A buffer overflow type bug has been found in Window Maker
which makes it possible for html pages containing malicious
code to corrupt memory allocated by wmaker.
To reproduce the problem, open a window with a very long
title and also the window list menu (middle click on the root
window). Window Maker will have its heap corrupted and
will sometimes crash. Since browsers will set the <title>
of a page as its window title, Window Maker may be crashed
by html pages containing long titles.
Here's an excerpt from the patch that fixes the problem
and can illustrate it:
--- switchmenu.c Thu Apr 19 22:22:42 2001
+++ ../../wm/src/switchmenu.c Mon Jul 23 14:55:39 2001
@@ -181,6 +181,7 @@
WMenu *switchmenu = scr->switch_menu;
WMenuEntry *entry;
char title[MAX_MENU_TEXT_LENGTH+6];
+ int len = MAX_MENU_TEXT_LENGTH+6;
int i;
int checkVisibility = 0;
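Review bot: the new `int len = MAX_MENU_TEXT_LENGTH+6;` repeats the size expression from the `title` declaration on the line above it, so a later change to one of the two leaves the other stale and reintroduces the overflow. Prefer deriving the bound from the array itself, e.g. `snprintf(title, sizeof(title), ...)`, or at least `const int len = sizeof(title);`, so the buffer size and the copy limit cannot drift apart.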
@@ -203,9 +204,9 @@
return;
if (wwin->frame->title)
- sprintf(title, "%s", wwin->frame->title);
+ snprintf(title, len, "%s", wwin->frame->title);
else
- sprintf(title, "%s", DEF_WINDOW_TITLE);
+ snprintf(title, len, "%s", DEF_WINDOW_TITLE);
t = ShrinkString(scr->menu_entry_font, title,
MAX_WINDOWLIST_WIDTH);
if (IS_OMNIPRESENT(wwin))
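Review bot: the two `snprintf(title, len, "%s", ...)` calls truncate silently; that is acceptable here because the result goes straight into `ShrinkString(..., MAX_WINDOWLIST_WIDTH)`, which fits the text to the menu width anyway, but a one-line comment saying the truncation is intentional would keep a future reader from "fixing" it back to an unbounded copy. It is also worth checking the rest of the tree for the same `sprintf(title, "%s", wwin->frame->title)` pattern, since any other place the frame title is copied into a fixed buffer has the same exposure to a long <title>.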
I have included a patch that fixes it. The soon to be released
Window Maker 0.65.1 should also have this bug fixed.
It can be downloaded from www.windowmaker.org
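The bounded-copy pattern the patch introduces, as an added example that is not Window Maker's own code: the title is copied with snprintf bounded by sizeof the destination (so the limit cannot drift from the declaration), a NULL title falls back to the default, and the snprintf return value is used to report whether truncation happened. MAX_MENU_TEXT_LENGTH and DEF_WINDOW_TITLE are assumed values chosen for the demo, not the project's.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Assumed values for the demo; Window Maker's real definitions differ. */
#define MAX_MENU_TEXT_LENGTH 20
#define DEF_WINDOW_TITLE "(untitled)"

/* Build the window-list entry text the way the fixed code does:
 * a NULL title falls back to DEF_WINDOW_TITLE and the copy is bounded
 * by the destination size. Returns true if the title was truncated. */
bool build_menu_title(char *out, size_t out_len, const char *wtitle)
{
    const char *src = wtitle ? wtitle : DEF_WINDOW_TITLE;
    /* snprintf NUL-terminates whenever out_len > 0 and returns the length
     * it would have written, so n >= out_len means the input was cut. */
    int n = snprintf(out, out_len, "%s", src);
    return n < 0 || (size_t)n >= out_len;
}

/* Constructed input: a title far longer than the fixed buffer, i.e. the
 * case a long HTML <title> produces. Returns 1 when truncation occurred. */
int demo(void)
{
    char title[MAX_MENU_TEXT_LENGTH + 6];   /* same shape as the patched buffer */
    char longtitle[200];
    memset(longtitle, 'A', sizeof(longtitle) - 1);
    longtitle[sizeof(longtitle) - 1] = '\0';

    bool trunc = build_menu_title(title, sizeof(title), longtitle);
    printf("truncated=%d len=%zu text=%s\n", trunc, strlen(title), title);
    return trunc ? 1 : 0;
}

int main(void)
{
    return demo() == 1 ? 0 : 1;
}
```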
Please keep me in the CC: list since I'm not subscribed to the list.
Thank you
-- Alfredo
This archive was generated by hypermail 2b30 : Tue Aug 14 2001 - 23:42:47 CEST