xlib/libxi crash

Rami Ylimäki ext-rami.ylimaki at nokia.com
Wed May 5 08:41:50 PDT 2010


Hi,

I'm encountering a crash with libxi and would like to hear your comments 
about it. After looking at the code it seems to be a problem in libxi 
but I need someone to verify this because I could have well 
misunderstood something.

Everything worked fine with an XCB-enabled Xlib but as soon as I tried 
Xlib without XCB these problems surfaced. Basically there will be a 
segmentation fault in libxi code because it's accessing members of XI 
wire events that are located after the 32-byte boundary.

The trace looks like this:

XInternAtom:              Client performs some request.
  _XReply:                Request reads a reply.
    _XRead:               Multiple events are pending so 32 bytes are read repeatedly from the connection.
    _XEnq:                Pending event is processed.
      XInputWireToCookie: One of the pending events happens to be XI_Enter.
        wireToEnterLeave: Event is converted from wire.

XInputWireToCookie casts the 32-byte xEvent to xXIEnterEvent and passes 
it to wireToEnterLeave. That last function then accesses members of 
xXIEnterEvent located beyond the 32-byte boundary, which ultimately 
leads to a crash in memcpy, because it tries to copy a button mask with 
some garbage length (greater than 48000, whereas it is 1 when the event 
leaves the X server).

I'm not quite sure where the remaining portion of the event should be 
read from the wire to prevent this from happening.

-- Rami
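As an added example (my own, not code from libxi or from this thread), here is a defensive C check that computes the full wire size of a generic event from its length field and refuses to read xXIEnterEvent fields until that many bytes are buffered, which is the situation the cast in XInputWireToCookie misses. The field offsets and the XI_Enter evtype are assumptions taken from the XI2 protocol headers, values are read in host byte order, and the sample event is constructed.

```c
/* Added example (not libxi code): check that the whole XI2 generic event is
 * buffered before reading fields that lie past the 32-byte xEvent boundary.
 * Offsets/evtype assumed from XI2proto.h / XI2.h; host byte order throughout. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define GENERIC_EVENT        35   /* core event type shared by all XI2 events      */
#define XEVENT_SIZE          32   /* what _XRead hands to _XEnq per pending event  */
#define XI_ENTER_FIXED       72   /* sizeof(xXIEnterEvent): the part before the mask */
#define XI_ENTER_BUTTONS_OFF 50   /* offset of buttons_len, i.e. past the 32 bytes */
#define XI_ENTER             7    /* evtype of XI_Enter */
static uint16_t rd16(const unsigned char *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const unsigned char *p) { uint32_t v; memcpy(&v, p, 4); return v; }
/* Wire size of the event whose first 32 bytes are in buf: generic events carry
 * a trailing length in 4-byte units, core events are always exactly 32 bytes. */
size_t event_wire_size(const unsigned char *buf)
{
    if (buf[0] != GENERIC_EVENT) return XEVENT_SIZE;
    return XEVENT_SIZE + (size_t)rd32(buf + 4) * 4;
}
/* buttons_len of an XI_Enter event, or -1 when fewer than event_wire_size()
 * bytes are available or the mask would not fit inside the event. */
long enter_buttons_len(const unsigned char *buf, size_t have)
{
    if (have < XEVENT_SIZE || buf[0] != GENERIC_EVENT || rd16(buf + 8) != XI_ENTER)
        return -1;
    size_t total = event_wire_size(buf);
    if (total < XI_ENTER_FIXED || have < total)
        return -1;                         /* rest of the event not read yet */
    uint16_t blen = rd16(buf + XI_ENTER_BUTTONS_OFF);
    if (XI_ENTER_FIXED + (size_t)blen * 4 > total)
        return -1;                         /* mask would run past the event */
    return blen;
}
/* Constructed XI_Enter event: 72 fixed bytes + one 4-byte mask unit, so the
 * generic length field is (72 - 32) / 4 + 1 = 11 and the event is 76 bytes. */
static const unsigned char *sample_enter_event(void)
{
    static unsigned char ev[76];
    memset(ev, 0, sizeof ev);
    ev[0] = GENERIC_EVENT;
    uint32_t len = 11;          memcpy(ev + 4, &len, 4);
    uint16_t evtype = XI_ENTER; memcpy(ev + 8, &evtype, 2);
    uint16_t blen = 1;          memcpy(ev + XI_ENTER_BUTTONS_OFF, &blen, 2);
    ev[72] = 0x02;              /* button 1 set in the mask */
    return ev;
}
/* Only 32 bytes buffered (as in the trace above) versus the complete event. */
long demo_truncated(void) { return enter_buttons_len(sample_enter_event(), XEVENT_SIZE); }
long demo_complete(void)  { return enter_buttons_len(sample_enter_event(), 76); }
```

With only the 32 bytes that _XRead delivered, the check reports the event as incomplete instead of reading a buttons_len from whatever follows in memory.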
