Bug#298720: libx11-6: XCreateFontSet crashes with "*" as font name

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#298720: libx11-6: XCreateFontSet crashes with "*" as font name
From: Manuel Menal <mmenal@hurdfr.org>
Date: Wed, 09 Mar 2005 15:42:12 +0100
Message-id: <[🔎] 200503091441.j29EftOf029376@zeus.eila.jussieu.fr>
Reply-to: Manuel Menal <mmenal@hurdfr.org>, 298720@bugs.debian.org

Package: libx11-6
Version: 4.3.0.dfsg.1-12.0.1
Severity: normal

Hello,

root-tail seems to trigger a bug in XLib, as reported in #298708.
It seems XCreateFontSet() crashes when passed the string "*" as
second argument (font name). Here is a simple test case which 
triggers the bug :

#include <X11/Xlib.h>
#include <stdio.h>

int 
main (int argc, char **argv)
{
  Display *dpy = NULL;
  char *base_name = "*";
  char **missing_charset = NULL;
  int missing_charsetn = -1;
  char *def_str = NULL;
  XFontSet font_set = NULL;
  
  dpy = XOpenDisplay (NULL);
  if (!dpy)
    {
      fprintf(stderr, "Cannot open display");
      return -1;
    }

  font_set = 
    XCreateFontSet(dpy,
		   base_name,
		   &missing_charset,
		   &missing_charsetn,
		   &def_str);
  
 if (font_set) 
     XFreeFontSet(dpy, font_set);

 XCloseDisplay(dpy);

 return 0;
}

Which gives :

$ gcc -Wall -ggdb test.c -o test -L/usr/X11R6/lib -lX11
$ gdb ./test
[...]
(gdb) r
Program received signal SIGSEGV, Segmentation fault.
0x40163af4 in mallopt () from /lib/tls/libc.so.6
(gdb) bt
#0  0x40163af4 in mallopt () from /lib/tls/libc.so.6
#1  0x40162a4b in free () from /lib/tls/libc.so.6
#2  0x4001f36a in _Xutf8DefaultDrawImageString ()
   from /usr/X11R6/lib/X11/locale/lib/common/xomGeneric.so.2
#3  0x4001f52f in _Xutf8DefaultDrawImageString ()
   from /usr/X11R6/lib/X11/locale/lib/common/xomGeneric.so.2
#4  0x4001f868 in _Xutf8DefaultDrawImageString ()
   from /usr/X11R6/lib/X11/locale/lib/common/xomGeneric.so.2
#5  0x4001fe09 in destroy_fontdata ()
   from /usr/X11R6/lib/X11/locale/lib/common/xomGeneric.so.2
#6  0x40079491 in XCreateOC () from /usr/X11R6/lib/libX11.so.6
#7  0x40078825 in XCreateFontSet () from /usr/X11R6/lib/libX11.so.6
#8  0x08048658 in main (argc=1, argv=0xbffffa64) at test.c:21
(gdb)

It seems like there's a double-free somewhere, but I couldn't 
find it at first look, and I'm surely not as familiar as you
are with this code. :)

Thanks a lot,

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-1-386
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15)

Versions of packages libx11-6 depends on:
ii  debconf [debconf-2.0]    1.4.46          Debian configuration management sy
ii  libc6                    2.3.2.ds1-20    GNU C Library: Shared libraries an
ii  xfree86-common           4.3.0.dfsg.1-12 X Window System (XFree86) infrastr
ii  xlibs-data               4.3.0.dfsg.1-12 X Window System client data

-- debconf information excluded

Reply to:

Prev by Date: Re: X Strike Force XFree86 SVN commit: r2208 - /
Next by Date: xfree86 built on sparc but not uploaded
Previous by thread: Processed: merging 175074 and 297633
Next by thread: xfree86 built on sparc but not uploaded
Index(es):
- Date
- Thread