Several potential bugs of null pointer dereference in libx11-1.6.4

Bug #1940014 reported by yuxuan He
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libx11 (Ubuntu)
New
Undecided
Unassigned

Bug Description

Ubuntu version: 18.04
libx11-xcb-dev version:1.6.4
Hello,I found some potential bugs in package libx11,and the .docx file in the attachment I uploaded shows the occurrence process of the bug in a graphical way.Would you help me check whether the bugs mentioned below are true? I'm not 100% sure that the bugs I submitted is correct. I hope you don't mind seeing the wrong bug I submitted.Thank you very much for your patience.

In file libx11-1.6.4/src/Xrm.c,defination of function XrmGetStringDatebase,line 1559.
there is a statement call function NewDataBase(),load its return value to db,and this function may return a null pointer.in line 1560,there is a statement derefer db without check it.the process of this potential bug is shown in figure 1. There are several bugs caused by same reason such as in file Xrm.c,defination of function XrmPutStringResource,line 1532.In file Xrm.c ,defination of function XrmCombineFileDatabase,line 1702.In file Xrm.c,defiantion of function XrmGetFileDatabase,line 1678.In file Xrm.c,defination of function XrmPutLineResource,line 1547.In file Xrms.c,defination of function XrmGetStringDatabase,line 1559.

In file libx11-1.6.4/src/Xrm.c,defination of function append_value_list,line 489.
there is a statement call function Xmalloc to allocate memory,load its return value to value_list,but Xmalloc may fail to allocate memory,so value_list may be a null pointer.in line 490,there is a statement derefer value_list without check it.the process of this potential bug is shown in figure 2.

In file libx11-1.6.4/modules/im/ximcp/imLcIm.c,defination of function _XimWriteCachedDefaultTree,line 464.
there is a statement call function Xmalloc to allocate memory,load its return value to m,but Xmalloc may fail to allocate memory,so m may be a null pointer.statements after derefer m without check it.the process of this potential bug is shown in figure 3.

In file libx11-1.6.4/src/PolyReg.c,defination of function InsertEdgeInET,line 98.
there is a statement call function Xmalloc to allocate memory,load its return value to tmpSLLBlock,but Xmalloc may fail to allocate memory,so tmpSLLBlock may be a null pointer.in line 100,there is a statement derefer tmpSLLBlock without check it.the process of this potential bug is shown in figure 5.btw,there are several null pointer dereference caused by same reason,one of which is marked by green text in graph 4.

In file libx11-1.6.4/modules/im/ximcp/imCallbk.c,defination of function _XimStrConversionCallback,line 338.
there is a statement call function Xmalloc to allocate memory,load its return value to buf,but Xmalloc may fail to allocate memory,so buf may be a null pointer.in line 340,buf act as the first parameter of funcion _XimSetHeader(this function is in file libx11-1.6.2/modules/im/ximcp/imDefIm.c,line 78),in this function there are several statement derefer buf without check.the process of this potential bug is shown in figure 5.btw,some of lines after line 340 also will derefer buf without check.

In file libx11-1.6.4/modules/im/ximcp/imCallbk.c,defination of function _read_text_from_packet,line 528.
there is a statement call function Xmalloc to allocate memory,load its return value to text->feedback,but Xmalloc may fail to allocate memory,so text->feedback may be a null pointer.In line 531,there is a statement derefer text->feedback without check it.the process of this potential bug is shown in figure 6.

In file libx11-1.6.4/src/xcms/cmsColNm.c,defination of function _XcmsParseColorString,line 212.
there is a statement call function Xmalloc to allocate memory,load its return value to string_lowered ,but Xmalloc may fail to allocate memory,so string_lowered may be a null pointer.In line 219,there is a statement derefer string_lowered without check it.the process of this potential bug is shown in figure 7.

In file libx11-1.6.4/src/xcms/cmsColNm.c,defination of function _XcmsLookupColorName,line 421.
there is a statement call function Xmalloc to allocate memory,load its return value to name_lowered ,but Xmalloc may fail to allocate memory,so name_lowered may be a null pointer.In line 432,there is a statement derefer name_lowered without check it.the process of this potential bug is shown in figure 8.

In file libx11-1.6.4/src/xcms/IdOfPr.c,defination of function XcmsFormatOfPrefix,line 70.
there is a statement call function Xmalloc to allocate memory,load its return value to string_lowered ,but Xmalloc may fail to allocate memory,so string_lowered may be a null pointer.In line 82,there is a statement derefer string_lowered without check it.the process of this potential bug is shown in figure 9.

In file libx11-1.6.4/src/InitExt.c,defination of function XESetWireToError,line 332.
there is a statement call function Xmalloc to allocate memory,load its return value to dpy->error_vec ,but Xmalloc may fail to allocate memory,so dpy->error_vec may be a null pointer.In line 334,there is a statement derefer dpy->error_vec without check it.the process of this potential bug is shown in figure 110.

In file libx11-1.6.4\src\xlibi18n\XDefaultIMIF.c,defination of function _GetIMValues,line 268.
there is a statement call function Xmalloc to allocate memory,load its return value to styles->supported_styles,but Xmalloc may fail to allocate memory,so styles->supported_styles may be a null pointer.In line 270,there is a statement derefer styles->supported_styles without check it.the process of this potential bug is shown in figure 11.

In file libx11-1.6.4/src/xlibi18n/lcFile.c,defination of function _XlcResolveLocaleName,line 561.
there is a statement call function strdup,load its return value to pub->siname,but strdup may fail to allocate memory,so pub->siname may be a null pointer.In line 566,there is a statement derefer pub->siname without check it.the process of this potential bug is shown in figure 12.

In file libx11-1.6.4/src/Quarks.c,defination of function XrmQuarkToString,line 395.
if select true at this point.NULLSTRING will load to s and return it to caller.
In file libx11-1.6.4/src/Xrm.c,defination of DumpEntry,line 2039.the return value of XrmQuarkToString act as argument of fprintf,which can be null.the process of this potential bug is shown in figure 13.

In file libx11-1.6.4\modules\im\ximcp\imDefLkup.c,defination of function _XimICOfXICID,line 48.
null will returned to caller.
In same file ,defination of _XimSetEventMaskCallback,line 91.the return value of _XimICOfXICID loaded to ic.In line 92,ic act as the first parameter of _XimProcICSetEventMask.
In same file ,defination of _XimProcICSetEventMask.statements in line 70 an line 71 derefer ic without check it,so null pointer dereference may happen.
the process of this potential bug is shown in figure 14.

In file libx11-1.6.4\src\xlibi18n\XDefaultIMIF.c,defination of function _GetIMValues,line 265.
there is a statement call function Xmalloc to allocate memory,load its return value to styles,but Xmalloc may fail to allocate memory,so styles may be a null pointer.In line 267,there is a statement derefer styles without check it.the process of this potential bug is shown in figure 15.

There are several bugs in a same mode.I will list where these bugs in and show these bugs in figure 16---figure 22 in attachment.
    in libx11-1.6.4\modules\im\ximcp\imDefIc.c
    function : _XimProtoReset
    line:1118

    in libx11-1.6.4\modules\im\ximcp\imDefIc.c
    Function: _XimEncodingNegotiation
    Line:1760

    in libx11-1.6.4\modules\im\ximcp\imDefIc.c
    Function: _XimClose
    Line:953

    File: libx11-1.6.4\modules\im\ximcp\imDefLkup.c
    Function: _XimForwardEventCore
    Line 305

    File: libx11-1.6.4\modules\im\ximcp\imDefIm.c
    Function: _XimConnection
    Line:619

    File: libx11-1.6.4\modules\im\ximcp\imDefIm.c
    Function: _XimOpen
    Line:834

    File: libx11-1.6.4\modules\im\ximcp\imExten.c
    Function: _XimExtension
    Line:468

In file libx11-1.6.4\src\xlibi18n\lcFile.c,defination of _XlcFileName,line 546.
There is a statement load return value of _XlcFileName to name and this function may return null(_XlcFileName is in file libx11-1.6.4/modules/im/ximcp/imLcIm.c).as such,in line 604,there is a statement derefer name without check.the process of this potential bug is shown in figure 23.

Revision history for this message
yuxuan He (hyxl1017) wrote :
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.