Your message dated Sun, 1 Oct 2006 15:36:21 +0200
with message-id <[EMAIL PROTECTED]>
has caused the Debian Bug report #308527,
regarding xfig: buffer over-read in w_util.c convert_gridstr?
to be marked as having been forwarded to the upstream software
author(s) "Brian V. Smith" <[EMAIL PROTECTED]>.
(NB: If you are a system administrator and have no idea what I am
talking about, this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Hi Brian!
I received the following bug report. The attached patch should fix
this.
Ciao
Roland
----- Forwarded message from Eric Sharkey <[EMAIL PROTECTED]> -----
From: Eric Sharkey <[EMAIL PROTECTED]>
Subject: Bug#308527: xfig: buffer over-read in w_util.c convert_gridstr?
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Date: Tue, 10 May 2005 14:42:15 -0400
Package: xfig
Version: 1:3.2.5-alpha5-3
Severity: normal
I was looking at the xfig source and noticed this:

w_util.c:

    static void
    convert_gridstr(Widget widget, float mult)
    {
        double value, numer, denom, diff;
        char *sval, fraction[20];
        double fracts[] = { 2, 4, 8, 16, 32 };
        double tol[] = { 0.05, 0.1, 0.2, 0.3, 0.6};
    #define NUM_FRACTS sizeof(fracts)/sizeof(int)

NUM_FRACTS should be sizeof(fracts)/sizeof(double), otherwise the
loops for (i=0; i<NUM_FRACTS; i++) overrun the end of the buffer.
Eric
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.9
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages xfig depends on:
ii libc6 2.3.2.ds1-21 GNU C Library: Shared libraries an
ii libice6 4.3.0.dfsg.1-10 Inter-Client Exchange library
ii libjpeg62 6b-9 The Independent JPEG Group's JPEG
ii libpng12-0 1.2.8rel-1 PNG library - runtime
ii libsm6 4.3.0.dfsg.1-10 X Window System Session Management
ii libx11-6 4.3.0.dfsg.1-10 X Window System protocol client li
ii libxext6 4.3.0.dfsg.1-10 X Window System miscellaneous exte
ii libxi6 4.3.0.dfsg.1-10 X Window System Input extension li
ii libxmu6 4.3.0.dfsg.1-10 X Window System miscellaneous util
ii libxpm4 4.3.0.dfsg.1-10 X pixmap library
ii libxt6 4.3.0.dfsg.1-10 X Toolkit Intrinsics
ii xaw3dg 1.5+E-8 Xaw3d widget set
ii xlibs 4.3.0.dfsg.1-10 X Keyboard Extension (XKB) configu
ii zlib1g 1:1.2.2-4 compression library - runtime
-- no debconf information
----- End forwarded message -----
Tschoeeee
Roland
--
* [EMAIL PROTECTED] * http://www.spinnaker.de/ *
#! /bin/sh /usr/share/dpatch/dpatch-run
## 17_numfracts.dpatch by Eric Sharkey <[EMAIL PROTECTED]>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fix NUM_FRACTS otherwise the for loop will overrun.
@DPATCH@
diff -urNad xfig~/w_util.c xfig/w_util.c
--- xfig~/w_util.c
+++ xfig/w_util.c
@@ -2004,7 +2004,7 @@
char *sval, fraction[20];
double fracts[] = { 2, 4, 8, 16, 32 };
double tol[] = { 0.05, 0.1, 0.2, 0.3, 0.6};
-#define NUM_FRACTS sizeof(fracts)/sizeof(int)
+#define NUM_FRACTS sizeof(fracts)/sizeof(double)
int i;
FirstArg(XtNstring, &sval);
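Review bot: The replacement `#define NUM_FRACTS` line still hard-codes the element type and leaves the expansion unparenthesized. If `fracts` is ever changed to another type (for example `float`), the divisor is wrong again, and an expression such as `x % NUM_FRACTS` would not group as intended. Suggest `#define NUM_FRACTS (sizeof(fracts)/sizeof(fracts[0]))`. The macro also yields a `size_t` while the context line declares `int i;`, so a comparison `i<NUM_FRACTS` mixes signed and unsigned; declaring the index as `size_t` or casting the macro result to `int` would avoid that. Nothing visible in this hunk ties the length of `tol[]` to that of `fracts[]`, although both are declared with five entries; a compile-time check on the two lengths would be worth adding.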
--- End Message ---
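
The miscount described in the report, next to a type-independent loop bound, as an added C example that is not part of the original messages or of xfig. `NUM_FRACTS_BUGGY`, `ARRAY_LEN`, the helper functions and the lookup logic in `match_fraction` are assumptions made for illustration; only the two tables come from the report.

```c
#include <stddef.h>
#include <stdio.h>

/* Same tables as in the report, moved to file scope for this example. */
static const double fracts[] = { 2, 4, 8, 16, 32 };
static const double tol[]    = { 0.05, 0.1, 0.2, 0.3, 0.6 };

/* The reported macro: divides by the size of the wrong type. */
#define NUM_FRACTS_BUGGY (sizeof(fracts) / sizeof(int))
/* Type-independent count; ARRAY_LEN is a name chosen for this example. */
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Assumption: both tables are indexed by the same loop, so tie their lengths. */
_Static_assert(ARRAY_LEN(fracts) == ARRAY_LEN(tol), "fracts/tol length mismatch");

size_t buggy_count(void) { return NUM_FRACTS_BUGGY; }
size_t fixed_count(void) { return ARRAY_LEN(fracts); }

/* Elements past the end that a loop bounded by the buggy count would read. */
size_t overread_elements(void)
{
    size_t b = buggy_count(), f = fixed_count();
    return b > f ? b - f : 0;
}

/* Hypothetical lookup (not xfig's logic): index of the first denominator d for
 * which a non-negative value*d lies within tol[] of a whole number, else -1. */
int match_fraction(double value)
{
    for (size_t i = 0; i < ARRAY_LEN(fracts); i++) {
        double scaled = value * fracts[i];
        double diff = scaled - (double)(long)(scaled + 0.5);
        if (diff < 0)
            diff = -diff;
        if (diff <= tol[i])
            return (int)i;
    }
    return -1;
}

int main(void)
{
    printf("buggy bound %zu, correct bound %zu, over-read %zu elements\n",
           buggy_count(), fixed_count(), overread_elements());
    printf("0.25 matches denominator index %d\n", match_fraction(0.25));
    return 0;
}
```

On a platform where `double` is 8 bytes and `int` is 4, the buggy bound is 10, so a loop using it reads five elements past the end of each table.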