<html>
<head>
<base href="https://bugs.freedesktop.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEEDINFO "
title="NEEDINFO --- - Buffer Overflow in xf86-video-intel"
href="https://bugs.freedesktop.org/show_bug.cgi?id=80157#c22">Comment # 22</a>
on <a class="bz_bug_link
bz_status_NEEDINFO "
title="NEEDINFO --- - Buffer Overflow in xf86-video-intel"
href="https://bugs.freedesktop.org/show_bug.cgi?id=80157">bug 80157</a>
from <span class="vcard"><a class="email" href="mailto:typingtothemaxbuyer@gmail.com" title="typingtothemaxbuyer@gmail.com">typingtothemaxbuyer@gmail.com</a>
</span></b>
<pre>Good news, I've managed to see a crash while running with valgrind (valgrind
output pasted below, I'll attach xorg.0.log). I'm running git version 6b32cf3
with --enable-debug=valgrind.
==9913== Memcheck, a memory error detector
==9913== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==9913== Using Valgrind-3.9.0 and LibVEX; rerun with -h for copyright info
==9913== Command: /usr/bin/Xorg.valgrind -nolisten tcp :0 -auth
/tmp/serverauth.U3ZgNqfZFB vt1
==9913== Parent PID: 9912
==9913==
==9913== Syscall param rt_sigaction(act->sa_mask) points to uninitialised
byte(s)
==9913== at 0x547D5B1: __libc_sigaction (in /usr/lib/libpthread-2.19.so)
==9913== by 0x59F684: busfault_init (busfault.c:145)
==9913== by 0x5930DC: OsInit (osinit.c:191)
==9913== by 0x43A96A: dix_main (main.c:163)
==9913== by 0x66B0FFF: (below main) (in /usr/lib/libc-2.19.so)
==9913== Address 0xffeffdf98 is on thread 1's stack
==9913==
==9913== Warning: noted but unhandled ioctl 0x4b51 with no size/direction hints
==9913== This could cause spurious value errors to appear.
==9913== See README_MISSING_SYSCALL_OR_IOCTL for guidance on writing a
proper wrapper.
**9913** SNA compiled for use with valgrind
==9913== Warning: noted but unhandled ioctl 0x6458 with no size/direction hints
==9913== This could cause spurious value errors to appear.
==9913== See README_MISSING_SYSCALL_OR_IOCTL for guidance on writing a
proper wrapper.
==9913== Warning: noted but unhandled ioctl 0x641e with no size/direction hints
==9913== This could cause spurious value errors to appear.
==9913== See README_MISSING_SYSCALL_OR_IOCTL for guidance on writing a
proper wrapper.
==9913== Syscall param writev(vector[...]) points to uninitialised byte(s)
==9913== at 0x6772F27: writev (in /usr/lib/libc-2.19.so)
==9913== by 0x596E1B: _XSERVTransSocketWritev (Xtranssock.c:2364)
==9913== by 0x5920DC: FlushClient (io.c:936)
==9913== by 0x5927BD: WriteToClient (io.c:851)
==9913== by 0x4ED943: RecordFlushReplyBuffer (record.c:242)
==9913== by 0x4EFEB3: ProcRecordEnableContext (record.c:2339)
==9913== by 0x436A1E: Dispatch (dispatch.c:433)
==9913== by 0x43AC05: dix_main (main.c:294)
==9913== by 0x66B0FFF: (below main) (in /usr/lib/libc-2.19.so)
==9913== Address 0xd67df52 is 50 bytes inside a block of size 1,072 alloc'd
==9913== at 0x4C28730: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==9913== by 0x4F0191: ProcRecordCreateContext (record.c:1851)
==9913== by 0x436A1E: Dispatch (dispatch.c:433)
==9913== by 0x43AC05: dix_main (main.c:294)
==9913== by 0x66B0FFF: (below main) (in /usr/lib/libc-2.19.so)
==9913==
==9913== Invalid read of size 8
==9913== at 0x591194: AttendClient (connection.c:1187)
==9913== by 0x55FE14: DRI2SwapComplete (dri2.c:1011)
==9913== by 0xB1BFD9F: frame_swap_complete.isra.37 (sna_dri2.c:1793)
==9913== by 0xB1C17F9: sna_dri2_immediate_blit (sna_dri2.c:2076)
==9913== by 0xB1C37F4: sna_dri2_schedule_swap (sna_dri2.c:2727)
==9913== by 0x5601DD: DRI2SwapBuffers (dri2.c:1161)
==9913== by 0x56194B: ProcDRI2Dispatch (dri2ext.c:413)
==9913== by 0x436A1E: Dispatch (dispatch.c:433)
==9913== by 0x43AC05: dix_main (main.c:294)
==9913== by 0x66B0FFF: (below main) (in /usr/lib/libc-2.19.so)
==9913== Address 0xd8b2828 is 8 bytes inside a block of size 336 free'd
==9913== at 0x4C2999C: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==9913== by 0x435F44: CloseDownClient (dispatch.c:3396)
==9913== by 0x4369DF: Dispatch (dispatch.c:445)
==9913== by 0x43AC05: dix_main (main.c:294)
==9913== by 0x66B0FFF: (below main) (in /usr/lib/libc-2.19.so)
==9913==
==9913==
==9913== HEAP SUMMARY:
==9913== in use at exit: 12,869,582 bytes in 47,746 blocks
==9913== total heap usage: 320,044 allocs, 272,298 frees, 146,408,270 bytes
allocated
==9913==
==9913== LEAK SUMMARY:
==9913== definitely lost: 859 bytes in 28 blocks
==9913== indirectly lost: 95 bytes in 4 blocks
==9913== possibly lost: 1,973,644 bytes in 4,683 blocks
==9913== still reachable: 10,894,984 bytes in 43,031 blocks
==9913== suppressed: 0 bytes in 0 blocks
==9913== Rerun with --leak-check=full to see details of leaked memory
==9913==
==9913== For counts of detected and suppressed errors, rerun with: -v
==9913== Use --track-origins=yes to see where uninitialised values come from
==9913== ERROR SUMMARY: 6317 errors from 3 contexts (suppressed: 1 from 1)</pre>
</div>
</p>
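<p>The "Invalid read of size 8" block in the Memcheck output above is a use-after-free: the completion path (DRI2SwapComplete -&gt; AttendClient) dereferences a client record that CloseDownClient had already passed to free(). The following C program is an added example, not code from the X server or the xf86-video-intel project, that models that pattern with hypothetical names (struct client, swap_schedule, swap_complete_unsafe, swap_complete_safe): a deferred completion holding a raw pointer to a record that may be freed before it runs, beside the hardened form that stores only the client's identity and re-resolves it at completion time so a closed client simply drops the completion instead of touching freed memory.</p>

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the trace: a swap request is scheduled for a client,
 * the client is closed (record freed), then the completion callback fires.
 * All names are hypothetical; this is not the X server's own code. */

struct client {
    unsigned long id;        /* unique per open, never reused */
    int pending_replies;
};

struct swap_request {
    struct client *client;   /* raw pointer: stale once the client is closed */
    unsigned long client_id; /* identity captured at schedule time */
};

#define MAX_CLIENTS 8
static struct client *live_clients[MAX_CLIENTS];   /* registry of open clients */
static unsigned long next_client_id = 1;

/* Open a client and register it; returns NULL if the table is full. */
struct client *client_open(void) {
    for (int i = 0; i < MAX_CLIENTS; i++) {
        if (!live_clients[i]) {
            struct client *c = calloc(1, sizeof *c);
            if (!c) return NULL;
            c->id = next_client_id++;
            live_clients[i] = c;
            return c;
        }
    }
    return NULL;
}

/* Close a client: unregister and free it (mirrors CloseDownClient -> free). */
void client_close(struct client *c) {
    for (int i = 0; i < MAX_CLIENTS; i++) {
        if (live_clients[i] == c) {
            live_clients[i] = NULL;
            free(c);
            return;
        }
    }
}

/* Resolve a client by id; NULL once it has been closed. */
struct client *client_lookup(unsigned long id) {
    for (int i = 0; i < MAX_CLIENTS; i++)
        if (live_clients[i] && live_clients[i]->id == id)
            return live_clients[i];
    return NULL;
}

/* Scheduling records both the pointer and the id so the two completion
 * strategies below can be compared on the same request. */
struct swap_request swap_schedule(struct client *c) {
    struct swap_request r = { c, c->id };
    return r;
}

/* Unsafe completion: trusts the stored pointer. If the client was closed in
 * the meantime this reads freed memory, which Memcheck reports as
 * "Invalid read ... inside a block ... free'd". Shown for contrast only. */
int swap_complete_unsafe(const struct swap_request *r) {
    r->client->pending_replies++;
    return 1;
}

/* Safe completion: re-resolves the client by id and drops the completion
 * if the client is gone. Returns 1 if delivered, 0 if dropped. */
int swap_complete_safe(const struct swap_request *r) {
    struct client *c = client_lookup(r->client_id);
    if (!c) return 0;
    c->pending_replies++;
    return 1;
}

/* The ordering from the trace: close happens before completion. */
int scenario_closed_before_complete(void) {
    struct client *c = client_open();
    struct swap_request r = swap_schedule(c);
    client_close(c);
    return swap_complete_safe(&r);   /* 0: dropped, no freed memory touched */
}

/* Normal ordering: completion before close is delivered exactly once. */
int scenario_still_open(void) {
    struct client *c = client_open();
    struct swap_request r = swap_schedule(c);
    int delivered = swap_complete_safe(&r);
    int replies = c->pending_replies;
    client_close(c);
    return delivered && replies == 1;
}

int main(void) {
    printf("closed-before-complete delivered=%d\n", scenario_closed_before_complete());
    printf("still-open ok=%d\n", scenario_still_open());
    return 0;
}
```

<p>Running the unsafe variant on the closed-before-complete ordering under valgrind produces the same class of report as the trace above; the safe variant never dereferences the stale pointer, so the completion is lost harmlessly rather than corrupting or reading freed heap.</p>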
</body>
</html>