XFree86 3.9Ag - xterm patch #71 - T.Dickey This patch is a slightly modified version of one by Richard Braakman, which prevents buffer overflow in the input-method and preedit-type parsing in xterm. I changed a couple of details to make the code more maintainable, and looked for similar things - copying into a fixed-size buffer (found none, though I did spot an unused variable). # ------------------------------------------------------------------------------ # charproc.c | 22 ++++++++++------------ # main.c | 2 +- # version.h | 2 +- # xterm.log.html | 9 +++++++++ # 4 files changed, 21 insertions, 14 deletions # ------------------------------------------------------------------------------ Index: charproc.c --- xterm-70+/charproc.c Sun Apr 5 23:48:23 1998 +++ xterm-71/charproc.c Sun Apr 12 19:46:23 1998 @@ -4012,7 +4012,6 @@ *s, *ns, *end, - tmp[1024], buf[32]; XIM xim = (XIM) NULL; XIMStyles *xim_styles; @@ -4027,17 +4026,18 @@ if ((p = XSetLocaleModifiers("@im=none")) != NULL && *p) xim = XOpenIM(XtDisplay(term), NULL, NULL, NULL); } else { - strcpy(tmp, term->misc.input_method); - for(ns=s=tmp; ns && *s;) { + for(ns=s=term->misc.input_method; ns && *s;) { while (*s && isspace(*s)) s++; if (!*s) break; if ((ns = end = strchr(s, ',')) == 0) end = s + strlen(s); while (isspace(*end)) end--; - *end = '\0'; strcpy(buf, "@im="); - strcat(buf, s); + if (end - (s + (sizeof(buf) - 5)) > 0) + end = s + (sizeof(buf) - 5); + strncat(buf, s, end - s); + if ((p = XSetLocaleModifiers(buf)) != NULL && *p && (xim = XOpenIM(XtDisplay(term), NULL, NULL, NULL)) != NULL) break; @@ -4062,8 +4062,7 @@ } found = False; - strcpy(tmp, term->misc.preedit_type); - for(s = tmp; s && !found;) { + for(s = term->misc.preedit_type; s && !found;) { while (*s && isspace(*s)) s++; if (!*s) break; if ((ns = end = strchr(s, ',')) != 0) 
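Review bot: The clamp `if (end - (s + (sizeof(buf) - 5)) > 0)` in the input_method loop builds the pointer `s + 27` before it knows that address lies inside the token, so for a short resource value it points well past the end of the string object; comparing lengths avoids that and lets the constant come from the prefix rather than a bare 5: `if ((size_t)(end - s) > sizeof(buf) - sizeof("@im=")) end = s + (sizeof(buf) - sizeof("@im="));`. The arithmetic itself is sound: four prefix bytes plus at most 27 appended bytes plus the terminator strncat writes fill the 32-byte buf exactly. A name that gets clamped silently becomes a different modifier string that XSetLocaleModifiers will presumably reject, which is fine but deserves a comment such as `/* clamp to what fits in buf; an over-long name simply fails to open */`. Separately, as the hunk reads here the retained `while (isspace(*end)) end--;` never moves `end`, since on entry it points at the ',' or the terminator rather than a space, so trailing blanks before a comma still end up in buf; that is pre-existing. The for loop's advance of s past ns continues outside this hunk.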
@@ -4071,13 +4070,12 @@ else end = s + strlen(s); while (isspace(*end)) end--; - *end = '\0'; - if (!strcmp(s, "OverTheSpot")) { + if (!strncmp(s, "OverTheSpot", end - s)) { input_style = (XIMPreeditPosition | XIMStatusArea); - } else if (!strcmp(s, "OffTheSpot")) { + } else if (!strncmp(s, "OffTheSpot", end - s)) { input_style = (XIMPreeditArea | XIMStatusArea); - } else if (!strcmp(s, "Root")) { + } else if (!strncmp(s, "Root", end - s)) { input_style = (XIMPreeditNothing | XIMStatusNothing); } for (i = 0; (unsigned short)i < xim_styles->count_styles; i++) @@ -4628,7 +4626,7 @@ XtOverrideTranslations(w, original); return; } - (void) sprintf( mapName, "%sKeymap", params[0] ); + (void) sprintf( mapName, "%.*sKeymap", (int)sizeof(mapName) - 10, params[0] ); (void) strcpy( mapClass, mapName ); if (islower(mapClass[0])) mapClass[0] = toupper(mapClass[0]); XtGetSubresources( w, (XtPointer)&keymap, mapName, mapClass, Index: main.c --- xterm-70+/main.c Sun Apr 5 23:48:23 1998 +++ xterm-71/main.c Sun Apr 12 19:51:38 1998 @@ -3546,7 +3546,7 @@ int i, n, ncap; errstat err; struct caplist *cl; - char buf[64], numbuf[12]; + char buf[64]; struct caplist *capvnew; int ttythread(); int xwatchdogthread(); Index: version.h --- xterm-70+/version.h Sun Apr 5 23:48:23 1998 +++ xterm-71/version.h Sun Apr 12 20:42:38 1998 @@ -6,4 +6,4 @@ * version of xterm has been built. The number in parentheses is my patch * number (T.Dickey). */ -#define XTERM_VERSION "XFree86 3.9Af(70)" +#define XTERM_VERSION "XFree86 3.9Ag(71)" Index: xterm.log.html --- xterm-70+/xterm.log.html Sun Apr 5 23:48:23 1998 +++ xterm-71/xterm.log.html Sun Apr 12 20:50:49 1998 @@ -41,6 +41,7 @@ xc/programs/Xserver/hw/xfree86). + +
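Review bot: `strncmp(s, "OverTheSpot", end - s)` accepts any leading prefix of the keyword, because the length passed is the token's own length: a preeditType of `O` or `Over` now selects OverTheSpot and `R` selects Root, whereas the strcmp it replaces required an exact match. The comparison must also require the lengths to agree; a small helper keeps the three branches readable and applies the same rule to OffTheSpot and Root. The surrounding for loop begins in the previous hunk and continues past this one.
```c
/* True when the token [s, end) is exactly the keyword name. */
static int
token_is(const char *s, const char *end, const char *name)
{
    size_t len = strlen(name);
    return (size_t)(end - s) == len && strncmp(s, name, len) == 0;
}

/* … unchanged: whitespace skip, strchr/strlen locating end … */
	    if (token_is(s, end, "OverTheSpot")) {
		input_style = (XIMPreeditPosition | XIMStatusArea);
	    } else if (token_is(s, end, "OffTheSpot")) {
		input_style = (XIMPreeditArea | XIMStatusArea);
	    } else if (token_is(s, end, "Root")) {
		input_style = (XIMPreeditNothing | XIMStatusNothing);
	    }
```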
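Review bot: The precision `(int)sizeof(mapName) - 10` in the keymap sprintf is a magic slack: "Keymap" plus its terminator need 7 bytes, so `(int)(sizeof(mapName) - sizeof("Keymap"))` states the bound exactly and stays correct if the suffix ever changes. The bound only holds if mapName is a local array rather than a pointer, which its declaration outside this hunk presumably shows, and the unchanged `strcpy(mapClass, mapName)` on the next line is only safe if mapClass is at least as large, which is worth pinning with a comment on the declarations, e.g. `/* mapClass must be >= sizeof(mapName): it is copied from it below */`. A truncated name silently looks up a different keymap resource; if that is the intended failure mode, a one-line comment saying so would spare the next reader the check.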

Patch #71 - 1998/4/12 - XFree86 3.9Ag and 3.3.2

+ +This patch is a slightly modified version of one by Richard Braakman, which +prevents buffer overflow in the input-method and preedit-type parsing in xterm. +I changed a couple of details to make the code more maintainable, and looked +for similar things - copying into a fixed-size buffer (found none, though I did +spot an unused variable).

Patch #70 - 1998/3/29 - XFree86 3.9Af and 3.3.2