Bug 10536 - libX11 patch for CVE-2007-1667 causes Opera to segfault
Status: RESOLVED NOTOURBUG
Alias: None
Product: xorg
Classification: Unclassified
Component: Lib/Xlib
Version: unspecified
Hardware: Other All
Importance: medium major
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
URL: http://xorg.freedesktop.org/archive/X...
Reported: 2007-04-05 16:07 UTC by Jakub Moc
Modified: 2007-04-06 10:29 UTC

Description Jakub Moc 2007-04-05 16:07:56 UTC
With this patch, Opera (both static and shared QT versions) just segfaults. 

Downstream bugs:
http://bugs.gentoo.org/show_bug.cgi?id=173505
http://permalink.gmane.org/gmane.linux.debian.devel.bugs.general/234966
http://my.opera.com/community/forums/topic.dml?id=183923
Comment 1 Axel Siebert 2007-04-06 01:40:40 UTC
The crash happens because the patch is buggy:

min_bytes_per_line = ROUNDUP((bits_per_pixel * width), image->bitmap_pad);

It must be (bits_per_pixel * width)/8, obviously!
Comment 2 Axel Siebert 2007-04-06 02:07:07 UTC
Uh, forget that. ROUNDUP does not do what its name implies it does. Not only does it round up, but also divide by 8. Sheesh.
Comment 3 Julien Cristau 2007-04-06 06:26:27 UTC
This also seems to break rdesktop, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=418021 .
It looks like some apps don't check the return value from XCreateImage(), and that the added checks make it return NULL where the apps expected success.
See also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=418016;msg=24
Comment 4 Daniel Stone 2007-04-06 09:30:10 UTC
it looks like opera have issued a fix.  from what i was seeing, some apps were assuming they needed to allocate w*depth, instead of w*bpp, so maybe this was the problem with opera.  axel, can you confirm?
Comment 5 Axel Siebert 2007-04-06 10:13:05 UTC
Yes, exactly. We now changed the code to just not specify image_bytes_per_line - XCreateImage does that just fine itself when specifying 0. 
Comment 6 Daniel Stone 2007-04-06 10:29:25 UTC
thanks a lot for the followup.
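
Added example, not part of the original bug thread and not libX11 source: a small C model of the stride check discussed in Comments 1 to 5, showing that the rounding helper takes bits and returns bytes, why a stride derived from w*depth is refused, and why passing 0 works. The helper names and the sample visual (100 pixels wide, depth 24 stored at 32 bits per pixel) are constructed for illustration.

```c
#include <limits.h>
#include <stdio.h>

/* Model of the rounding described in Comment 2 (hypothetical helper, not
 * libX11 source): input is a row length in BITS, output is that length
 * rounded up to a multiple of `pad` bits and expressed in BYTES. */
static int scanline_bytes(int bits, int pad)
{
    return ((bits + (pad - 1)) / pad) * (pad >> 3);
}

/* Smallest stride that holds one row; -1 on bad or overflowing input. */
static int min_bytes_per_line(int width, int bits_per_pixel, int pad)
{
    if (width <= 0 || bits_per_pixel <= 0) return -1;
    if (pad != 8 && pad != 16 && pad != 32) return -1;
    if (width > (INT_MAX - (pad - 1)) / bits_per_pixel) return -1;
    return scanline_bytes(bits_per_pixel * width, pad);
}

/* Assumed caller contract from Comments 3 and 5: 0 asks for the stride to be
 * computed, a nonzero stride below the minimum is refused. Returns the
 * stride to use, or -1 where an image constructor would return NULL. */
static int checked_stride(int width, int bits_per_pixel, int pad, int requested)
{
    int min = min_bytes_per_line(width, bits_per_pixel, pad);
    if (min < 0) return -1;
    if (requested == 0) return min;
    return requested < min ? -1 : requested;
}

int main(void)
{
    /* Constructed values: 100 pixels wide, depth 24 stored at 32 bpp. */
    int width = 100, depth = 24, bpp = 32, pad = 32;
    int from_depth = width * depth / 8;   /* the w*depth assumption: 300 */

    printf("minimum stride      : %d\n", min_bytes_per_line(width, bpp, pad));
    printf("stride from w*depth : %d -> %d\n", from_depth,
           checked_stride(width, bpp, pad, from_depth));
    printf("stride from 0       : %d\n", checked_stride(width, bpp, pad, 0));

    /* The caller-side half of the fix: test the result before using it. */
    if (checked_stride(width, bpp, pad, from_depth) < 0)
        fprintf(stderr, "stride rejected; do not touch the image\n");
    return 0;
}
```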