Server crash uploading multiple glyphs at once with XRenderAddGlyphs

Clemens Eisserer linuxhippy at gmail.com
Thu Aug 20 09:27:18 PDT 2009


Hi Dave,

Should I file a bug report about this on bugzilla?
What additional data would be useful to track that issue down?
Could this be used as a security hole?

Thanks, Clemens

2009/8/16 Clemens Eisserer <linuxhippy at gmail.com>

> Hi Dave,
>
> > Can you get valgrind traces by any chance? not sure we can tell
> > much other than memory got corrupted from this.
>
> It seems at least for this case, sha1_block_data_order is reading data
> from random locations:
>
> ==17163== Invalid read of size 4
> ==17163==    at 0x439E91A: sha1_block_data_order (sx86-elf.s:76)
> ==17163==    by 0xFA42F463: ???
> ==17163==  Address 0x4815360 is 0 bytes after a block of size 4,096 alloc'd
> ==17163==    at 0x4028D7E: malloc (vg_replace_malloc.c:207)
> ==17163==    by 0x80AE954: Xalloc (utils.c:1056)
> ==17163==    by 0x80AA42D: AllocateInputBuffer (io.c:1017)
> ==17163==    by 0x80A9545: InsertFakeRequest (io.c:498)
>
> I had a look at the source but I have a pretty hard time figuring out
> what's going on there :-/
> The crash appears with a quite large framework I am working on, quite
> hard to build your own. I could provide a binary package or wireshark
> protocol if that would help?
>
> The valgrind log is attached, hope it helps a bit.
>
> Thanks, Clemens
>
> PS: I've found another problem: uploading multiple glyphs at once
> causes a memleak. I've attached a short testcase - fills up my 3GB
> pretty quick.
> There's a malloc in CreatePicture which is in some cases never freed,
> called at render.c : 1147.
> But again, I don't understand why it works sometimes and sometimes not :-/
>
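The valgrind excerpt quoted above is the kind of report that has to be triaged before anyone can say whether an out-of-bounds read in request handling is just a crash or something worse. The following Python helper is an added example, not code from this thread or from the X.org server: it parses valgrind "Invalid read/write" blocks into structured records (faulting frame, distance and direction relative to the block, the block's allocation stack) so that reports like this one can be compared and prioritised. The sample input reproduces the eight lines quoted in the message; the data classes, regular expressions and function names are all assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the valgrind lines quoted in the message above.
SAMPLE_LOG = """\
==17163== Invalid read of size 4
==17163==    at 0x439E91A: sha1_block_data_order (sx86-elf.s:76)
==17163==    by 0xFA42F463: ???
==17163==  Address 0x4815360 is 0 bytes after a block of size 4,096 alloc'd
==17163==    at 0x4028D7E: malloc (vg_replace_malloc.c:207)
==17163==    by 0x80AE954: Xalloc (utils.c:1056)
==17163==    by 0x80AA42D: AllocateInputBuffer (io.c:1017)
==17163==    by 0x80A9545: InsertFakeRequest (io.c:498)
"""

HEADER_RE = re.compile(r"^==(\d+)== Invalid (read|write) of size (\d+)$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+?)(?: \((.+)\))?$")
ADDR_RE = re.compile(
    r"^==\d+==\s+Address 0x([0-9A-Fa-f]+) is (\d+) bytes (after|before|inside) "
    r"a block of size ([\d,]+) (alloc'd|free'd)"
)


@dataclass
class Frame:
    func: str            # symbol name, or "???" when valgrind could not resolve it
    loc: Optional[str]   # "file:line" when present


@dataclass
class MemError:
    pid: int
    kind: str            # "read" or "write"
    size: int            # bytes accessed
    access_stack: List[Frame] = field(default_factory=list)
    address: Optional[int] = None
    offset: Optional[int] = None      # distance from the block boundary
    relation: Optional[str] = None    # "after", "before" or "inside"
    block_size: Optional[int] = None
    block_state: Optional[str] = None  # "alloc'd" or "free'd"
    alloc_stack: List[Frame] = field(default_factory=list)

    def is_heap_overrun(self) -> bool:
        """True when a live block is read or written past its end."""
        return self.relation == "after" and self.block_state == "alloc'd"

    def alloc_site(self) -> Optional[Frame]:
        """First allocation frame that is not valgrind's malloc interposer."""
        for f in self.alloc_stack:
            if not (f.loc and f.loc.startswith("vg_replace_malloc.c")):
                return f
        return None


def parse_valgrind(text: str) -> List[MemError]:
    """Split valgrind memcheck output into one MemError per 'Invalid ...' block."""
    errors: List[MemError] = []
    cur: Optional[MemError] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = MemError(int(m.group(1)), m.group(2), int(m.group(3)))
            errors.append(cur)
            continue
        if cur is None:
            continue
        m = ADDR_RE.match(line)
        if m:
            cur.address = int(m.group(1), 16)
            cur.offset = int(m.group(2))
            cur.relation = m.group(3)
            cur.block_size = int(m.group(4).replace(",", ""))
            cur.block_state = m.group(5)
            continue
        m = FRAME_RE.match(line)
        if m:
            frame = Frame(m.group(1), m.group(2))
            # Frames before the "Address ..." line describe the faulting access,
            # frames after it describe where the block was allocated.
            (cur.alloc_stack if cur.block_size is not None else cur.access_stack).append(frame)
    return errors


def summarize(err: MemError) -> str:
    """One-line triage summary for a parsed error."""
    fault = err.access_stack[0] if err.access_stack else Frame("?", None)
    site = err.alloc_site()
    where = f"{fault.func} ({fault.loc})" if fault.loc else fault.func
    alloc = f"{site.func} ({site.loc})" if site and site.loc else (site.func if site else "unknown")
    tag = "heap overrun" if err.is_heap_overrun() else f"{err.relation} {err.block_state} block"
    return (f"pid {err.pid}: {err.kind} of {err.size} bytes, {err.offset} bytes {err.relation} "
            f"a {err.block_size}-byte block [{tag}]; faulting in {where}; block from {alloc}")


if __name__ == "__main__":
    for e in parse_valgrind(SAMPLE_LOG):
        print(summarize(e))
```

On the sample above the summary reads as a four-byte read exactly at the end of the 4096-byte input buffer allocated through Xalloc, which is the fact a reviewer wants to pin down first: the faulting code is the SHA-1 routine consuming a request buffer, and the allocation size is the fixed input-buffer size rather than something derived from the request.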