Summary
The Calendar Manager (dtcm) aborts with `*** buffer overflow detected ***: terminated` when the user opens the File > Options dialog. The crash originates in `p_create_v4_group_access_pane()` (`cde/programs/dtcm/dtcm/props_pu.c`), where `sprintf` writes past the end of a heap buffer that is undersized for the formatted output. glibc's `_FORTIFY_SOURCE` runtime check catches the overflow and raises SIGABRT.
Two additional sprintf sites in dtcm share the same root cause and are exploitable by long user input rather than just the default catalog strings.
Steps to reproduce
Expected result
The "Calendar Options" / Group Access properties pane should appear.
Actual result
Process aborts with:
```
*** buffer overflow detected ***: terminated
Program received signal SIGABRT, Aborted.
```
Relevant backtrace (full log at /tmp/dtcm.log on power9):
```
#13 __sprintf_chk (s=0x10022ebd0 "User Name", ' ' <repeats 14 times>, "Permiss",
flag=2, slen=..., format=0x100095d48 "%-*s%s")
#14 __sprintfieee128 (...) at /usr/include/bits/stdio2.h:30
#15 p_create_v4_group_access_pane (p=0x1000e82f0) at props_pu.c:1316
#16 p_make_props_pu (c=...) at props_pu.c:2547
#17 show_props_pu (c=0x1000e6f30) at props_pu.c:3303
#18 edit_cb (...) at calendarA.c:1114
```
Root cause
**Site 1 — props_pu.c:1315 (the crash)**
```
char *user = XtNewString(CATGETS(c->DT_catd, 1, 983, "User Name"));
char *perm = XtNewString(CATGETS(c->DT_catd, 1, 413, "Permissions"));
buf = (char *)ckalloc(cm_strlen(user) + cm_strlen(perm) + 10); /* 30 */
sprintf(buf, "%-*s%s", NAME_LEN, user, perm); /* needs 35 */
```
`NAME_LEN` is `23`. `%-*s` is a minimum field width — it pads but never truncates. With the default catalog strings:
- user = "User Name" (9 chars), padded to 23 chars
- perm = "Permissions" (11 chars)
- Output size = 23 + 11 = 34 + NUL = 35 bytes
- Allocated = 9 + 11 + 10 = 30 bytes

Five-byte heap overflow on every invocation.

**Site 2 — props_pu.c:1050**
```
buf = (char *)ckalloc(NAME_LEN + PERMISSION_LEN + 1); /* 30 */
sprintf(buf, "%-*s%s", NAME_LEN, who, p_str);
```
`who` is `XmTextGetString(p->gap_user_text)` — text the user types into the "User Name:" entry box on the same Options dialog. Type a username longer than 23 characters and click Add Name to overflow.

**Site 3 — group_editor.c:1734**
```
buf = (char *)ckalloc(ACCESS_NAME_LEN + cm_strlen(CATGETS(c->DT_catd,
1, 348, "Insert Permission")) + 5);
sprintf(buf, "%-*s %c", ACCESS_NAME_LEN, name, access);
```
The allocation formula references "Insert Permission" — a string that is never written into the buffer. The actual output is `max(ACCESS_NAME_LEN, strlen(name)) + 1 + 1` bytes. With `ACCESS_NAME_LEN=25` and the English catalog, allocated size is ~47, so a calendar name longer than ~44 characters (e.g. a long user@fqdn identifier) overflows.
Reproduction for sites 2 and 3
Site 2 — only reproducible if the user types a long name:
Site 3 — reproducible with long calendar names:
Patch applied, thanks!
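The site 1 size arithmetic from the report, checked in code, together with a measure-then-allocate formatter that removes the hand-written size formula. This is an added example, not the patch that was applied and not dtcm code: `site1_allocated`, `site1_needed` and `format_alloc` are hypothetical names, `malloc` stands in for `ckalloc`, and the long user name is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 23 /* value given in the report */

/* Size the site 1 code allocates: strlen(user) + strlen(perm) + 10. */
size_t site1_allocated(const char *user, const char *perm)
{
    return strlen(user) + strlen(perm) + 10;
}

/* Bytes "%-*s%s" actually writes, NUL included. The width is a minimum, so
 * the first field takes max(width, strlen(a)) characters. */
size_t site1_needed(int width, const char *a, const char *b)
{
    int n = snprintf(NULL, 0, "%-*s%s", width, a, b);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Hypothetical helper: measure with vsnprintf, allocate exactly that much,
 * then format. malloc stands in for dtcm's ckalloc. Caller frees. */
char *format_alloc(const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    char *buf = (n < 0) ? NULL : malloc((size_t)n + 1);
    if (buf != NULL)
        vsnprintf(buf, (size_t)n + 1, fmt, ap2);
    va_end(ap2);
    return buf;
}

int main(void)
{
    const char *user = "User Name", *perm = "Permissions";
    printf("allocated %zu, needed %zu\n",
           site1_allocated(user, perm), site1_needed(NAME_LEN, user, perm));
    /* Constructed 30-character name, longer than NAME_LEN. */
    char *row = format_alloc("%-*s%s", NAME_LEN,
                             "averylongusername@example.test", "rw");
    if (row != NULL)
        printf("[%s] (%zu chars)\n", row, strlen(row));
    free(row);
    return 0;
}
```

Because the size comes from the same format string and arguments that produce the output, a name longer than the field width grows the buffer instead of overrunning it.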