Experimental Physics and Industrial Control System
Dear all,
I found (and presumably fixed) 2 buffer overflow problems in MEDM
(3.1.11) on 64-bit Ubuntu 16.04.
1) Stack smashing protection is enabled in Ubuntu 16.04. Therefore
MEDM crashes as follows when I manipulate pull-down menus in the
"Resource Palette" window:
====
$ medm
...
*** stack smashing detected ***: medm terminated
Aborted
====
A call to XtVaGetValues() in optionMenuSimpleCallback() (in
medm/resourcePalette.c) seems to be the cause of the problem. An "int"
variable is passed as the 3rd argument of XtVaGetValues() as
follows:
XtVaGetValues(XtParent(w),XmNuserData,&rcType,NULL);
but it should be 64 bits wide on a 64-bit system. Attached is a patch
(medm-resourcePallette-bof.patch) which will fix the problem.
2) There is another buffer overflow in Related Display. When I use 5
or more entries in a related display with a row (or column) of buttons,
an array overflows. The array in question is defined at line 471 of
medm/medmRelatedDisplay.c as follows:
====
Arg wargs[20];
====
There are only 4 remaining elements for push buttons because 16 out of
20 elements are already used. Its number of elements should be 32
instead of 20, so that all the 16 entries in "Related Display Data"
are available without any problems.
best regards,
Shuei YAMADA
--
----------------------------------------------------
Shuei Yamada,
High Energy Accelerator Research Organization (KEK)
mailto:[email protected]
----------------------------------------------------
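Added example (not MEDM code and not from the poster): both bug patterns from the report reproduced in plain C alongside the checks that catch them. The `XtPointer` and `Arg` typedefs, the `get_user_data()` stub and the constants `MAX_RELATED_DISPLAYS` / `RD_BASE_ARGS` are stand-ins assumed here to mimic the Xt calls involved; real MEDM links against Xt and Motif and its actual values may differ.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the Xt types (assumption: shaped like Xt's own, not taken from MEDM). */
typedef void *XtPointer;
typedef struct { const char *name; XtPointer value; } Arg;

/* Assumed constants: the report says 16 related-display entries and
   16 of the 20 Arg slots already consumed before the per-button ones. */
#define MAX_RELATED_DISPLAYS 16
#define RD_BASE_ARGS 16

/* Stand-in for XtVaGetValues(w, XmNuserData, &var, NULL): Xt stores a
   pointer-sized XtPointer through the address it is given and cannot know
   how wide the caller's variable really is. */
static void get_user_data(XtPointer user_data, void *out)
{
    memcpy(out, &user_data, sizeof user_data);
}

/* Bug 1, reproduced without corrupting a real stack frame: an int-sized slot
   followed by a guard word. Returns 1 if the guard got overwritten, i.e. the
   int-vs-pointer width mismatch spilled into the neighbour (LP64: yes). */
static int width_mismatch_clobbers_neighbour(void)
{
    unsigned char slot[sizeof(int) + sizeof(uint32_t)];
    const uint32_t guard = 0xDEADBEEFu;
    uint32_t after;

    if (sizeof(XtPointer) > sizeof slot)
        return -1;                       /* unexpected ABI: never write past slot */
    memset(slot, 0, sizeof slot);
    memcpy(slot + sizeof(int), &guard, sizeof guard);

    get_user_data((XtPointer)(intptr_t)1, slot);   /* the buggy "&rcType" call */

    memcpy(&after, slot + sizeof(int), sizeof after);
    return after != guard;
}

/* Fix 1: receive XmNuserData in a pointer-sized variable, then narrow it.
   `long` also works on LP64 Linux but not on LLP64 (64-bit Windows). */
static int read_rc_type(XtPointer user_data)
{
    XtPointer raw;
    get_user_data(user_data, &raw);
    return (int)(intptr_t)raw;
}

/* The check behind the posted one-line patch: true on LP64, false on LLP64. */
static int long_matches_xtpointer(void)
{
    return sizeof(long) == sizeof(XtPointer);
}

/* Fix 2: bounds-checked replacement for the "XtSetArg(wargs[n], ...); n++" idiom. */
static int set_arg(Arg *args, size_t *n, size_t cap, const char *name, XtPointer value)
{
    if (*n >= cap)
        return 0;                        /* refuse instead of overflowing */
    args[*n].name = name;
    args[*n].value = value;
    (*n)++;
    return 1;
}

/* Mimics executeDlRelatedDisplay's row/column-of-buttons case: RD_BASE_ARGS
   fixed resources, then one Arg per button. Returns how many buttons fit. */
static size_t build_button_args(Arg *args, size_t cap, size_t nbuttons)
{
    size_t n = 0, added = 0, i;

    for (i = 0; i < RD_BASE_ARGS; i++)
        if (!set_arg(args, &n, cap, "base-resource", NULL))
            return 0;
    for (i = 0; i < nbuttons; i++) {
        if (!set_arg(args, &n, cap, "button", (XtPointer)(intptr_t)i))
            break;                       /* MEDM's wargs[20] overflowed here */
        added++;
    }
    return added;
}

int main(void)
{
    Arg old_args[20];
    Arg new_args[MAX_RELATED_DISPLAYS + RD_BASE_ARGS];

    printf("int receiver clobbers neighbour: %d\n", width_mismatch_clobbers_neighbour());
    printf("rcType read back: %d\n", read_rc_type((XtPointer)(intptr_t)42));
    printf("sizeof(long)==sizeof(XtPointer): %d\n", long_matches_xtpointer());
    printf("wargs[20]: %zu of 5 buttons fit\n", build_button_args(old_args, 20, 5));
    printf("wargs[32]: %zu of 16 buttons fit\n", build_button_args(new_args, 32, 16));
    return 0;
}
```

With a 20-slot array only 4 of 5 buttons fit, which matches the "5 or more entries" trigger in the report; with 32 slots all 16 fit. The guard-word test shows why an `int` receiver trips the stack protector on LP64 without actually smashing a frame.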
*** medm-MEDM3_1_11.orig/medm/resourcePalette.c 2016-11-23 05:17:05.000000000 +0900
--- medm-MEDM3_1_11/medm/resourcePalette.c 2017-06-19 10:54:31.705472877 +0900
*************** static void optionMenuSimpleCallback(Wid
*** 189,195 ****
{
DisplayInfo *cdi = currentDisplayInfo;
int buttonId = (intptr_t)cd;
! int rcType;
DlElement *elementPtr;
UNREFERENCED(cbs);
--- 189,195 ----
{
DisplayInfo *cdi = currentDisplayInfo;
int buttonId = (intptr_t)cd;
! long rcType;
DlElement *elementPtr;
UNREFERENCED(cbs);
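Review bot: `long` closes the hole on LP64 Linux but still does not match `XtPointer` on LLP64 targets (64-bit Windows, where `long` stays 32 bits), so the same overflow comes back there. Since XtVaGetValues writes a pointer-sized XmNuserData through `&rcType`, declare the receiver as `XtPointer` (or `intptr_t`) and narrow it afterwards, the same way `int buttonId = (intptr_t)cd;` two lines above already does; any later switch or comparison on rcType then runs on the converted int.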
*** medm-MEDM3_1_11.orig/medm/medmRelatedDisplay.c 2016-11-23 05:17:05.000000000 +0900
--- medm-MEDM3_1_11/medm/medmRelatedDisplay.c 2017-06-19 11:16:57.907736044 +0900
*************** void executeDlRelatedDisplay(DisplayInfo
*** 468,474 ****
dlRelatedDisplay->visual == RD_COL_OF_BTN) {
/* Case 3 of 4 */
/* Rows or columns of buttons */
! Arg wargs[20];
int i = 0, maxChars = 0, usedWidth = 0, usedHeight = 0;
XmFontList fontList;
Pixel fg, bg;
--- 468,474 ----
dlRelatedDisplay->visual == RD_COL_OF_BTN) {
/* Case 3 of 4 */
/* Rows or columns of buttons */
! Arg wargs[MAX_RELATED_DISPLAYS+16];
int i = 0, maxChars = 0, usedWidth = 0, usedHeight = 0;
XmFontList fontList;
Pixel fg, bg;
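Review bot: `MAX_RELATED_DISPLAYS+16` still hard-codes the number of XtSetArg calls that precede the per-button entries (the report counts 16 of 20 slots already used), so the bound silently goes wrong again the moment someone adds a resource to that list, and neither the 16 nor MAX_RELATED_DISPLAYS is explained in the hunk. Either define the fixed count next to the array (e.g. `#define RD_BASE_ARGS 16` with a comment naming the XtSetArg block it counts) or, better, check `i < XtNumber(wargs)` before each XtSetArg so an overflow fails loudly instead of corrupting the stack.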