On Wed, May 05, 2010 at 06:41:50PM +0300, Rami Ylimäki wrote:
> I'm encountering a crash with libxi and would like to hear your
> comments about it. After looking at the code it seems to be a
> problem in libxi but I need someone to verify this because I could
> have well misunderstood something.
>
> Everything worked fine with an XCB-enabled XLIB but as soon as I
> tried XLIB without XCB these problems surfaced. Basically there will
> be a segmentation fault in libxi code because it's accessing
> members of XI wire events that are located after the 32-byte
> boundary.
>
> The trace looks like this:
>
> XInternAtom: Client performs some request.
> _XReply: Request reads a reply.
> _XRead: Multiple events are pending so 32 bytes are
> read repeatedly from the connection.
> _XEnq: Pending event is processed.
> XInputWireToCookie: One of the pending events happens to be XI_Enter.
> wireToEnterLeave: Event is converted from wire.
>
> XInputWireToCookie casts the 32-byte xEvent to xXIEnterEvent and
> passes it to wireToEnterLeave. That last function then accesses
> members of xXIEnterEvent located beyond the 32-byte boundary, which
> ultimately leads to a crash in memcpy, because one tries to copy a
> button mask with some garbage length (greater than 48000 when it is
> 1 when the event leaves the X server).
>
> I'm not quite sure where the remaining portion of the event should
> be read from the wire to prevent this from happening.
Have a look at
commit c34f76f475bc632490122e67b5a82575d69d5569
Pull down extra bytes when reading a GenericEvent (non-xcb).
in libX11; I strongly suspect that this is the root issue here. libXi
probably just uncovers this as XI2 is the only extension using long events
so far.
Cheers,
Peter
_______________________________________________
[email protected]: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel
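An added illustration of the failure mode in the thread and of the fix Peter points at; this is example code, not code from libX11 or libXi. It simulates the 32-byte per-event read, inspects the GenericEvent `length` field and pulls down the extra bytes before any field past byte 32 is touched. The header struct follows the xGenericEvent wire layout; the extension opcode 131 and the field offset 50 in the sample are assumed, constructed values.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define X_GENERIC_EVENT 35   /* core event code for GenericEvent */
#define X_EVENT_SIZE    32   /* size of every core wire event */
#define SAMPLE_FIELD_OFF 50  /* assumed offset of a 16-bit field beyond byte 32 */

/* Wire header of a GenericEvent, laid out like Xproto.h's xGenericEvent. */
typedef struct {
    uint8_t  type, extension; uint16_t sequence;
    uint32_t length;          /* extra 4-byte units after the first 32 bytes */
    uint16_t evtype, pad;     uint32_t pad2[5];
} generic_event_hdr;

/* 32 bytes for a core event, 32 + 4*length for a GenericEvent. */
size_t full_event_size(const uint8_t *first32) {
    generic_event_hdr h;
    memcpy(&h, first32, sizeof h);
    if ((h.type & 0x7f) != X_GENERIC_EVENT) return X_EVENT_SIZE;
    return X_EVENT_SIZE + (size_t)h.length * 4;
}

/* Like _XRead for one event plus the missing step: pull down the extra bytes a
   GenericEvent announces. Returns the event size, or 0 if stream/buffer is too short. */
size_t read_full_event(const uint8_t *stream, size_t avail, uint8_t *out, size_t cap) {
    if (avail < X_EVENT_SIZE || cap < X_EVENT_SIZE) return 0;
    memcpy(out, stream, X_EVENT_SIZE);
    size_t need = full_event_size(out);
    if (need > avail || need > cap) return 0;
    memcpy(out + X_EVENT_SIZE, stream + X_EVENT_SIZE, need - X_EVENT_SIZE);
    return need;
}

/* Bounds-checked field read: refuses the access that crashed libXi when only
   32 of the event's bytes were actually in memory. */
int read_u16(const uint8_t *ev, size_t ev_size, size_t off, uint16_t *val) {
    if (off + 2 > ev_size) return 0;
    memcpy(val, ev + off, 2);
    return 1;
}
/* Constructed sample: a GenericEvent with 32 extra bytes (length = 8) and the
   16-bit field at SAMPLE_FIELD_OFF set to 1 (host byte order, as Xlib sees it). */
size_t build_sample(uint8_t *buf, size_t cap) {
    const uint32_t len = 8; const uint16_t one = 1;
    if (cap < 64) return 0;
    memset(buf, 0, 64);
    buf[0] = X_GENERIC_EVENT; buf[1] = 131;   /* 131: assumed extension opcode */
    memcpy(buf + 4, &len, 4); memcpy(buf + SAMPLE_FIELD_OFF, &one, 2);
    return 64;
}
```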