CC: xcb list
On Thu, Jul 15, 2010 at 11:23 PM, Matthieu Herrb <[email protected]> wrote:
> Hi,
>
> After updating to libX11 1.3.4, I started seeing window managers or
> toolbar programs exit without reasons when closing windows or pop-ups.
>
> After a bit of debugging, I figured out that this is caused by
> a use after free bug in _XReply. Most people running Linux won't see it
> because the data in the just free()'d memory is still there. But
> using OpenBSD's malloc which fills free()'d memory with a specific
> pattern, you get a different code path.
>
> The problem arises in xcb_io.c:582. The 'current' pointer can have
> been free()'d already (by dequeue_pending_request() called at line 562)
> when getting there.
>
> A simple test program to reproduce the issue is appended below: just
> call XGetWindowProperty on a non-existent window.
>
> Using his favourite malloc debugger one should be able to see the problem
> on Linux too...
>
> Unfortunately I'm not sure of what the fix is...
>
> #include <X11/Xlib.h>
> #include <X11/Xatom.h>
> #include <stdio.h>
>
> int
> main(int argc, char *argv[])
> {
>         Display *dpy;
>         Window w = 0;   /* window ID 0 does not exist */
>         Atom prop;
>         Atom type;
>         int format, result;
>         unsigned long nitems, bytes;
>         unsigned char *prop_value;
>
>         dpy = XOpenDisplay(NULL);
>         if (dpy == NULL) {
>                 fprintf(stderr, "cannot open display\n");
>                 return 1;
>         }
>         prop = XInternAtom(dpy, "_NET_WM_STATE", False);
>         /* The request fails on the server; the error reply goes through _XReply */
>         result = XGetWindowProperty(dpy, w, prop, 0, 0x7fffffff, False,
>             XA_ATOM, &type, &format, &nitems, &bytes, &prop_value);
>         return result;
> }
>
> --
> Matthieu Herrb
> _______________________________________________
> [email protected]: X.Org development
> Archives: http://lists.x.org/archives/xorg-devel
> Info: http://lists.x.org/mailman/listinfo/xorg-devel
