Hi,

I use xsel (from ports) pretty often, and every so often it
crashes:

$ gdb `which xsel` xsel.core
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-unknown-openbsd5.5"...
Core was generated by `xsel'.
Program terminated with signal 11, Segmentation fault.
Loaded symbols ...
[...]
#0  0x000005adb1e28f40 in _XData32 () from /usr/X11R6/lib/libX11.so.16.0
(gdb) bt
#0  0x000005adb1e28f40 in _XData32 () from /usr/X11R6/lib/libX11.so.16.0
#1  0x000005adb1e05629 in XChangeProperty () from /usr/X11R6/lib/libX11.so.16.0
#2  0x000005aba4a03d75 in change_property (display=0x5adb3b07000,
    requestor=20978267, property=482, target=4, format=32, mode=0,
    data=0x5ada9647fc0 "3\001", nelements=9, selection=1, time=3242522763,
    mparent=0x0) at /usr/build/ports/pobj/xsel-1.2.0/xsel-1.2.0/xsel.c:1177
#3  0x000005aba4a042f9 in handle_targets (display=0x5adb3b07000,
    requestor=20978267, property=482, selection=1, time=3242522763,
    mparent=0x0) at /usr/build/ports/pobj/xsel-1.2.0/xsel-1.2.0/xsel.c:1307
#4  0x000005aba4a04b48 in handle_selection_request (event=
        {type = 30, xany = {type = 30, serial = 22, send_event = 0,
display = 0x5adb3b07000, window = 18874369}, xkey = {type = 30, serial
= 22, send_event = 0, display = 0x5adb3b07000, window = 18874369, root
= 20978267, subwindow = 1, time = 311, x = 482, y = 0, x_root =
-1052444533, y_root = 0, state = 0, keycode = 0, same_screen = 0},
xbutton = {type = 30, serial = 22, send_event = 0, display =
0x5adb3b07000, window = 18874369, root = 20978267, subwindow = 1, time
= 311, x = 482, y = 0, x_root = -1052444533, y_root = 0, state = 0,
button = 0, same_screen = 0}, xmotion = {type = 30, serial = 22,
send_event = 0, display = 0x5adb3b07000, window = 18874369, root =
20978267, subwindow = 1, time = 311, x = 482, y = 0, x_root =
-1052444533, y_root = 0, state = 0, is_hint = 0 '\0', same_screen =
0}, xcrossing = {type = 30, serial = 22, send_event = 0, display =
0x5adb3b07000, window = 18874369, root = 20978267, subwindow = 1, time
= 311, x = 482, y = 0, x_root = -1052444533, y_root = 0, mode = 0,
detail = 0, same_screen = 0, focus = 0, state = 0}, xfocus = {type =
30, serial = 22, send_event = 0, display = 0x5adb3b07000, window =
18874369, mode = 20978267, detail = 0}, xexpose = {type = 30, serial =
22, send_event = 0, display = 0x5adb3b07000, window = 18874369, x =
20978267, y = 0, width = 1, height = 0, count = 311}, xgraphicsexpose
= {type = 30, serial = 22, send_event = 0, display = 0x5adb3b07000,
drawable = 18874369, x = 20978267, y = 0, width = 1, height = 0, count
= 311, major_code = 0, minor_code = 482}, xnoexpose = {type = 30,
serial = 22, send_event = 0, display = 0x5adb3b07000, drawable =
18874369, major_code = 20978267, minor_code = 0}, xvisibility = {type
= 30, serial = 22, send_event = 0, display = 0x5adb3b07000, window =
18874369, state = 20978267}, xcreatewindow = {type = 30, serial = 22,
send_event = 0, display = 0x5adb3b07000, parent = 18874369, window =
20978267, x = 1, y = 0, width = 311, height = 0, border_width = 482,
override_redirect = 0}, xdestroywindow = {type = 30, serial = 22,
send_event = 0, display = 0x5adb3b07000, event = 18874369, window =
20978267}, xunmap = {type = 30, serial = 22, send_event = 0, display =
0x5adb3b07000, event = 18874369, window = 20978267, from_configure =
1}, xmap = {type = 30, serial = 22, send_event = 0, display =
0x5adb3b07000, event = 18874369, window = 20978267, override_redirect
= 1}, xmaprequest = {type = 30, serial = 22, send_event = 0, display =
0x5adb3b07000, parent = 18874369, window = 20978267}, xreparent =
{type = 30, serial = 22, send_event = 0, display = 0x5adb3b07000,
event = 18874369, window = 20978267, parent = 1, x = 311, y = 0,
override_redirect = 482}, xconfigure = {type = 30, serial = 22,
send_event = 0, display = 0x5adb3b07000, event = 18874369, window =
20978267, x = 1, y = 0, width = 311, height = 0, border_width = 482,
above = 3242522763, override_redirect = 0}, xgravity = {type = 30,
serial = 22, send_event = 0, display = 0x5adb3b07000, event =
18874369, window = 20978267, x = 1, y = 0}, xresizerequest = {type =
30, serial = 22, send_event = 0, display = 0x5adb3b07000, window =
18874369, width = 20978267, height = 0}, xconfigurerequest = {type =
30, serial = 22, send_event = 0, display = 0x5adb3b07000, parent =
18874369, window = 20978267, x = 1, y = 0, width = 311, height = 0,
border_width = 482, above = 3242522763, detail = 0, value_mask = 0},
xcirculate = {type = 30, serial = 22, send_event = 0, display =
0x5adb3b07000, event = 18874369, window = 20978267, place = 1},
xcirculaterequest = {type = 30, serial = 22, send_event = 0, display =
0x5adb3b07000, parent = 18874369, window = 20978267, place = 1},
xproperty = {type = 30, serial = 22, send_event = 0, display =
0x5adb3b07000, window = 18874369, atom = 20978267, time = 1, state =
311}, xselectionclear = {type = 30, serial = 22, send_event = 0,
display = 0x5adb3b07000, window = 18874369, selection = 20978267, time
= 1}, xselectionrequest = {type = 30, serial = 22, send_event = 0,
display = 0x5adb3b07000, owner = 18874369, requestor = 20978267,
selection = 1, target = 311, property = 482, time = 3242522763},
xselection = {type = 30, serial = 22, send_event = 0, display =
0x5adb3b07000, requestor = 18874369, selection = 20978267, target = 1,
property = 311, time = 482}, xcolormap = {type = 30, serial = 22,
send_event = 0, display = 0x5adb3b07000, window = 18874369, colormap =
20978267, new = 1, state = 0}, xclient = {type = 30, serial = 22,
send_event = 0, display = 0x5adb3b07000, window = 18874369,
message_type = 20978267, format = 1, data = {b =
"7\001\000\000\000\000\000\000â\001\000\000\000\000\000\000\213øDÁ", s
= {311, 0, 0, 0, 482, 0, 0, 0, -1909, -16060}, l = {311, 482,
3242522763, 0, 0}}}, xmapping = {type = 30, serial = 22, send_event =
0, display = 0x5adb3b07000, window = 18874369, request = 20978267,
first_keycode = 0, count = 1}, xerror = {type = 30, display = 0x16,
resourceid = 0, serial = 6243602165760, error_code = 1 '\001',
request_code = 0 '\0', minor_code = 32 ' '}, xkeymap = {type = 30,
serial = 22, send_event = 0, display = 0x5adb3b07000, window =
18874369, key_vector =
"[\032@\001\000\000\000\000\001\000\000\000\000\000\000\0007\001\000\000\000\000\000\000â\001\000\000\000\000\000"},
xgeneric = {type = 30, serial = 22, send_event = 0, display =
0x5adb3b07000, extension = 18874369, evtype = 0}, xcookie = {type =
30, serial = 22, send_event = 0, display = 0x5adb3b07000, extension =
18874369, evtype = 0, cookie = 20978267, data = 0x1}, pad = {30, 22,
0, 6243602165760, 18874369, 20978267, 1, 311, 482, 3242522763, 0
<repeats 14 times>}},
    sel=0x5ada7dbf000 "\t")
    at /usr/build/ports/pobj/xsel-1.2.0/xsel-1.2.0/xsel.c:1551
#5  0x000005aba4a04e5c in set_selection (selection=1, sel=0x5ada7dbf000 "\t")
    at /usr/build/ports/pobj/xsel-1.2.0/xsel-1.2.0/xsel.c:1637
#6  0x000005aba4a04f08 in set_selection__daemon (selection=1,
    sel=0x5ada7dbf000 "\t")
    at /usr/build/ports/pobj/xsel-1.2.0/xsel-1.2.0/xsel.c:1674
#7  0x000005aba4a06324 in main (argc=1, argv=0x5ada53e7050)
    at /usr/build/ports/pobj/xsel-1.2.0/xsel-1.2.0/xsel.c:2143


I finally decided to see what's going on but couldn't
quite figure out where the client code does things
wrong, starting off with the assumption the client is
to blame.

I don't have xenocara built with debugging symbols, so
decided to see if other reports exist on crashes ending
in _XData32() and found this 2007 report to NetBSD[1]
by Pierre Pronchery.

The report is far more detailed than I could ever hope
to provide. He, I think, has isolated the issue to the
following copy operation in _XData32():

        i >>= 2;
        while (--i >= 0)
            *buf++ = *data++;

Noting that buf is of type "int *" while data is "long *".
So, every so often, *data++ will read beyond bounds.
No? Causing the segfault on amd64 OpenBSD, while
Pierre Pronchery observes the bus error for unaligned
access on sparc64 NetBSD.

Hoping this issue gets better traction here with some
X11 wizards.

--patrick

[1] http://mail-index.netbsd.org/netbsd-bugs/2007/10/02/0005.html
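
Added example (not part of the original message, and not Xlib or xsel code): a simplified C model of the copy loop quoted above, showing how many bytes it reads from the caller's buffer for format=32, plus a caller-side size check. The function names are hypothetical; the rule that format-32 data is passed as an array of long is the one documented in the XChangeProperty man page.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of the quoted loop: len is the byte length of the
 * 32-bit output; each item is READ as a long and STORED as an int. */
static void model_xdata32(int *buf, const long *data, long len)
{
    long i = len >> 2;            /* number of 32-bit items to emit */
    while (--i >= 0)
        *buf++ = (int)*data++;    /* source advances sizeof(long) bytes */
}

/* Bytes the loop reads from the caller's buffer for nelements items. */
size_t format32_bytes_read(size_t nelements)
{
    return nelements * sizeof(long);
}

/* Caller-side check: may a buffer of buf_bytes be passed as format-32
 * data with nelements items without the loop reading past its end? */
int format32_buffer_ok(size_t buf_bytes, size_t nelements)
{
    return nelements <= SIZE_MAX / sizeof(long) &&
           buf_bytes >= format32_bytes_read(nelements);
}

/* Hypothetical helper: widen packed 32-bit values into the long array
 * that format 32 expects. The caller frees the result. */
long *widen_for_format32(const uint32_t *items, size_t n)
{
    long *out = calloc(n ? n : 1, sizeof(long));
    for (size_t k = 0; out != NULL && k < n; k++)
        out[k] = (long)items[k];
    return out;
}

/* Widen constructed values, run the model loop, and return 1 if the
 * 32-bit output matches the input. */
int roundtrip_ok(void)
{
    uint32_t packed[9];           /* constructed sample; 9 items as in frame #2 */
    int wire[9];
    for (size_t k = 0; k < 9; k++) packed[k] = 300u + (uint32_t)k;
    long *wide = widen_for_format32(packed, 9);
    if (wide == NULL) return 0;
    model_xdata32(wire, wide, 9L << 2);
    free(wide);
    return memcmp(wire, packed, sizeof(wire)) == 0;
}

int main(void) { return roundtrip_ok() ? 0 : 1; }
```

On an LP64 platform such as amd64, format32_buffer_ok(9 * sizeof(uint32_t), 9) is false: the loop would read 72 bytes from a 36-byte buffer.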
