Bug 2942

Summary: "xman" may crash when opening the print dialog
Product: xorg
Component: App/xman
Reporter: Roland Mainz <roland.mainz>
Assignee: Roland Mainz <roland.mainz>
Status: RESOLVED FIXED
Severity: blocker
Priority: high
CC: roland.mainz
Version: 6.8.2
Hardware: All
OS: All

Attachments:
Description: Patch for 2005-04-09-trunk which uses |XtCalloc()| instead of |XtMalloc()| to clear the |ManpageGlobals| structure correctly
Flags: roland.mainz: 6.8-branch?

Description Roland Mainz 2005-04-08 23:23:53 UTC
[Originally reported by Daniel Martini]
"xman" may crash when opening the print dialog due to usage of uninitialised
pointers.

A quick test using "valgrind" shows this:
-- snip --
valgrind --num-callers=15 ./xman)
==24920== Memcheck, a.k.a. Valgrind, a memory error detector for x86-linux.
==24920== Copyright (C) 2002-2003, and GNU GPL'd, by Julian Seward.
==24920== Using valgrind-2.0.0, a program supervision framework for x86-linux.
==24920== Copyright (C) 2000-2003, and GNU GPL'd, by Julian Seward.
==24920== Estimated CPU clock rate is 1197 MHz
==24920== For more details, rerun with: -v
==24920== 
==24920== Conditional jump or move depends on uninitialised value(s)
==24920==    at 0x40010606: strchr (in /lib/ld-2.3.2.so)
==24920== 
==24920== Conditional jump or move depends on uninitialised value(s)
==24920==    at 0x804D3FB: PrintThisManpage (in
/home/gismobile/projects/xorg/commit1/xc/programs/xman/xman)
==24920==    by 0x804C81F: OptionCallback (in
/home/gismobile/projects/xorg/commit1/xc/programs/xman/xman)
==24920==    by 0x402B173F: XtCallCallbacks (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402638C9: Notify (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xaw/libXaw.so.8.0)
==24920==    by 0x4026223C: Notify (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xaw/libXaw.so.8.0)
==24920==    by 0x402E5BA3: HandleActions (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402E619D: HandleSimpleState (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402E67FB: _XtTranslateEvent (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402BE67F: XtDispatchEventToWidget (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402BF1F4: _XtDefaultDispatcher (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402BF2F0: XtDispatchEvent (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402BF861: XtAppMainLoop (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x80532F0: main (in
/home/gismobile/projects/xorg/commit1/xc/programs/xman/xman)
==24920==    by 0x404318AD: __libc_start_main (in /lib/libc.so.6)
==24920==    by 0x804B2C0: (within
/home/gismobile/projects/xorg/commit1/xc/programs/xman/xman)
==24920== 
==24920== Conditional jump or move depends on uninitialised value(s)
==24920==    at 0x402E9A31: XtVaGetValues (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x804D426: PrintThisManpage (in
/home/gismobile/projects/xorg/commit1/xc/programs/xman/xman)
==24920==    by 0x804C81F: OptionCallback (in
/home/gismobile/projects/xorg/commit1/xc/programs/xman/xman)
==24920==    by 0x402B173F: XtCallCallbacks (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402638C9: Notify (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xaw/libXaw.so.8.0)
==24920==    by 0x4026223C: Notify (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xaw/libXaw.so.8.0)
==24920==    by 0x402E5BA3: HandleActions (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402E619D: HandleSimpleState (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402E67FB: _XtTranslateEvent (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402BE67F: XtDispatchEventToWidget (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402BF1F4: _XtDefaultDispatcher (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402BF2F0: XtDispatchEvent (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402BF861: XtAppMainLoop (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x80532F0: main (in
/home/gismobile/projects/xorg/commit1/xc/programs/xman/xman)
==24920==    by 0x404318AD: __libc_start_main (in /lib/libc.so.6)
==24920== 
==24920== Use of uninitialised value of size 4
==24920==    at 0x402BB9D8: XtWidgetToApplicationContext (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402C325D: XtGetValues (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402E9BC4: XtVaGetValues (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x804D426: PrintThisManpage (in
/home/gismobile/projects/xorg/commit1/xc/programs/xman/xman)
==24920==    by 0x804C81F: OptionCallback (in
/home/gismobile/projects/xorg/commit1/xc/programs/xman/xman)
==24920==    by 0x402B173F: XtCallCallbacks (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402638C9: Notify (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xaw/libXaw.so.8.0)
==24920==    by 0x4026223C: Notify (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xaw/libXaw.so.8.0)
==24920==    by 0x402E5BA3: HandleActions (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402E619D: HandleSimpleState (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402E67FB: _XtTranslateEvent (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402BE67F: XtDispatchEventToWidget (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402BF1F4: _XtDefaultDispatcher (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402BF2F0: XtDispatchEvent (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402BF861: XtAppMainLoop (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920== 
==24920== Invalid read of size 1
==24920==    at 0x402BB9EA: XtWidgetToApplicationContext (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402C325D: XtGetValues (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402E9BC4: XtVaGetValues (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x804D426: PrintThisManpage (in
/home/gismobile/projects/xorg/commit1/xc/programs/xman/xman)
==24920==    by 0x804C81F: OptionCallback (in
/home/gismobile/projects/xorg/commit1/xc/programs/xman/xman)
==24920==    by 0x402B173F: XtCallCallbacks (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402638C9: Notify (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xaw/libXaw.so.8.0)
==24920==    by 0x4026223C: Notify (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xaw/libXaw.so.8.0)
==24920==    by 0x402E5BA3: HandleActions (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402E619D: HandleSimpleState (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402E67FB: _XtTranslateEvent (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402BE67F: XtDispatchEventToWidget (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402BF1F4: _XtDefaultDispatcher (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402BF2F0: XtDispatchEvent (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402BF861: XtAppMainLoop (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    Address 0x61687343 is not stack'd, malloc'd or free'd
==24920== 
==24920== Use of uninitialised value of size 4
==24920==    at 0x402C385A: _XtIsHookObject (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402C325D: XtGetValues (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402E9BC4: XtVaGetValues (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x804D426: PrintThisManpage (in
/home/gismobile/projects/xorg/commit1/xc/programs/xman/xman)
==24920==    by 0x804C81F: OptionCallback (in
/home/gismobile/projects/xorg/commit1/xc/programs/xman/xman)
==24920==    by 0x402B173F: XtCallCallbacks (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402638C9: Notify (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xaw/libXaw.so.8.0)
==24920==    by 0x4026223C: Notify (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xaw/libXaw.so.8.0)
==24920==    by 0x402E5BA3: HandleActions (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402E619D: HandleSimpleState (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402E67FB: _XtTranslateEvent (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402BE67F: XtDispatchEventToWidget (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402BF1F4: _XtDefaultDispatcher (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402BF2F0: XtDispatchEvent (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
==24920==    by 0x402BF861: XtAppMainLoop (in
/home/gismobile/projects/xorg/commit1/xc/lib/Xt/libXt.so.6.0)
-- snip --
etc. etc.
The problem may or may not crash "xman" depending on what's in the memory block
returned by |GetGlobals()|.
Comment 1 Roland Mainz 2005-04-08 23:26:15 UTC
A quick analysis shows that the "xman" code has _two_ (and not _one_) places
where the |ManpageGlobals| structure gets allocated. Opening the print dialog
from a real manpage window does not cause any problems - but opening it from
the "welcome" page may lead to a crash.

Taking bug myself, the fix for this is quite easy...
Comment 2 Roland Mainz 2005-04-08 23:39:59 UTC
Created attachment 2360
Patch for 2005-04-09-trunk which uses |XtCalloc()| instead of |XtMalloc()| to clear the |ManpageGlobals| structure correctly
Comment 3 Roland Mainz 2005-04-08 23:44:17 UTC
Patch checked-in...

/cvs/xorg/xc/ChangeLog,v  <--  xc/ChangeLog
new revision: 1.863; previous revision: 1.862
/cvs/xorg/xc/programs/xman/buttons.c,v  <--  xc/programs/xman/buttons.c
new revision: 1.6; previous revision: 1.5
Mailing the commit message to xorg-commit@lists.freedesktop.org...

... marking bug as FIXED.
Comment 4 Roland Mainz 2005-04-08 23:47:01 UTC
Comment on attachment 2360
Patch for 2005-04-09-trunk which uses |XtCalloc()| instead of |XtMalloc()| to clear the |ManpageGlobals| structure correctly

Requesting approval for X11R6.8.x stable branch. The patch cures a quite
common crasher in "xman"'s print dialog which may occur on opening the dialog
due to an uninitialised structure.

The fix is to clear the structure before using it (=allocating it using
|XtCalloc()| instead of |XtMalloc()|).
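
The failure mode discussed in this report, as an added example that is not xman's code and not part of any comment above: a structure with two allocation sites, where only one clears a lazily created pointer, and a zeroing allocation that makes both sites safe. The `Globals` type, its fields, and `alloc_dirty()` (which stands in for `XtMalloc()` returning a recycled heap block) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for xman's ManpageGlobals; field names are invented. */
typedef struct {
    char  title[32];
    void *print_dialog;   /* created lazily the first time "Print" is chosen */
} Globals;

/* Models XtMalloc() handing back a recycled block: the contents are whatever
 * the previous owner left behind (here, constructed filler bytes). */
static void *alloc_dirty(size_t n) {
    void *p = malloc(n);
    if (p == NULL) abort();
    memset(p, 0x43, n);
    return p;
}

/* Allocation site 1 (manpage window): every field is initialised by hand. */
static Globals *new_manpage_globals(void) {
    Globals *g = alloc_dirty(sizeof *g);
    strcpy(g->title, "manpage");
    g->print_dialog = NULL;
    return g;
}

/* Allocation site 2 (welcome page): print_dialog is never assigned, so it is
 * only safe when the block was zeroed, as calloc()/XtCalloc() guarantee. */
static Globals *new_welcome_globals(int zeroed) {
    Globals *g = zeroed ? calloc(1, sizeof *g) : alloc_dirty(sizeof *g);
    if (g == NULL) abort();
    strcpy(g->title, "welcome");
    return g;
}

/* Guard a print handler relies on: 1 = create the dialog first,
 * 0 = the stored pointer is trusted and handed to the toolkit. */
static int must_create_dialog(const Globals *g) {
    return g->print_dialog == NULL;
}

int main(void) {
    Globals *m = new_manpage_globals();
    Globals *bad = new_welcome_globals(0), *ok = new_welcome_globals(1);
    printf("manpage=%d welcome(dirty)=%d welcome(zeroed)=%d\n",
           must_create_dialog(m), must_create_dialog(bad), must_create_dialog(ok));
    free(m); free(bad); free(ok);
    return 0;
}
```

With the dirty block the guard reports that a dialog already exists, so stale heap bytes would be passed on as a widget pointer, which matches the "Invalid read" on a non-heap address in the valgrind trace.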
