this call:
           _XmReadDragBuffer(&bmgr, False, (char *)&nents,
                              sizeof(CARD16));

from read_targets_table (line 1110) wants to read at most 2 bytes (one
CARD16).

apparently, under certain conditions _XmReadDragBuffer ignores this limit
and substitutes its own outrageous size, which in turn corrupts the
stack! ouch

else
    {
        rsize = bmgr->atom_size;
       eaten = bmgr->atom_start - bmgr->atoms;
        if (rsize <= eaten)
        {
            size = rsize - eaten;
<<----------------------------
        }
        bcopy(bmgr->atom_start, retbuf, size);            /* OUCH
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!*/
        bmgr->atom_start += size;
        return size;
    }

bmgr looks like this:
    (gdb) p bmgr[0]
$2 = {atoms = 0x1207484d0 "l",
  atom_ptr = 0x3ff0000000000000 <Address 0x3ff0000000000000 out of
bounds>,
  atom_start = 0x120748c18 "", atom_size = 58, atom_avail = 1072693248,
  names = 0x2000552e8d4 "$", name_ptr = 0x12031a7d0 "",
  name_start = 0x2000562d51c "%s:get_targets_table(%d) - NULL\n",
  name_size = 90362097, name_avail = 512}
(gdb) p rsize
$3 = 58
(gdb) p eaten
$4 = 1864
(gdb)

with rsize = 58 and eaten = 1864 the branch marked above is taken, and since
that branch only runs when rsize <= eaten, rsize - eaten can never be
positive; the negative result handed to bcopy as a length turns into a huge
count, far beyond the sizeof(CARD16) the caller asked for.




