[PATCH] xkb: fix invalid memory writes in _XkbCopyGeom.

James Cloos cloos at jhcloos.com
Fri Jun 4 00:25:20 PDT 2010

>>>>> "PH" == Peter Hutterer <peter.hutterer at who-t.net> writes:

PH> for extra fun - this bug is present in pretty much all server versions
PH> since 1.2 but didn't get exposed until the xalloc → malloc
PH> changes. I just took the 1.7 sources and valgrind didn't
PH> complain. Changed xalloc to malloc, valgrind gives out.

PH> Any guesses to why xalloc hides this issue are appreciated.

Probably due to the alignment and luck.

Looking at an old checkout, Xalloc() is:

    amount = (amount + (sizeof(long) - 1)) & ~(sizeof(long) - 1);
    ptr = malloc(amount);

Xalloc() will only allocate the same amount of mem as malloc(2)
when the requested size is one octet more than an exact multiple
of sizeof(long).

That was probably rare enough to avoid the bug.

James Cloos <cloos at jhcloos.com>         OpenPGP: 1024D/ED7DAEA6
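Added example (not code from the thread or from the xserver): it re-creates the rounding step of the old Xalloc() quoted above, allocates through it, and checks, for a given requested size, whether a write past the end of the object lands in the rounding padding, where it stays inside the malloc()'d block and valgrind has nothing to report, or reaches unowned memory. The one-byte-past-the-end copy in demo_copy() is a hypothetical stand-in, since the thread does not describe the actual shape of the _XkbCopyGeom write; exposed_sizes_per_period() generalises the point by counting, for any overrun length, how many sizes out of each run of sizeof(long) receive too little padding to hide it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Rounding rule from the old Xalloc() quoted in the message: the size is
 * bumped up to the next multiple of sizeof(long) before calling malloc(). */
static size_t xalloc_round(size_t amount)
{
    return (amount + (sizeof(long) - 1)) & ~(sizeof(long) - 1);
}

/* Re-creation of old-style Xalloc() for this demo (not the xserver's code). */
static void *xalloc_compat(size_t amount)
{
    return malloc(xalloc_round(amount));
}

/* Padding bytes between what the caller asked for and what Xalloc() got. */
static size_t xalloc_slack(size_t amount)
{
    return xalloc_round(amount) - amount;
}

/* Does a write of `overrun` bytes past the end of a `requested`-byte object
 * stay inside the padding under Xalloc()?  If so the write is still inside
 * the malloc()'d block and valgrind sees nothing wrong. */
static int overrun_hidden_by_xalloc(size_t requested, size_t overrun)
{
    return requested + overrun <= xalloc_round(requested);
}

/* Over one period of sizes (1..sizeof(long)), how many sizes let a write of
 * `overrun` bytes past the end reach unowned memory even under Xalloc()?
 * For a one-byte overrun only the sizes that are already an exact multiple
 * of sizeof(long) get no padding, so the answer is 1 in sizeof(long). */
static size_t exposed_sizes_per_period(size_t overrun)
{
    size_t exposed = 0;
    for (size_t r = 1; r <= sizeof(long); r++)
        if (!overrun_hidden_by_xalloc(r, overrun))
            exposed++;
    return exposed;
}

/* Hypothetical copy that writes one byte more than it allocated (the real
 * _XkbCopyGeom defect is not spelled out in the thread).  Returns 1 when
 * the extra byte landed in Xalloc()'s padding, i.e. the bug goes unnoticed,
 * 0 when it would have hit memory the block does not own, -1 on OOM. */
static int demo_copy(size_t n)
{
    unsigned char *src = malloc(n + 1);   /* constructed sample input */
    unsigned char *dst;
    int hidden;

    if (!src)
        return -1;
    memset(src, 0xAB, n + 1);

    hidden = overrun_hidden_by_xalloc(n, 1);
    dst = xalloc_compat(n);
    if (!dst) {
        free(src);
        return -1;
    }
    /* Only do the n+1 byte copy when it is provably inside the rounded
     * block; otherwise it would be a genuine heap overflow in this demo. */
    if (hidden)
        memcpy(dst, src, n + 1);
    else
        memcpy(dst, src, n);

    free(dst);
    free(src);
    return hidden;
}

int main(void)
{
    size_t sizes[] = { sizeof(long), sizeof(long) + 1, 3 * sizeof(long) - 1 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        size_t n = sizes[i];
        printf("request %zu: Xalloc gets %zu (slack %zu), 1-byte overrun %s\n",
               n, xalloc_round(n), xalloc_slack(n),
               demo_copy(n) ? "hidden in padding" : "hits unowned memory");
    }
    printf("sizes per %zu that expose a 1-byte overrun: %zu\n",
           sizeof(long), exposed_sizes_per_period(1));
    return 0;
}
```

Running it with valgrind shows why the switch to plain malloc() changed the picture: with the rounding in place only requests that are already a multiple of sizeof(long) get a block with no slack, so a small overrun is reported for a minority of sizes, whereas malloc() of the exact size exposes it for every size.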
