Michal Srb <[email protected]> writes:

> On Sunday 24 September 2017 0:20:07 CEST Eric Anholt wrote:
>> Michal Srb <[email protected]> writes:
>> > Here is a script that can be used to crash X server using a broken big
>> > request for PolyLine. It connects to DISPLAY=:1 and doesn't support
>> > authentication. Look inside the script for more details.
>> >
>> > Other requests could be used to crash X server in a similar way, for example
>> > SetFontPath.
>>
>> I noticed this still in my mailbox. I tried writing a mergeable unit
>> test for it at:
>>
>> https://github.com/anholt/xserver/commit/d0e9d732750aa8eb7eeb33adce321f1dfeef265d
>>
>> but it doesn't manage to crash the server because I can't set the endian
>> mode using xcb (and xcb, sensibly, doesn't let me get an fd without
>> doing connection setup on it).
>>
>> I don't know much about the codepath with the bug, but hopefully this
>> sparks some discussion.
>
> Hi,
>
> I think in your test case the underflow of the request length still happens,
> but it doesn't crash because nobody tries to access the data. It ends inside
> ProcPolyLine because the Drawable and the GC are not valid.
>
> In my test case the client was big endian, so it crashed inside SProcPoly
> trying to swap the (incorrectly) huge request.
>
> I think if you supply valid Drawable and GC, you should get crash even with
> little endian.
I tried creating a gc against the root window and doing the drawing there, but the request seems to process successfully. bigreq branch updated with that code.
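An added illustration of the request-length check the thread is about (example code written for this page, not code from the X server or from either poster): a minimal parser for the X request header that handles the BIG-REQUESTS form for both client byte orders and rejects a length field smaller than its own header before subtracting it, so the length cannot underflow to a huge value. The header layout is the standard X11 one; the PolyLine opcode value and the sample byte sequences below are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* X11 core request header: opcode, data byte, 16-bit length in 4-byte units
 * (header included). With BIG-REQUESTS, a 16-bit length of 0 means a 32-bit
 * length follows, making the header 8 bytes (2 units). */
#define X_REQ_HDR_UNITS    1u
#define X_BIGREQ_HDR_UNITS 2u

enum req_status { REQ_OK = 0, REQ_TRUNCATED = 1, REQ_BAD_LENGTH = 2 };

/* Decode in the client's byte order; independent of the host's endianness. */
static uint16_t rd16(const uint8_t *p, int client_big_endian) {
    return client_big_endian ? (uint16_t)((p[0] << 8) | p[1])
                             : (uint16_t)(p[0] | (p[1] << 8));
}
static uint32_t rd32(const uint8_t *p, int client_big_endian) {
    return client_big_endian
        ? ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]
        : ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
}

/* Parse one request header from `buf` (`avail` bytes readable). On success,
 * *payload_units receives the number of 4-byte units of body after the header.
 * The comparison against the header size happens BEFORE the subtraction: a big
 * request whose 32-bit length is smaller than its 8-byte header is rejected
 * instead of wrapping around to a near-4G "huge request". (Assumes the
 * BIG-REQUESTS extension is enabled for this client.) */
enum req_status parse_request_len(const uint8_t *buf, size_t avail,
                                  int client_big_endian, uint32_t *payload_units) {
    if (avail < 4) return REQ_TRUNCATED;
    uint32_t len = rd16(buf + 2, client_big_endian);
    uint32_t hdr = X_REQ_HDR_UNITS;
    if (len == 0) {                          /* BIG-REQUESTS form */
        if (avail < 8) return REQ_TRUNCATED;
        len = rd32(buf + 4, client_big_endian);
        hdr = X_BIGREQ_HDR_UNITS;
    }
    if (len < hdr) return REQ_BAD_LENGTH;    /* len - hdr would underflow */
    *payload_units = len - hdr;
    return REQ_OK;
}

/* Constructed sample headers (opcode 65 is used here for PolyLine). */
const uint8_t SAMPLE_CORE_LE[4]    = {65, 0, 3, 0};              /* len 3 -> 2 units body */
const uint8_t SAMPLE_BIG_LE_OK[8]  = {65, 0, 0, 0, 3, 0, 0, 0};  /* big len 3 -> 1 unit */
const uint8_t SAMPLE_BIG_LE_BAD[8] = {65, 0, 0, 0, 1, 0, 0, 0};  /* big len 1 < header */
const uint8_t SAMPLE_BIG_BE_BAD[8] = {65, 0, 0, 0, 0, 0, 0, 1};  /* same, big-endian client */
```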
_______________________________________________
[email protected]: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: https://lists.x.org/mailman/listinfo/xorg-devel
