Oh, and I think the (int *) cast here should be changed to (long *):
retval = wait_incr_selection (selection, &event.xselection,
*(int *)value);
Can anyone confirm if xsel works on big-endian LP64 platforms? I'd
suspect the above expression would render it rather useless if it's
actually supposed to be (long *)...
On Tue, Jun 17, 2014 at 9:55 PM, Matthew Dempsky <matt...@dempsky.org> wrote:
> I think the issue is that xsel.c allocates "int nr_bytes;" in
> change_property(), and then passes it to XChangeProperty with
> format==32. However, XChangeProperty() documents that format==32
> specifically means a pointer to long (even on LP64 platforms).
>
> I suspect changing "int nr_bytes" to "long nr_bytes" should fix the bug.
>
> On Tue, Jun 17, 2014 at 1:56 AM, patrick keshishian <pkesh...@gmail.com>
> wrote:
>> Hi,
>>
>> I use xsel (from ports) pretty often, and every so often it
>> crashes:
>>
>> $ gdb `which xsel` xsel.core
>> GNU gdb 6.3
>> Copyright 2004 Free Software Foundation, Inc.
>> GDB is free software, covered by the GNU General Public License, and you are
>> welcome to change it and/or distribute copies of it under certain conditions.
>> Type "show copying" to see the conditions.
>> There is absolutely no warranty for GDB. Type "show warranty" for details.
>> This GDB was configured as "amd64-unknown-openbsd5.5"...
>> Core was generated by `xsel'.
>> Program terminated with signal 11, Segmentation fault.
>> Loaded symbols ...
>> [...]
>> #0 0x000005adb1e28f40 in _XData32 () from /usr/X11R6/lib/libX11.so.16.0
>> (gdb) bt
>> #0 0x000005adb1e28f40 in _XData32 () from /usr/X11R6/lib/libX11.so.16.0
>> #1 0x000005adb1e05629 in XChangeProperty () from
>> /usr/X11R6/lib/libX11.so.16.0
>> #2 0x000005aba4a03d75 in change_property (display=0x5adb3b07000,
>> requestor=20978267, property=482, target=4, format=32, mode=0,
>> data=0x5ada9647fc0 "3\001", nelements=9, selection=1, time=3242522763,
>> mparent=0x0) at /usr/build/ports/pobj/xsel-1.2.0/xsel-1.2.0/xsel.c:1177
>> #3 0x000005aba4a042f9 in handle_targets (display=0x5adb3b07000,
>> requestor=20978267, property=482, selection=1, time=3242522763,
>> mparent=0x0) at /usr/build/ports/pobj/xsel-1.2.0/xsel-1.2.0/xsel.c:1307
>> #4 0x000005aba4a04b48 in handle_selection_request (event=
>> {type = 30, xany = {type = 30, serial = 22, send_event = 0,
>> display = 0x5adb3b07000, window = 18874369}, xkey = {type = 30, serial
>> = 22, send_event = 0, display = 0x5adb3b07000, window = 18874369, root
>> = 20978267, subwindow = 1, time = 311, x = 482, y = 0, x_root =
>> -1052444533, y_root = 0, state = 0, keycode = 0, same_screen = 0},
>> xbutton = {type = 30, serial = 22, send_event = 0, display =
>> 0x5adb3b07000, window = 18874369, root = 20978267, subwindow = 1, time
>> = 311, x = 482, y = 0, x_root = -1052444533, y_root = 0, state = 0,
>> button = 0, same_screen = 0}, xmotion = {type = 30, serial = 22,
>> send_event = 0, display = 0x5adb3b07000, window = 18874369, root =
>> 20978267, subwindow = 1, time = 311, x = 482, y = 0, x_root =
>> -1052444533, y_root = 0, state = 0, is_hint = 0 '\0', same_screen =
>> 0}, xcrossing = {type = 30, serial = 22, send_event = 0, display =
>> 0x5adb3b07000, window = 18874369, root = 20978267, subwindow = 1, time
>> = 311, x = 482, y = 0, x_root = -1052444533, y_root = 0, mode = 0,
>> detail = 0, same_screen = 0, focus = 0, state = 0}, xfocus = {type =
>> 30, serial = 22, send_event = 0, display = 0x5adb3b07000, window =
>> 18874369, mode = 20978267, detail = 0}, xexpose = {type = 30, serial =
>> 22, send_event = 0, display = 0x5adb3b07000, window = 18874369, x =
>> 20978267, y = 0, width = 1, height = 0, count = 311}, xgraphicsexpose
>> = {type = 30, serial = 22, send_event = 0, display = 0x5adb3b07000,
>> drawable = 18874369, x = 20978267, y = 0, width = 1, height = 0, count
>> = 311, major_code = 0, minor_code = 482}, xnoexpose = {type = 30,
>> serial = 22, send_event = 0, display = 0x5adb3b07000, drawable =
>> 18874369, major_code = 20978267, minor_code = 0}, xvisibility = {type
>> = 30, serial = 22, send_event = 0, display = 0x5adb3b07000, window =
>> 18874369, state = 20978267}, xcreatewindow = {type = 30, serial = 22,
>> send_event = 0, display = 0x5adb3b07000, parent = 18874369, window =
>> 20978267, x = 1, y = 0, width = 311, height = 0, border_width = 482,
>> override_redirect = 0}, xdestroywindow = {type = 30, serial = 22,
>> send_event = 0, display = 0x5adb3b07000, event = 18874369, window =
>> 20978267}, xunmap = {type = 30, serial = 22, send_event = 0, display =
>> 0x5adb3b07000, event = 18874369, window = 20978267, from_configure =
>> 1}, xmap = {type = 30, serial = 22, send_event = 0, display =
>> 0x5adb3b07000, event = 18874369, window = 20978267, override_redirect
>> = 1}, xmaprequest = {type = 30, serial = 22, send_event = 0, display =
>> 0x5adb3b07000, parent = 18874369, window = 20978267}, xreparent =
>> {type = 30, serial = 22, send_event = 0, display = 0x5adb3b07000,
>> event = 18874369, window = 20978267, parent = 1, x = 311, y = 0,
>> override_redirect = 482}, xconfigure = {type = 30, serial = 22,
>> send_event = 0, display = 0x5adb3b07000, event = 18874369, window =
>> 20978267, x = 1, y = 0, width = 311, height = 0, border_width = 482,
>> above = 3242522763, override_redirect = 0}, xgravity = {type = 30,
>> serial = 22, send_event = 0, display = 0x5adb3b07000, event =
>> 18874369, window = 20978267, x = 1, y = 0}, xresizerequest = {type =
>> 30, serial = 22, send_event = 0, display = 0x5adb3b07000, window =
>> 18874369, width = 20978267, height = 0}, xconfigurerequest = {type =
>> 30, serial = 22, send_event = 0, display = 0x5adb3b07000, parent =
>> 18874369, window = 20978267, x = 1, y = 0, width = 311, height = 0,
>> border_width = 482, above = 3242522763, detail = 0, value_mask = 0},
>> xcirculate = {type = 30, serial = 22, send_event = 0, display =
>> 0x5adb3b07000, event = 18874369, window = 20978267, place = 1},
>> xcirculaterequest = {type = 30, serial = 22, send_event = 0, display =
>> 0x5adb3b07000, parent = 18874369, window = 20978267, place = 1},
>> xproperty = {type = 30, serial = 22, send_event = 0, display =
>> 0x5adb3b07000, window = 18874369, atom = 20978267, time = 1, state =
>> 311}, xselectionclear = {type = 30, serial = 22, send_event = 0,
>> display = 0x5adb3b07000, window = 18874369, selection = 20978267, time
>> = 1}, xselectionrequest = {type = 30, serial = 22, send_event = 0,
>> display = 0x5adb3b07000, owner = 18874369, requestor = 20978267,
>> selection = 1, target = 311, property = 482, time = 3242522763},
>> xselection = {type = 30, serial = 22, send_event = 0, display =
>> 0x5adb3b07000, requestor = 18874369, selection = 20978267, target = 1,
>> property = 311, time = 482}, xcolormap = {type = 30, serial = 22,
>> send_event = 0, display = 0x5adb3b07000, window = 18874369, colormap =
>> 20978267, new = 1, state = 0}, xclient = {type = 30, serial = 22,
>> send_event = 0, display = 0x5adb3b07000, window = 18874369,
>> message_type = 20978267, format = 1, data = {b =
>> "7\001\000\000\000\000\000\000â\001\000\000\000\000\000\000\213øDÁ", s
>> = {311, 0, 0, 0, 482, 0, 0, 0, -1909, -16060}, l = {311, 482,
>> 3242522763, 0, 0}}}, xmapping = {type = 30, serial = 22, send_event =
>> 0, display = 0x5adb3b07000, window = 18874369, request = 20978267,
>> first_keycode = 0, count = 1}, xerror = {type = 30, display = 0x16,
>> resourceid = 0, serial = 6243602165760, error_code = 1 '\001',
>> request_code = 0 '\0', minor_code = 32 ' '}, xkeymap = {type = 30,
>> serial = 22, send_event = 0, display = 0x5adb3b07000, window =
>> 18874369, key_vector =
>> "[\032@\001\000\000\000\000\001\000\000\000\000\000\000\0007\001\000\000\000\000\000\000â\001\000\000\000\000\000"},
>> xgeneric = {type = 30, serial = 22, send_event = 0, display =
>> 0x5adb3b07000, extension = 18874369, evtype = 0}, xcookie = {type =
>> 30, serial = 22, send_event = 0, display = 0x5adb3b07000, extension =
>> 18874369, evtype = 0, cookie = 20978267, data = 0x1}, pad = {30, 22,
>> 0, 6243602165760, 18874369, 20978267, 1, 311, 482, 3242522763, 0
>> <repeats 14 times>}},
>> sel=0x5ada7dbf000 "\t")
>> at /usr/build/ports/pobj/xsel-1.2.0/xsel-1.2.0/xsel.c:1551
>> #5 0x000005aba4a04e5c in set_selection (selection=1, sel=0x5ada7dbf000 "\t")
>> at /usr/build/ports/pobj/xsel-1.2.0/xsel-1.2.0/xsel.c:1637
>> #6 0x000005aba4a04f08 in set_selection__daemon (selection=1,
>> sel=0x5ada7dbf000 "\t")
>> at /usr/build/ports/pobj/xsel-1.2.0/xsel-1.2.0/xsel.c:1674
>> #7 0x000005aba4a06324 in main (argc=1, argv=0x5ada53e7050)
>> at /usr/build/ports/pobj/xsel-1.2.0/xsel-1.2.0/xsel.c:2143
>>
>>
>> I finally decided to see what's going on but couldn't
>> quite figure out where the client code does things
>> wrong, starting off with the assumption the client is
>> to blame.
>>
>> I don't have xenocara built with debuging symbols, so
>> decided to see if other reports exist on crashes ending
>> in _XData32() and found this 2007 report to NetBSD[1]
>> by Pierre Pronchery.
>>
>> The report is far more detailed than I could ever hope
>> to provide. He, I think, has isolated the issue to the
>> following copy operation in _XData32():
>>
>> i >>= 2;
>> while (--i >= 0)
>> *buf++ = *data++;
>>
>> Noting that buf is of type "int *" while data is "long *".
>> So, every so often, *data++ will read beyond bounds.
>> No? Causing the segfault on amd64 OpenBSD, while
>> Pierre Pronchery observes the bus error for unaligned
>> access on sparc64 NetBSD.
>>
>> Hoping this issue gets better traction here with some
>> X11 wizards.
>>
>> --patrick
>>
>> [1] http://mail-index.netbsd.org/netbsd-bugs/2007/10/02/0005.html
