
Bug#284448: xserver-xfree86: xserver (ATI or Radeon something 7500) crashes on various launches of programs from within X.

This looks like an Xlibs bug.

-----------

#10 0x0892a025 in fs_read_list_info (fpe=0x8bcf350, blockrec=0x8d65198)

   at fserve.c:2376

        binfo = 0x8d651b4
        rep = (fsListFontsWithXInfoReply *) 0x8bcf808
        buf = 0x10c3a3fc <Address 0x10c3a3fc out of bounds> <---
        conn = 0x8bcf378
        pi = (fsPropInfo *) 0x8bcf83c
        po = (fsPropOffset *) 0x8bcf844
        pd = 0x8bcf894		<----------------------
        ret = 1
        err = 146600824

-----------

The source of Xfont/fc/fserve.c at this point (in fs_read_list_info) looks like this:

    if (conn->fsMajorVersion <= 1)
    {
	memcpy (binfo->name, buf, rep->nameLength);
	buf += _fs_pad_length (rep->nameLength);
    }
    pi = (fsPropInfo *) buf;
    buf += SIZEOF (fsPropInfo);
    po = (fsPropOffset *) buf;
    buf += pi->num_offsets * SIZEOF (fsPropOffset);
    pd = (pointer) buf;		<--------------------------
    buf += pi->data_len;	<--------------------------
    if (conn->fsMajorVersion > 1)
    {
	memcpy (binfo->name, buf, rep->nameLength);
	buf += _fs_pad_length (rep->nameLength);
    }

-----------

From the fact that "pd" is set to a legal value in the debugging output, while "buf" (after adding "pi->data_len") is "out of bounds", I would very much assume that "pi->data_len" contains garbage.

As regards why it does this, I have no idea.

Are these patches in the Debian SVN:

http://freedesktop.org/cgi-bin/viewcvs.cgi/xlibs/Xfont/fc/fserve.c?r1=3.22&r2=3.22.2.1
http://freedesktop.org/cgi-bin/viewcvs.cgi/xlibs/Xfont/fc/fserve.c?r1=3.23&r2=3.24
http://cvsweb.xfree86.org/cvsweb/xc/lib/font/fc/fserve.c.diff?r1=3.26&r2=3.27

Thomas

--
Thomas Winischhofer
Vienna/Austria
thomas AT winischhofer DOT net	       *** http://www.winischhofer.net
twini AT xfree86 DOT org
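The walk over the reply in fs_read_list_info quoted above advances "buf" by three server-supplied counts (rep->nameLength, pi->num_offsets and pi->data_len) without checking any of them against the size of the reply, which is why a garbage data_len ends up as an out-of-bounds pointer. The C below is an added example, not Thomas's code and not the Xfont/fserve.c code: it re-walks the same layout with every length checked against the remaining bytes first. The struct layouts (PropInfo, PropOffset), the pad4 helper standing in for _fs_pad_length, host byte order and the sample reply are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified stand-ins for fsPropInfo / fsPropOffset (assumption: 4-byte
 * fields in this order; the real X font-server headers define the layout). */
typedef struct { uint32_t num_offsets; uint32_t data_len; } PropInfo;
typedef struct { uint32_t name_off, name_len, value_off, value_len, type; } PropOffset;

typedef struct {
    const uint8_t *name;  uint32_t name_len;
    uint32_t num_offsets; const uint8_t *po;  /* start of the offset table */
    const uint8_t *pd;    uint32_t data_len;  /* property data block */
} FontInfo;

/* Stand-in for _fs_pad_length: round a length up to a multiple of 4. */
static size_t pad4(size_t n) { return (n + 3) & ~(size_t)3; }

/* Advance *off by need only if that many bytes remain in a buffer of len.
 * *off <= len is an invariant, so len - *off cannot wrap. */
static int take(size_t *off, size_t len, size_t need) {
    if (need > len - *off) return -1;
    *off += need;
    return 0;
}

/* Bounds-checked version of the buf-walking code shown above.
 * buf/len: reply body after the fixed header; name_length: rep->nameLength;
 * major > 1 places the font name after the property data instead of before.
 * Returns 0 on success, -1 if any length field would run past the reply. */
int parse_font_info(const uint8_t *buf, size_t len, uint32_t name_length,
                    int major, FontInfo *out) {
    size_t off = 0;
    PropInfo pi;

    memset(out, 0, sizeof *out);
    if (major <= 1) {
        out->name = buf + off; out->name_len = name_length;
        if (take(&off, len, pad4(name_length))) return -1;
    }
    if (len - off < sizeof pi) return -1;
    memcpy(&pi, buf + off, sizeof pi);   /* copy, not cast: no alignment trap */
    off += sizeof pi;
    /* num_offsets is server-controlled: check it before the multiply can wrap */
    if (pi.num_offsets > (len - off) / sizeof(PropOffset)) return -1;
    out->num_offsets = pi.num_offsets;
    out->po = buf + off;
    off += pi.num_offsets * sizeof(PropOffset);
    /* data_len is the field the crash points at: refuse to step past the end */
    out->pd = buf + off;
    out->data_len = pi.data_len;
    if (take(&off, len, pi.data_len)) return -1;
    if (major > 1) {
        out->name = buf + off; out->name_len = name_length;
        if (take(&off, len, pad4(name_length))) return -1;
    }
    return 0;
}

static void put32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); } /* host order */

/* Constructed version-2 reply (not captured traffic): PropInfo, one
 * PropOffset, 8 bytes of property data, then the name "fixed" padded to 8.
 * Returns 0 when the reply parses and yields the expected name, -1 when a
 * length is rejected, 1 if it parsed but the fields came out wrong. */
int demo_parse(uint32_t data_len) {
    uint8_t msg[8 + 20 + 8 + 8] = {0};
    FontInfo fi;
    put32(msg, 1);             /* num_offsets */
    put32(msg + 4, data_len);  /* honest value is 8; anything larger is garbage */
    memcpy(msg + 36, "fixed", 5);
    if (parse_font_info(msg, sizeof msg, 5, 2, &fi) != 0) return -1;
    return (fi.name_len == 5 && memcmp(fi.name, "fixed", 5) == 0 &&
            fi.data_len == data_len) ? 0 : 1;
}

int main(void) {
    printf("data_len=8: %d\n", demo_parse(8));
    printf("data_len=0x10c3a3fc: %d\n", demo_parse(0x10c3a3fcu));
    return 0;
}
```

With data_len=8 the walk ends exactly at the end of the 44-byte message; with the out-of-bounds style value the take() on data_len fails and the caller gets -1 instead of a pointer it cannot dereference. A value of 12 is also rejected, because the name would then not fit in what remains.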