On Sun 2019.08.04 at 17:05 +0200, Mark Kettenis wrote:
> > Date: Sun, 4 Aug 2019 16:25:03 +0200
> > From: Klemens Nanni <[email protected]>
> >
> > On Sun, Aug 04, 2019 at 12:40:50PM +0200, Matthieu Herrb wrote:
> > > Did you try with the updates to libX11 and libXft that I sent to tech@
> > > a few weeks ago? There is one change in libXft which may be relevant.
> > No, missed them. Just fetched your updates from current CVS, rebuilt
> > libX11 and libXft, but to no avail.
> >
> > Same reproducer, same bug. New backtrace below and full one attached
> > (for real this time, sorry).
>
> 0xdfdfdfdfdfdfdfdf is the tell-tale sign of a use-after-free.
>
> The Display is just passed on by the various libXft functions, as part
> of the XftDraw instance. So my bet is on this being a bug in cwm.
> Indeed, if you look at menu_filter() you'll see there is a:
>
>     if (XGrabPointer(X_Dpy, mc.win, False, MENUGRABMASK,
>         GrabModeAsync, GrabModeAsync, None, Conf.cursor[CF_QUESTION],
>         CurrentTime) != GrabSuccess) {
>             XftDrawDestroy(mc.xftdraw);
>             XDestroyWindow(X_Dpy, mc.win);
>     }
>
> block near the start. If you hit that, the XftDraw instance gets
> freed. But then it may be used later in the menu_draw() call.
>
> Cheers,
>
> Mark

Thanks! It seems I lost the return when shuffling last. Never hit this
case because I've yet to run into an app that grabs basically
everything...until you pointed me to this game :)

Can you give this a shot, kn?

Index: menu.c
===================================================================
RCS file: /home/open/cvs/xenocara/app/cwm/menu.c,v
retrieving revision 1.107
diff -u -p -r1.107 menu.c
--- menu.c 4 Mar 2019 19:28:18 -0000 1.107
+++ menu.c 5 Aug 2019 20:58:08 -0000
@@ -129,6 +129,7 @@ menu_filter(struct screen_ctx *sc, struc
CurrentTime) != GrabSuccess) {
XftDrawDestroy(mc.xftdraw);
XDestroyWindow(X_Dpy, mc.win);
+ return(NULL);
}
XGetInputFocus(X_Dpy, &focuswin, &focusrevert);
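
Review bot: the added return(NULL) in the XGrabPointer failure branch gives menu_filter() an exit that hands NULL back to its caller, so confirm that every caller checks the result before dereferencing it. Since the message says the return was lost during an earlier reshuffle, a one-line comment on the branch (that mc.xftdraw and mc.win are already destroyed at this point and nothing below may touch them) would help keep it from being dropped again.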
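
Added example, not part of the original mail or of cwm's source: a small C model of the bug described above, where an error branch destroys an object and then falls through to code that still uses it. The types, menu_filter_demo() and looks_junked() are hypothetical stand-ins; "freeing" is emulated by filling the object with 0xdf bytes while keeping it allocated, which is how a junk-filling allocator produces a pointer value like 0xdfdfdfdfdfdfdfdf.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for XftDraw and cwm's menu context. */
struct draw { void *dpy; };
struct menu_ctx { struct draw *xftdraw; };
static int display;	/* constructed stand-in for the X Display */

/* "Free" by junk-filling with 0xdf; the memory stays allocated so the
 * stale read below is well defined in this demo. */
static void draw_destroy(struct draw *d) { memset(d, 0xdf, sizeof(*d)); }

/* Stands in for menu_draw(): fetch the Display pointer from the draw. */
static uintptr_t draw_dpy(const struct draw *d) { return (uintptr_t)d->dpy; }

/* Returns the pointer bits the draw step saw, or 0 if it was never reached. */
static uintptr_t menu_filter_demo(int grab_ok, int with_return)
{
	struct menu_ctx mc;
	uintptr_t seen;

	if ((mc.xftdraw = malloc(sizeof(*mc.xftdraw))) == NULL)
		return 0;
	mc.xftdraw->dpy = &display;
	if (!grab_ok) {
		draw_destroy(mc.xftdraw);
		if (with_return) {	/* the fix: leave before any further use */
			free(mc.xftdraw);
			return 0;
		}
	}
	seen = draw_dpy(mc.xftdraw);	/* dangling when the return is missing */
	free(mc.xftdraw);
	return seen;
}

/* True when every byte of the value is the 0xdf junk pattern. */
static int looks_junked(uintptr_t p)
{
	unsigned char b[sizeof(p)];
	memcpy(b, &p, sizeof(p));
	for (size_t i = 0; i < sizeof(p); i++)
		if (b[i] != 0xdf) return 0;
	return 1;
}

int main(void) { printf("junked: %d\n", looks_junked(menu_filter_demo(0, 0))); return 0; }
```
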