If you select a non-existent program (for instance, type ctrl+alt+p
and then type adf - presuming no program begins with adf) wmiimenu
will segfault. This is due to dereferencing a null pointer in
update_offsets. A gdb backtrace is attached.

But I found in update_offsets some interesting code:

if (!i)
    return;

If I remember the C spec correctly, uninitialized local variables are
undefined; so it seems odd to test an undefined value. The only use I
can think of is if update_offsets's stack is 'always' set up in a way
for i to actually represent something, which would be an.. ermm..
intriguing way of passing data.

GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-openbsd3.7"...
Core was generated by `wmiimenu'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libc.so.34.2...done.
Loaded symbols for /usr/lib/libc.so.34.2
Reading symbols from /usr/lib/libm.so.2.0...done.
Loaded symbols for /usr/lib/libm.so.2.0
Reading symbols from /usr/X11R6/lib/libX11.so.8.1...done.
Loaded symbols for /usr/X11R6/lib/libX11.so.8.1
Reading symbols from /usr/libexec/ld.so...done.
Loaded symbols for /usr/libexec/ld.so
Reading symbols from /usr/X11R6/lib/libXcursor.so.2.2...done.
Loaded symbols for /usr/X11R6/lib/libXcursor.so.2.2
Reading symbols from /usr/X11R6/lib/libXrender.so.3.1...done.
Loaded symbols for /usr/X11R6/lib/libXrender.so.3.1
Reading symbols from /usr/X11R6/lib/libXext.so.8.0...done.
Loaded symbols for /usr/X11R6/lib/libXext.so.8.0
#0  0x1c001a75 in update_offsets () at wmiimenu.c:205
205             for (i = offset[OFF_CURR]->prev; i && i->prev; i = i->prev) {
(gdb) bt full
#0  0x1c001a75 in update_offsets () at wmiimenu.c:205
        i = (Item *) 0x0
        w = 225
#1  0x1c001dc4 in update_items (pattern=0x3c046880 "adf") at wmiimenu.c:281
        plen = 3
        len = 3
        max = 24
        matched = 0
        f = (File *) 0x3c018400
        p = (File *) 0x0
        maxitem = (File *) 0x3c01fd20
        i = (Item *) 0x0
        new = (Item *) 0x3c00f158
#2  0x1c0025f3 in handle_kpress (e=0xcfbf9310) at wmiimenu.c:468
        ksym = 102
        buf = 
"f\000\000\000äç\000<è\222¿Ï¢\204\a\016\000`\000<\000\000\000\000\200ç\000<\000`\000<"
        num = 1
        text = "adf", '\0' <repeats 4092 times>
        len = 2
#3  0x1c0026c5 in check_event (c=0x3c00f0b0) at wmiimenu.c:491
#4  0x1c00501e in handle_socks (s=0x3c00f000) at server.c:305
        i = 1
        now = 1
#5  0x1c00566d in run_server (s=0x3c00f000) at server.c:422
        r = 1
        i = -809527592
#6  0x1c0055cd in run_server_with_fd_support (s=0x3c00f000, fd=3, 
fd_read=0x1c002661 <check_event>, fd_write=0)
    at server.c:402
No locals.
#7  0x1c003010 in main (argc=3, argv=0xcfbf953c) at wmiimenu.c:653
        i = 3
        wa = {background_pixmap = 1, background_pixel = 5, border_pixmap = 0, 
border_pixel = 1006641872, 
  bit_gravity = -1, win_gravity = 0, backing_store = 26719776, backing_planes = 
3485439704, 
  backing_pixel = 3485439292, save_under = -809528080, event_mask = 1605637, 
do_not_propagate_mask = 248001195, 
  override_redirect = 1, colormap = 456, cursor = 27182993}
        gcv = {function = 3, plane_mask = 3485439044, foreground = 3485439048, 
background = 11, line_width = 0, 
  line_style = 2, cap_style = 514, join_style = 0, fill_style = 1, fill_rule = 
0, arc_mode = 0, tile = 784875912, 
  stipple = 2249166884, ts_x_origin = -809528080, ts_y_origin = -809528152, 
font = 248011409, 
  subwindow_mode = 469764647, graphics_exposures = 0, clip_x_origin = 
-809528152, clip_y_origin = 248011508, 
  clip_mask = 3, dash_offset = 0, dashes = 0 '\0'}
(gdb) quit
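
The crash at wmiimenu.c:205 and the `if (!i)` test discussed in the report, as an added example that is not part of the original post and is not the wmii source: a sketch that guards the pointer the loop actually dereferences instead of the not-yet-assigned local. Only the names Item, offset, OFF_CURR and prev come from the backtrace; the struct layout, the width field, OFF_PREV, link_items and update_offsets_guarded are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed layout: the backtrace only shows Item, ->prev, offset[] and OFF_CURR. */
typedef struct Item Item;
struct Item { Item *prev, *next; int width; };

enum { OFF_PREV, OFF_CURR, OFF_LAST };
static Item *offset[OFF_LAST];

/* Constructed helper: link an array of n items, each `width` pixels wide. */
static void link_items(Item *v, int n, int width)
{
    for (int k = 0; k < n; k++) {
        v[k].prev = k ? &v[k - 1] : NULL;
        v[k].next = k + 1 < n ? &v[k + 1] : NULL;
        v[k].width = width;
    }
}

/* Find the first item of the previous page: walk back from the current item
 * while the accumulated width still fits in `avail`.
 * Returns the number of items on that page, or -1 when the list is empty. */
static int update_offsets_guarded(int avail)
{
    Item *i;            /* indeterminate until the for-initializer assigns it */
    int w = 0, n = 0;

    /* Test the list head, not `i`: when no item matches the pattern the
     * list is empty and offset[OFF_CURR]->prev would dereference NULL. */
    if (!offset[OFF_CURR]) {
        offset[OFF_PREV] = NULL;
        return -1;
    }
    offset[OFF_PREV] = offset[OFF_CURR];
    for (i = offset[OFF_CURR]->prev; i; i = i->prev) {
        if (w + i->width > avail)
            break;
        w += i->width;
        offset[OFF_PREV] = i;
        n++;
    }
    return n;
}

int main(void)
{
    offset[OFF_CURR] = NULL;                 /* pattern matched nothing */
    printf("empty list -> %d\n", update_offsets_guarded(100));
    return 0;
}
```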