[apport] rdesktop crashed with SIGSEGV in XPutImage()

StacktraceTop:_XrmInternalStringToQuark (name=<value optimized out>, len=65011717, sig=138257672, permstring=0) at ../../src/Quarks.c:340
?? ()
?? ()
?? ()
?? ()

I've got a similar crash, see below...

rdesktop_1.5.0-1build1

Starting program: /usr/src/rdesktop-1.5.0/rdesktop 172.20.89.3
Autoselected keyboard map en-us
WARNING: Remote desktop does not support colour depth 16; falling back to 8

Program received signal SIGSEGV, Segmentation fault.
0xb7d932b2 in XPutImage () from /usr/lib/libX11.so.6
(gdb)
(gdb) bt
#0 0xb7d932b2 in XPutImage () from /usr/lib/libX11.so.6
#1 0x08051d0c in ui_desktop_restore (offset=0, x=191, y=115, cx=417, cy=255)
    at xwin.c:3226
#2 0x08063e60 in process_orders (s=0x80b6c40, num_orders=29) at orders.c:375
#3 0x08069079 in rdp5_process (s=0x80b6c40) at rdp5.c:85
#4 0x08060d11 in rdp_recv (type=0xbfdc19b7 "\a\001\001\001\001") at rdp.c:99
#5 0x08061308 in rdp_loop (deactivated=0xbfdc1a64, ext_disc_reason=0xbfdc1a60)
    at rdp.c:1378
#6 0x08061f5c in rdp_main_loop (deactivated=0xbfdc1a64,
    ext_disc_reason=0xbfdc1a60) at rdp.c:1363
#7 0x0804db07 in main (argc=1, argv=0xbfdc1e24) at rdesktop.c:912

Please note that downgrading to rdesktop 1.41 fixed the problem for me.

I downloaded http://mirrors.kernel.org/ubuntu/pool/main/r/rdesktop/rdesktop_1.4.1-1_i386.deb
and installed it manually via dpkg(1).

Here's what I saw under the debugger:

#1 0x08051d0c in ui_desktop_restore (offset=0, x=191, y=115, cx=417, cy=255)
    at xwin.c:3226
3226 XPutImage(g_display, g_backstore, g_gc, image, 0, 0, x, y, cx, cy);
(gdb) print g_display
$1 = (Display *) 0x83cf7c0
(gdb) print g_backstore
$2 = 48234501
(gdb) print g_gc
$3 = (GC) 0x83dafd0
(gdb) print image
$5 = (XImage *) 0x0

It looks like image is a NULL pointer which probably causes XPutImage to segfault.

I can connect to the remote Windows 2000 server and get to view the login screen, but when I hit "Cancel" it crashes. When I type my user name and password and hit "Login", it crashes.

I have also attached a corefile.

PLEASE consider releasing Feisty with rdesktop 1.41 instead of 1.5 since it is very late in the game to get this major bug fixed.

This bug is also present in the CVS version of rdesktop as of April 5th.

Here is a patch that works around the problem but creates visual artifacts on the screen.

--- xwin.c 2006-08-07 07:45:44.000000000 -0400
+++ ../rdesktop-1.5.0a/xwin.c 2007-04-05 15:56:16.000000000 -0400
@@ -3220,6 +3220,8 @@

        image = XCreateImage(g_display, g_visual, g_depth, ZPixmap, 0,
                             (char *) data, cx, cy, BitmapPad(g_display), cx * g_bpp / 8);
+ if (image == NULL)
+ return;

        if (g_ownbackstore)
        {

On Wed, 2007-04-11 at 11:26 -0400, Mark Heily wrote:
> Here is a patch that prevents rdesktop from crashing due to increased Xlib sanity checking
> of arguments passed to XCreateImage(3). Thanks to Julien Cristau for his helpful explanation
> of the problem on the Debian bug tracking system.
>

Regrettably, the patch I submitted needs additional work by the rdesktop
developers or someone with more knowledge about Xlib programming. After
applying the patch, XCreateImage(3) returns a valid Image pointer and
does not crash the program, but the image it creates is slanted and
unreadable. The impacted functions are ui_desktop_save() and
ui_desktop_restore() in xwin.c.

You can reproduce this by connecting to a Windows 2000 server in 8bpp
mode, clicking on the Start button, and then clicking the start button
again. The part of the desktop that is repainted will be displayed
incorrectly.

Regards,

Mark

Hi,

Here is another solution: replace "BitmapPad(g_display)" by "g_bpp" inside this XCreateImage call.

I've done some tests with a windows 2003 server, 8 bpp and 16 bpp, and it worked fine.

Mat