Christian Neukirchen <[email protected]> writes:
> I found this key sequence to crash cwm on Linux in CVS HEAD:
>
> Minimal .cwmrc:
> bind C-i grouponly2
> bind CS-i movetogroup2
>
> Run cwm, open a window (say xterm), press C-i, press CS-i, press C-i.
> cwm crashes on Linux with this backtrace:
> #4 0x0000000000408a72 in group_show (sc=0x625d80, gc=0x625f38) at group.c:135
> I have not been able to reproduce this on OpenBSD, so it's not clear to
> me where the error actually is.
Analyzing group_show, I found out:
    winlist = (Window *) xcalloc(sizeof(*winlist), (gc->highstack + 1));
    ...
    TAILQ_FOREACH(cc, &gc->clients, group_entry) {
        /* index goes negative when cc->stackingorder > gc->highstack */
        winlist[gc->highstack - cc->stackingorder] = cc->win;
        client_unhide(cc);
    }
For some reason cc->stackingorder is bigger than gc->highstack (which is
0 in above use case), thus the assignment writes to a negative address
relative to winlist. I can reproduce that on OpenBSD 4.8/cwm HEAD as
well, it just doesn't crash there because the heap corruption goes
undetected.
I hope this helps debugging; I don't fully understand the code yet.
--
Christian Neukirchen <[email protected]> http://chneukirchen.org
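The index computation discussed in the report, as an added example that is not cwm's code: the winlist is built the same way, but the index is checked against the allocation before the store, so a stale stackingorder larger than highstack is reported instead of corrupting the heap. The struct definitions and the client array (in place of cwm's TAILQ) are constructed stand-ins.

```c
#include <stdlib.h>

/* Constructed stand-ins for the cwm structures involved (not cwm's own
 * definitions): a client carries its stacking order inside the group,
 * the group records the highest stacking order it expects. */
typedef unsigned long Window;

struct client_ctx {
	Window win;
	int stackingorder;
};

struct group_ctx {
	int highstack;
	struct client_ctx *clients;	/* array instead of cwm's TAILQ */
	int nclients;
};

/* Mirrors the winlist construction in group_show(), but validates the
 * index before storing. Returns the number of windows placed and sets
 * *out to a calloc'd array of highstack + 1 entries (caller frees), or
 * returns -1 with *out = NULL if any client's stackingorder falls
 * outside [0, highstack]; the unchecked original would then write
 * before or past the allocation. */
int group_build_winlist(const struct group_ctx *gc, Window **out)
{
	Window *winlist;
	int i;

	*out = NULL;
	if (gc->highstack < 0)
		return -1;
	winlist = calloc((size_t)gc->highstack + 1, sizeof(*winlist));
	if (winlist == NULL)
		return -1;
	for (i = 0; i < gc->nclients; i++) {
		int idx = gc->highstack - gc->clients[i].stackingorder;
		if (idx < 0 || idx > gc->highstack) {
			free(winlist);
			return -1;	/* inconsistent stacking state */
		}
		winlist[idx] = gc->clients[i].win;
	}
	*out = winlist;
	return gc->nclients;
}
```

With the reported state (highstack 0, a client still at stackingorder 2) the function returns -1 instead of writing two slots before the buffer.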