- taken from SuSE, only changed paths

  this fixes buffer overflow in XLOCALEDIR in X 4.2.x (BTS#697, BugTraqID#7002)

Changed files:
    XFree86-xlclocale-overflow.patch -> 1.1.2.1

diff --git a/XFree86-xlclocale-overflow.patch b/XFree86-xlclocale-overflow.patch
new file mode 100644 (file)
index 0000000..167e9b2
--- /dev/null
+++ b/XFree86-xlclocale-overflow.patch
@@ -0,0 +1,99 @@
+Index: XlcDL.c
+===================================================================
+RCS file: /home/x-cvs/xc/lib/X11/XlcDL.c,v
+retrieving revision 1.9
+diff -u -r1.9 XlcDL.c
+--- XlcDL.c    2002/11/25 14:04:53     1.9
++++ xc/lib/X11/XlcDL.c 2003/03/09 18:19:23
+@@ -406,7 +406,7 @@
+
+     if (lc_name == NULL) return (XLCd)NULL;
+
+-    if (_XlcLocaleDirName(lc_dir, (char *)lc_name) == (char*)NULL)
++    if (_XlcLocaleDirName(lc_dir, BUFSIZE, (char *)lc_name) == (char*)NULL)
+       return (XLCd)NULL;
+
+     resolve_object(lc_dir, lc_name);
+@@ -452,7 +452,7 @@
+
+   lc_name = lcd->core->name;
+
+-  if (_XlcLocaleDirName(lc_dir, lc_name) == NULL) return (XIM)0;
++  if (_XlcLocaleDirName(lc_dir, BUFSIZE, lc_name) == NULL) return (XIM)0;
+
+   count = lc_count;
+   for (; count-- > 0; objects_list++) {
+@@ -498,7 +498,7 @@
+
+   lc_name = lcd->core->name;
+
+-  if (_XlcLocaleDirName(lc_dir, lc_name) == NULL) return False;
++  if (_XlcLocaleDirName(lc_dir, BUFSIZE, lc_name) == NULL) return False;
+
+   count = lc_count;
+   for (; count-- > 0; objects_list++) {
+@@ -543,7 +543,7 @@
+ #endif
+
+   lc_name = lcd->core->name;
+-  if (_XlcLocaleDirName(lc_dir, lc_name) == NULL) return False;
++  if (_XlcLocaleDirName(lc_dir, BUFSIZE, lc_name) == NULL) return False;
+
+   count = lc_count;
+   for (; count-- > 0; objects_list++) {
+@@ -610,7 +610,7 @@
+
+   lc_name = lcd->core->name;
+
+-  if (_XlcLocaleDirName(lc_dir, lc_name) == NULL) return (XOM)0;
++  if (_XlcLocaleDirName(lc_dir, BUFSIZE, lc_name) == NULL) return (XOM)0;
+
+   count = lc_count;
+   for (; count-- > 0; objects_list++) {
+Index: XlcPubI.h
+===================================================================
+RCS file: /home/x-cvs/xc/lib/X11/XlcPubI.h,v
+retrieving revision 3.9
+diff -u -r3.9 XlcPubI.h
+--- XlcPubI.h  2001/11/16 00:52:27     3.9
++++ xc/lib/X11/XlcPubI.h       2003/03/09 18:19:23
+@@ -217,6 +217,7 @@
+ extern char *_XlcLocaleDirName(
+ #if NeedFunctionPrototypes
+      char*             /* dir_name */,
++     size_t,         /* dir_len */
+      char*             /* lc_name */
+ #endif
+ );
+--- xc/lib/X11/lcFile.c.orig   2003-03-26 17:52:08.000000000 +0100
++++ xc/lib/X11/lcFile.c        2003-03-26 23:30:55.000000000 +0100
+@@ -429,8 +429,9 @@
+ }
+ 
+ char *
+-_XlcLocaleDirName(dir_name, lc_name)
++_XlcLocaleDirName(dir_name, dir_len, lc_name)
+      char *dir_name;
++     size_t dir_len;
+      char *lc_name;
+ {
+   char dir[PATH_MAX], buf[PATH_MAX], *name = NULL;
+@@ -478,8 +479,15 @@
+     target_dir = args[0];
+     target_name = lc_name;
+   }
+-  strcpy(dir_name, target_dir);
+-  strcat(dir_name, "/");
+-  strcat(dir_name, target_name);
++  /* snprintf(dir_name, dir_len, "%s/%", target_dir, target_name); */
++  strncpy(dir_name, target_dir, dir_len - 1);
++  if (strlen(target_dir) >= dir_len - 1) {
++     dir_name[dir_len - 1] = '\0';
++  } else  {
++     strcat(dir_name, "/");
++     strncat(dir_name, target_name, dir_len - strlen(dir_name) - 1);
++     if (strlen(target_name) >= dir_len - strlen(dir_name) - 1)
++         dir_name[dir_len - 1] = '\0';
++  }
+   return dir_name;
+ }