© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0f7b58d
(Get the code!)
Message-ID: <email address hidden>
Date: Fri, 17 Dec 2004 12:22:25 +0100
From: Thomas Winischhofer <email address hidden>
To: <email address hidden>
Subject: Re: Bug#284448: xserver-xfree86: xserver (ATI or Radeon something
7500) crashes on variouslaunches of programcs from within X.
This looks like an Xlibs bug.
-----------
#10 0x0892a025 in fs_read_list_info (fpe=0x8bcf350, blockrec=0x8d65198)
at fserve.c:2376
binfo = 0x8d651b4
rep = (fsListFontsWit
buf = 0x10c3a3fc <Address 0x10c3a3fc out of bounds> <---
conn = 0x8bcf378
pi = (fsPropInfo *) 0x8bcf83c
po = (fsPropOffset *) 0x8bcf844
pd = 0x8bcf894 <------
ret = 1
err = 146600824
-----------
The source of Xfont/fc/fserve.c at this point (in fs_read_list_info)
looks like this:
if (conn->
{
memcpy (binfo->name, buf, rep->nameLength);
buf += _fs_pad_length (rep->nameLength);
}
pi = (fsPropInfo *) buf;
buf += SIZEOF (fsPropInfo);
po = (fsPropOffset *) buf;
buf += pi->num_offsets * SIZEOF (fsPropOffset);
pd = (pointer) buf; <------
buf += pi->data_len; <------
if (conn->
{
memcpy (binfo->name, buf, rep->nameLength);
buf += _fs_pad_length (rep->nameLength);
}
-----------
From the fact that "pd" is set to a legal value in the debugging
output, while "buf" (after adding "pi->data_len") is "out of bounds" I
would very much assume that "pi->data_len" contains garbage.
As regards why it does this, I have no idea.
Are these patches in the Debian SVN:
http://
http://
http://
Thomas
--
Thomas Winischhofer
Vienna/Austria
thomas AT winischhofer DOT net *** http://
twini AT xfree86 DOT org