Message-ID: <email address hidden>
Date: Fri, 17 Dec 2004 12:22:25 +0100
From: Thomas Winischhofer <email address hidden>
To: <email address hidden>
Subject: Re: Bug#284448: xserver-xfree86: xserver (ATI or Radeon something 7500) crashes on various launches of programs from within X.
This looks like an Xlibs bug.
-----------
#10 0x0892a025 in fs_read_list_info (fpe=0x8bcf350, blockrec=0x8d65198)
at fserve.c:2376
binfo = 0x8d651b4
rep = (fsListFontsWithXInfoReply *) 0x8bcf808
buf = 0x10c3a3fc <Address 0x10c3a3fc out of bounds> <---
conn = 0x8bcf378
pi = (fsPropInfo *) 0x8bcf83c
po = (fsPropOffset *) 0x8bcf844
pd = 0x8bcf894 <----------------------
ret = 1
err = 146600824
-----------
The source of Xfont/fc/fserve.c at this point (in fs_read_list_info)
looks like this:
if (conn->fsMajorVersion > 1)
{
    memcpy (binfo->name, buf, rep->nameLength);
    buf += _fs_pad_length (rep->nameLength);
}
pi = (fsPropInfo *) buf;
buf += SIZEOF (fsPropInfo);
po = (fsPropOffset *) buf;
buf += pi->num_offsets * SIZEOF (fsPropOffset);
pd = (pointer) buf;                              <------
buf += pi->data_len;                             <------
if (conn->fsMajorVersion <= 1)
{
    memcpy (binfo->name, buf, rep->nameLength);
    buf += _fs_pad_length (rep->nameLength);
}
-----------
From the fact that "pd" is set to a legal value in the debugging
output, while "buf" (after adding "pi->data_len") is "out of bounds" I
would very much assume that "pi->data_len" contains garbage.
As regards why it does this, I have no idea.
Are these patches in the Debian SVN:
http://freedesktop.org/cgi-bin/viewcvs.cgi/xlibs/Xfont/fc/fserve.c?r1=3.22&r2=3.22.2.1
http://freedesktop.org/cgi-bin/viewcvs.cgi/xlibs/Xfont/fc/fserve.c?r1=3.23&r2=3.24
http://cvsweb.xfree86.org/cvsweb/xc/lib/font/fc/fserve.c.diff?r1=3.26&r2=3.27
Thomas
--
Thomas Winischhofer
Vienna/Austria
thomas AT winischhofer DOT net    *** http://www.winischhofer.net
twini AT xfree86 DOT org
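A bounds-checked version of the walk quoted in the message, added here as an example and not code from the message or from Xfont: each length field read out of the reply (nameLength, num_offsets, data_len) is compared with the bytes still remaining before the pointer advances, so a garbage data_len is rejected instead of driving buf out of bounds as in the backtrace. The PropInfo struct, the 20-byte fsPropOffset size and the 4-byte padding rule are assumptions, and walk_sample feeds it a constructed reply.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the FS protocol types walked in fs_read_list_info;
 * field names follow the message, the sizes and 4-byte padding are assumed. */
typedef struct { uint32_t num_offsets; uint32_t data_len; } PropInfo;
#define SIZEOF_PROP_OFFSET 20u
static size_t pad_length(size_t n) { return (n + 3u) & ~(size_t)3u; }

/* Walk name / PropInfo / PropOffset[] / property data of one reply held in
 * rep_len bytes at rep, checking every length field against the bytes that
 * remain. Returns bytes consumed, or 0 if any field would run past the end. */
size_t walk_list_info(const unsigned char *rep, size_t rep_len,
                      size_t name_len, int major_version)
{
    const unsigned char *buf = rep, *end = rep + rep_len;
    PropInfo pi;

    if (major_version > 1) {               /* v2+: name comes first */
        if (pad_length(name_len) > (size_t)(end - buf)) return 0;
        buf += pad_length(name_len);
    }
    if (sizeof pi > (size_t)(end - buf)) return 0;
    memcpy(&pi, buf, sizeof pi);
    buf += sizeof pi;
    /* num_offsets * SIZEOF(fsPropOffset): divide instead of multiply so a
     * large count can neither overflow nor overrun */
    if (pi.num_offsets > (size_t)(end - buf) / SIZEOF_PROP_OFFSET) return 0;
    buf += (size_t)pi.num_offsets * SIZEOF_PROP_OFFSET;
    /* the check the crashing code lacks: pi->data_len is added unverified */
    if (pi.data_len > (size_t)(end - buf)) return 0;
    buf += pi.data_len;
    if (major_version <= 1) {              /* v1: name follows the data */
        if (pad_length(name_len) > (size_t)(end - buf)) return 0;
        buf += pad_length(name_len);
    }
    return (size_t)(buf - rep);
}

/* Constructed sample: v2 layout, 5-byte name, one offset, 8 data bytes.
 * With corrupt != 0, data_len holds garbage as in the backtrace. */
size_t walk_sample(int corrupt)
{
    unsigned char rep[8 + 8 + SIZEOF_PROP_OFFSET + 8] = {0};
    PropInfo pi = { 1u, corrupt ? 0xFFFFFFF0u : 8u };
    memcpy(rep + 8, &pi, sizeof pi);       /* PropInfo sits after padded name */
    return walk_list_info(rep, sizeof rep, 5, 2);   /* 44 or 0 */
}
```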