Bugtraq mailing list archives

Re: Crashing X

From: Matthieu Herrb <matthieu.herrb () laas fr>
Date: Sat, 8 Dec 2001 21:13:20 +0100

You wrote (in your message from Friday 7)


The vuln-dev Message-ID is <3B822F5F.99227A5F () snosoft com>. I saw a fix
for it on September 16th, so I'm rather hoping XFree86 releases newer
than that have the fix integrated.


This has indeed been reported several time to XFree86 since last
september. 

The patch that is in current XFree86 and in the 4_1_0 branch is
appended below. I have reports that it does not fix all possible cases
of crashes, but I can not reproduce any crashes with this patch. 
May be someone can provide more details here (stack trace,...) ? 

                                Matthieu Herrb

Index: fbglyph.c
===================================================================
RCS file: /xf86/xc/programs/Xserver/fb/fbglyph.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- fbglyph.c   2001/05/29 04:54:09     1.11
+++ fbglyph.c   2001/09/07 15:16:00     1.12
@@ -34,9 +34,19 @@
           int          height)
 {
     BoxRec  box;
+    BoxPtr  pExtents = REGION_EXTENTS (0, pRegion);
 
-    if (x + width < 0) return FALSE;
-    if (y + height < 0) return FALSE;
+    /*
+     * Check extents by hand to avoid 16 bit overflows
+     */
+    if (x < (int) pExtents->x1) 
+       return FALSE;
+    if ((int) pExtents->x2 < x + width) 
+       return FALSE;
+    if (y < (int) pExtents->y1)
+       return FALSE;
+    if ((int) pExtents->y2 < y + height)
+       return FALSE;
     box.x1 = x;
     box.x2 = x + width;
     box.y1 = y;
@@ -261,10 +271,10 @@
                              FbBits,
                              int,
                              int);
-    FbBits         *dst;
-    FbStride       dstStride;
-    int                    dstBpp;
-    int                    dstXoff, dstYoff;
+    FbBits         *dst = 0;
+    FbStride       dstStride = 0;
+    int                    dstBpp = 0;
+    int                    dstXoff = 0, dstYoff = 0;
     
     glyph = 0;
     if (pGC->fillStyle == FillSolid && pPriv->and == 0)
@@ -352,10 +362,10 @@
                              FbBits,
                              int,
                              int);
-    FbBits         *dst;
-    FbStride       dstStride;
-    int                    dstBpp;
-    int                    dstXoff, dstYoff;
+    FbBits         *dst = 0;
+    FbStride       dstStride = 0;
+    int                    dstBpp = 0;
+    int                    dstXoff = 0, dstYoff = 0;
     
     glyph = 0;
     if (pPriv->and == 0)

Current thread:

Crashing X scott (Dec 07)
- Re: Crashing X John Scimone (Dec 08)
  - Re: Crashing X KF (Dec 10)
    - Re: Crashing X Paul Starzetz (Dec 11)
- Re: Crashing X Seth Arnold (Dec 08)
  - Re: Crashing X Matthieu Herrb (Dec 08)
- Re: Crashing X munehiro (Dec 08)
- <Possible follow-ups>
- Re: Crashing X Joe Schmoe (Dec 11)