mikew@neptune.fx.COM (03/15/91)
VERSION:
R4
CLIENT MACHINE and OPERATING SYSTEM:
Sun SparcStation, SunOS 4.1
DISPLAY TYPE:
CG6
WINDOW MANAGER:
mwm
AREA:
Xt
SYNOPSIS:
XtResolvePathname doesn't handle large paths properly.
DESCRIPTION:
XtResolvePathname has the following code segment:
    char *new = (bytesAllocd += 1000, ALLOCATE_LOCAL(bytesAllocd));
    if (new == NULL) _XtAllocError("alloca");
    strncpy( massagedPath, new, bytesUsed );
This copies new on top of massagedPath. It seems that the opposite
was intended. Since new could have arbitrary characters in it
(malloc doesn't guarantee zeros), this could have some surprising
behaviour including core dumps.
REPEAT BY:
Eyeballed the code.
SAMPLE FIX:
< strncpy( massagedPath, new, bytesUsed );
--
> strncpy( new, massagedPath, bytesUsed );
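Review bot: On the `>` line, strncpy( new, massagedPath, bytesUsed ) writes no terminator when massagedPath has no NUL within its first bytesUsed bytes, so new is a valid string only if bytesUsed counts the terminating NUL or a later line adds one, and the lines shown here don't say which. Please confirm that, or, since the length is already known, copy with memcpy and terminate new explicitly. The bytes of new past bytesUsed stay uninitialized either way, so nothing after this call should read beyond what it has written.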
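The effect described in the report, shown side by side with the corrected argument order. This is an added example, not part of the original post or the Xt source: malloc stands in for ALLOCATE_LOCAL, the fresh block is filled with 'X' as a constructed substitute for arbitrary contents, and `grow`, `growth_result`, the sample path and the assumption that bytesUsed counts the terminating NUL are all hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the report's growth step: malloc replaces
 * ALLOCATE_LOCAL, and the fresh block is filled with 'X' so its "arbitrary
 * characters" are deterministic. swapped=1 uses the reported argument order. */
static char *grow(char *massagedPath, size_t bytesUsed,
                  size_t *bytesAllocd, int swapped)
{
    char *new_buf;                      /* named `new` in the report */
    *bytesAllocd += 1000;
    new_buf = malloc(*bytesAllocd);
    if (new_buf == NULL)
        return NULL;
    memset(new_buf, 'X', *bytesAllocd);
    if (swapped)
        strncpy(massagedPath, new_buf, bytesUsed);  /* junk over the path */
    else
        strncpy(new_buf, massagedPath, bytesUsed);  /* path into new block */
    return new_buf;
}

/* Bit 0: grown buffer holds the path. Bit 1: old buffer unmodified. -1: no memory. */
int growth_result(int swapped)
{
    char path[32] = "/usr/lib/X11/%L/%T/%N";  /* constructed sample path */
    char saved[32];
    size_t bytesUsed = strlen(path) + 1;      /* assumption: counts the NUL */
    size_t bytesAllocd = sizeof path;
    char *grown;
    int result = 0;
    memcpy(saved, path, sizeof path);
    grown = grow(path, bytesUsed, &bytesAllocd, swapped);
    if (grown == NULL)
        return -1;
    if (memcmp(grown, saved, bytesUsed) == 0)
        result |= 1;
    if (memcmp(path, saved, bytesUsed) == 0)
        result |= 2;
    free(grown);
    return result;
}

int main(void)
{
    printf("reported: %d  fixed: %d\n", growth_result(1), growth_result(0));
    return 0;
}
```

With the reported order the grown buffer never receives the path and the original is overwritten as well, so the path is lost in both places.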