Package: lesstif2
Version: 1:0.94.4-2
Severity: important
Tags: patch
*** Please type your report below this line ***
Sorry for my English!
Bug reproduction with the "plan" application and a malloc debugger:
- edit a day; select a text case, then another and then another => SEGV
Explanation:
In lesstif2-0.94.4/lib/Xm-2.1/XmIm.c, there is a chained list of
XmICStuff objects that point to XIM objects. Many XmICStuff objects can
point to the same XIM. So the first allocated XmICStuff object stores a
counter of XIM references and the others have a link (in the "orig_xim"
attribute) to this XmICStuff object.
When an XmICStuff object must be closed, the function XmImCloseXIM()
checks the XIM counter (possibly on the original XmICStuff by
following orig_xim) to know whether it can free the XIM object. However,
it always unlinks and frees the XmICStuff object.
If another XmICStuff had an "orig_xim" pointing to the freed XmICStuff
then, when it is closed, it will try to access the freed XmICStuff
through its "orig_xim" attribute and cause a SEGV.
It seems to me that the XIM counter should be in the XIM object.
Nevertheless, I made a patch (cf. attachment) that works around the
problem.
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (900, 'testing'), (50, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17.3
Locale: LANG=C, LC_CTYPE=fr_FR.iso8859-1 (charmap=ISO-8859-1)
Versions of packages lesstif2 depends on:
ii libc6 2.3.6.ds1-13 GNU C Library: Shared libraries
ii libice6 1:1.0.1-2 X11 Inter-Client Exchange library
ii libsm6 1:1.0.1-3 X11 Session Management library
ii libx11-6 2:1.0.3-6 X11 client-side library
ii libxext6 1:1.0.1-2 X11 miscellaneous extension librar
ii libxp6 1:1.0.0.xsf1-1 X Printing Extension (Xprint) clie
ii libxt6 1:1.0.2-2 X11 toolkit intrinsics library
lesstif2 recommends no packages.
-- no debconf information
Sincerely,
--
Julien
<< You have nothing to say... Let's talk about it! >>
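As an added illustration that is not part of the report or of LesSTIF, the alternative the reporter suggests (keeping the reference count on the shared XIM object rather than on a "first" XmICStuff) modelled in C; all names (SharedIM, ICStuff, ic_open, ic_close) are hypothetical stand-ins for the XmIm.c objects.

```c
#include <stdlib.h>
/* Hypothetical model (not lesstif code) of the design the report suggests:
 * the reference count lives on the shared IM itself, so an ICStuff never
 * points at a sibling ICStuff that may already have been freed. */
typedef struct SharedIM { int refcount; } SharedIM;
typedef struct ICStuff {
    SharedIM *im;              /* the shared IM, never a sibling ICStuff */
    struct ICStuff *next;
} ICStuff;

static ICStuff *ic_list = NULL;   /* chained list of open contexts, as in XmIm.c */
static int ims_closed = 0;        /* stand-in for the number of XCloseIM() calls */

SharedIM *im_open(void) { return calloc(1, sizeof(SharedIM)); }

/* Open a context on im: the count is bumped on the IM, not on a "first" ICStuff. */
ICStuff *ic_open(SharedIM *im) {
    ICStuff *ic = calloc(1, sizeof(ICStuff));
    ic->im = im;
    im->refcount++;
    ic->next = ic_list;
    ic_list = ic;
    return ic;
}

/* Close one context: unlink and free it unconditionally (safe, nothing else
 * references it), then close the IM only when the last reference goes away.
 * Returns the IM's remaining reference count. */
int ic_close(ICStuff *ic) {
    ICStuff **pp = &ic_list;
    while (*pp && *pp != ic)
        pp = &(*pp)->next;
    if (*pp)
        *pp = ic->next;
    SharedIM *im = ic->im;
    free(ic);
    if (--im->refcount == 0) {
        ims_closed++;              /* XCloseIM(im) would be called here */
        free(im);
        return 0;
    }
    return im->refcount;
}
int ims_closed_count(void) { return ims_closed; }
int ic_list_length(void) {
    int n = 0;
    for (ICStuff *p = ic_list; p; p = p->next) n++;
    return n;
}
```

Closing the first-opened context before the others, the order that crashed "plan", is harmless here because no context depends on a sibling being alive.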
diff -ru lesstif2-0.94.4-old/lib/Xm-2.1/XmIm.c lesstif2-0.94.4/lib/Xm-2.1/XmIm.c
--- lesstif2-0.94.4-old/lib/Xm-2.1/XmIm.c 2004-10-20 21:32:11.000000000 +0200
+++ lesstif2-0.94.4/lib/Xm-2.1/XmIm.c 2007-03-28 14:39:27.000000000 +0200
@@ -133,7 +133,10 @@
p->next = q->next;
}
- XtFree((char *)stuff);
+ /* if count!=0 then someone uses the stuff as orig_xim
+ so unlink it but not free it */
+ if (!stuff->count)
+ XtFree((char *)stuff);
}
/*
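Review bot: the `if (!stuff->count)` guard keeps an XmICStuff alive after it has been unlinked from the list, but nothing in this hunk records that the object is now reachable only through other contexts' `orig_xim`; if the later `XtFree(stuff->orig_xim)` path is never reached (a referencing context that is not closed through XmImCloseXIM), the object is leaked instead of freed. Add a comment here stating who is expected to free it, and use the file's `* ` continuation style for the two-line comment.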
@@ -1060,6 +1063,8 @@
XCloseIM(stuff->xim);
DEBUGOUT(_LtDebug(__FILE__, w, "XCloseIM(%p)\n", stuff->xim));
stuff->orig_xim->xim = NULL;
+ /* stuff->orig_xim is now useless */
+ XtFree(stuff->orig_xim);
} else {
DEBUGOUT(_LtDebug(__FILE__, w, "XmImCloseXIM(%p), count -> %d\n",
stuff->xim, stuff->orig_xim->count));
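Review bot: `XtFree(stuff->orig_xim)` should cast to `(char *)` as the existing `XtFree((char *)stuff)` call does, since XtFree takes a `char *`. More importantly, confirm that `stuff->orig_xim` can never be `stuff` itself (the original context closing last): in that case this frees the object that the unlink path then touches, and frees it a second time unless its `count` is non-zero. If aliasing is possible, guard with `if (stuff->orig_xim != stuff)`; the `else` branch, which only reports the updated count, needs no free.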