<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7654.12"> <TITLE>RE: XI2's copyRawEvent() question</TITLE> </HEAD> <BODY>  BTW, changing the code to use "len" rather than the sizeof() fixed my crash. diff ../../libXi-1.3-orig/src/XExtInt.c src/XExtInt.c 1196c1196 < ptr = cookie_out->data = malloc(sizeof(XIRawEvent)); --- > ptr = cookie_out->data = malloc(len); -----Original Message----- From: xorg-bounces+roger.cruz=virtualcomputer.com@lists.freedesktop.org on behalf of Roger Cruz Sent: Mon 4/25/2011 3:35 PM To: xorg@lists.freedesktop.org Subject: XI2's copyRawEvent() question In trying to understand a heap corruption when I added XI2 RawMotion event handling to our Xinput-based application, I came across the following routine copyRawEvent() in libxi-1.3/src/XExtInt.c. My question is what is the purpose of computing "len" if it is not used? Should it have been used as an argument to malloc(). copyRawEvent(XGenericEventCookie *cookie_in, XGenericEventCookie *cookie_out) { XIRawEvent *in, *out; void *ptr; int len; int bits; in = cookie_in->data; bits = count_bits(in->valuators.mask, in->valuators.mask_len); len = sizeof(XIRawEvent) + in->valuators.mask_len; len += bits * sizeof(double) * 2; ptr = cookie_out->data = malloc(sizeof(XIRawEvent)); if (!ptr) return False; out = next_block(&ptr, sizeof(XIRawEvent)); *out = *in; out->valuators.mask = next_block(&ptr, out->valuators.mask_len); memcpy(out->valuators.mask, in->valuators.mask, out->valuators.mask_len); out->valuators.values = next_block(&ptr, bits * sizeof(double)); memcpy(out->valuators.values, in->valuators.values, bits * sizeof(double)); out->raw_values = next_block(&ptr, bits * sizeof(double)); memcpy(out->raw_values, in->raw_values, bits * sizeof(double)); return True; } When I use valgrind, I get the following output as the culprit for the crash ==4166== Invalid write of size 1 ==4166== at 0x4C29F04: memcpy (mc_replace_strmem.c:497) ==4166== by 0x8F39180: ??? (in /usr/lib/libXi.so.6.1.0) ==4166== by 0x7433D48: _XCopyEventCookie (in /usr/lib/libX11.so.6.3.0) ==4166== by 0x7425166: XPeekEvent (in /usr/lib/libX11.so.6.3.0) ==4166== by 0x49C3E3: process_key (x11_be.c:1065) ==4166== by 0x49EA5C: event_key_release (x11_be.c:2201) ==4166== by 0x49DD6E: x11_be_process_events (x11_be.c:1892) ==4166== by 0x4A38F4: x11_be_main_loop (x11_be.c:4353) ==4166== by 0x4A39E1: x11_be_thread_main (x11_be.c:4385) ==4166== by 0x87549C9: start_thread (pthread_create.c:300) ==4166== by 0x8A516FC: clone (clone.S:112) ==4166== Address 0x168afe80 is 0 bytes after a block of size 96 alloc'd ==4166== at 0x4C284A8: malloc (vg_replace_malloc.c:236) ==4166== by 0x8F390BD: ??? (in /usr/lib/libXi.so.6.1.0) ==4166== by 0x7433D48: _XCopyEventCookie (in /usr/lib/libX11.so.6.3.0) ==4166== by 0x7425166: XPeekEvent (in /usr/lib/libX11.so.6.3.0) ==4166== by 0x49C3E3: process_key (x11_be.c:1065) ==4166== by 0x49EA5C: event_key_release (x11_be.c:2201) ==4166== by 0x49DD6E: x11_be_process_events (x11_be.c:1892) ==4166== by 0x4A38F4: x11_be_main_loop (x11_be.c:4353) ==4166== by 0x4A39E1: x11_be_thread_main (x11_be.c:4385) ==4166== by 0x87549C9: start_thread (pthread_create.c:300) Thanks in advance, Roger R. Cruz No virus found in this incoming message. Checked by AVG - www.avg.com Version: 9.0.894 / Virus Database: 271.1.1/3583 - Release Date: 04/25/11 02:34:00 </BODY> </HTML>