
Bug#239991: ximcp.so.2: segfault after failure to create XIM input context



Package: libx11-6
Version: 4.3.0-7
Severity: grave
Tags: patch l10n
Justification: causes non-serious data loss

Hello,

If _XimProtoCreateIC() in xc/lib/X11/imDefIc.c fails to create an
input context, it cleans up by freeing the input context and its
private resources (see the label "ErrorOnCreatingIC:" at the bottom
of the function).  However, the failure may be encountered inside
_XimEncodeICATTRIBUTE() (see line 1506), which may in turn have
registered an event filter with a pointer to the input context, as shown
in the following stack trace.

#0  _XimRegisterKeyPressFilter (ic=0x8235be8) at imDefFlt.c:275
#1  0x400065c4 in _XimRegisterFilter (ic=0x8235be8) at imDefFlt.c:334
#2  0x400179ab in _XimEncodeTopValue (ic=0x8235be8, res=0x8235e14, p=0x8236348) at imRmAttr.c:957
#3  0x40018063 in _XimEncodeICATTRIBUTE (ic=0x8235be8, res_list=0x8235e00, res_num=18, arg=0x8236340, arg_ret=0xbfffddf4, buf=0xbfffe610, size=2032, ret_len=0xbfffddf8, top=0xbfffee10 "\004\004", flag=0x0, mode=2) at imRmAttr.c:1139
#4  0x4000820c in _XimProtoCreateIC (xim=0x811bac8, arg=0x8236340) at imDefIc.c:1506
#5  0x400bfd04 in XCreateIC (im=0x811bac8) at ICWrap.c:250
#6  0x40192b5c in Tk_HandleEvent () from /usr/lib/libtk8.4.so.0
#7  0x40193556 in TkQueueEventForAllChildren () from /usr/lib/libtk8.4.so.0
#8  0x402b5919 in Tcl_ServiceEvent () from /usr/lib/libtcl8.4.so.0
#9  0xfffffffd in ?? ()
#10 0xbffff038 in ?? ()
#11 0x402c6a1c in Tcl_DeleteTimerHandler () from /usr/lib/libtcl8.4.so.0

In such a situation, when _XimProtoCreateIC() returns, it leaves a
dangling pointer from the event filter list of the display to the freed
input context.  This can easily cause a segfault later.  The following
one-line patch fixes this problem:

--- xc/lib/X11/imDefIc.c.orig	2001-01-17 14:41:51.000000000 -0500
+++ xc/lib/X11/imDefIc.c	2004-03-24 23:47:54.000000000 -0500
@@ -1591,6 +1591,7 @@
     return (XIC)ic;
 
 ErrorOnCreatingIC:
+    _XimUnregisterFilter(ic);
     if (ic->private.proto.ic_resources)
	Xfree(ic->private.proto.ic_resources);
     if (ic->private.proto.ic_inner_resources)
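Review bot: _XimUnregisterFilter(ic) is now reached from every jump to ErrorOnCreatingIC, including failures that happen before _XimEncodeICATTRIBUTE() at line 1506 ever registers a filter, so the patch is only correct if _XimUnregisterFilter() is a no-op for an ic that has no filter on the display's list; please confirm that (or guard the call) before applying. Placing the call ahead of the Xfree() calls is the right order, since the unregister walk still needs a valid ic to compare against. The report's own doubt about whether _XimEncodeICATTRIBUTE() or _XimEncodeTopValue() should undo the registration on its own failure path is worth resolving in the same change, otherwise a future caller of those functions that does not go through this label inherits the same dangling pointer.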

I have verified that this patch eliminates the segfault that I encounter
on the second keystroke when running wnb in the wordnet package
(version 2.0g-4 or earlier, LC_CTYPE=zh_TW.UTF-8), with xcin (version
2.5.2.99.pre2+cvs20030224-1) running in the background (LANG=zh_TW.Big5
LC_CTYPE=zh_TW.Big5 LC_MESSAGES=zh_TW.Big5 LC_ALL=zh_TW.Big5).  However,
I am not sure that the above fix is the right one -- perhaps it is the
responsibility of _XimEncodeICATTRIBUTE() or _XimEncodeTopValue() to
unregister the event filter.

Thank you,
	Ken

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.3
Locale: LANG=C, LC_CTYPE=zh_TW.UTF-8

Versions of packages libx11-6 depends on:
ii  libc6                       2.3.2.ds1-11 GNU C Library: Shared libraries an
ii  xfree86-common              4.3.0-7      X Window System (XFree86) infrastr
ii  xlibs-data                  4.3.0-7      X Window System client data

-- no debconf information


Attachment: signature.asc
Description: Digital signature
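The failure mode in this report, an error path that frees an object while a display-owned list still holds a pointer to it, is easy to reproduce in isolation. The following is an added example, not code from the bug report or from libX11: the structures and function names (Display, IC, Filter, register_filter, unregister_filter, create_ic_then_fail) are hypothetical stand-ins for the XIM internals named above. It models the cleanup label both without and with the unregister call, and checks, by comparing addresses only and never dereferencing the freed context, whether a stale entry is left behind; it also exercises the case where the error path is taken before any filter was registered, so the unregister call must be a harmless no-op there.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the libX11 structures in the report (not libX11 code). */
typedef struct IC IC;
typedef struct Filter {
    IC *ic;                 /* the input context that registered this filter */
    struct Filter *next;
} Filter;

typedef struct Display {
    Filter *filters;        /* event filter list, owned by the display, outlives any IC */
} Display;

struct IC {
    Display *dpy;
    void *resources;        /* stands in for ic->private.proto.ic_resources */
};

/* Analogue of _XimRegisterFilter: push a filter that points back at ic. */
static int register_filter(IC *ic) {
    Filter *f = calloc(1, sizeof *f);
    if (!f) return 0;
    f->ic = ic;
    f->next = ic->dpy->filters;
    ic->dpy->filters = f;
    return 1;
}

/* Analogue of _XimUnregisterFilter: unlink and free every filter owned by ic.
   Deliberately a no-op when ic never registered one, so any error path may call it. */
static void unregister_filter(IC *ic) {
    Filter **pp = &ic->dpy->filters;
    while (*pp) {
        if ((*pp)->ic == ic) {
            Filter *dead = *pp;
            *pp = dead->next;
            free(dead);
        } else {
            pp = &(*pp)->next;
        }
    }
}

/* Count filters whose ic field equals addr. Addresses are compared as integers
   so a freed context is never dereferenced. */
static int count_filters_at(const Display *dpy, uintptr_t addr) {
    int n = 0;
    for (const Filter *f = dpy->filters; f; f = f->next)
        if ((uintptr_t)f->ic == addr) n++;
    return n;
}

/* Free whatever filters are left on a display (used to clean up after a test). */
static void drop_all_filters(Display *dpy) {
    while (dpy->filters) {
        Filter *dead = dpy->filters;
        dpy->filters = dead->next;
        free(dead);
    }
}

/* Mimics the shape of _XimProtoCreateIC: when fail_after_register is set, the
   filter is registered partway through attribute encoding and a later step fails;
   otherwise the failure happens before any filter exists. 'fixed' selects whether
   the error label unregisters the filter before freeing ic (the patch).
   Returns the number of filters still pointing at the freed context. */
static int create_ic_then_fail(Display *dpy, int fail_after_register, int fixed) {
    IC *ic = calloc(1, sizeof *ic);
    if (!ic) return -1;
    uintptr_t addr = (uintptr_t)ic;     /* remembered as an integer for the post-free check */
    ic->dpy = dpy;
    ic->resources = malloc(16);

    if (fail_after_register) {
        if (!register_filter(ic)) goto ErrorOnCreatingIC;
        /* ... a later step of attribute encoding fails ... */
        goto ErrorOnCreatingIC;
    }
    /* failure before attribute encoding: no filter was ever registered */
    goto ErrorOnCreatingIC;

ErrorOnCreatingIC:
    if (fixed) unregister_filter(ic);   /* the one-line fix from the report */
    free(ic->resources);
    free(ic);
    return count_filters_at(dpy, addr); /* >0 means a dangling pointer survives */
}

int main(void) {
    Display buggy = {0}, patched = {0}, early = {0};
    printf("unpatched, filter registered:    %d stale filter(s)\n", create_ic_then_fail(&buggy, 1, 0));
    printf("patched, filter registered:      %d stale filter(s)\n", create_ic_then_fail(&patched, 1, 1));
    printf("patched, failed before register: %d stale filter(s)\n", create_ic_then_fail(&early, 0, 1));
    drop_all_filters(&buggy);
    return 0;
}
```

The stale entry left by the unpatched path is exactly what the display's event dispatch would later follow on the next keystroke; here it is only counted, because dereferencing it would be the use-after-free the report describes.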