In trying to understand a heap corruption when I added XI2 RawMotion event
handling to our Xinput-based application, I came across the following routine
copyRawEvent() in libxi-1.3/src/XExtInt.c. My question is what is the purpose
of computing "len" if it is not used? Should it have been used as an argument
to malloc()?
copyRawEvent(XGenericEventCookie *cookie_in, XGenericEventCookie *cookie_out)
{
    XIRawEvent *in, *out;
    void *ptr;
    int len;
    int bits;

    in = cookie_in->data;

    bits = count_bits(in->valuators.mask, in->valuators.mask_len);
    len = sizeof(XIRawEvent) + in->valuators.mask_len;
    len += bits * sizeof(double) * 2;

    ptr = cookie_out->data = malloc(sizeof(XIRawEvent));
    if (!ptr)
        return False;
When I use valgrind, I get the following output as the culprit for the crash:
==4166== Invalid write of size 1
==4166== at 0x4C29F04: memcpy (mc_replace_strmem.c:497)
==4166== by 0x8F39180: ??? (in /usr/lib/libXi.so.6.1.0)
==4166== by 0x7433D48: _XCopyEventCookie (in /usr/lib/libX11.so.6.3.0)
==4166== by 0x7425166: XPeekEvent (in /usr/lib/libX11.so.6.3.0)
==4166== by 0x49C3E3: process_key (x11_be.c:1065)
==4166== by 0x49EA5C: event_key_release (x11_be.c:2201)
==4166== by 0x49DD6E: x11_be_process_events (x11_be.c:1892)
==4166== by 0x4A38F4: x11_be_main_loop (x11_be.c:4353)
==4166== by 0x4A39E1: x11_be_thread_main (x11_be.c:4385)
==4166== by 0x87549C9: start_thread (pthread_create.c:300)
==4166== by 0x8A516FC: clone (clone.S:112)
==4166== Address 0x168afe80 is 0 bytes after a block of size 96 alloc'd
==4166== at 0x4C284A8: malloc (vg_replace_malloc.c:236)
==4166== by 0x8F390BD: ??? (in /usr/lib/libXi.so.6.1.0)
==4166== by 0x7433D48: _XCopyEventCookie (in /usr/lib/libX11.so.6.3.0)
==4166== by 0x7425166: XPeekEvent (in /usr/lib/libX11.so.6.3.0)
==4166== by 0x49C3E3: process_key (x11_be.c:1065)
==4166== by 0x49EA5C: event_key_release (x11_be.c:2201)
==4166== by 0x49DD6E: x11_be_process_events (x11_be.c:1892)
==4166== by 0x4A38F4: x11_be_main_loop (x11_be.c:4353)
==4166== by 0x4A39E1: x11_be_thread_main (x11_be.c:4385)
==4166== by 0x87549C9: start_thread (pthread_create.c:300)
This fixes what I believe is a bug in libxi which causes my application to crash. I have reported it to FreeDesktop.org:
https://bugs.freedesktop.org/show_bug.cgi?id=36592
diff ../../libXi- 1.3-orig/ src/XExtInt. c src/XExtInt.c sizeof( XIRawEvent) );
1196c1196
< ptr = cookie_out->data = malloc(
---
> ptr = cookie_out->data = malloc(len);
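Review bot: the one-line change at 1196c1196 is the right fix, and the surrounding code already justifies the size: `len` sums sizeof(XIRawEvent), the mask_len mask bytes and two arrays of `bits` doubles, which is exactly what the three next_block() slices taken from `ptr` after the malloc consume, so `malloc(len)` makes the block match the slices while `malloc(sizeof(XIRawEvent))` only covers the first one. The valgrind report agrees with that reading: the 96-byte block is sizeof(XIRawEvent) on a 64-bit build, and the "Invalid write of size 1" is the memcpy of the mask landing 0 bytes past its end. For the submission itself, a unified diff (diff -u) against the libXi tree would be easier to apply than the plain `diff` output here. Not for this hunk, but worth a follow-up: next_block() hands out the values and raw_values arrays directly after mask_len bytes of mask, so those double pointers are only aligned when mask_len is a multiple of sizeof(double).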
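A self-contained C model of the sizing rule and the next_block() slicing discussed above, added here as an illustration and not code from libXi or from the original post: the two structs, count_bits(), pad8(), the bounds-checked next_block() and sample_event() are stand-ins, and the mask slice is padded to 8 bytes so the double arrays stay aligned, which the libXi routine as quoted does not do.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-ins for the libXi types; only the fields copyRawEvent() touches. */
typedef struct { int mask_len; unsigned char *mask; double *values; } ValuatorState;
typedef struct { int deviceid; ValuatorState valuators; double *raw_values; } RawEvent;
static int count_bits(const unsigned char *mask, int len) {
    int bits = 0;
    for (int i = 0; i < len; i++) for (unsigned char b = mask[i]; b; b >>= 1) bits += b & 1;
    return bits;
}
/* Added here: round the mask slice up so the double arrays carved after it stay aligned. */
static size_t pad8(size_t n) { return (n + 7) & ~(size_t)7; }
/* The page's sizing rule: struct + mask bytes + two double arrays (values, raw_values). */
size_t raw_event_copy_len(const RawEvent *in) {
    size_t bits = (size_t)count_bits(in->valuators.mask, in->valuators.mask_len);
    return sizeof(RawEvent) + pad8((size_t)in->valuators.mask_len) + bits * 2 * sizeof(double);
}
/* How far malloc(sizeof(XIRawEvent)) falls short for this event: the bytes valgrind flags. */
size_t raw_event_copy_shortfall(const RawEvent *in) { return raw_event_copy_len(in) - sizeof(RawEvent); }
/* Bump allocator over one block, like next_block() in XExtInt.c but bounds-checked. */
static void *next_block(char **cur, const char *end, size_t size) {
    if ((size_t)(end - *cur) < size) return NULL;
    void *p = *cur; *cur += size; return p;
}
/* Deep copy into one malloc(len) block; NULL if allocation fails or any slice overruns len. */
RawEvent *copy_raw_event(const RawEvent *in) {
    size_t len = raw_event_copy_len(in);
    size_t nbytes = (size_t)count_bits(in->valuators.mask, in->valuators.mask_len) * sizeof(double);
    char *buf = malloc(len), *cur = buf, *end = buf + len;
    if (!buf) return NULL;
    RawEvent *out = next_block(&cur, end, sizeof(RawEvent));  /* always fits: len >= sizeof */
    *out = *in;
    out->valuators.mask = next_block(&cur, end, pad8((size_t)in->valuators.mask_len));
    out->valuators.values = next_block(&cur, end, nbytes);
    out->raw_values = next_block(&cur, end, nbytes);
    if (!out->valuators.mask || !out->valuators.values || !out->raw_values) { free(buf); return NULL; }
    memcpy(out->valuators.mask, in->valuators.mask, (size_t)in->valuators.mask_len);
    memcpy(out->valuators.values, in->valuators.values, nbytes);
    memcpy(out->raw_values, in->raw_values, nbytes);
    return out;
}

/* Constructed sample: 8-byte mask with valuators 0 and 3 set, so bits == 2. */
const RawEvent *sample_event(void) {
    static unsigned char mask[8] = { 0x09 };
    static double values[2] = { 1.5, 2.5 }, raw[2] = { 0.25, 0.5 };
    static RawEvent ev = { 7, { 8, mask, values }, raw };
    return &ev;
}
```

For the sample event the shortfall is 40 bytes: that is how much of the mask and the two value arrays the original `malloc(sizeof(XIRawEvent))` leaves with no room, and it grows with every valuator bit set in the mask.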
In trying to understand a heap corruption when I added XI2 RawMotion event
handling to our Xinput-based application, I came across the following routine
copyRawEvent() in libxi-1.3/src/XExtInt.c. My question is what is the purpose
of computing "len" if it is not used? Should it have been used as an argument
to malloc()?

copyRawEvent(XGenericEventCookie *cookie_in,
             XGenericEventCookie *cookie_out)
{
    XIRawEvent *in, *out;
    void *ptr;
    int len;
    int bits;

    in = cookie_in->data;

    bits = count_bits(in->valuators.mask, in->valuators.mask_len);
    len = sizeof(XIRawEvent) + in->valuators.mask_len;
    len += bits * sizeof(double) * 2;

    ptr = cookie_out->data = malloc(sizeof(XIRawEvent));
    if (!ptr)
        return False;

    out = next_block(&ptr, sizeof(XIRawEvent));
    *out = *in;
    out->valuators.mask = next_block(&ptr, out->valuators.mask_len);
    memcpy(out->valuators.mask, in->valuators.mask, out->valuators.mask_len);

    out->valuators.values = next_block(&ptr, bits * sizeof(double));
    memcpy(out->valuators.values, in->valuators.values, bits * sizeof(double));

    out->raw_values = next_block(&ptr, bits * sizeof(double));
    memcpy(out->raw_values, in->raw_values, bits * sizeof(double));

    return True;
}
Thanks in advance,
Roger R. Cruz