From: schwartz+sam-fans@bio.cse.psu.edu
To: sam-fans@hawkwind.utcs.toronto.edu
Subject: 9term buffer overflow
Date: Tue, 27 Jan 1998 16:47:56 -0500	[thread overview]
Date: Tue, 27 Jan 1998 16:47:55 -0500	[thread overview]
Message-ID: <19980127214756.19841.qmail@bio.cse.psu.edu> (raw)

9term "1.6.6 Nov 1995" (the latest?) has a problem in display.c, where
a static buffer can overflow.  (The font improvements for libXg that I
posted a while ago can exercise this; since no one has complained I
guess no one has tried those either (hmmm.))

*** /tmp/T0a004pS	Tue Jan 27 16:43:03 1998
--- display.c	Tue Jan 27 16:33:46 1998
***************
*** 121,126 ****
--- 121,137 ----
  		_killpg(SIGHUP);
  }
  
+ static char *
+ str_ndup(char *p, unsigned int n)
+ {
+ 	char *s = malloc(n+1);
+ 	if (!s)
+ 		error("malloc failure");
+ 	strncpy(s, p, n);
+ 	s[n] = 0;
+ 	return s;
+ }
+ 
  /*
   *	try to extract an X resource under a variety of names
   */
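Review bot: In `str_ndup`, `malloc(n+1)` wraps to `malloc(0)` when `n` is the largest `unsigned int`, and `s[n] = 0` then writes far outside the allocation. The length comes from `value.size` in the resource database, so a guard before the allocation, such as `if (n + 1 == 0) error("resource too large");`, closes that case. The lines after `if (!s) error("malloc failure");` also rely on `error()` never returning, which this hunk does not show; if it can return, the `strncpy` that follows dereferences a null pointer. Since `p` is only read, it could be declared `const char *p`.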
***************
*** 128,134 ****
  get_resource(char *resource, char *class, char *rname, char *cname)
  {
  	char str1[256], str2[256];
- 	static char result[512];
  	XrmValue value;
  	char *str_type;
  
--- 139,144 ----
***************
*** 137,144 ****
  	if (XrmGetResource(
  			XrmGetDatabase(_dpy),
  			str1, str2, &str_type, &value) == True) {
! 		strncpy(result, value.addr, (int)value.size);
! 		return result;
  	}
  	return 0;
  }
--- 147,153 ----
  	if (XrmGetResource(
  			XrmGetDatabase(_dpy),
  			str1, str2, &str_type, &value) == True) {
! 		return str_ndup(value.addr, value.size);
  	}
  	return 0;
  }
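Review bot: `get_resource` now returns heap memory from `str_ndup` rather than a pointer to a static buffer, but nothing tells callers that they own the result. The header comment above the function should state the new contract, for example `/* try to extract an X resource under a variety of names; returns a malloc'd copy that the caller must free, or 0 if not found */`. Any caller of `get_resource` outside the hunks in this patch would leak every string it receives, so the remaining call sites are worth checking. The function's opening lines are outside this hunk.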
***************
*** 155,165 ****
--- 164,176 ----
  
  	s = get_resource(resource, class, "debug", "Debug");
  	if (s && strcasecmp(s, "true")) {
+ 		free(s);
  		XSetErrorHandler(error_handler);
  		XSetIOErrorHandler(io_error_handler);
  	}
  	s = get_resource(resource, class, "login", "Login");
  	if (s && !strcasecmp(s, "true")) {
+ 		free(s);
  		/* Change argv[0] if this is a login shell */
  		new = (char *)malloc(strlen(shargv[0])+2);
  		if (!new)
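Review bot: The added `free(s)` calls sit inside the `if` bodies, so a resource that is set but fails the test is never freed. With `debug` set to `true`, `strcasecmp(s, "true")` is zero, the body is skipped and `s` leaks; the same applies to `login` here and to `scroll` and `utmp` in the next hunk. Because `free(0)` is a no-op, the call can move after the conditional to cover both paths, e.g. `if (s && !strcasecmp(s, "true")) scrolling = 1;` followed by an unconditional `free(s);`. The enclosing function starts before this hunk and the `login` block continues into the next one.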
***************
*** 169,206 ****
  		shargv[0] = new;
  	}
  	s = get_resource(resource, class, "scroll", "Scroll");
! 	if (s && !strcasecmp(s, "true"))
  		scrolling = 1;
  	s = get_resource(resource, class, "utmp", "Utmp");
! 	if (s && !strcasecmp(s, "true"))
  		utmpentry = 1;
  	if (s = get_resource(resource, class, "label", "Label")) {
  		XStoreName(_dpy, XtWindow(_toplevel), s);
  		XSetIconName(_dpy, XtWindow(_toplevel), s);
  		XFlush(_dpy);
  	}
! 	if (s = get_resource(resource, class, "ttyModes", "TtyModes"))
  		parsettymodes(UNIX, s);
! 	if (s = get_resource(resource, class, "p9TtyModes", "P9TTyModes"))
  		parsettymodes(PLAN9, s);
! 	if (s = get_resource(resource, class, "kbdMode", "KbdMode"))
  		if (!strcasecmp(s, "unix"))
  			kbdmode = UNIX;
  		else if (!strcasecmp(s, "plan9"))
  			kbdmode = PLAN9;
! 	if (s = get_resource(resource, class, "p9font", "P9font"))
  		setenv("font", s, 1);
! 	if (s = get_resource(resource, class, "highwater", "Highwater"))
  		highwater = atoi(s);
! 	if (s = get_resource(resource, class, "lowwater", "Lowwater"))
  		lowwater = atoi(s);
! 	if (s = get_resource(resource, class, "9wm", "9Wm"))
  		ninewm = !strcasecmp(s, "true");
  	if (s = get_resource(resource, class, "beep", "Beep")) {
  		if (strstr(s, "unix"))
  			beepmask |= UNIX;
  		if (strstr(s, "plan9"))
  			beepmask |= PLAN9;
  	}
  }
  /*
--- 180,237 ----
  		shargv[0] = new;
  	}
  	s = get_resource(resource, class, "scroll", "Scroll");
! 	if (s && !strcasecmp(s, "true")) {
! 		free(s);
  		scrolling = 1;
+ 	}
  	s = get_resource(resource, class, "utmp", "Utmp");
! 	if (s && !strcasecmp(s, "true")) {
! 		free(s);
  		utmpentry = 1;
+ 	}
  	if (s = get_resource(resource, class, "label", "Label")) {
  		XStoreName(_dpy, XtWindow(_toplevel), s);
  		XSetIconName(_dpy, XtWindow(_toplevel), s);
  		XFlush(_dpy);
+ 		free(s);
  	}
! 	if (s = get_resource(resource, class, "ttyModes", "TtyModes")) {
  		parsettymodes(UNIX, s);
! 		free(s);
! 	}
! 	if (s = get_resource(resource, class, "p9TtyModes", "P9TTyModes")) {
  		parsettymodes(PLAN9, s);
! 		free(s);
! 	}
! 	if (s = get_resource(resource, class, "kbdMode", "KbdMode")) {
  		if (!strcasecmp(s, "unix"))
  			kbdmode = UNIX;
  		else if (!strcasecmp(s, "plan9"))
  			kbdmode = PLAN9;
! 		free(s);
! 	}
! 	if (s = get_resource(resource, class, "p9font", "P9font")) {
  		setenv("font", s, 1);
! 		free(s);
! 	}
! 	if (s = get_resource(resource, class, "highwater", "Highwater")) {
  		highwater = atoi(s);
! 		free(s);
! 	}
! 	if (s = get_resource(resource, class, "lowwater", "Lowwater")) {
  		lowwater = atoi(s);
! 		free(s);
! 	}
! 	if (s = get_resource(resource, class, "9wm", "9Wm")) {
  		ninewm = !strcasecmp(s, "true");
+ 		free(s);
+ 	}
  	if (s = get_resource(resource, class, "beep", "Beep")) {
  		if (strstr(s, "unix"))
  			beepmask |= UNIX;
  		if (strstr(s, "plan9"))
  			beepmask |= PLAN9;
+ 		free(s);
  	}
  }
  /*
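Review bot: The `free(s)` right after `parsettymodes(UNIX, s)` and `parsettymodes(PLAN9, s)` is safe only if `parsettymodes` keeps no pointers into its argument, and that function is not shown in this patch. If it stores pointers into the string instead of copying what it needs, these two frees leave it holding dangling pointers, and the copy must stay alive or be duplicated inside `parsettymodes`. A short comment at each call, such as `/* parsettymodes copies what it needs; s can be freed */`, would record the assumption once it has been confirmed. The enclosing function begins in an earlier hunk.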

