[PATCH libX11] xcb_io: Fix Xlib 32-bit request number wrapping bug
Jonas Petersen
jnsptrsn1 at gmail.com
Sun Dec 15 15:06:54 PST 2013
By design, on 32-bit systems, the Xlib internal 32-bit request sequence
numbers may wrap. There is two locations within xcb_io.c that are not
wrap-safe though. The value of last_flushed relies on request to be
sequential all the time. This is not given in the moment when the sequence
has just wrapped. Applications may then crash with a "Fatal IO error 11
(Resource temporarily unavailable)".
This patch fixes this by "unwrapping" the sequence number when needed to
retain the sequence relative to last_flushed.
Signed-off-by: Jonas Petersen <jnsptrsn1 at gmail.com>
---
src/xcb_io.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/xcb_io.c b/src/xcb_io.c
index 727c6c7..34ca46e 100644
--- a/src/xcb_io.c
+++ b/src/xcb_io.c
@@ -455,7 +455,7 @@ void _XSend(Display *dpy, const char *data, long size)
static const xReq dummy_request;
static char const pad[3];
struct iovec vec[3];
- uint64_t requests;
+ uint64_t requests, unwrapped_request;
_XExtension *ext;
xcb_connection_t *c = dpy->xcb->connection;
if(dpy->flags & XlibDisplayIOError)
@@ -464,6 +464,13 @@ void _XSend(Display *dpy, const char *data, long size)
if(dpy->bufptr == dpy->buffer && !size)
return;
+ unwrapped_request = dpy->request;
+ /* If there was a sequence number wrap since our last flush,
+ * make sure the sequence number we use, stays in sequence
+ * with dpy->xcb->last_flush. */
+ if (sizeof(uint64_t) > sizeof(unsigned long) && dpy->request < dpy->xcb->last_flushed)
+ unwrapped_request += UINT64_C(1) << 32;
+
/* iff we asked XCB to set aside errors, we must pick those up
* eventually. iff there are async handlers, we may have just
* issued requests that will generate replies. in either case,
@@ -471,10 +478,10 @@ void _XSend(Display *dpy, const char *data, long size)
if(dpy->xcb->event_owner != XlibOwnsEventQueue || dpy->async_handlers)
{
uint64_t sequence;
- for(sequence = dpy->xcb->last_flushed + 1; sequence <= dpy->request; ++sequence)
+ for(sequence = dpy->xcb->last_flushed + 1; sequence <= unwrapped_request; ++sequence)
append_pending_request(dpy, sequence);
}
- requests = dpy->request - dpy->xcb->last_flushed;
+ requests = unwrapped_request - dpy->xcb->last_flushed;
dpy->xcb->last_flushed = dpy->request;
vec[0].iov_base = dpy->buffer;
--
1.7.10.4
More information about the xorg-devel
mailing list