's length. > > Program received signal SIGSEGV, Segmentation fault. > 0x75912dfa in _IO_vfprintf_internal (s=0x7fffdf60, >format=, ap=0x7fffe080) at vfprintf.c:1614 > 1614vfp

Re: [cdesktopenv-devel] [PATCH] Fix buffer overflow due to sizeof has been used in the place of strlen

2012-08-08 Thread Douglas Mencken
And please, don't forget to mention mblamer from #cde as co-author.

[cdesktopenv-devel] [PATCH] Fix buffer overflow due to sizeof has been used in the place of strlen

2012-08-08 Thread Douglas Mencken
sizeof(char*) has been used in an attempt to get string's length. Program received signal SIGSEGV, Segmentation fault. 0x75912dfa in _IO_vfprintf_internal (s=0x7fffdf60, format=, ap=0x7fffe080) at vfprintf.c:1614 1614vfprintf.c: No such file or directory. in vfprint

Re: [cdesktopenv-devel] Fix a segfault on Debian squeeze 64 bit (and possibly other systems)

2012-08-08 Thread Jon Trulson
On Wed, 8 Aug 2012, Marc Balmer wrote: > Use strlen, not sizeof, here. Fixes a segfault on Debian squeeze 64 bit > and most probably other systems, too. > > (If the mailer mangles the diff, I can resend it as attachment) > > diff --git a/cde/lib/DtSvc/DtUtil1/DtsMM.c b/cde/lib/DtSvc/DtUtil1/DtsMM

Re: [cdesktopenv-devel] [PATCH] Don't use "%wc" in format strings

2012-08-08 Thread Jon Trulson
On Wed, 8 Aug 2012, Douglas Mencken wrote: > "%wc" is Microsoft extension, not supported in every Std C Library. So > if we don't want to print "%wc%wc%wc%wc%..." instead of real chars, we > shall not use it. > Applied, thanks for sending as attachment :) [...] -- Jon Trulson "If the Martian

Re: [cdesktopenv-devel] 64b issues (was: (no subject))

2012-08-08 Thread Jon Trulson
On Wed, 8 Aug 2012, Frederic Koehler wrote: > Definitely nobody should use mkstemp anyway, but it's worth noting why the > segfault happens, because it's tricky: the code calls basename but forgets > to include the right header file -- this being C, the compiler just assumes > its return type is i

Re: [cdesktopenv-devel] Use antialiased fonts...

2012-08-08 Thread Jon Trulson
On Wed, 8 Aug 2012, Marc Balmer wrote: > After building CDE, and starting dtlogin for the first time, I had a > deja-vu of the bad kind... The fonts as is are true ugly, because they > are non-antialiased. But since CDE builds on top of OpenMotif, which > has had antialiased fonts (and UTF8) sup

Re: [cdesktopenv-devel] Partial fixes for some Linux Systems

2012-08-08 Thread Jon Trulson
On Wed, 8 Aug 2012, Marc Balmer wrote: > Am 08.08.12 09:05, schrieb Frederic Koehler: [...] >> -if (stat(TtMntTab, &mount_table_stat)) { >> +// Must use lstat here; mtab is often a symlink > > I'd like to raise the question if we want such C++ style comments or if > we shou

Re: [cdesktopenv-devel] CDE dtksh updated to newer ksh93 release?

2012-08-08 Thread Christopher Turkel
-Original Message- From: Pascal Stumpf To: Irek Szczesniak Cc: cdesktopenv-devel Sent: Wed, Aug 8, 2012 1:37 pm Subject: Re: [cdesktopenv-devel] CDE dtksh updated to newer ksh93 release? On Wed, 8 Aug 2012 19:12:07 +0200, Irek Szczesniak wrote: > On Wed, Aug 8, 2012 at 2:14 PM, Pas

Re: [cdesktopenv-devel] Partial fixes for some Linux Systems

2012-08-08 Thread Jon Trulson
On Wed, 8 Aug 2012, Frederic Koehler wrote: Some comments below: > Thanks for the feedback; here are some revised patches > and a third group of patches which fix enough segfaults > by removing implicit function definitions > to allow CDE to startup on x64, albeit to a very buggy desktop. > > ===

Re: [cdesktopenv-devel] CDE dtksh updated to newer ksh93 release?

2012-08-08 Thread Pascal Stumpf
On Wed, 8 Aug 2012 19:12:07 +0200, Irek Szczesniak wrote: > On Wed, Aug 8, 2012 at 2:14 PM, Pascal Stumpf wrote: > > On Wed, 8 Aug 2012 13:57:34 +0200, Irek Szczesniak wrote: > >> Has anyone considered updating CDE's dtksh (Desktop Korn Shell, i.e. > >> ksh93 with Dt, Motif and Xt APIs) to a newer

Re: [cdesktopenv-devel] CDE dtksh updated to newer ksh93 release?

2012-08-08 Thread Irek Szczesniak
On Wed, Aug 8, 2012 at 2:14 PM, Pascal Stumpf wrote: > On Wed, 8 Aug 2012 13:57:34 +0200, Irek Szczesniak wrote: >> Has anyone considered updating CDE's dtksh (Desktop Korn Shell, i.e. >> ksh93 with Dt, Motif and Xt APIs) to a newer ksh93 release? The >> current dtksh uses ksh93d- (the minus repres

[cdesktopenv-devel] Fix a segfault on Debian squeeze 64 bit (and possibly other systems)

2012-08-08 Thread Marc Balmer
Use strlen, not sizeof, here. Fixes a segfault on Debian squeeze 64 bit and most probably other systems, too. (If the mailer mangles the diff, I can resend it as attachment) diff --git a/cde/lib/DtSvc/DtUtil1/DtsMM.c b/cde/lib/DtSvc/DtUtil1/DtsMM.c index dd82d6f..0004afa 100644 --- a/cde/lib/DtS

[cdesktopenv-devel] [PATCH] Don't use "%wc" in format strings

2012-08-08 Thread Douglas Mencken
"%wc" is Microsoft extension, not supported in every Std C Library. So if we don't want to print "%wc%wc%wc%wc%..." instead of real chars, we shall not use it. Before: %wc%wc%wc%wc%wc%wc%wc%wc%wc%wc%wc%wc%wc%wc%wcession[28326]: _Tt_s_session::s_init(): 1051 (TT_ERR_INTERNAL)! %wc%wc%wc%wc%wc%wc%w

Re: [cdesktopenv-devel] CDE dtksh updated to newer ksh93 release?

2012-08-08 Thread Pascal Stumpf
On Wed, 8 Aug 2012 13:57:34 +0200, Irek Szczesniak wrote: > Has anyone considered updating CDE's dtksh (Desktop Korn Shell, i.e. > ksh93 with Dt, Motif and Xt APIs) to a newer ksh93 release? The > current dtksh uses ksh93d- (the minus representing an alpha version) > and is far from what I'd call "s

[cdesktopenv-devel] CDE dtksh updated to newer ksh93 release?

2012-08-08 Thread Irek Szczesniak
Has anyone considered updating CDE's dtksh (Desktop Korn Shell, i.e. ksh93 with Dt, Motif and Xt APIs) to a newer ksh93 release? The current dtksh uses ksh93d- (the minus representing an alpha version) and is far from what I'd call "stable". Current ksh93 release is ksh93u+ (the plus representing a

Re: [cdesktopenv-devel] Partial fixes for some Linux Systems

2012-08-08 Thread Marc Balmer
Am 08.08.12 09:05, schrieb Frederic Koehler: > Thanks for the feedback; here are some revised patches > and a third group of patches which fix enough segfaults > by removing implicit function definitions > to allow CDE to startup on x64, albeit to a very buggy desktop. > > == > Av

Re: [cdesktopenv-devel] Partial fixes for some Linux Systems

2012-08-08 Thread Frederic Koehler
Thanks for the feedback; here are some revised patches and a third group of patches which fix enough segfaults by removing implicit function definitions to allow CDE to startup on x64, albeit to a very buggy desktop. == Avoid an infinite loop in ttsession (tooltalk daemon) when /et