This looks like an Xlibs bug.
-----------
#10 0x0892a025 in fs_read_list_info (fpe=0x8bcf350, blockrec=0x8d65198)
    at fserve.c:2376
        binfo = 0x8d651b4
        rep = (fsListFontsWithXInfoReply *) 0x8bcf808
        buf = 0x10c3a3fc <Address 0x10c3a3fc out of bounds>      <---
        conn = 0x8bcf378
        pi = (fsPropInfo *) 0x8bcf83c
        po = (fsPropOffset *) 0x8bcf844
        pd = 0x8bcf894                                           <----------------------
        ret = 1
        err = 146600824
-----------
The source of Xfont/fc/fserve.c at this point (in fs_read_list_info)
looks like this:
-----------
    if (conn->fsMajorVersion <= 1)
    {
        memcpy (binfo->name, buf, rep->nameLength);
        buf += _fs_pad_length (rep->nameLength);
    }
    pi = (fsPropInfo *) buf;
    buf += SIZEOF (fsPropInfo);
    po = (fsPropOffset *) buf;
    buf += pi->num_offsets * SIZEOF (fsPropOffset);
    pd = (pointer) buf;                              <--------------------------
    buf += pi->data_len;                             <--------------------------
    if (conn->fsMajorVersion > 1)
    {
        memcpy (binfo->name, buf, rep->nameLength);
        buf += _fs_pad_length (rep->nameLength);
    }
-----------
From the fact that "pd" is set to a legal value in the debugging output, while "buf" (after adding "pi->data_len") is "out of bounds" I would very much assume that "pi->data_len" contains garbage.
As regards why it does this, I have no idea.
Are these patches in the Debian SVN:
http://freedesktop.org/cgi-bin/viewcvs.cgi/xlibs/Xfont/fc/fserve.c?r1=3.22&r2=3.22.2.1
http://freedesktop.org/cgi-bin/viewcvs.cgi/xlibs/Xfont/fc/fserve.c?r1=3.23&r2=3.24
http://cvsweb.xfree86.org/cvsweb/xc/lib/font/fc/fserve.c.diff?r1=3.26&r2=3.27

Thomas

--
Thomas Winischhofer
Vienna/Austria
thomas AT winischhofer DOT net *** http://www.winischhofer.net
twini AT xfree86 DOT org
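An added bounds-checked version of the property-block walk quoted in the message above, written for this thread and not taken from Xfont: it refuses each cursor advance that would step past the end of the reply, so a garbage pi->data_len is rejected instead of producing an out-of-bounds buf. The struct layouts, host byte order and the check_reply() builder are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed stand-ins for the FSproto.h structures: only the fields that the
 * quoted fs_read_list_info() code reads are modelled (8 and 20 bytes). */
typedef struct { uint32_t num_offsets; uint32_t data_len; } PropInfo;
typedef struct { uint32_t name_off, name_len, val_off, val_len, type; } PropOffset;

/* Advance *cur by n bytes, refusing to step past the end of the reply.
 * Returns 0 on success, -1 when the reply is shorter than claimed. */
static int advance(const uint8_t **cur, const uint8_t *end, size_t n)
{
    if (n > (size_t)(end - *cur)) return -1;
    *cur += n;
    return 0;
}

/* Walk the property block the way the quoted code does, but check every
 * wire-supplied length against the reply length before trusting it.
 * Assumption: the reply has already been swapped to host byte order. */
int parse_prop_block(const uint8_t *buf, size_t len,
                     uint32_t *num_offsets, uint32_t *data_len)
{
    const uint8_t *cur = buf, *end = buf + len;
    PropInfo pi;
    if (advance(&cur, end, sizeof pi)) return -1;
    memcpy(&pi, buf, sizeof pi);
    /* Divide instead of multiplying so a huge num_offsets cannot wrap size_t. */
    if (pi.num_offsets > (size_t)(end - cur) / sizeof(PropOffset)) return -1;
    cur += (size_t)pi.num_offsets * sizeof(PropOffset);
    if (advance(&cur, end, pi.data_len)) return -1; /* the step that ran past the end */
    *num_offsets = pi.num_offsets;
    *data_len = pi.data_len;
    return 0;
}

/* Constructed reply: one PropOffset, `trailing` bytes of property data, and a
 * header that claims `claimed_len` data bytes. Returns parse_prop_block's verdict. */
int check_reply(uint32_t claimed_len, size_t trailing)
{
    uint8_t reply[64] = {0};
    PropInfo pi = { 1, claimed_len };
    PropOffset po = { 0, 0, 0, 0, 0 };
    uint32_t n, d;
    if (trailing > sizeof reply - sizeof pi - sizeof po) return -2;
    memcpy(reply, &pi, sizeof pi);
    memcpy(reply + sizeof pi, &po, sizeof po);
    return parse_prop_block(reply, sizeof pi + sizeof po + trailing, &n, &d);
}
```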