Several potential bugs of null pointer dereference in libx11-1.6.4
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
libx11 (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
Ubuntu version: 18.04
libx11-xcb-dev version: 1.6.4
Hello, I found some potential bugs in package libx11, and the .docx file in the attachment I uploaded shows the occurrence process of the bug in a graphical way. Would you help me check whether the bugs mentioned below are true? I'm not 100% sure that the bugs I submitted are correct. I hope you don't mind seeing the wrong bug I submitted. Thank you very much for your patience.
In file libx11-
there is a statement that calls function NewDataBase() and loads its return value into db, and this function may return a null pointer. In line 1560, there is a statement that dereferences db without checking it. The process of this potential bug is shown in figure 1. There are several bugs caused by the same reason, such as in file Xrm.c, definition of function XrmPutStringRes
In file libx11-
there is a statement that calls function Xmalloc to allocate memory and loads its return value into value_list, but Xmalloc may fail to allocate memory, so value_list may be a null pointer. In line 490, there is a statement that dereferences value_list without checking it. The process of this potential bug is shown in figure 2.
In file libx11-
there is a statement that calls function Xmalloc to allocate memory and loads its return value into m, but Xmalloc may fail to allocate memory, so m may be a null pointer. The statements after it dereference m without checking it. The process of this potential bug is shown in figure 3.
In file libx11-
there is a statement that calls function Xmalloc to allocate memory and loads its return value into tmpSLLBlock, but Xmalloc may fail to allocate memory, so tmpSLLBlock may be a null pointer. In line 100, there is a statement that dereferences tmpSLLBlock without checking it. The process of this potential bug is shown in figure 5. Btw, there are several null pointer dereferences caused by the same reason, one of which is marked by green text in graph 4.
In file libx11-
there is a statement that calls function Xmalloc to allocate memory and loads its return value into buf, but Xmalloc may fail to allocate memory, so buf may be a null pointer. In line 340, buf acts as the first parameter of function _XimSetHeader (this function is in file libx11-
In file libx11-
there is a statement that calls function Xmalloc to allocate memory and loads its return value into text->feedback, but Xmalloc may fail to allocate memory, so text->feedback may be a null pointer. In line 531, there is a statement that dereferences text->feedback without checking it. The process of this potential bug is shown in figure 6.
In file libx11-
there is a statement that calls function Xmalloc to allocate memory and loads its return value into string_lowered, but Xmalloc may fail to allocate memory, so string_lowered may be a null pointer. In line 219, there is a statement that dereferences string_lowered without checking it. The process of this potential bug is shown in figure 7.
In file libx11-
there is a statement that calls function Xmalloc to allocate memory and loads its return value into name_lowered, but Xmalloc may fail to allocate memory, so name_lowered may be a null pointer. In line 432, there is a statement that dereferences name_lowered without checking it. The process of this potential bug is shown in figure 8.
In file libx11-
there is a statement that calls function Xmalloc to allocate memory and loads its return value into string_lowered, but Xmalloc may fail to allocate memory, so string_lowered may be a null pointer. In line 82, there is a statement that dereferences string_lowered without checking it. The process of this potential bug is shown in figure 9.
In file libx11-
there is a statement that calls function Xmalloc to allocate memory and loads its return value into dpy->error_vec, but Xmalloc may fail to allocate memory, so dpy->error_vec may be a null pointer. In line 334, there is a statement that dereferences dpy->error_vec without checking it. The process of this potential bug is shown in figure 110.
In file libx11-
there is a statement that calls function Xmalloc to allocate memory and loads its return value into styles-
In file libx11-
there is a statement that calls function strdup and loads its return value into pub->siname, but strdup may fail to allocate memory, so pub->siname may be a null pointer. In line 566, there is a statement that dereferences pub->siname without checking it. The process of this potential bug is shown in figure 12.
In file libx11-
If true is selected at this point, NULLSTRING will be loaded into s and returned to the caller.
In file libx11-
In file libx11-
null will be returned to the caller.
In the same file, definition of _XimSetEventMas
In the same file, definition of _XimProcICSetEv
The process of this potential bug is shown in figure 14.
In file libx11-
there is a statement that calls function Xmalloc to allocate memory and loads its return value into styles, but Xmalloc may fail to allocate memory, so styles may be a null pointer. In line 267, there is a statement that dereferences styles without checking it. The process of this potential bug is shown in figure 15.
There are several bugs in the same mode. I will list where these bugs are and show these bugs in figure 16 to figure 22 in the attachment.
File: libx11-
Function: _XimProtoReset
Line: 1118
File: libx11-
Function: _XimEncodingNeg
Line: 1760
File: libx11-
Function: _XimClose
Line: 953
File: libx11-
Function: _XimForwardEven
Line: 305
File: libx11-
Function: _XimConnection
Line: 619
File: libx11-
Function: _XimOpen
Line: 834
File: libx11-
Function: _XimExtension
Line: 468
In file libx11-
There is a statement that loads the return value of _XlcFileName into name, and this function may return null (_XlcFileName is in file libx11-
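
The pattern the report describes throughout (an Xmalloc or strdup result used without a null check) can be tested for with allocation fault injection. The following is an added example, not libX11 code and not part of the original report: `test_malloc`, `lower_copy`, `name_matches` and `sweep_failures` are hypothetical names, and the lower-casing helper only mirrors the `string_lowered` / `name_lowered` shape mentioned above.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for Xmalloc: call number fail_at (0-based) returns
 * NULL, so the out-of-memory path can be exercised deterministically. */
static int fail_at = -1, alloc_calls = 0;
static void *test_malloc(size_t n)
{
    return (alloc_calls++ == fail_at) ? NULL : malloc(n ? n : 1);
}

/* Checked "allocate, then fill a lower-cased copy": NULL on failure. */
static char *lower_copy(const char *s)
{
    size_t len = strlen(s);
    char *out = test_malloc(len + 1);
    if (out == NULL) return NULL;   /* check the report says is missing */
    for (size_t i = 0; i < len; i++)
        out[i] = (char)tolower((unsigned char)s[i]);
    out[len] = '\0';
    return out;
}

/* Caller propagates the failure: 0 = match, 1 = no match, -1 = no memory. */
static int name_matches(const char *candidate, const char *wanted_lower)
{
    char *low = lower_copy(candidate);
    if (low == NULL) return -1;
    int differs = strcmp(low, wanted_lower) != 0;
    free(low);
    return differs;
}

/* Fail each allocation in turn; count failures reported as -1 (-1 if one is swallowed). */
static int sweep_failures(void)
{
    int handled = 0;
    for (int i = 0; handled >= 0; i++) {
        fail_at = i; alloc_calls = 0;
        int r = name_matches("ISO8859-1", "iso8859-1"); /* constructed input */
        if (alloc_calls <= i) break;    /* allocation i was never reached */
        handled = (r == -1) ? handled + 1 : -1;
    }
    fail_at = -1;
    return handled;
}

int main(void) { printf("handled: %d\n", sweep_failures()); return 0; }
```

Removing the null check in `lower_copy` makes the sweep crash on the first injected failure, which is the behaviour the report attributes to the listed call sites.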