DeliverPropertyEvent() accessing unallocated memory
Matthieu Herrb
matthieu.herrb at laas.fr
Sat Nov 22 04:07:41 PST 2008
Matthieu Herrb wrote:
> Hi,
>
> using OpenBSD's memory allocator (which has an option to fill free()'d
> memory with a specific pattern) I found out that xserver 1.5.3 is
> dumping core on exit.
Same problem on git's master.
>
> This is caused by a bad pointer caused by accessing free'd memory in
> DeliverPropertyEvent, because when the RRProperties are destroyed, the
> associated windows have been free'd already.
>
So, no help on how to fix that? Should we just remove
RRDeleteAllOutputProperties() since it can't work?
> Here's a short debugging session that shows the problem (0xfd is the
> value used to fill free()'d regions):
>
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x1c1486f7 in DeliverPropertyEvent (pWin=0xdfdfdfdf, value=0xcfbc2400)
> at /usr/xenocara/xserver/randr/rrproperty.c:34
> 34 pHead = LookupIDByType(pWin->drawable.id, RREventType);
> (gdb) p **WindowTable
> $1 = {drawable = {type = 223 'ß', class = 223 'ß', depth = 223 'ß',
> bitsPerPixel = 223 'ß', id = 3755991007, x = -8225, y = -8225,
> width = 57311, height = 57311, pScreen = 0xdfdfdfdf,
> serialNumber = 3755991007}, devPrivates = 0xdfdfdfdf, parent = 0xdfdfdfdf,
> nextSib = 0xdfdfdfdf, prevSib = 0xdfdfdfdf, firstChild = 0xdfdfdfdf,
> lastChild = 0xdfdfdfdf, clipList = {extents = {x1 = -8225, y1 = -8225,
> x2 = -8225, y2 = -8225}, data = 0xdfdfdfdf}, borderClip = {extents = {
> x1 = -8225, y1 = -8225, x2 = -8225, y2 = -8225}, data = 0xdfdfdfdf},
> valdata = 0xdfdfdfdf, winSize = {extents = {x1 = -8225, y1 = -8225,
> x2 = -8225, y2 = -8225}, data = 0xdfdfdfdf}, borderSize = {extents = {
> x1 = -8225, y1 = -8225, x2 = -8225, y2 = -8225}, data = 0xdfdfdfdf},
> origin = {x = -8225, y = -8225}, borderWidth = 57311,
> deliverableEvents = 57311, eventMask = 3755991007, background = {
> pixmap = 0xdfdfdfdf, pixel = 3755991007}, border = {pixmap = 0xdfdfdfdf,
> pixel = 3755991007}, backStorage = 0xdfdfdfdf, optional = 0xdfdfdfdf,
> backgroundState = 3, borderIsPixel = 1, cursorIsNone = 1, backingStore = 1,
> saveUnder = 1, DIXsaveUnder = 1, bitGravity = 15, winGravity = 13,
> overrideRedirect = 1, visibility = 3, mapped = 1, realized = 1,
> viewable = 0, dontPropagate = 7, forcedBS = 1, redirectDraw = 3,
> forcedBG = 1}
> (gdb) bt
> #0 0x1c1486f7 in DeliverPropertyEvent (pWin=0xdfdfdfdf, value=0xcfbc2400)
> at /usr/xenocara/xserver/randr/rrproperty.c:34
> #1 0x1c025c5c in TraverseTree (pWin=0x879d7900,
> func=0x1c1486d0 <DeliverPropertyEvent>, data=0xcfbc2400)
> at /usr/xenocara/xserver/dix/window.c:225
> #2 0x1c025d03 in WalkTree (pScreen=0x81310400,
> func=0x1c1486d0 <DeliverPropertyEvent>, data=0xcfbc2400)
> at /usr/xenocara/xserver/dix/window.c:253
> #3 0x1c148858 in RRDeliverPropertyEvent (pScreen=0x81310400,
> event=0xcfbc2400)
> at /usr/xenocara/xserver/randr/rrproperty.c:62
> #4 0x1c1488d2 in RRDeleteAllOutputProperties (output=0x88fa2000)
> at /usr/xenocara/xserver/randr/rrproperty.c:80
> #5 0x1c147c9f in RROutputDestroyResource (value=0x88fa2000, pid=60)
> at /usr/xenocara/xserver/randr/rroutput.c:410
> #6 0x1c025078 in FreeClientResources (client=0x7d3f1400)
> at /usr/xenocara/xserver/dix/resource.c:809
> #7 0x1c02515e in FreeAllResources ()
> at /usr/xenocara/xserver/dix/resource.c:826
> #8 0x1c021acd in main (argc=1, argv=0xcfbc2578, envp=0xcfbc2580)
> at /usr/xenocara/xserver/dix/main.c:453
> (gdb)
>
>
> Ideas for fixing that are of course welcome.
>
--
Matthieu Herrb
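The teardown-order bug the backtrace shows, reduced to a stand-alone C model. This is an added example for illustration, not code from the X server or from anyone in the thread; the quarantining allocator, the struct layouts and the two candidate fixes are assumptions of the model, not the project's actual patch. run_shutdown(0, 1) frees the windows first and only then deletes the output properties, which is the order FreeAllResources follows in the trace, and counts every DeliverPropertyEvent call that lands on freed memory; run_shutdown(0, 0) skips event delivery during exit, and run_shutdown(1, 1) deletes the properties while the windows are still live.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Quarantining allocator (illustrative, not the server's): a freed block is
 * filled with FILL_BYTE but stays mapped, so a read through a stale pointer
 * is counted rather than undefined. OpenBSD's malloc does the fill but also
 * reuses the memory, which is why the real server segfaults instead. */
#define FILL_BYTE 0xdf
#define MAX_BLOCKS 32
static struct block { void *p; size_t n; int freed; } blocks[MAX_BLOCKS];
static int nblocks;

static void *q_malloc(size_t n)
{
    if (nblocks == MAX_BLOCKS) abort();
    blocks[nblocks] = (struct block){ calloc(1, n), n, 0 };
    return blocks[nblocks++].p;
}

/* 1 if p is quarantined, 0 if live, -1 if it never came from q_malloc. */
static int q_is_freed(const void *p)
{
    for (int i = 0; i < nblocks; i++)
        if (blocks[i].p == p) return blocks[i].freed;
    return -1;
}

static void q_free(void *p)
{
    for (int i = 0; i < nblocks; i++)
        if (blocks[i].p == p && !blocks[i].freed) {
            memset(p, FILL_BYTE, blocks[i].n);
            blocks[i].freed = 1;
            return;
        }
    abort();                                /* double free or foreign pointer */
}

static void q_reset(void) { while (nblocks > 0) free(blocks[--nblocks].p); }

/* Hypothetical stand-ins for WindowRec and RROutputRec: only the fields
 * the teardown path touches. */
struct window { uint32_t id; struct window *first_child, *next_sib; };
struct output { int nprops; struct window *root; };
static struct result { int stale; int delivered; } r;

/* Stand-in for DeliverPropertyEvent; a stale pWin is the SIGSEGV in the trace. */
static void deliver_property_event(struct window *w)
{
    if (q_is_freed(w) != 0) r.stale++;      /* pWin=0xdfdfdfdf in the backtrace */
    else r.delivered++;
}

/* Stand-in for WalkTree/TraverseTree. Without the quarantine check, the
 * first_child of a freed root is 0xdfdfdfdf, exactly as in the backtrace. */
static void walk_tree(struct window *w)
{
    for (; w; w = w->next_sib) {
        deliver_property_event(w);
        if (q_is_freed(w) != 0) return;
        walk_tree(w->first_child);
    }
}

/* Stand-in for RRDeleteAllOutputProperties: each deleted property is
 * announced with an event delivered across the whole window tree. */
static void rr_delete_all_output_properties(struct output *o, int deliver)
{
    for (; o->nprops > 0; o->nprops--)
        if (deliver) walk_tree(o->root);
}

static struct window *make_tree(void)
{
    struct window *root = q_malloc(sizeof *root);
    struct window *a = q_malloc(sizeof *a), *b = q_malloc(sizeof *b);
    root->id = 1; root->first_child = a;
    a->id = 2;    a->next_sib = b;
    b->id = 3;
    return root;
}

static void free_tree(struct window *w)
{
    for (struct window *next; w; w = next) {
        next = w->next_sib;
        free_tree(w->first_child);
        q_free(w);
    }
}

/* props_first=0, deliver=1 reproduces the backtrace's order: FreeAllResources
 * reaches the RR output only after every window has already been freed.
 * props_first=0, deliver=0 is candidate fix A (no events while exiting);
 * props_first=1, deliver=1 is candidate fix B (properties die before windows). */
static struct result run_shutdown(int props_first, int deliver)
{
    struct output *o = q_malloc(sizeof *o);
    r = (struct result){ 0, 0 };
    o->nprops = 2;
    o->root = make_tree();
    if (props_first) { rr_delete_all_output_properties(o, deliver); free_tree(o->root); }
    else             { free_tree(o->root); rr_delete_all_output_properties(o, deliver); }
    q_free(o);
    q_reset();                              /* release the quarantine for the next run */
    return r;
}
```

With two properties and three windows, the trace's order reports two stale reads and no delivered events (the walk stops at the freed root, where the real server instead reads 0xdfdfdfdf as firstChild and crashes); fix A reports nothing at all, and fix B delivers all six events with no stale read. The quarantine is what makes the bug observable in a test; under a production allocator the same stale read is silent until the page is reused or unmapped, which is the case this thread hit on OpenBSD.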