Bugzilla – Bug 10536
libX11 patch for CVE-2007-1667 causes Opera to segfault
Last modified: 2007-04-06 10:29:25 UTC
With this patch, Opera (both static and shared QT versions) just segfaults.
The crash happens because the patch is buggy:
min_bytes_per_line = ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
It must be (bits_per_pixel * width)/8, obviously!
Uh, forget that. ROUNDUP does not do what its name implies it does. Not only does it round up, but also divide by 8. Sheesh.
This also seems to break rdesktop, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=418021.
It looks like some apps don't check the return value from XCreateImage(), and that the added checks make it return NULL where the apps expected success.
See also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=418016;msg=24
It looks like Opera has issued a fix. From what I was seeing, some apps were assuming they needed to allocate w*depth, instead of w*bpp, so maybe this was the problem with Opera. Axel, can you confirm?
Yes, exactly. We now changed the code to just not specify image_bytes_per_line - XCreateImage does that just fine itself when specifying 0.
thanks a lot for the followup.
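The bytes_per_line check that the comments above describe, reconstructed here as an added C example (it is not the libX11 patch itself): ROUNDUP mirrors the macro from Xlib's ImUtil.c, and the function name is an assumption made for this example.

```c
#include <stdio.h>

/* Xlib's ROUNDUP macro (ImUtil.c): round a bit count up to a multiple of
 * `pad` bits and convert to bytes via pad>>3. The name hides the division
 * by 8 that comment 8 above remarks on. Reproduced from memory; check your
 * libX11 source for the authoritative definition. */
#define ROUNDUP(nbytes, pad) ((((nbytes) + ((pad) - 1)) / (pad)) * ((pad) >> 3))

/*
 * Model of the validation the CVE-2007-1667 patch adds to XCreateImage().
 * Returns the bytes_per_line the image would get, or -1 where the real
 * function frees the image and returns NULL. The name is an assumption for
 * this example, not a libX11 symbol.
 */
static long xcreateimage_bytes_per_line(int width, int bits_per_pixel,
                                        int bitmap_pad, int image_bytes_per_line)
{
    long min_bytes_per_line = ROUNDUP((long)bits_per_pixel * width, bitmap_pad);

    if (image_bytes_per_line == 0)          /* let Xlib compute it (comment 13) */
        return min_bytes_per_line;
    if (image_bytes_per_line < min_bytes_per_line)
        return -1;                          /* too small: XCreateImage returns NULL */
    return image_bytes_per_line;
}

int main(void)
{
    /* Constructed input: a 100 px wide image, 24-bit depth stored in 32 bpp,
     * 32-bit scanline padding, the usual TrueColor layout. */
    int width = 100, depth = 24, bits_per_pixel = 32, bitmap_pad = 32;

    printf("caller passes width*depth/8 = %3d -> %ld\n", width * depth / 8,
           xcreateimage_bytes_per_line(width, bits_per_pixel, bitmap_pad,
                                       width * depth / 8));
    printf("caller passes width*bpp/8   = %3d -> %ld\n", width * bits_per_pixel / 8,
           xcreateimage_bytes_per_line(width, bits_per_pixel, bitmap_pad,
                                       width * bits_per_pixel / 8));
    printf("caller passes 0                 -> %ld\n",
           xcreateimage_bytes_per_line(width, bits_per_pixel, bitmap_pad, 0));
    return 0;
}
```

The w*depth caller gets -1 (the NULL the crashing apps did not check for), while w*bpp and 0 both yield the 400-byte scanline Xlib expects.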