xlib/libxi crash
Rami Ylimäki
ext-rami.ylimaki at nokia.com
Wed May 5 08:41:50 PDT 2010
Hi,
I'm encountering a crash with libxi and would like to hear your comments
about it. After looking at the code it seems to be a problem in libxi
but I need someone to verify this because I could have well
misunderstood something.
Everything worked fine with an XCB-enabled Xlib, but as soon as I tried
Xlib without XCB these problems surfaced. Basically there will be a
segmentation fault in libxi code because it's accessing members of XI
wire events that are located after the 32-byte boundary.
The trace looks like this:
XInternAtom: Client performs some request.
_XReply: Request reads a reply.
_XRead: Multiple events are pending so 32 bytes are read repeatedly from the connection.
_XEnq: Pending event is processed.
XInputWireToCookie: One of the pending events happens to be XI_Enter.
wireToEnterLeave: Event is converted from wire.
XInputWireToCookie casts the 32-byte xEvent to xXIEnterEvent and passes
it to wireToEnterLeave. That last function then accesses members of
xXIEnterEvent located beyond the 32-byte boundary, which ultimately
leads to a crash in memcpy, because one tries to copy a button mask with
some garbage length (greater than 48000, whereas it is 1 when the event
leaves the X server).
I'm not quite sure where the remaining portion of the event should be
read from the wire to prevent this from happening.
-- Rami
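As an added example (not code from the original post or from libxi), the following shows the kind of bounds check the reported crash calls for: the event's fields beyond the first 32 bytes, and the button mask whose length is read from them, are only touched once the caller confirms the bytes actually read cover them. The struct layout is a hypothetical simplification modelled on the 32-byte wire boundary the report describes, not the real xXIEnterEvent.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Every X event arrives as a fixed 32-byte block; XI2 generic events carry
 * extra data whose size in 4-byte units is given by 'length'. Layout below
 * is a hypothetical simplification, not the real xXIEnterEvent. */
#define WIRE_EVENT_SIZE 32

typedef struct {
    uint8_t  type, extension;
    uint16_t sequence;
    uint32_t length;            /* extra 4-byte units after the first 32 bytes */
    uint16_t evtype, deviceid;
    uint32_t time;
    uint16_t sourceid; uint8_t mode, detail;
    uint32_t root, event, child;  /* 'child' ends the first 32 bytes */
    uint32_t root_x, root_y;      /* bytes 32..39: beyond the 32-byte block */
    uint32_t event_x, event_y;
    uint16_t buttons_len;         /* number of 4-byte mask words (offset 48) */
    uint16_t pad;
    uint8_t  buttons[];           /* buttons_len * 4 bytes of mask (offset 52) */
} xi_enter_event_t;

typedef union { xi_enter_event_t ev; uint8_t raw[64]; } sample_t;

/* Constructed sample: an XI_Enter event with a one-word button mask.
 * Returns the total number of bytes the event occupies on the wire (56). */
size_t build_sample(sample_t *s) {
    memset(s, 0, sizeof *s);
    s->ev.type = 35;                       /* GenericEvent opcode (assumed) */
    s->ev.length = (52 + 4 - WIRE_EVENT_SIZE) / 4;  /* 6 extra 4-byte words */
    s->ev.buttons_len = 1;
    s->ev.buttons[0] = 0x04;               /* constructed mask value */
    return WIRE_EVENT_SIZE + (size_t)s->ev.length * 4;
}

/* Copy the button mask into 'out'. Returns its size in bytes, or -1 when the
 * bytes available ('avail') do not cover the fields being read, which is the
 * situation the report describes when only 32 bytes have been read. */
int extract_button_mask(const uint8_t *buf, size_t avail,
                        uint8_t *out, size_t out_cap) {
    if (avail < offsetof(xi_enter_event_t, buttons))   /* header incomplete */
        return -1;
    const xi_enter_event_t *ev = (const xi_enter_event_t *)buf;
    size_t total = WIRE_EVENT_SIZE + (size_t)ev->length * 4;
    size_t mask_bytes = (size_t)ev->buttons_len * 4;
    if (avail < total || offsetof(xi_enter_event_t, buttons) + mask_bytes > total
        || mask_bytes > out_cap)
        return -1;                                       /* refuse, don't crash */
    memcpy(out, ev->buttons, mask_bytes);
    return (int)mask_bytes;
}
```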