DeliverPropertyEvent() accessing unallocated memory

[Adam Jackson]

On Sat, 2008-11-22 at 13:07 +0100, Matthieu Herrb wrote:
> Matthieu Herrb wrote:
> > Hi,
> > 
> > using OpenBSD's memory allocator (which has an option to fill free()'d
> > memory with a specific pattern) I found out that xserver 1.5.3 is
> > dumping core on exit.
> 
> Same problem on git's master.
> 
> > 
> > This is caused by a bad pointer caused by accessing free'd memory in
> > DeliverPropertyEvent, because when the RRProperties are destroyed, the
> > associated windows have been free'd already.
> > 
> 
> So, no help on how to fix that? Should we just remove
> RRDeleteAllOutputProperties() since it can't work?

It does work, when outputs are deleted at runtime.  It just can't work
during server shutdown since windows are already gone, so there's
nothing to deliver events to.

Something like this maybe:

--- a/randr/rrproperty.c
+++ b/randr/rrproperty.c
@@ -59,7 +59,8 @@ DeliverPropertyEvent(WindowPtr pWin, void *value)
 
 static void RRDeliverPropertyEvent(ScreenPtr pScreen, xEvent *event)
 {
-    WalkTree(pScreen, DeliverPropertyEvent, event);
+    if (!(dispatchException & (DE_RESET | DE_TERMINATE)))
+       WalkTree(pScreen, DeliverPropertyEvent, event);
 }
 
 void

---

- ajax
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
URL: <http://lists.x.org/archives/xorg/attachments/20081124/e12c95b4/attachment.pgp>