[Xcb] Null pointer dereference in xcb_image_get

Bart Massey bart at cs.pdx.edu
Wed Aug 21 11:31:42 PDT 2013


Doh. Thanks much for the analysis. Looks fixable; I'll try to produce
a patch today...

Oops. AFAICT this code doesn't even build in isolation. LT_INIT was
missing from configure.ac, which was easily fixed. I have no idea what
to do about

  autoreconf: running: automake --add-missing --copy --no-force
  image/Makefile.am:16: error: 'pkgconfig_DATA' is used but
'pkgconfigdir' is undefined
  image/Makefile.am:5: error: 'xcbinclude_HEADERS' is used but
'xcbincludedir' is undefined
  autoreconf: automake failed with exit status: 1

Sorry to be such a newb, but am I pulling from the right repo? I have

  ssh://git.freedesktop.org/git/xcb/util-image

Or perhaps this bug is relevant?

  https://bugs.freedesktop.org/show_bug.cgi?id=39019

Computers are hard.

--Bart

On Wed, Aug 21, 2013 at 7:50 AM, Peter Harris <pharris at opentext.com> wrote:
> On 2013-08-20 20:50, Bart Massey wrote:
>> IMHO we should fix the code regardless of whether we deprecate the
>> format, just for completeness. The buggy code is probably mine: I'll
>> try to look and it and figure out what I was thinking.
>
> It appears you added plane_mask handling in
> 9a2112a0e87a6df14131fb30351d765a74edc34a
>
>> I'm pretty sure that I tested the XYPixmap case at some point? Maybe
>> not; what does "is completely broken" mean here?
>
> My mistake. It's only broken in the case where
> plane_mask != xcb_mask(imrep->depth)
> . I missed that check, and thought it was always broken regardless of
> plane_mask.
>
> If the user specifies a non-full plane_mask, it will dereference a NULL
> pointer and crash (twice), copy too many (or too few) bytes (depending
> on the low bit of the (reversed) plane mask) and crash (or return an
> image memset to 0), and then assert because bytes != image->size.
>
> Peter Harris
> --
>                Open Text Connectivity Solutions Group
> Peter Harris                    http://connectivity.opentext.com/
> Research and Development        Phone: +1 905 762 6001
> pharris at opentext.com            Toll Free: 1 877 359 4866


More information about the Xcb mailing list