> Date: Sun, 4 Aug 2019 16:25:03 +0200
> From: Klemens Nanni <[email protected]>
> 
> On Sun, Aug 04, 2019 at 12:40:50PM +0200, Matthieu Herrb wrote:
> > Did you try with the updates to libX11 and libXft that I sent to tech@
> > a few weeks ago ? There is one change in libXft which may be relevant.
> No, missed them.  Just fetched your updates from current CVS, rebuilt
> libX11 and libXft, but with no avail.
> 
> Same reproducer, same bug.  New backtrace below and full one attached
> (for real this time, sorry).

0xdfdfdfdfdfdfdfdf is the tell-tale sign of a use-after-free.

The Display is just passed on by the various libXft functions, as part
of the XftDraw instance.  So my bet is on this being a bug in cwm.
Indeed, if you look at menu_filter() you'll see there is a:

        if (XGrabPointer(X_Dpy, mc.win, False, MENUGRABMASK,
            GrabModeAsync, GrabModeAsync, None, Conf.cursor[CF_QUESTION],
            CurrentTime) != GrabSuccess) {
                XftDrawDestroy(mc.xftdraw);
                XDestroyWindow(X_Dpy, mc.win);
        }

block near the start.  If you hit that, the XftDraw instance gets
freed.  But then it may be used later in the menu_draw() call.

Cheers,

Mark


> [New process 238882]
> Core was generated by `cwm'.
> Program terminated with signal SIGBUS, Bus error.
> #0  0x00000261a2f9101d in XAddExtension (dpy=0xdfdfdfdfdfdfdfdf) at 
> /usr/xenocara/lib/libX11/src/InitExt.c:73
> 73        LockDisplay (dpy);
> #0  0x00000261a2f9101d in XAddExtension (dpy=0xdfdfdfdfdfdfdfdf) at 
> /usr/xenocara/lib/libX11/src/InitExt.c:73
> #1  0x0000026265e448f9 in _XftDisplayInfoGet () from 
> /usr/X11R6/lib/libXft.so.11.0
> #2  0x0000026265e46a49 in XftDrawSrcPicture () from 
> /usr/X11R6/lib/libXft.so.11.0
> #3  0x0000026265e470cb in XftDrawGlyphs () from /usr/X11R6/lib/libXft.so.11.0
> #4  0x0000026265e479dc in XftDrawStringUtf8 () from 
> /usr/X11R6/lib/libXft.so.11.0
> #5  0x0000025f92282fdd in menu_draw (mc=0x7f7ffffdd570, menuq=0x7f7ffffdd948, 
> resultq=0x7f7ffffdd560) at /x/app/cwm/menu.c:399
> #6  0x0000025f9228212f in menu_filter (sc=0x26197db1000, 
> menuq=0x7f7ffffdd948, prompt=0x25f9227849f "window", initial=0x0, flags=0, 
> match=0x25f92283f00 <search_match_client>, print=0x25f92284b20 
> <search_print_client>) at /x/app/cwm/menu.c:153
> #7  0x0000025f9228ca16 in kbfunc_menu_client (ctx=0x26197db1000, 
> cargs=0x261ab1b6280) at /x/app/cwm/kbfunc.c:484
> #8  0x0000025f92288ffa in xev_handle_keypress (ee=0x7f7ffffdda28) at 
> /x/app/cwm/xevents.c:336
> #9  0x0000025f9228a19d in xev_process () at /x/app/cwm/xevents.c:491
> #10 0x0000025f9227c63f in main (argc=0, argv=0x7f7ffffddbd0) at 
> /x/app/cwm/calmwm.c:114
> 

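A reduced model of the lifetime bug Mark describes, added here as an example; it is not part of the original thread and not cwm's or libXft's code. The stand-in types `xft_draw`, `menu_ctx`, the `magic` field used to detect a stale object, and the early return in `menu_filter_fixed` are all assumptions of this example. The only real-world detail reused is that OpenBSD's malloc fills freed memory with 0xdf, which is why the dangling `Display *` shows up as 0xdfdfdfdfdfdfdfdf in the backtrace.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for XftDraw and cwm's menu context (not the real types). */
#define ALIVE_MAGIC 0x58667444u  /* arbitrary "this object is live" marker */
#define JUNK_BYTE   0xdf         /* OpenBSD malloc junks freed memory with 0xdf */

enum menu_status { MENU_OK = 0, MENU_GRAB_FAILED = 1, MENU_STALE_DRAW = 2 };

struct xft_draw {
    uint32_t  magic;
    uintptr_t display;           /* stands in for the Display * the real XftDraw carries */
};

struct menu_ctx {
    struct xft_draw *xftdraw;
};

/* Mimics XftDrawDestroy. The memory is junked the way OpenBSD's malloc does
 * instead of being returned, so the demo stays deterministic and UB-free. */
static void xft_draw_destroy(struct xft_draw *d)
{
    memset(d, JUNK_BYTE, sizeof *d);
}

/* Stands in for menu_draw(): the real function has no magic check and simply
 * dereferences the junked Display pointer, which is the SIGBUS in the backtrace. */
static enum menu_status menu_draw(struct menu_ctx *mc)
{
    if (mc->xftdraw == NULL || mc->xftdraw->magic != ALIVE_MAGIC)
        return MENU_STALE_DRAW;
    return MENU_OK;
}

/* The pattern from menu_filter(): destroy on grab failure, but no early return,
 * so the freed XftDraw is still reached by the draw call below. */
static enum menu_status menu_filter_buggy(struct menu_ctx *mc, int grab_ok)
{
    if (!grab_ok) {
        xft_draw_destroy(mc->xftdraw);
        /* falls through: mc->xftdraw now dangles */
    }
    return menu_draw(mc);
}

/* Assumed repair: bail out after cleanup and never leave a dangling pointer. */
static enum menu_status menu_filter_fixed(struct menu_ctx *mc, int grab_ok)
{
    if (!grab_ok) {
        xft_draw_destroy(mc->xftdraw);
        mc->xftdraw = NULL;
        return MENU_GRAB_FAILED;
    }
    return menu_draw(mc);
}

/* Runs one scenario on a fresh object and returns menu_filter's status. */
static enum menu_status run_scenario(int use_fixed, int grab_ok)
{
    struct xft_draw *d = malloc(sizeof *d);
    struct menu_ctx mc;
    enum menu_status rc;

    d->magic   = ALIVE_MAGIC;
    d->display = 0x1000;         /* constructed dummy Display * value */
    mc.xftdraw = d;
    rc = use_fixed ? menu_filter_fixed(&mc, grab_ok)
                   : menu_filter_buggy(&mc, grab_ok);
    free(d);
    return rc;
}

/* Returns 1 if a destroyed object's Display pointer is all-0xdf bytes,
 * i.e. the 0xdfdfdfdfdfdfdfdf value seen in the crash. */
static int junked_display_matches_backtrace(void)
{
    struct xft_draw d = { ALIVE_MAGIC, 0x1000 };
    unsigned char *p = (unsigned char *)&d.display;
    size_t i;

    xft_draw_destroy(&d);
    for (i = 0; i < sizeof d.display; i++)
        if (p[i] != JUNK_BYTE)
            return 0;
    return 1;
}

int main(void)
{
    printf("buggy, grab fails : status %d\n", run_scenario(0, 0));
    printf("fixed, grab fails : status %d\n", run_scenario(1, 0));
    printf("display junked    : %d\n", junked_display_matches_backtrace());
    return 0;
}
```

The grab-failure path is the only one that differs: the buggy variant reaches the draw with a junked object (status 2), while the fixed variant reports the failed grab and stops (status 1). On OpenBSD the same effect can be observed without a magic check by letting malloc's junking (the default) turn the dangling pointer into the 0xdf pattern, which is exactly what the backtrace shows.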