Public bug reported:

Ubuntu version: 18.04
libx11-xcb-dev version: 1.6.4

Hello, I found some potential bugs in the package libx11, and the .docx file
in the attachment I uploaded shows how each bug occurs in a graphical way.
Would you help me check whether the bugs mentioned below are real? I'm not
100% sure that the bugs I submitted are correct. I hope you don't mind seeing
any wrong bugs I submitted. Thank you very much for your patience.

In file libx11-1.6.4/src/Xrm.c, definition of function XrmGetStringDatabase,
line 1559.
There is a statement that calls the function NewDataBase() and loads its
return value into db, and this function may return a null pointer. In line
1560, there is a statement that dereferences db without checking it. The
process of this potential bug is shown in figure 1. There are several bugs
caused by the same reason, such as:
In file Xrm.c, definition of function XrmPutStringResource, line 1532.
In file Xrm.c, definition of function XrmCombineFileDatabase, line 1702.
In file Xrm.c, definition of function XrmGetFileDatabase, line 1678.
In file Xrm.c, definition of function XrmPutLineResource, line 1547.
In file Xrms.c, definition of function XrmGetStringDatabase, line 1559.

In file libx11-1.6.4/src/Xrm.c, definition of function append_value_list,
line 489.
There is a statement that calls the function Xmalloc to allocate memory and
loads its return value into value_list, but Xmalloc may fail to allocate
memory, so value_list may be a null pointer. In line 490, there is a statement
that dereferences value_list without checking it. The process of this
potential bug is shown in figure 2.

In file libx11-1.6.4/modules/im/ximcp/imLcIm.c, definition of function
_XimWriteCachedDefaultTree, line 464.
There is a statement that calls the function Xmalloc to allocate memory and
loads its return value into m, but Xmalloc may fail to allocate memory, so m
may be a null pointer. The statements that follow dereference m without
checking it. The process of this potential bug is shown in figure 3.

In file libx11-1.6.4/src/PolyReg.c, definition of function InsertEdgeInET,
line 98.
There is a statement that calls the function Xmalloc to allocate memory and
loads its return value into tmpSLLBlock, but Xmalloc may fail to allocate
memory, so tmpSLLBlock may be a null pointer. In line 100, there is a
statement that dereferences tmpSLLBlock without checking it. The process of
this potential bug is shown in figure 5. By the way, there are several null
pointer dereferences caused by the same reason, one of which is marked by
green text in graph 4.

In file libx11-1.6.4/modules/im/ximcp/imCallbk.c, definition of function
_XimStrConversionCallback, line 338.
There is a statement that calls the function Xmalloc to allocate memory and
loads its return value into buf, but Xmalloc may fail to allocate memory, so
buf may be a null pointer. In line 340, buf acts as the first parameter of the
function _XimSetHeader (this function is in file
libx11-1.6.2/modules/im/ximcp/imDefIm.c, line 78), and in this function there
are several statements that dereference buf without a check. The process of
this potential bug is shown in figure 5. By the way, some of the lines after
line 340 will also dereference buf without a check.

In file libx11-1.6.4/modules/im/ximcp/imCallbk.c, definition of function
_read_text_from_packet, line 528.
There is a statement that calls the function Xmalloc to allocate memory and
loads its return value into text->feedback, but Xmalloc may fail to allocate
memory, so text->feedback may be a null pointer. In line 531, there is a
statement that dereferences text->feedback without checking it. The process of
this potential bug is shown in figure 6.

In file libx11-1.6.4/src/xcms/cmsColNm.c, definition of function
_XcmsParseColorString, line 212.
There is a statement that calls the function Xmalloc to allocate memory and
loads its return value into string_lowered, but Xmalloc may fail to allocate
memory, so string_lowered may be a null pointer. In line 219, there is a
statement that dereferences string_lowered without checking it. The process of
this potential bug is shown in figure 7.

In file libx11-1.6.4/src/xcms/cmsColNm.c, definition of function
_XcmsLookupColorName, line 421.
There is a statement that calls the function Xmalloc to allocate memory and
loads its return value into name_lowered, but Xmalloc may fail to allocate
memory, so name_lowered may be a null pointer. In line 432, there is a
statement that dereferences name_lowered without checking it. The process of
this potential bug is shown in figure 8.

In file libx11-1.6.4/src/xcms/IdOfPr.c, definition of function
XcmsFormatOfPrefix, line 70.
There is a statement that calls the function Xmalloc to allocate memory and
loads its return value into string_lowered, but Xmalloc may fail to allocate
memory, so string_lowered may be a null pointer. In line 82, there is a
statement that dereferences string_lowered without checking it. The process of
this potential bug is shown in figure 9.

In file libx11-1.6.4/src/InitExt.c, definition of function XESetWireToError,
line 332.
There is a statement that calls the function Xmalloc to allocate memory and
loads its return value into dpy->error_vec, but Xmalloc may fail to allocate
memory, so dpy->error_vec may be a null pointer. In line 334, there is a
statement that dereferences dpy->error_vec without checking it. The process of
this potential bug is shown in figure 110.

In file libx11-1.6.4\src\xlibi18n\XDefaultIMIF.c, definition of function
_GetIMValues, line 268.
There is a statement that calls the function Xmalloc to allocate memory and
loads its return value into styles->supported_styles, but Xmalloc may fail to
allocate memory, so styles->supported_styles may be a null pointer. In line
270, there is a statement that dereferences styles->supported_styles without
checking it. The process of this potential bug is shown in figure 11.

In file libx11-1.6.4/src/xlibi18n/lcFile.c, definition of function
_XlcResolveLocaleName, line 561.
There is a statement that calls the function strdup and loads its return value
into pub->siname, but strdup may fail to allocate memory, so pub->siname may
be a null pointer. In line 566, there is a statement that dereferences
pub->siname without checking it. The process of this potential bug is shown in
figure 12.

In file libx11-1.6.4/src/Quarks.c, definition of function XrmQuarkToString,
line 395.
If the condition is true at this point, NULLSTRING will be loaded into s and
returned to the caller.
In file libx11-1.6.4/src/Xrm.c, definition of DumpEntry, line 2039, the return
value of XrmQuarkToString acts as an argument of fprintf, and it can be null.
The process of this potential bug is shown in figure 13.

In file libx11-1.6.4\modules\im\ximcp\imDefLkup.c, definition of function
_XimICOfXICID, line 48.
Null will be returned to the caller.
In the same file, definition of _XimSetEventMaskCallback, line 91, the return
value of _XimICOfXICID is loaded into ic. In line 92, ic acts as the first
parameter of _XimProcICSetEventMask.
In the same file, definition of _XimProcICSetEventMask, the statements in line
70 and line 71 dereference ic without checking it, so a null pointer
dereference may happen. The process of this potential bug is shown in
figure 14.

In file libx11-1.6.4\src\xlibi18n\XDefaultIMIF.c, definition of function
_GetIMValues, line 265.
There is a statement that calls the function Xmalloc to allocate memory and
loads its return value into styles, but Xmalloc may fail to allocate memory,
so styles may be a null pointer. In line 267, there is a statement that
dereferences styles without checking it. The process of this potential bug is
shown in figure 15.

There are several bugs of the same kind. I will list where these bugs are and
show them in figure 16 to figure 22 in the attachment.

File: libx11-1.6.4\modules\im\ximcp\imDefIc.c
Function: _XimProtoReset
Line: 1118

File: libx11-1.6.4\modules\im\ximcp\imDefIc.c
Function: _XimEncodingNegotiation
Line: 1760

File: libx11-1.6.4\modules\im\ximcp\imDefIc.c
Function: _XimClose
Line: 953

File: libx11-1.6.4\modules\im\ximcp\imDefLkup.c
Function: _XimForwardEventCore
Line: 305

File: libx11-1.6.4\modules\im\ximcp\imDefIm.c
Function: _XimConnection
Line: 619

File: libx11-1.6.4\modules\im\ximcp\imDefIm.c
Function: _XimOpen
Line: 834

File: libx11-1.6.4\modules\im\ximcp\imExten.c
Function: _XimExtension
Line: 468

In file libx11-1.6.4\src\xlibi18n\lcFile.c, definition of _XlcFileName,
line 546.
There is a statement that loads the return value of _XlcFileName into name,
and this function may return null (_XlcFileName is in file
libx11-1.6.4/modules/im/ximcp/imLcIm.c). As such, in line 604, there is a
statement that dereferences name without a check. The process of this
potential bug is shown in figure 23.

** Affects: libx11 (Ubuntu)
Importance: Undecided
Status: New
** Attachment added: "libx11_nullptr_dereference.docx"
https://bugs.launchpad.net/bugs/1940014/+attachment/5518029/+files/libx11_nullptr_dereference.docx
https://bugs.launchpad.net/bugs/1940014
Title:
Several potential bugs of null pointer dereference in libx11-1.6.4
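
The pattern the report describes (an allocation result dereferenced without a check) next to its checked form, as an added example that is not libx11 source and not part of the original report. The names `test_malloc`, `inject_failure`, `lower_copy_checked` and `has_prefix_ci` are hypothetical; the fault-injecting allocator stands in for Xmalloc so the out-of-memory path can actually be exercised.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fault-injecting allocator (a stand-in, not Xmalloc):
 * fails the N-th call when fail_at > 0. */
static int fail_at = 0;
static int alloc_calls = 0;

static void *test_malloc(size_t n)
{
    if (fail_at > 0 && ++alloc_calls == fail_at)
        return NULL;              /* simulated out-of-memory */
    return malloc(n);
}

void inject_failure(int nth) { fail_at = nth; alloc_calls = 0; }

/* Unchecked shape described in the report (constructed illustration):
 *     char *low = test_malloc(len + 1);
 *     low[0] = ...;      <- NULL dereference if the allocation failed
 *
 * Checked form: returns a lowercased heap copy of s, or NULL on NULL
 * input or allocation failure. The caller frees the result. */
char *lower_copy_checked(const char *s)
{
    if (s == NULL)
        return NULL;
    size_t len = strlen(s);
    char *low = test_malloc(len + 1);
    if (low == NULL)              /* the check the report says is missing */
        return NULL;
    for (size_t i = 0; i < len; i++)
        low[i] = (char)tolower((unsigned char)s[i]);
    low[len] = '\0';
    return low;
}

/* The caller turns the failure into a status instead of crashing.
 * Returns 1 if name starts with the (lowercase, non-NULL) prefix,
 * 0 if it does not, -1 if memory could not be allocated. */
int has_prefix_ci(const char *name, const char *prefix)
{
    char *low = lower_copy_checked(name);
    if (low == NULL)
        return -1;
    int hit = strncmp(low, prefix, strlen(prefix)) == 0;
    free(low);
    return hit;
}
```

Running the checked path under `inject_failure(1)` is a cheap way to confirm that each allocation site listed in a report like this one fails closed rather than dereferencing NULL.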