[Uim-bugs] [Bug 3684] New: Corrupted data structure in uim-xim

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Sat Jul 2 07:37:41 EEST 2005


Please do not reply to this email: if you want to comment on the bug, go to
the URL shown below and enter your comments there.

https://bugs.freedesktop.org/show_bug.cgi?id=3684

           Summary: Corrupted data structure in uim-xim
           Product: UIM
           Version: unspecified
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: bridge: XIM
        AssignedTo: uim-bugs at freedesktop.org
        ReportedBy: vandry at TZoNE.ORG


Please see xim/compose.cpp at the top of XimIM::ParseComposeStringFile.

The first thing this method does is initialize the compose key mapping
tree with one root node. However it fails to initialize the keysym,
modifier, and modifier_mask fields of the structure. These get random
values according to whatever was in the memory that got allocated.

Unfortunately because of bad luck, on my system, the garbage value in
"keysym" is not always but sometimes actually a valid keysym. If I am
unlucky enough to press that particular key, uim-xim will crash because
Compose::handleKey will call m_xic->commit_string on a NULL string.

Actually I am not sure why ParseComposeStringFile creates a root node
to the structure at all, since parse_compose_line should take care of
creating it on demand. If I am correct about this then the following
patch should suffice. If I am mistaken about the usefulness of
creating the root node then the correct fix is rather to initialize the
three extra fields to sane values.

diff -r -u uim-0.4.7.OLD/xim/compose.cpp uim-0.4.7/xim/compose.cpp
--- uim-0.4.7.OLD/xim/compose.cpp	2005-06-05 10:52:42.000000000 -0400
+++ uim-0.4.7/xim/compose.cpp	2005-07-02 00:34:26.285018921 -0400
@@ -654,15 +654,6 @@
     char* tbp;
     struct stat st;
 
-    if (mTreeTop == NULL) {
-	mTreeTop = (DefTree *)malloc(sizeof(DefTree));
-	mTreeTop->succession = NULL;
-	mTreeTop->next = NULL;
-	mTreeTop->mb = NULL;
-	mTreeTop->utf8 = NULL;
-	mTreeTop->ks = NoSymbol;
-    }
-
     if (fstat(fileno(fp), &st) != -1) {
 	unsigned long size = (unsigned long)st.st_size;
 	if (size <= sizeof tb)
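
Review bot: with the allocation block at the top of this hunk removed, mTreeTop stays NULL until parse_compose_line creates a node, so a compose file that is empty or has no valid lines leaves it NULL after parsing. Please confirm that every reader of mTreeTop (Compose::handleKey in particular) tolerates NULL, and that the node parse_compose_line creates on demand has keysym, modifier and modifier_mask set, since the removed block assigned only succession, next, mb, utf8 and ks. If the root node turns out to be needed, keep the block and add the three missing assignments (or allocate with calloc) instead of deleting it, and test the malloc result before the first dereference.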

-Phil          
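
The alternative fix named in the report (initializing the extra fields), sketched as an added example that is not part of the original message or of uim. The `DefTree` layout and field types, and the helpers `alloc_recycled`, `match_key` and `commit_text`, are assumptions; recycled heap memory is simulated by copying a constructed "previous occupant" into the new node.

```cpp
// Added illustration, not uim code. Field names come from the report;
// the struct layout, types and every helper here are assumptions.
#include <cstdlib>
#include <cstring>

struct DefTree {
    DefTree *next, *succession;
    unsigned modifier_mask, modifier;
    unsigned long keysym;
    char *mb, *utf8;
    unsigned long ks;
};

// Stand-in for malloc() returning recycled heap memory. Reading truly
// uninitialized memory is undefined, so stale bytes are copied in instead.
DefTree *alloc_recycled(const DefTree &previous) {
    DefTree *n = (DefTree *)malloc(sizeof(DefTree));
    if (n) memcpy(n, &previous, sizeof(DefTree));
    return n;
}

// Root node as the report describes it: five fields set, three left stale.
DefTree *make_root_partial(const DefTree &previous) {
    DefTree *n = alloc_recycled(previous);
    if (!n) return NULL;
    n->succession = NULL;
    n->next = NULL;
    n->mb = NULL;
    n->utf8 = NULL;
    n->ks = 0;  // NoSymbol
    return n;
}

// Alternative fix: zero the whole node so keysym is NoSymbol (0) and both
// modifier fields are 0, which no real key press matches.
DefTree *make_root_zeroed() {
    return (DefTree *)calloc(1, sizeof(DefTree));
}

// Hypothetical lookup over one sibling list, in the style of a compose tree.
const DefTree *match_key(const DefTree *top, unsigned long keysym, unsigned state) {
    for (const DefTree *p = top; p != NULL; p = p->next)
        if (p->keysym == keysym && (state & p->modifier_mask) == p->modifier)
            return p;
    return NULL;
}

// Defensive commit: NULL means "nothing to commit", and the caller skips it.
const char *commit_text(const DefTree *hit) {
    if (hit == NULL || hit->succession != NULL) return NULL;
    return hit->utf8;
}
```

A caller that commits only when `commit_text` returns non-NULL no longer passes a NULL string to the commit routine, even if a stale node matches a key.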
     
     