[Xcb] Null pointer dereference in xcb_image_get

Bart Massey bart at cs.pdx.edu
Tue Aug 20 17:50:19 PDT 2013


IMHO we should fix the code regardless of whether we deprecate the
format, just for completeness. The buggy code is probably mine: I'll
try to look at it and figure out what I was thinking.

I'm pretty sure that I tested the XYPixmap case at some point? Maybe
not; what does "is completely broken" mean here?

--Bart

On Tue, Aug 20, 2013 at 7:19 AM, Peter Harris <pharris at opentext.com> wrote:
> On 2013-08-18 19:38, Alan Coopersmith wrote:
>> Our in-house static analyzer has reported:
>>
>> Error: Null pointer dereference
>>    Null pointer dereference (CWE 476): Read from null pointer image
>>         at line 339 of xcb/util-image/image/xcb_image.c in function 'xcb_image_get'.
>>         at line 341 of xcb/util-image/image/xcb_image.c in function 'xcb_image_get'.
>>
>> It seems to be correct from looking at the code:
>> http://cgit.freedesktop.org/xcb/util-image/tree/image/xcb_image.c#n300
>>
>> image is set to 0 at line 313, and isn't set to another value until 355,
>> well after the uses at 339 & 341.
>>
>> I'm not sure what the fix should be - from the src_plane & dst_plane
>> references in 339 & 340, it appears the code believes there should be
>> two distinct images here, but I don't know at where or to what image
>> should be set to make that true.  My best guess is something in imrep
>> should be used.  Anyone know?
>
> Looks like it should be 339:"src_plane = data", 341:"size =
> tmp_image->height * tmp_image->stride", 346:"if (rpm & (1 << i))", and
> 371:"assert(bytes == image->size)" should be moved up into the ZPixmap case.
>
> I didn't send this in patch format partly because I didn't even compile
> it, but mostly for the following reason:
>
> Given that XYPixmap is completely broken, nobody can be using it. There
> are probably more bugs lurking. Perhaps the best fix is to document that
> only ZPixmap is a valid argument to xcb_image_get and remove the whole
> XCB_IMAGE_FORMAT_XY_PIXMAP case entirely.
>
> Peter Harris
> --
>                Open Text Connectivity Solutions Group
> Peter Harris                    http://connectivity.opentext.com/
> Research and Development        Phone: +1 905 762 6001
> pharris at opentext.com            Toll Free: 1 877 359 4866
> _______________________________________________
> Xcb mailing list
> Xcb at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/xcb
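
The pattern discussed in this thread, as an added illustration that is not part of the original messages and is not code from xcb-util-image: the result pointer stays NULL until the end, the plane size comes from the checked temporary object, and the source pointer is the reply data. `struct xy_image`, `expand_planes`, `xy_image_free` and the plane order (bit i selects plane i) are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an XY-format image, not xcb_image_t. */
struct xy_image {
    uint16_t height;
    uint32_t stride;   /* bytes per scanline of one plane */
    uint8_t  depth;    /* number of planes */
    uint8_t *data;     /* depth * height * stride bytes */
};

void xy_image_free(struct xy_image *im)
{
    if (im) { free(im->data); free(im); }
}
/* Expand reply bytes that hold only the planes selected in plane_mask into a
 * full-depth image. Assumed order: bit i selects plane i. NULL on failure. */
struct xy_image *expand_planes(const uint8_t *data, size_t data_len,
                               uint16_t height, uint32_t stride,
                               uint8_t depth, uint32_t plane_mask)
{
    struct xy_image *image = NULL;  /* result; never read before it is set */
    struct xy_image *tmp;
    size_t size, need = 0;
    unsigned i;
    if (!data || !depth || depth > 32 || !height || !stride ||
        stride > SIZE_MAX / height)
        return NULL;
    tmp = calloc(1, sizeof *tmp);
    if (!tmp)
        return NULL;                /* checked before any tmp-> access */
    tmp->height = height; tmp->stride = stride; tmp->depth = depth;
    size = (size_t)tmp->height * tmp->stride;  /* sized from tmp, not image */
    tmp->data = calloc(depth, size);           /* unselected planes stay zero */
    for (i = 0; i < depth; i++)
        if (plane_mask & (UINT32_C(1) << i))
            need += size;           /* bytes the reply must supply */
    if (!tmp->data || need > data_len) { xy_image_free(tmp); return NULL; }
    const uint8_t *src_plane = data;           /* source is the reply data */
    uint8_t *dst_plane = tmp->data;
    for (i = 0; i < depth; i++, dst_plane += size)
        if (plane_mask & (UINT32_C(1) << i)) {
            memcpy(dst_plane, src_plane, size);
            src_plane += size;
        }
    image = tmp;
    return image;
}
```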

