[PATCH] Xext: "xauth generate" with large timeout crashes Xorg #27134 . Sorry subject is missing in my previous two emails, sending it again. Please ignore my previous emails

Arvind Umrao Arvind.Umrao at Sun.COM
Wed Apr 7 10:42:45 PDT 2010


bug https://bugs.freedesktop.org/show_bug.cgi?id=27134

Description of the change:

This coredump is happening because of assertion at  ( Xext/security.c 
line:325     assert(pAuth->timer == timer)

Overflow of CARD32 happens at ( os/WaitFor.c line:458  millis += now )

This bug could be fixed in couple of ways.
a) Using CARD64 for variable millis.  But still we can get coredump when 
timeout is very large
b) Removing assert statement, but it is not a good fix.
c) By checking maximum permitted value of timeout.

I have fixed this problem by checking maximum value of timeout. Maximum 
timeout     is possible between range 0 to     ( MAX_Value(CARD32) - 
CurrentTime)

---
  Xext/security.c |   10 ++++++----
  1 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/Xext/security.c b/Xext/security.c
index af8d205..6d2e36e 100644
--- a/Xext/security.c
+++ b/Xext/security.c
@@ -280,11 +280,13 @@ SecurityComputeAuthorizationTimeout(
       * 32 bits worth of milliseconds
       */
      CARD32 maxSecs = (CARD32)(~0) / (CARD32)MILLI_PER_SECOND;
+    CARD32 nowSec = GetTimeInMillis()/ (CARD32)MILLI_PER_SECOND;

-    if (seconds > maxSecs)
-    { /* only come here if we want to wait more than 49 days */
-    pAuth->secondsRemaining = seconds - maxSecs;
-    return maxSecs * MILLI_PER_SECOND;
+    CARD32 maxPossibleSec = maxSecs - nowSec;
+    if (seconds > maxPossibleSec -1 )
+    {
+    pAuth->secondsRemaining = seconds - maxPossibleSec;
+    return maxPossibleSec * MILLI_PER_SECOND;
      }
      else
      { /* by far the common case */
--
1.5.6.5



More information about the xorg-devel mailing list