xlib/libxi crash

Peter Hutterer peter.hutterer at who-t.net
Tue May 11 18:59:57 PDT 2010


On Wed, May 05, 2010 at 06:41:50PM +0300, Rami Ylimäki wrote:
> I'm encountering a crash with libxi and would like to hear your
> comments about it. After looking at the code it seems to be a
> problem in libxi but I need someone to verify this because I could
> have well misunderstood something.
> 
> Everything worked fine with an XCB enabled XLIB but as soon as I
> tried XLIB without XCB these problems surfaced. Basically there will
> be a segmentation fault in libxi code because it's accessing
> members of XI wire events that are located after the 32-byte
> boundary.
> 
> The trace looks like this:
> 
> XInternAtom:              Client performs some request.
>  _XReply:                Request reads a reply.
>    _XRead:               Multiple events are pending so 32 bytes are
> read repeatedly from the connection.
>    _XEnq:                Pending event is processed.
>      XInputWireToCookie: One of the pending events happens to be XI_Enter.
>        wireToEnterLeave: Event is converted from wire.
> 
> XInputWireToCookie casts the 32-byte xEvent to xXIEnterEvent and
> passes it to wireToEnterLeave. That last function then accesses
> members of xXIEnterEvent located beyond the 32-byte boundary, which
> ultimately leads to a crash in memcpy, because one tries to copy a
> button mask with some garbage length (greater than 48000 when it is
> 1 when the event leaves X server).
> 
> I'm not quite sure where the remaining portion of the event should
> be read from the wire to prevent this from happening.

Have a look at 
commit c34f76f475bc632490122e67b5a82575d69d5569
    Pull down extra bytes when reading a GenericEvent (non-xcb).

in libX11, I strongly suspect that this is the root issue here. libXi
probably just uncovers this as XI2 is the only extension using long events
so far.

Cheers,
  Peter
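The crash Rami traces above comes down to reading the fixed 32-byte xEvent and then casting it to the longer xXIEnterEvent without checking the GenericEvent length field first. The C below is an added illustration, not libX11 or libXi code: it uses a hand-written stand-in for the xGenericEvent header (the real layout is in the Xproto/XI2proto headers), assumes host byte order, and builds a constructed sample event to show the bounds check a caller needs before touching fields past the first 32 bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define GENERIC_EVENT 35  /* X protocol event code for GenericEvent (XGE) */
#define X_EVENT_SIZE  32  /* every core wire event is exactly 32 bytes   */

/* Stand-in for the xGenericEvent header: the 32-byte prefix shared by all
 * XGE events. `length` counts 4-byte units that follow the 32-byte header. */
typedef struct {
    uint8_t  type;
    uint8_t  extension;
    uint16_t sequenceNumber;
    uint32_t length;
    uint16_t evtype;
    uint8_t  pad[22];
} wire_generic_event;

/* Full wire size of the event whose 32-byte header starts at buf.
 * Core events are always 32 bytes; GenericEvents add 4*length bytes.
 * Returns 0 for an implausible length (treat as a protocol error). */
size_t full_event_size(const uint8_t *buf) {
    wire_generic_event ev;
    memcpy(&ev, buf, X_EVENT_SIZE);          /* alignment-safe copy */
    if (ev.type != GENERIC_EVENT) return X_EVENT_SIZE;
    if (ev.length > (1u << 20)) return 0;    /* arbitrary sanity cap (assumption) */
    return X_EVENT_SIZE + (size_t)ev.length * 4;
}

/* 1 if `avail` bytes at buf hold the complete event AND a field at
 * `offset` of `size` bytes lies inside it; 0 otherwise. This is the check
 * missing when a 32-byte read is cast straight to a longer XI2 event. */
int field_in_bounds(const uint8_t *buf, size_t avail, size_t offset, size_t size) {
    if (avail < X_EVENT_SIZE) return 0;
    size_t total = full_event_size(buf);
    if (total == 0 || total > avail) return 0;
    return offset + size <= total;
}

/* Constructed sample: a GenericEvent header with the given length field.
 * extension/evtype/sequence are placeholder values, not real XI2 numbers.
 * Returns the bytes written, or 0 if the buffer is too small. */
size_t build_sample_event(uint8_t *out, size_t cap, uint32_t length) {
    size_t total = X_EVENT_SIZE + (size_t)length * 4;
    if (cap < total) return 0;
    wire_generic_event ev = { GENERIC_EVENT, 0xAA, 1, length, 7, {0} };
    memset(out, 0, total);
    memcpy(out, &ev, X_EVENT_SIZE);          /* body past 32 bytes stays zeroed */
    return total;
}
```

A 32-byte read of a GenericEvent with length 2 leaves 8 bytes unread, and `field_in_bounds` refuses a field at offset 36 until the caller has pulled those extra bytes down.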

