Bug#449255: Synergy server crashes due to internal malloc memory corruption

2008-01-16 Thread Javier Ortega Conde (Malkavian)
Same here, with Debian lenny/sid as server and Windows XP as client on a 
laptop.



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#449255: Synergy server crashes due to internal malloc memory corruption

2008-01-11 Thread Jorge Salamero Sanz

I can confirm this bug, which makes synergy completely unusable.






Bug#449255: Synergy server crashes due to internal malloc memory corruption

2007-11-04 Thread Jan Vidar Krey
Package: synergy
Version: 1.3.1-2
Severity: serious

--- Please enter the report below this line. ---

I am connecting my imac (ubuntu/powerPC) synergy client to my amd64
(sid/amd64) box using synergy server.

It seems like synergys is corrupting some malloc data, which causes it to
abort. I get this abort every time I leave my primary screen with my mouse,
which renders everything pretty much useless.
Here are the relevant excerpts from the debug log on the server (-f -d
DEBUG):

NOTE: CServer.cpp,277: client imac has connected
INFO: CServer.cpp,446: switch from amd64 to imac at 0,501
INFO: CScreen.cpp,116: leaving screen
*** glibc detected *** synergys: free(): invalid next size (fast):
0x00615c80 ***

I downloaded the source package, and rebuilt it with debug symbols enabled,
and got this backtrace:

#0 0x2b21235d26a5 in raise () from /lib/libc.so.6
#1 0x2b21235d4100 in abort () from /lib/libc.so.6
#2 0x2b212360b54b in ?? () from /lib/libc.so.6
#3 0x2b2123612a4a in ?? () from /lib/libc.so.6
#4 0x2b212361663c in free () from /lib/libc.so.6
#5 0x0044d8d8 in std::_Rb_tree<unsigned int, std::pair<unsigned int
const, CKeyMap::KeyItem>, std::_Select1st<std::pair<unsigned int const,
CKeyMap::KeyItem> >, std::less<unsigned int>,
std::allocator<std::pair<unsigned int const, CKeyMap::KeyItem> > >::_M_erase
(this=0x6c9798, __x=0x712ee0) at /usr/include/c++/4.2/ext/new_allocator.h:97
#6 0x00452206 in CKeyState::updateKeyState (this=0x6c96b0) at
/usr/include/c++/4.2/bits/stl_tree.h:711
#7 0x00453db6 in CPlatformScreen::updateKeyState (this=0x6a6f70) at
CPlatformScreen.cpp:36
#8 0x00456298 in CScreen::leave (this=0x6a6f00) at CScreen.cpp:122
#9 0x0042695d in CPrimaryClient::leave (this=<value optimized out>)
at CPrimaryClient.cpp:149
#10 0x004299ec in CServer::switchScreen (this=0x6d8b10,
dst=0x71e180, x=0, y=331, forScreensaver=false) at CServer.cpp:464
#11 0x0042bea6 in CServer::onMouseMovePrimary (this=0x6d8b10, x=0,
y=331) at CServer.cpp:1654
#12 0x00460bf7 in CEventQueue::dispatchEvent (this=0x7fff88b1dea0,
[EMAIL PROTECTED]) at CEventQueue.cpp:190
#13 0x00409693 in mainLoop () at synergys.cpp:685
#14 0x00409a27 in standardStartup (argc=-2001608384, argv=<value
optimized out>) at synergys.cpp:735
#15 0x0040a2ef in main (argc=4, argv=0x7fff88b1e478) at synergys.cpp
:762

Running synergys in valgrind causes it not to crash, since malloc is bypassed
with valgrind's own malloc and friends, but I get a fairly verbose output
when leaving the screen with my mouse:

INFO: CServer.cpp,446: switch from imac to amd64 at 0,364
INFO: CScreen.cpp,116: leaving screen
==17883==
==17883== Syscall param write(buf) points to uninitialised byte(s)
==17883== at 0x5F0BE7B: (within /lib/libpthread-2.6.1.so)
==17883== by 0x55A4D7E: (within /usr/lib/libX11.so.6.2.0)
==17883== by 0x55A9A5E: (within /usr/lib/libX11.so.6.2.0)
==17883== by 0x55A9B50: _XReply (in /usr/lib/libX11.so.6.2.0)
==17883== by 0x558CBB6: XGrabKeyboard (in /usr/lib/libX11.so.6.2.0)
==17883== by 0x4347D7: CXWindowsScreen::grabMouseAndKeyboard() (
CXWindowsScreen.cpp:1822)
==17883== by 0x436144: CXWindowsScreen::leave() (CXWindowsScreen.cpp:280)
==17883== by 0x456261: CScreen::leave() (CScreen.cpp:118)
==17883== by 0x42695C: CPrimaryClient::leave() (CPrimaryClient.cpp:149)
==17883== by 0x4299EB: CServer::switchScreen(CBaseClientProxy*, int, int,
bool) (CServer.cpp:464)
==17883== by 0x42BEA5: CServer::onMouseMovePrimary(int, int) (CServer.cpp
:1654)
==17883== by 0x460BF6: CEventQueue::dispatchEvent(CEvent const) (
CEventQueue.cpp:190)
==17883== Address 0x6887B9E is 38 bytes inside a block of size 16,384
alloc'd
==17883== at 0x4C20F3F: calloc (vg_replace_malloc.c:279)
==17883== by 0x5595A24: XOpenDisplay (in /usr/lib/libX11.so.6.2.0)
==17883== by 0x4364BF: CXWindowsScreen::openDisplay(char const*) (
CXWindowsScreen.cpp:841)
==17883== by 0x438039: CXWindowsScreen::CXWindowsScreen(char const*, bool) (
CXWindowsScreen.cpp:103)
==17883== by 0x408792: initServer() (synergys.cpp:126)
==17883== by 0x408E52: startServer() (synergys.cpp:481)
==17883== by 0x4095B2: mainLoop() (synergys.cpp:662)
==17883== by 0x409A26: standardStartup(int, char**) (synergys.cpp:735)
==17883== by 0x40A2EE: main (synergys.cpp:762)
==17883==
==17883== Invalid write of size 1
==17883== at 0x436C0C: CXWindowsScreen::updateButtons() (CXWindowsScreen.cpp
:1802)
==17883== by 0x456297: CScreen::leave() (CScreen.cpp:122)
==17883== by 0x42695C: CPrimaryClient::leave() (CPrimaryClient.cpp:149)
==17883== by 0x4299EB: CServer::switchScreen(CBaseClientProxy*, int, int,
bool) (CServer.cpp:464)
==17883== by 0x42BEA5: CServer::onMouseMovePrimary(int, int) (CServer.cpp
:1654)
==17883== by 0x460BF6: CEventQueue::dispatchEvent(CEvent const) (
CEventQueue.cpp:190)
==17883== by 0x409692: mainLoop() (synergys.cpp:685)
==17883== by 0x409A26: standardStartup(int, char**) (synergys.cpp:735)
==17883== by 0x40A2EE: main
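
The two traces in the report point at different places: the gdb backtrace shows where glibc noticed the damage (a `free()` under `CKeyState::updateKeyState`), while valgrind reports an invalid write in `CXWindowsScreen::updateButtons()`. As an added example (not part of the original thread or of the synergy code base), this Python sketch parses a valgrind excerpt, rejoins mail-wrapped lines, and returns the first source-level frame of each error that can damage heap metadata; the function names and the shortened sample are constructed for illustration.

```python
import re

FRAME = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (.*)$")
SRC = re.compile(r"^(.*?)\s*\(\s*([\w.+-]+)\s*:(\d+)\)$")  # "func() (file.cpp:123)"
CORRUPTING = ("Invalid write", "Invalid free", "Mismatched free")

# Constructed sample: shortened copy of the report's valgrind output, mail wrapping kept.
SAMPLE = """\
==17883== Syscall param write(buf) points to uninitialised byte(s)
==17883== at 0x5F0BE7B: (within /lib/libpthread-2.6.1.so)
==17883== by 0x558CBB6: XGrabKeyboard (in /usr/lib/libX11.so.6.2.0)
==17883== by 0x4347D7: CXWindowsScreen::grabMouseAndKeyboard() (
CXWindowsScreen.cpp:1822)
==17883==
==17883== Invalid write of size 1
==17883== at 0x436C0C: CXWindowsScreen::updateButtons() (CXWindowsScreen.cpp
:1802)
==17883== by 0x456297: CScreen::leave() (CScreen.cpp:122)
"""

def unwrap(text):
    """Rejoin lines the mail client wrapped (any line lacking the ==pid== prefix)."""
    out = []
    for line in text.splitlines():
        if line.startswith("=="):
            out.append(line)
        elif out:
            out[-1] += line
    return out

def parse(text):
    """One dict per valgrind error: its kind and first frame with file:line info."""
    errors, cur = [], None
    for line in unwrap(text):
        body = re.sub(r"^==\d+==\s?", "", line).strip()
        if not body:                      # a bare ==pid== line ends the record
            cur = None
        elif cur is None:                 # first text line of a record names the error
            cur = {"kind": body, "site": None}
            errors.append(cur)
        elif cur["site"] is None and (m := FRAME.match(body)):
            s = SRC.match(m.group(1))     # library frames "(in /path)" do not match
            if s:
                cur["site"] = (s.group(1), s.group(2), int(s.group(3)))
    return errors

def corruption_sites(text):
    """Source locations of the errors that can overwrite allocator metadata."""
    return [e["site"] for e in parse(text) if e["kind"].startswith(CORRUPTING)]
```

On the sample, `corruption_sites(SAMPLE)` returns only the `updateButtons()` frame at `CXWindowsScreen.cpp:1802`, which is the line to inspect first rather than the `free()` where glibc aborted.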