Bug 5125

Summary: XPolygonRegion double free segv
Product: xorg
Reporter: Caolán McNamara <caolanm>
Component: Lib/Xlib
Assignee: Xorg Project Team <xorg-team>
Status: RESOLVED FIXED
Severity: normal
Priority: high
CC: mharris
Version: 6.8.99.3
Hardware: x86 (IA32)
OS: Linux (All)
Bug Blocks: 1690
Attachments: sample code to reproduce

Description Caolán McNamara 2005-11-22 19:24:34 UTC
*** glibc detected *** ./a.out: double free or corruption (fasttop): 0x09c2b020 ***
======= Backtrace: =========
/lib/libc.so.6[0x4208e0]
/lib/libc.so.6(__libc_free+0x79)[0x420fa2]
/usr/lib/libX11.so.6(XPolygonRegion+0xc38)[0x553953]
./a.out[0x8048464]
/lib/libc.so.6(__libc_start_main+0xdf)[0x3d262f]
./a.out[0x80483a1]
Aborted
Comment 1 Caolán McNamara 2005-11-22 19:25:19 UTC
Created attachment 3872
sample code to reproduce

Code similar to this causes OOo impress 2.0 to crash on occasion
Comment 2 Caolán McNamara 2005-11-22 19:26:52 UTC
Works using libX11 from FC-4 xorg-x11 6.8.2
Comment 3 Kevin E. Martin 2005-12-10 02:30:02 UTC
Thanks Caolan!  The sample code helped me track down the problem -- it turned
out to be that Xlib requires not only malloc(0) return a valid pointer, but also
realloc(ptr,0) return a valid pointer.  However, most systems treat
realloc(ptr,0) as free(ptr).  I fixed it by updating the macro to set the
MALLOC_0_RETURNS_NULL define.
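
The realloc(ptr,0) hazard from comment 3, as an added example that is not part of this bug report or of Xlib's source: an error path that frees the old block after a zero-size realloc, next to a wrapper that never passes size 0. The names Reg, Box, realloc_nonzero, reg_resize_unsafe and reg_resize_safe are hypothetical, and the caller shape is an assumption made for illustration.

```c
#include <stdlib.h>

typedef struct { short x1, y1, x2, y2; } Box;
typedef struct { size_t numRects; Box *rects; } Reg;  /* hypothetical region type */

/* Hardened wrapper: a zero size is rounded up to 1, so realloc can never
 * behave as free(ptr). A NULL return then always means allocation failure,
 * and the old block is still owned by the caller. */
void *realloc_nonzero(void *ptr, size_t size)
{
    return realloc(ptr, size == 0 ? 1 : size);
}

/* "Before" shape, for contrast only; never called in this example.
 * With n == 0, realloc may free the old block and return NULL. The error
 * path reads NULL as out-of-memory and frees the old block a second time. */
int reg_resize_unsafe(Reg *reg, size_t n)
{
    Box *p = realloc(reg->rects, n * sizeof(Box));
    if (p == NULL) {
        free(reg->rects);        /* double free when n == 0 */
        reg->rects = NULL;
        return 0;
    }
    reg->rects = p;
    reg->numRects = n;
    return 1;
}

/* "After" shape: same logic, but NULL now only means a failed allocation. */
int reg_resize_safe(Reg *reg, size_t n)
{
    Box *p = realloc_nonzero(reg->rects, n * sizeof(Box));
    if (p == NULL) {
        free(reg->rects);        /* old block is still live: single free */
        reg->rects = NULL;
        return 0;
    }
    reg->rects = p;
    reg->numRects = n;
    return 1;
}

int main(void)
{
    Reg reg = { 4, malloc(4 * sizeof(Box)) };
    if (reg.rects == NULL) return 1;
    int ok = reg_resize_safe(&reg, 0);   /* empty region: shrink to zero rects */
    free(reg.rects);                     /* exactly one free of the live block */
    return ok ? 0 : 1;
}
```

Building a test program with -fsanitize=address reports a second free of the same block at the call site instead of relying on glibc's abort message.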
