
Bug#284025: xserver-xfree86: SEGV in RADEONQueryConnectedDisplays



Package: xserver-xfree86
Version: 4.3.0.1.dfsg.1-8
Severity: normal


Script started on Thu 02 Dec 2004 04:40:39 PM MST
root@i2000:~# gdb /usr/X11R6/bin/XFree86-debug 
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "ia64-linux"...Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) run
Starting program: /usr/X11R6/bin/XFree86-debug 

This is a pre-release version of XFree86, and is not supported in any
way.  Bugs may be reported to XFree86@XFree86.Org and patches submitted
to fixes@XFree86.Org.  Before reporting bugs in pre-release versions,
please check the latest version in the XFree86 CVS repository
(http://www.XFree86.Org/cvs).

XFree86 Version 4.3.0.1 (Debian (static) 4.3.0.dfsg.1-8 20040928150828 root@caballero.debian.org)
Release Date: 15 August 2003
X Protocol Version 11, Revision 0, Release 6.6
Build Operating System: Linux 2.4.25-dsa-mckinley-smp ia64 [ELF] 
Build Date: 28 September 2004
	Before reporting problems, check http://www.XFree86.Org/
	to make sure that you have the latest version.
OS Kernel: Linux version 2.6.10-rc2 (helgaas@tiger) (gcc version 3.3.3 20040110 (prerelease) (Debian)) #4 SMP Mon Nov 29 16:45:09 MST 2004 
Markers: (--) probed, (**) from config file, (==) default setting,
         (++) from command line, (!!) notice, (II) informational,
         (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: "/var/log/XFree86.0.log", Time: Thu Dec  2 16:40:56 2004
(==) Using config file: "/etc/X11/XF86Config-4"

Program received signal SIGSEGV, Segmentation fault.
RADEONQueryConnectedDisplays (pScrn=0x600000000010a430, 
    pInt10=0x600000000010d3c0) at radeon_driver.c:1275
1275	radeon_driver.c: No such file or directory.
	in radeon_driver.c
(gdb) x/i $pc
0x4000000000834f21 <RADEONQueryConnectedDisplays+4161>:	
                ld8 r14=[r14]
(gdb) p $r14
$1 = 568
(gdb) bt
#0  RADEONQueryConnectedDisplays (pScrn=0x600000000010a430, 
    pInt10=0x600000000010d3c0) at radeon_driver.c:1275
#1  0x40000000008368b0 in RADEONGetBIOSParameters (pScrn=0x600000000010a430, 
    pInt10=0x600000000010d3c0) at radeon_driver.c:1456
#2  0x400000000084dcf0 in RADEONPreInit (pScrn=0x600000000010a430, flags=0)
    at radeon_driver.c:4049
#3  0x4000000000de3780 in InitOutput (pScreenInfo=0x60000000000e93e0, argc=1, 
    argv=0x60000fffffffb958) at xf86Init.c:574
#4  0x40000000010d2080 in main (argc=1, argv=0x60000fffffffb958, 
    envp=0x60000fffffffb968) at main.c:361
(gdb) quit
The program is running.  Exit anyway? (y or n) y
root@i2000:~# 
Script done on Thu 02 Dec 2004 04:41:33 PM MST


The problem is pretty clear from the source.  We call vbeDoEDID(),
which usually returns a pointer, but can return NULL for failure.
Then we dereference it without bothering to check for NULL:

            for (i = 0; i < 5; i++) {
                pRADEONEnt->MonInfo1 = vbeDoEDID(pVbe, NULL);
            }
            if (pRADEONEnt->MonInfo1->rawData[0x14] & 0x80)
                pRADEONEnt->MonType1 = MT_DFP;
            else pRADEONEnt->MonType1 = MT_CRT;
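The following C program is an added illustration written for this page; it is not code from the bug report or from the XFree86 radeon driver. It models the probe-and-classify sequence above with a fake vbeDoEDID() stand-in that can be told which of the five attempts fail, so the NULL path can be exercised without a card. The faulting instruction in the gdb session, `ld8 r14=[r14]` with r14 = 568, is consistent with a load from NULL plus a small field offset, which is exactly what `MonInfo1->rawData[0x14]` becomes when MonInfo1 is NULL. The example goes one step beyond the patch: besides the NULL guard it shows a retry loop that stops at the first successful read, because the driver's loop overwrites the pointer on every iteration and so only the last probe ever counts. The types FakeVbe and EdidInfo, the functions fake_do_edid(), classify_monitor(), probe_last_wins(), probe_first_success(), run_scenario() and probes_used(), and the bitmask scheme for choosing which probes succeed are all assumptions of this example; only the offset 0x14 and the 0x80 bit test come from the page.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-ins for the driver's types; not the XFree86 headers. */
typedef struct {
    unsigned char rawData[128];      /* raw 128-byte EDID block */
} EdidInfo;

typedef enum { MT_CRT = 1, MT_DFP = 2 } MonitorType;

#define EDID_INPUT_OFFSET 0x14       /* byte tested by the driver */
#define EDID_DIGITAL_BIT  0x80       /* bit 7 set: digital (DFP) input */
#define PROBE_TRIES       5          /* same retry count as the driver loop */

/* Fake VBE probe (assumption of this example): attempt n (0-based) returns
   the EDID block iff bit n of ok_mask is set, otherwise NULL, mirroring the
   failure mode of vbeDoEDID() described in the report. */
typedef struct {
    unsigned ok_mask;
    int attempts;
    EdidInfo edid;
} FakeVbe;

static EdidInfo *fake_do_edid(FakeVbe *vbe)
{
    int n = vbe->attempts++;
    return ((vbe->ok_mask >> n) & 1u) ? &vbe->edid : NULL;
}

/* Classification with the NULL guard the patch adds.  A missing EDID falls
   back to MT_CRT, exactly as the patched driver does. */
MonitorType classify_monitor(const EdidInfo *info)
{
    if (info == NULL)
        return MT_CRT;
    return (info->rawData[EDID_INPUT_OFFSET] & EDID_DIGITAL_BIT) ? MT_DFP : MT_CRT;
}

/* Loop shape from the driver: each attempt overwrites the pointer, so only
   the last probe decides, and a late failure discards an earlier good read. */
MonitorType probe_last_wins(FakeVbe *vbe)
{
    EdidInfo *info = NULL;
    for (int i = 0; i < PROBE_TRIES; i++)
        info = fake_do_edid(vbe);
    return classify_monitor(info);
}

/* Retry that stops at the first successful read (beyond what the patch does). */
MonitorType probe_first_success(FakeVbe *vbe)
{
    EdidInfo *info = NULL;
    for (int i = 0; i < PROBE_TRIES && info == NULL; i++)
        info = fake_do_edid(vbe);
    return classify_monitor(info);
}

/* Scenario driver: ok_mask selects which attempts succeed, input_byte is what
   the fake EDID carries at offset 0x14.  Returns the classification and,
   when attempts_out is non-NULL, how many probes were issued. */
MonitorType run_scenario(unsigned ok_mask, unsigned char input_byte,
                         int stop_on_success, int *attempts_out)
{
    FakeVbe vbe;
    memset(&vbe, 0, sizeof vbe);
    vbe.ok_mask = ok_mask;
    vbe.edid.rawData[EDID_INPUT_OFFSET] = input_byte;
    MonitorType t = stop_on_success ? probe_first_success(&vbe)
                                    : probe_last_wins(&vbe);
    if (attempts_out)
        *attempts_out = vbe.attempts;
    return t;
}

/* Convenience for checking how many probes a strategy needed. */
int probes_used(unsigned ok_mask, int stop_on_success)
{
    int n = 0;
    run_scenario(ok_mask, EDID_DIGITAL_BIT, stop_on_success, &n);
    return n;
}

int main(void)
{
    int n;
    MonitorType t;
    /* Every probe fails: the unpatched driver dereferences NULL here. */
    t = run_scenario(0x00, EDID_DIGITAL_BIT, 0, &n);
    printf("no EDID at all     -> type %d after %d probes\n", t, n);
    /* Only the second probe succeeds on a digital panel. */
    t = run_scenario(0x02, EDID_DIGITAL_BIT, 0, &n);
    printf("last-wins loop     -> type %d after %d probes\n", t, n);
    t = run_scenario(0x02, EDID_DIGITAL_BIT, 1, &n);
    printf("first-success loop -> type %d after %d probes\n", t, n);
    return 0;
}
```

The second and third scenarios are the interesting ones: with the same hardware behaviour (one transient success out of five), the driver's loop shape reports a CRT because the fifth probe happens to fail, while stopping at the first success reports the DFP the panel actually is and issues only two probes.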

Here's a patch:

--- xc/programs/Xserver/hw/xfree86/drivers/ati/radeon_driver.c.orig	2004-11-30 13:59:17.314008332 -0700
+++ xc/programs/Xserver/hw/xfree86/drivers/ati/radeon_driver.c	2004-11-30 14:00:14.328656071 -0700
@@ -1272,7 +1272,7 @@
 			for (i = 0; i < 5; i++) {
 			    pRADEONEnt->MonInfo1 = vbeDoEDID(pVbe, NULL);
 			}
-			if (pRADEONEnt->MonInfo1->rawData[0x14] & 0x80)
+			if (pRADEONEnt->MonInfo1 && pRADEONEnt->MonInfo1->rawData[0x14] & 0x80)
 			    pRADEONEnt->MonType1 = MT_DFP;
 			else pRADEONEnt->MonType1 = MT_CRT;
 		    }
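Review bot: the guard on the `+` line relies on `&` binding tighter than `&&`, so `pRADEONEnt->MonInfo1 && pRADEONEnt->MonInfo1->rawData[0x14] & 0x80` does parse as intended, but the mixed operators are easy to misread; parenthesising the bit test as `(pRADEONEnt->MonInfo1->rawData[0x14] & 0x80)` would make the intent explicit. Separately, the unchanged retry loop in the context above overwrites MonInfo1 on every iteration, so a NULL from the fifth call to vbeDoEDID() discards a successful earlier read and the new guard then silently reports MT_CRT; breaking out of the loop on the first non-NULL result would keep the data the retries were meant to obtain.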
