[Xcb] Null pointer dereference in xcb_image_get

Peter Harris pharris at opentext.com
Wed Aug 21 07:50:44 PDT 2013


On 2013-08-20 20:50, Bart Massey wrote:
> IMHO we should fix the code regardless of whether we deprecate the
> format, just for completeness. The buggy code is probably mine: I'll
> try to look at it and figure out what I was thinking.

It appears you added plane_mask handling in
9a2112a0e87a6df14131fb30351d765a74edc34a

> I'm pretty sure that I tested the XYPixmap case at some point? Maybe
> not; what does "is completely broken" mean here?

My mistake. It's only broken in the case where
plane_mask != xcb_mask(imrep->depth). I missed that check, and thought
it was always broken regardless of plane_mask.

If the user specifies a non-full plane_mask, it will dereference a NULL
pointer and crash (twice), copy too many (or too few) bytes (depending
on the low bit of the (reversed) plane mask) and crash (or return an
image memset to 0), and then assert because bytes != image->size.

Peter Harris
-- 
               Open Text Connectivity Solutions Group
Peter Harris                    http://connectivity.opentext.com/
Research and Development        Phone: +1 905 762 6001
pharris at opentext.com            Toll Free: 1 877 359 4866
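The failure mode described above (a partial plane_mask on the XY_PIXMAP path, a reply carrying fewer or more bytes than the allocated image, and the final bytes != image->size assertion) can be reasoned about without an X connection. The following is an added example, not code from xcb-util-image or from anyone in this thread. It assumes: full_plane_mask() mirrors the construction of the library's xcb_mask() helper (low `depth` bits set, depth 32 special-cased); a GetImage XYPixmap reply carries one padded plane per bit set in plane_mask while the library allocates one plane per bit of depth; and a 32-bit scanline pad. The sample inputs are constructed. The guard function shows the check a caller could apply before calling xcb_image_get() against an unfixed library.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper mirroring the mask construction of xcb_mask() in
 * xcb-util-image: the low `depth` bits set, depth == 32 special-cased so
 * that no 32-bit shift is performed. */
uint32_t full_plane_mask(uint32_t depth)
{
    return depth == 32 ? 0xFFFFFFFFu : ((1u << depth) - 1u);
}

/* Number of set bits in a plane mask (assumed model: one reply plane per bit). */
uint32_t plane_count(uint32_t plane_mask)
{
    uint32_t n = 0;
    while (plane_mask) {
        n += plane_mask & 1u;
        plane_mask >>= 1u;
    }
    return n;
}

/* The condition the thread identifies: the XY_PIXMAP path only behaves when
 * every plane of the drawable's depth is requested. Bits above the depth are
 * ignored, matching the masking done before the comparison. */
bool plane_mask_is_full(uint32_t depth, uint32_t plane_mask)
{
    uint32_t full = full_plane_mask(depth);
    return (plane_mask & full) == full;
}

/* Bytes in one XY-format plane: width rounded up to scanline_pad bits, times rows. */
uint32_t xy_plane_bytes(uint16_t width, uint16_t height, uint32_t scanline_pad)
{
    uint32_t stride = ((width + scanline_pad - 1u) / scanline_pad) * (scanline_pad / 8u);
    return stride * height;
}

/* Assumed size model: the library allocates `depth` planes for the image ... */
uint32_t xy_image_size(uint16_t width, uint16_t height, uint32_t depth, uint32_t scanline_pad)
{
    return xy_plane_bytes(width, height, scanline_pad) * depth;
}

/* ... while the server reply carries only the planes actually requested. */
uint32_t xy_reply_bytes(uint16_t width, uint16_t height, uint32_t depth,
                        uint32_t plane_mask, uint32_t scanline_pad)
{
    return xy_plane_bytes(width, height, scanline_pad)
         * plane_count(plane_mask & full_plane_mask(depth));
}

/* Guard a caller could apply before xcb_image_get(): true only when the
 * full-mask path is taken and the reply size will equal the image size,
 * so neither the NULL dereference nor the size assertion can be reached. */
bool xy_get_request_is_safe(uint16_t width, uint16_t height, uint32_t depth,
                            uint32_t plane_mask, uint32_t scanline_pad)
{
    if (!plane_mask_is_full(depth, plane_mask))
        return false;
    return xy_reply_bytes(width, height, depth, plane_mask, scanline_pad)
        == xy_image_size(width, height, depth, scanline_pad);
}

int main(void)
{
    /* Constructed inputs: a 10x2 region of a depth-24 drawable, 32-bit scanline pad. */
    uint16_t w = 10, h = 2;
    uint32_t depth = 24, pad = 32;
    uint32_t masks[] = { 0xFFFFFFFFu, 0x00FFFFFFu, 0x00000001u, 0x00000101u };
    for (size_t i = 0; i < sizeof masks / sizeof masks[0]; i++) {
        printf("plane_mask=0x%08x full=%d reply=%u image=%u safe=%d\n",
               masks[i], plane_mask_is_full(depth, masks[i]),
               xy_reply_bytes(w, h, depth, masks[i], pad),
               xy_image_size(w, h, depth, pad),
               xy_get_request_is_safe(w, h, depth, masks[i], pad));
    }
    return 0;
}
```

For the constructed depth-24 case the image is 192 bytes, a single-plane request yields an 8-byte reply, and a two-plane request 16 bytes; only the two full masks pass the guard. The same mismatch is what makes the reply copy over- or under-run the buffer and then trip the size assertion in the unfixed code.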

