Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uunet!snorkelwacker.mit.edu!bloom-beacon!dont-send-mail-to-path-lines
From: tml@tik.vtt.fi (Tor Lillqvist)
Newsgroups: comp.windows.x
Subject: Bug: Too small buffer in lib/X/XStrKeysym.c
Message-ID: <9102201232.AA11751@tik.vtt.fi>
Date: 20 Feb 91 12:32:22 GMT
Sender: daemon@athena.mit.edu (Mr Background)
Organization: The Internet
Lines: 52


			  X Window System Bug Report
			    xbugs@expo.lcs.mit.edu
			    [ also sent to xpert ]

VERSION:
    R4

CLIENT MACHINE and OPERATING SYSTEM:
    HP9000 running HP-UX 7.0

DISPLAY TYPE:
    Irrelevant

WINDOW MANAGER:
    Irrelevant

AREA:
    mit/lib/X/XStrKeysym.c

SYNOPSIS:
    Sprintf overflows buffer.

DESCRIPTION:
    This has probably been reported earlier, but anyway...

    In XKeysymToString sprintf is used to store a keysym value in hex
    into char buf[8].  If the keysym in question is vendor-specific
    (with bit 29 set, and thus making eight hex digits), the buffer
    overflows.

SAMPLE FIX:

*** XStrKeysym.c.ORIG	Tue Dec 12 02:10:36 1989
--- XStrKeysym.c	Wed Feb 20 14:12:24 1991
***************
*** 91,97 ****
  	_XInitKeysymDB();
      if (keysymdb)
      {
! 	char buf[8];
  	XrmValue resval;
  
  	sprintf(buf, "%lX", ks);
--- 91,97 ----
  	_XInitKeysymDB();
      if (keysymdb)
      {
! 	char buf[10];
  	XrmValue resval;
  
  	sprintf(buf, "%lX", ks);