[xorg-bugzilla-noise] [Bug 594] Reproducible X server crash clicking on invalid file in gv
bugzilla-daemon at pdx.freedesktop.org
Sat May 29 20:25:48 PDT 2004
Please do not reply to this email: if you want to comment on the bug, go to
the URL shown below and enter your comments there.
http://freedesktop.org/bugzilla/show_bug.cgi?id=594
ajax at nwnk.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
          Component|Lib/other                   |Server/general
------- Additional Comments From ajax at nwnk.net 2004-05-30 13:25 -------
Verrry interesting. I can't get a protocol trace of the action, because if I
run gv with DISPLAY=127.0.0.1:0, it doesn't crash, and there's no way to capture
on a unix-domain socket. However, Xnest will not crash, regardless of whether
gv connects to it over TCP or UDS.

This, combined with the gv display when it doesn't crash (a ~gigapixel black
rectangle) leads me to suspect an integer overflow somewhere in the MIT-SHM
code. SHM isn't active over TCP, which would explain why I can't get a protocol
dump of the crash. Xnest also does not do MIT-SHM (on my machine anyway; it
should I would think). Finally, huge integers used as pointer offsets would
easily cause a segfault and ensuing instant crash.

A fairly wild guess, but that probably needs auditing anyway...
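An added example, not part of the original message and not X server code: it shows the class of bug the comment suspects, a 32-bit size computation that wraps before the bounds check on a client-supplied offset into a shared segment, next to a check that cannot wrap. All function names, parameters and the sample segment are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample segment standing in for a shared-memory attachment. */
static uint8_t sample_seg[4096];

/* Overflow-prone: offset + stride * height is computed in 32 bits, so a
 * huge request wraps to a small value and passes the comparison. */
bool range_ok_naive(uint32_t seg_size, uint32_t offset,
                    uint32_t stride, uint32_t height)
{
    uint32_t end = offset + stride * height;   /* wraps modulo 2^32 */
    return end <= seg_size;
}

/* Hardened: every step is checked before it can wrap. */
bool range_ok_checked(uint32_t seg_size, uint32_t offset,
                      uint32_t stride, uint32_t height)
{
    if (offset > seg_size)
        return false;
    uint32_t room = seg_size - offset;         /* cannot underflow */
    if (height != 0 && stride > room / height) /* stride*height > room */
        return false;
    return true;
}

/* Hand out a pointer into the segment only for a range that fits. */
const uint8_t *image_ptr(const uint8_t *seg, uint32_t seg_size,
                         uint32_t offset, uint32_t stride, uint32_t height)
{
    if (!range_ok_checked(seg_size, offset, stride, height))
        return NULL;
    return seg + offset;
}

int main(void)
{
    /* 65536 * 65536 == 2^32, which wraps to 0 in 32-bit arithmetic. */
    printf("naive accepts wrapped size:   %d\n",
           range_ok_naive(sizeof sample_seg, 0, 0x10000, 0x10000));
    printf("checked accepts wrapped size: %d\n",
           range_ok_checked(sizeof sample_seg, 0, 0x10000, 0x10000));
    printf("valid request mapped: %d\n",
           image_ptr(sample_seg, sizeof sample_seg, 16, 64, 4) != NULL);
    return 0;
}
```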