Summary: | libX11 patch for CVE-2007-1667 causes Opera to segfault | ||
---|---|---|---|
Product: | xorg | Reporter: | Jakub Moc <jakub> |
Component: | Lib/Xlib | Assignee: | Xorg Project Team <xorg-team> |
Status: | RESOLVED NOTOURBUG | QA Contact: | Xorg Project Team <xorg-team> |
Severity: | major | ||
Priority: | medium | CC: | axel |
Version: | unspecified | ||
Hardware: | Other | ||
OS: | All | ||
URL: | http://xorg.freedesktop.org/archive/X11R7.2/patches/xorg-libX11-1.1.1-xinitimage.diff | ||
Whiteboard: | |||
Description
Jakub Moc
2007-04-05 16:07:56 UTC
The crash happens because the patch is buggy:

min_bytes_per_line = ROUNDUP((bits_per_pixel * width), image->bitmap_pad);

It must be (bits_per_pixel * width)/8, obviously!

Uh, forget that. ROUNDUP does not do what its name implies it does. Not only does it round up, but also divide by 8. Sheesh.

This also seems to break rdesktop, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=418021 .

It looks like some apps don't check the return value from XCreateImage(), and that the added checks make it return NULL where the apps expected success. See also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=418016;msg=24

It looks like Opera have issued a fix. From what I was seeing, some apps were assuming they needed to allocate w*depth, instead of w*bpp, so maybe this was the problem with Opera. Axel, can you confirm?

Yes, exactly. We now changed the code to just not specify image_bytes_per_line - XCreateImage does that just fine itself when specifying 0.

Thanks a lot for the followup.
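The stride check discussed in this thread, as an added example that is not part of the original bug report and is not libX11 source: a small model showing why a bytes_per_line computed from depth is rejected while 0 is accepted. The function names, the -1 return standing in for NULL, and the sample dimensions are assumptions; the ROUNDUP model follows the thread's description (bits in, padded bytes out).

```c
#include <stdio.h>

/* Model of the macro the thread discusses: takes a size in BITS, rounds it
 * up to a multiple of `pad` bits, and returns the result in BYTES. */
#define ROUNDUP(nbits, pad) ((((nbits) + ((pad) - 1)) / (pad)) * ((pad) >> 3))

/* Hypothetical stand-in for the stride validation; not libX11 source.
 * Returns the stride that would be used, or -1 where XCreateImage
 * would return NULL. */
static int checked_bytes_per_line(int width, int bits_per_pixel,
                                  int bitmap_pad, int caller_bytes_per_line)
{
    int min_bytes_per_line = ROUNDUP(bits_per_pixel * width, bitmap_pad);

    if (caller_bytes_per_line == 0)
        return min_bytes_per_line;      /* 0 means "compute it for me" */
    if (caller_bytes_per_line < min_bytes_per_line)
        return -1;                      /* too small for one scanline: reject */
    return caller_bytes_per_line;
}

/* Caller mistake described in the thread: stride derived from depth
 * instead of bits_per_pixel. */
static int stride_from_depth(int width, int depth)
{
    return width * depth / 8;
}

int main(void)
{
    /* Constructed sample: depth-24 visual stored at 32 bits per pixel. */
    int width = 100, depth = 24, bpp = 32, pad = 32;
    int wrong = stride_from_depth(width, depth);

    printf("stride from depth (%d bytes) -> %d\n", wrong,
           checked_bytes_per_line(width, bpp, pad, wrong));
    printf("caller passes 0              -> %d\n",
           checked_bytes_per_line(width, bpp, pad, 0));
    return 0;
}
```

A caller that ignores the rejected case and dereferences the result is the crash pattern the comments describe; checking the return value of XCreateImage() is the fix on the application side.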