On neděle 24. září 2017 0:20:07 CEST Eric Anholt wrote: > Michal Srb <[email protected]> writes: > > Here is a script that can be used to crash X server using a broken big > > request for PolyLine. It connects to DISPLAY=:1 and doesn't support > > authentication. Look inside the script for more details. > > > > Other requests could be used to crash X server in similar way, for example > > SetFontPath. > > I noticed this still in my mailbox. I tried writing an mergeable unit > test for it at: > > https://github.com/anholt/xserver/commit/d0e9d732750aa8eb7eeb33adce321f1dfee > f265d > > but it doesn't manage to crash the server because I can't set the endian > mode using xcb (and xcb, sensibly, doesn't let me get an fd without > doing connection setup on it). > > I don't know much about the codepath with the bug, but hopefully this > sparks some discussion.
Hi, I think in your test case the underflow of the request length still happens, but it doesn't crash because nobody tries to access the data. It ends inside ProcPolyLine because the Drawable and the GC are not valid. In my test case the client was big endian, so it crashed inside SProcPoly trying to swap the (incorrectly) huge request. I think if you supply valid Drawable and GC, you should get crash even with little endian. Michal Srb _______________________________________________ [email protected]: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: https://lists.x.org/mailman/listinfo/xorg-devel
