Bug 29212

Summary: Segfault in miDCRestoreUnderCursor
Product: xorg Reporter: Stephen White <swhite-freedesktop>
Component: Server/General
Assignee: Xorg Project Team <xorg-team>
Status: RESOLVED FIXED QA Contact: Xorg Project Team <xorg-team>
Severity: normal    
Priority: medium    
Version: unspecified   
Hardware: Other   
OS: All   
Attachments (flags: none for both):
Add a guard to prevent null pointer de-reference
Updated patch for Xorg 1.9.0 (also applies to 1.9.3) as shipped with Fedora 14

Description Stephen White 2010-07-22 02:35:28 UTC
Created attachment 37299 [details]
Add a guard to prevent null pointer de-reference

We run some UI tests for our Eclipse/SWT-based application inside Xvfb using SWTBot.  Recently the Xvfb session started crashing during the tests, with the following stack trace:

#0  0x00ab3424 in __kernel_vsyscall ()
#1  0x0074fa81 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0x0075134a in abort () at abort.c:92
#3  0x081bcbeb in AbortServer () at log.c:408
#4  0x081bd21e in FatalError (f=0x81d811c "Caught signal %d (%s). Server aborting\n") at log.c:530
#5  0x081b5a70 in OsSigHandler (signo=11, sip=0xbfa154bc, unused=0xbfa1553c) at osinit.c:156
#6  <signal handler called>
#7  miDCRestoreUnderCursor (pDev=0x8d9fc80, pScreen=0x8c09088, x=-9, y=-9, w=35, h=44) at midispcur.c:576
#8  0x081a1ca3 in miSpriteRemoveCursor (pDev=0x8d9fc80, pScreen=0x8c09088) at misprite.c:995
#9  0x081a2ab2 in miSpriteSetCursor (pDev=0x8d9fc80, pScreen=0x8c09088, pCursor=0x8dd1ac0, x=172, y=12) at misprite.c:895
#10 0x081a2be0 in miSpriteMoveCursor (pDev=0x8d9fc80, pScreen=0x8c09088, x=172, y=12) at misprite.c:922
#11 0x0819c465 in miPointerUpdateSprite (pDev=0x8d9fc80) at mipointer.c:428
#12 0x08080f9a in ProcXTestFakeInput (client=0x8e6c400) at xtest.c:454
#13 0x0815bcd7 in Dispatch () at dispatch.c:439
#14 0x0814b71a in main (argc=8, argv=0xbfa15c64, envp=0xbfa15c88) at main.c:285

This is Xorg 1.7.6 as shipped by Fedora Core 12.

Line 576 of midispcur.c is inside miDCRestoreUnderCursor and is:
 pSave = pBuffer->pSave;

Searching the freedesktop.org bugzilla yielded two very similar bugs: bug 24181 and bug 27942.  These seem to relate to the same de-referencing (pSave = pBuffer->pSave;) but inside miDCSaveUnderCursor rather than miDCRestoreUnderCursor.

Our problem appears to have been solved by simply guarding the dereferencing of pBuffer in miDCRestoreUnderCursor with:
    if (!pBuffer)
        return FALSE;

(see attached patch).

I don't know if a similar guard on line 536 would solve the other bugs mentioned above, and I also don't know if the bug would be better fixed elsewhere rather than simply adding this guard.  Having said that, the guard does seem to solve the problem for us.

Unfortunately we don't have a simple set of steps to reproduce this problem, as it only occurred for us during a large set of tests of one of our products.
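The following is an added C example, not the reporter's patch or the X server's own code: it models the crash site from frame #7 with the attached guard applied, and a caller modelled on miSpriteRemoveCursor (frame #8) that treats a FALSE return as "cursor still up" so the sprite state is not lost. The struct names, the isUp handling and the copies counter are assumptions made for the model; the save-pixmap check inside the restore function is also assumed.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed, simplified stand-ins for the X server types: the crash site
 * reads pBuffer->pSave, so a NULL per-device buffer faults. */
typedef struct { int width, height; } SavedPixmap;
typedef struct { SavedPixmap *pSave; } DCBuffer;
typedef struct {
    DCBuffer *pBuffer;  /* assumed NULL for a device that has no cursor buffer */
    bool isUp;          /* sprite state, modelled on what misprite.c tracks */
} Device;

/* Modelled on miDCRestoreUnderCursor with the attached guard applied:
 * a missing buffer (or a missing save pixmap) reports FALSE instead of faulting. */
static bool restore_under_cursor(Device *pDev, int *copies_done)
{
    DCBuffer *pBuffer = pDev->pBuffer;
    if (!pBuffer)               /* the guard from the attached patch */
        return false;
    SavedPixmap *pSave = pBuffer->pSave;
    if (!pSave)                 /* existing check for a missing save pixmap (assumed) */
        return false;
    (*copies_done)++;           /* stands in for copying the saved region back */
    return true;
}

/* Modelled on miSpriteRemoveCursor (frame #8): a failed restore leaves the
 * sprite marked "up" so the next pass retries rather than losing the state. */
static bool remove_cursor(Device *pDev, int *copies_done)
{
    pDev->isUp = false;
    if (!restore_under_cursor(pDev, copies_done))
        pDev->isUp = true;
    return !pDev->isUp;
}

/* Constructed scenarios, returned as values so they can be checked. */
static bool null_buffer_is_handled(void)
{
    Device dev = { NULL, true };
    int copies = 0;
    /* no fault, cursor kept up, nothing copied */
    return !remove_cursor(&dev, &copies) && dev.isUp && copies == 0;
}

static bool valid_buffer_restores(void)
{
    SavedPixmap px = { 35, 44 };   /* w/h from frame #7 of the reported trace */
    DCBuffer buf = { &px };
    Device dev = { &buf, true };
    int copies = 0;
    return remove_cursor(&dev, &copies) && !dev.isUp && copies == 1;
}
```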
Comment 1 Stephen White 2011-02-14 08:48:03 UTC
Created attachment 43341 [details] [review]
Updated patch for Xorg 1.9.0 (also applies to 1.9.3) as shipped with Fedora 14
Comment 2 Julien Cristau 2011-02-14 08:55:47 UTC
> --- Comment #1 from Stephen White <swhite-freedesktop@corefiling.co.uk> 2011-02-14 08:48:03 PST ---
> Created an attachment (id=43341)
>  View: https://bugs.freedesktop.org/attachment.cgi?id=43341
>  Review: https://bugs.freedesktop.org/review?bug=29212&attachment=43341
> 
> Updated patch for Xorg 1.9.0 (also applies to 1.9.3) as shipped with Fedora 14
> 
Can you send your patch to xorg-devel per
http://www.x.org/wiki/Development/Documentation/SubmittingPatches ?
Comment 3 Stephen White 2011-02-17 02:49:49 UTC
Thanks.  It turns out that, after updating this patch for Xorg 1.9.0, it didn't fix the crashes we were seeing with that version.  After analysing the new core dumps we think the crashes we've been seeing in Xorg 1.9.0 are caused by bug 30032 (and the patch attached to that bug does fix our crashes).

As we're not seeing the miDCRestoreUnderCursor problems in Xorg 1.9.0 I'm going to mark this bug FIXED.  I don't know what fixed this; the most likely candidate looks like 518f3b189b6c8aa28b62837d14309fd06163ccbb.
