Bug 16790 - xterm crashes with long PATH environment path with no ":" character
Summary: xterm crashes with long PATH environment path with no ":" character
Status: RESOLVED FIXED
Alias: None
Product: xorg
Classification: Unclassified
Component: App/other
Version: 7.2 (2007.02)
Hardware: x86 (IA32) Linux (All)
Importance: medium minor
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
Reported: 2008-07-21 06:14 UTC by Victor Stinner
Modified: 2008-09-08 19:21 UTC (History)
Attachments
Shell script to reproduce the crash (1.05 KB, application/x-shellscript)
2008-07-21 06:14 UTC, Victor Stinner
Description Victor Stinner 2008-07-21 06:14:10 UTC
Created attachment 17789
Shell script to reproduce the crash

xterm has an off-by-one error for the PATH environment variable if it doesn't 
contain the character ":" (e.g. long "aaaaaa...a" string). The bug is near 
xterm/misc.c:2811 in the function xtermFindShell(): it doesn't allocate 
enough bytes to store the nul byte.

The bug is already reported to Thomas Dickey.
Comment 1 Victor Stinner 2008-07-21 06:24:40 UTC
I think that the problem is near:
   tmp = TypeMallocN(char, strlen(leaf) + strlen(s) + 1)

Maximum length is strlen(leaf) + 1 + strlen(s) + 1, the missing +1 is for the "/" separator! The second strcpy() ("strcpy(d + 1, leaf);") may write outside the tmp buffer.
Comment 2 Victor Stinner 2008-07-21 07:42:46 UTC
My xterm version is 229 running on Ubuntu Gutsy.
Comment 3 Julien Cristau 2008-09-08 19:21:32 UTC
On Mon, Jul 21, 2008 at 06:14:11 -0700, bugzilla-daemon@freedesktop.org wrote:

> xterm has an off-by-one error for the PATH environment variable if it doesn't 
> contain the character ":" (e.g. long "aaaaaa...a" string). The bug is near 
> xterm/misc.c:2811 in the function xtermFindShell(): it doesn't allocate 
> enough bytes to store the nul byte.
> 
> The bug is already reported to Thomas Dickey.
> 
Thomas fixed this in xterm 236.  From the changelog:

     * correct allocation of temporary buffer in xtermFindShell in case
       the user's $PATH contains no ":" (report/analysis by Victor
       Stinner, Freedesktop.Org Bugzilla #16790).
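
The following is an added example, not xterm's code and not part of the original thread. It works through the size arithmetic from Comment 1 to show why only a PATH without ":" exceeds the reserved size, and sizes the buffer for the worst case. The function names are hypothetical, and `path` is assumed to be the `$PATH` value that the report calls `s`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size given by the expression quoted in Comment 1 (path plays the role of s). */
static size_t reported_alloc(const char *path, const char *leaf)
{
    return strlen(leaf) + strlen(path) + 1;
}

/* Largest "<element>/<leaf>" plus NUL that a ':'-separated path can produce. */
static size_t max_candidate_bytes(const char *path, const char *leaf)
{
    size_t worst = 0;
    const char *p = path;
    for (;;) {
        size_t len = strcspn(p, ":");             /* length of this element */
        size_t need = len + 1 + strlen(leaf) + 1; /* element, '/', leaf, NUL */
        if (need > worst) worst = need;
        if (p[len] == '\0')
            break;
        p += len + 1;                             /* step over the ':' */
    }
    return worst;
}

/* Build candidate number n in a buffer sized for the no-':' worst case. */
static char *build_candidate(const char *path, const char *leaf, size_t n)
{
    const char *p = path;
    size_t size = strlen(path) + 1 + strlen(leaf) + 1;
    char *tmp;
    while (n-- > 0) {
        p += strcspn(p, ":");
        if (*p++ == '\0')
            return NULL;                          /* fewer elements than asked for */
    }
    if ((tmp = malloc(size)) != NULL)
        snprintf(tmp, size, "%.*s/%s", (int) strcspn(p, ":"), p, leaf);
    return tmp;
}

int main(void)
{
    const char *paths[] = { "/usr/local/bin:/usr/bin", "aaaaaaaaaaaaaaaa" }; /* constructed */
    for (size_t i = 0; i < 2; i++)
        printf("reserved=%zu needed=%zu\n", reported_alloc(paths[i], "sh"), max_candidate_bytes(paths[i], "sh"));
    return 0;
}
```

With at least one ":" in the value, every element is at least one byte shorter than the whole string, so the "/" fits in the byte the ":" would have taken; with no ":" the single element is the whole string and the candidate needs one byte more than was reserved.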

