Re: _XData32() crash: long* vs int* on amd64 (LP64)

Matthew Dempsky Tue, 17 Jun 2014 22:04:20 -0700

I think the issue is that xsel.c allocates "int nr_bytes;" in
change_property(), and then passes it to XChangeProperty with
format==32.  However, XChangeProperty() documents that format==32
specifically means a pointer to long (even on LP64 platforms).


I suspect changing "int nr_bytes" to "long nr_bytes" should fix the bug.

On Tue, Jun 17, 2014 at 1:56 AM, patrick keshishian <pkesh...@gmail.com> wrote:
> Hi,
>
> I use xsel (from ports) pretty often, and every so often it
> crashes:
>
> $ gdb `which xsel` xsel.core
> GNU gdb 6.3
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "amd64-unknown-openbsd5.5"...
> Core was generated by `xsel'.
> Program terminated with signal 11, Segmentation fault.
> Loaded symbols ...
> [...]
> #0  0x000005adb1e28f40 in _XData32 () from /usr/X11R6/lib/libX11.so.16.0
> (gdb) bt
> #0  0x000005adb1e28f40 in _XData32 () from /usr/X11R6/lib/libX11.so.16.0
> #1  0x000005adb1e05629 in XChangeProperty () from 
> /usr/X11R6/lib/libX11.so.16.0
> #2  0x000005aba4a03d75 in change_property (display=0x5adb3b07000,
>     requestor=20978267, property=482, target=4, format=32, mode=0,
>     data=0x5ada9647fc0 "3\001", nelements=9, selection=1, time=3242522763,
>     mparent=0x0) at /usr/build/ports/pobj/xsel-1.2.0/xsel-1.2.0/xsel.c:1177
> #3  0x000005aba4a042f9 in handle_targets (display=0x5adb3b07000,
>     requestor=20978267, property=482, selection=1, time=3242522763,
>     mparent=0x0) at /usr/build/ports/pobj/xsel-1.2.0/xsel-1.2.0/xsel.c:1307
> #4  0x000005aba4a04b48 in handle_selection_request (event=
>         {type = 30, xany = {type = 30, serial = 22, send_event = 0,
> display = 0x5adb3b07000, window = 18874369}, xkey = {type = 30, serial
> = 22, send_event = 0, display = 0x5adb3b07000, window = 18874369, root
> = 20978267, subwindow = 1, time = 311, x = 482, y = 0, x_root =
> -1052444533, y_root = 0, state = 0, keycode = 0, same_screen = 0},
> xbutton = {type = 30, serial = 22, send_event = 0, display =
> 0x5adb3b07000, window = 18874369, root = 20978267, subwindow = 1, time
> = 311, x = 482, y = 0, x_root = -1052444533, y_root = 0, state = 0,
> button = 0, same_screen = 0}, xmotion = {type = 30, serial = 22,
> send_event = 0, display = 0x5adb3b07000, window = 18874369, root =
> 20978267, subwindow = 1, time = 311, x = 482, y = 0, x_root =
> -1052444533, y_root = 0, state = 0, is_hint = 0 '\0', same_screen =
> 0}, xcrossing = {type = 30, serial = 22, send_event = 0, display =
> 0x5adb3b07000, window = 18874369, root = 20978267, subwindow = 1, time
> = 311, x = 482, y = 0, x_root = -1052444533, y_root = 0, mode = 0,
> detail = 0, same_screen = 0, focus = 0, state = 0}, xfocus = {type =
> 30, serial = 22, send_event = 0, display = 0x5adb3b07000, window =
> 18874369, mode = 20978267, detail = 0}, xexpose = {type = 30, serial =
> 22, send_event = 0, display = 0x5adb3b07000, window = 18874369, x =
> 20978267, y = 0, width = 1, height = 0, count = 311}, xgraphicsexpose
> = {type = 30, serial = 22, send_event = 0, display = 0x5adb3b07000,
> drawable = 18874369, x = 20978267, y = 0, width = 1, height = 0, count
> = 311, major_code = 0, minor_code = 482}, xnoexpose = {type = 30,
> serial = 22, send_event = 0, display = 0x5adb3b07000, drawable =
> 18874369, major_code = 20978267, minor_code = 0}, xvisibility = {type
> = 30, serial = 22, send_event = 0, display = 0x5adb3b07000, window =
> 18874369, state = 20978267}, xcreatewindow = {type = 30, serial = 22,
> send_event = 0, display = 0x5adb3b07000, parent = 18874369, window =
> 20978267, x = 1, y = 0, width = 311, height = 0, border_width = 482,
> override_redirect = 0}, xdestroywindow = {type = 30, serial = 22,
> send_event = 0, display = 0x5adb3b07000, event = 18874369, window =
> 20978267}, xunmap = {type = 30, serial = 22, send_event = 0, display =
> 0x5adb3b07000, event = 18874369, window = 20978267, from_configure =
> 1}, xmap = {type = 30, serial = 22, send_event = 0, display =
> 0x5adb3b07000, event = 18874369, window = 20978267, override_redirect
> = 1}, xmaprequest = {type = 30, serial = 22, send_event = 0, display =
> 0x5adb3b07000, parent = 18874369, window = 20978267}, xreparent =
> {type = 30, serial = 22, send_event = 0, display = 0x5adb3b07000,
> event = 18874369, window = 20978267, parent = 1, x = 311, y = 0,
> override_redirect = 482}, xconfigure = {type = 30, serial = 22,
> send_event = 0, display = 0x5adb3b07000, event = 18874369, window =
> 20978267, x = 1, y = 0, width = 311, height = 0, border_width = 482,
> above = 3242522763, override_redirect = 0}, xgravity = {type = 30,
> serial = 22, send_event = 0, display = 0x5adb3b07000, event =
> 18874369, window = 20978267, x = 1, y = 0}, xresizerequest = {type =
> 30, serial = 22, send_event = 0, display = 0x5adb3b07000, window =
> 18874369, width = 20978267, height = 0}, xconfigurerequest = {type =
> 30, serial = 22, send_event = 0, display = 0x5adb3b07000, parent =
> 18874369, window = 20978267, x = 1, y = 0, width = 311, height = 0,
> border_width = 482, above = 3242522763, detail = 0, value_mask = 0},
> xcirculate = {type = 30, serial = 22, send_event = 0, display =
> 0x5adb3b07000, event = 18874369, window = 20978267, place = 1},
> xcirculaterequest = {type = 30, serial = 22, send_event = 0, display =
> 0x5adb3b07000, parent = 18874369, window = 20978267, place = 1},
> xproperty = {type = 30, serial = 22, send_event = 0, display =
> 0x5adb3b07000, window = 18874369, atom = 20978267, time = 1, state =
> 311}, xselectionclear = {type = 30, serial = 22, send_event = 0,
> display = 0x5adb3b07000, window = 18874369, selection = 20978267, time
> = 1}, xselectionrequest = {type = 30, serial = 22, send_event = 0,
> display = 0x5adb3b07000, owner = 18874369, requestor = 20978267,
> selection = 1, target = 311, property = 482, time = 3242522763},
> xselection = {type = 30, serial = 22, send_event = 0, display =
> 0x5adb3b07000, requestor = 18874369, selection = 20978267, target = 1,
> property = 311, time = 482}, xcolormap = {type = 30, serial = 22,
> send_event = 0, display = 0x5adb3b07000, window = 18874369, colormap =
> 20978267, new = 1, state = 0}, xclient = {type = 30, serial = 22,
> send_event = 0, display = 0x5adb3b07000, window = 18874369,
> message_type = 20978267, format = 1, data = {b =
> "7\001\000\000\000\000\000\000â\001\000\000\000\000\000\000\213øDÁ", s
> = {311, 0, 0, 0, 482, 0, 0, 0, -1909, -16060}, l = {311, 482,
> 3242522763, 0, 0}}}, xmapping = {type = 30, serial = 22, send_event =
> 0, display = 0x5adb3b07000, window = 18874369, request = 20978267,
> first_keycode = 0, count = 1}, xerror = {type = 30, display = 0x16,
> resourceid = 0, serial = 6243602165760, error_code = 1 '\001',
> request_code = 0 '\0', minor_code = 32 ' '}, xkeymap = {type = 30,
> serial = 22, send_event = 0, display = 0x5adb3b07000, window =
> 18874369, key_vector =
> "[\032@\001\000\000\000\000\001\000\000\000\000\000\000\0007\001\000\000\000\000\000\000â\001\000\000\000\000\000"},
> xgeneric = {type = 30, serial = 22, send_event = 0, display =
> 0x5adb3b07000, extension = 18874369, evtype = 0}, xcookie = {type =
> 30, serial = 22, send_event = 0, display = 0x5adb3b07000, extension =
> 18874369, evtype = 0, cookie = 20978267, data = 0x1}, pad = {30, 22,
> 0, 6243602165760, 18874369, 20978267, 1, 311, 482, 3242522763, 0
> <repeats 14 times>}},
>     sel=0x5ada7dbf000 "\t")
>     at /usr/build/ports/pobj/xsel-1.2.0/xsel-1.2.0/xsel.c:1551
> #5  0x000005aba4a04e5c in set_selection (selection=1, sel=0x5ada7dbf000 "\t")
>     at /usr/build/ports/pobj/xsel-1.2.0/xsel-1.2.0/xsel.c:1637
> #6  0x000005aba4a04f08 in set_selection__daemon (selection=1,
>     sel=0x5ada7dbf000 "\t")
>     at /usr/build/ports/pobj/xsel-1.2.0/xsel-1.2.0/xsel.c:1674
> #7  0x000005aba4a06324 in main (argc=1, argv=0x5ada53e7050)
>     at /usr/build/ports/pobj/xsel-1.2.0/xsel-1.2.0/xsel.c:2143
>
>
> I finally decided to see what's going on but couldn't
> quite figure out where the client code does things
> wrong, starting off with the assumption the client is
> to blame.
>
> I don't have xenocara built with debuging symbols, so
> decided to see if other reports exist on crashes ending
> in _XData32() and found this 2007 report to NetBSD[1]
> by Pierre Pronchery.
>
> The report is far more detailed than I could ever hope
> to provide. He, I think, has isolated the issue to the
> following copy operation in _XData32():
>
>         i >>= 2;
>         while (--i >= 0)
>             *buf++ = *data++;
>
> Noting that buf is of type "int *" while data is "long *".
> So, every so often, *data++ will read beyond bounds.
> No? Causing the segfault on amd64 OpenBSD, while
> Pierre Pronchery observes the bus error for unaligned
> access on sparc64 NetBSD.
>
> Hoping this issue gets better traction here with some
> X11 wizards.
>
> --patrick
>
> [1] http://mail-index.netbsd.org/netbsd-bugs/2007/10/02/0005.html

Re: _XData32() crash: long* vs int* on amd64 (LP64)

Reply via email to