[Xcb] use after free in _XReply in libX11 1.3.4
Pauli Nieminen
suokkos at gmail.com
Thu Jul 15 23:38:46 PDT 2010
CC: xcb list
On Thu, Jul 15, 2010 at 11:23 PM, Matthieu Herrb <matthieu.herrb at laas.fr> wrote:
> Hi,
>
> After updating to libX11 1.3.4, I started seeing window managers or
> toolbar programs exit without reasons when closing windows or pop-ups.
>
> After a bit of debugging, I figured out that this is caused by
> a use after free bug in _XReply. Most people running Linux won't see it
> because the data in the just free()'d memory is still there. But
> Using OpenBSD's malloc which fills free()'d memory with a specific
> pattern, you get a different code path.
>
> The proplem arises in xcb_io.c:582. the 'current' pointer can have
> been free()'d already (by dequeue_pending_request() called at line 562)
> when getting there.
>
> A simple test program to reproduce the issue is appended below: just
> call XGetWindowProperty on a non-existent window.
>
> Using his favourite malloc debugger one should be able to see the problem
> on Linux too...
>
> Unfortunatly I'm not sure of what the fix is...
>
> #include <X11/Xlib.h>
> #include <X11/Xatom.h>
> #include <stdio.h>
>
> int
> main(int argc, char *argv[])
> {
> Display *dpy;
> Window w = 0;
> Atom prop;
> Atom type;
> int format, result;
> unsigned long nitems, bytes;
> unsigned char *prop_value;
>
> dpy = XOpenDisplay(NULL);
> prop = XInternAtom (dpy, "_NET_WM_STATE", False);
> result = XGetWindowProperty(dpy, w, prop, 0, 0x7fffffff, False,
> XA_ATOM, &type, &format, &nitems, &bytes, &prop_value);
> return result;
> }
>
> --
> Matthieu Herrb
> _______________________________________________
> xorg-devel at lists.x.org: X.Org development
> Archives: http://lists.x.org/archives/xorg-devel
> Info: http://lists.x.org/mailman/listinfo/xorg-devel
>
More information about the Xcb
mailing list