Bug 14689 - Invalid read in XCreateFontCursor
Status: RESOLVED FIXED
Alias: None
Product: xorg
Classification: Unclassified
Component: Lib/Xlib
Version: unspecified
Hardware: x86-64 (AMD64) Linux (All)
Importance: high normal
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
 
Reported: 2008-02-26 12:08 UTC by Tim Walters
Modified: 2010-10-17 18:37 UTC

Attachments
Simple Program Demonstrating the bug (462 bytes, text/x-c++src)
2008-02-26 12:08 UTC, Tim Walters

Description Tim Walters 2008-02-26 12:08:12 UTC
Created attachment 14590
Simple Program Demonstrating the bug

I noticed this error in valgrind yesterday when testing cursor support in my library. I wrote a minimal program to confirm this bug. Here's the output from valgrind:

==7921== Invalid read of size 8
==7921==    at 0x4015B3E: (within /lib/ld-2.6.1.so)
==7921==    by 0x400A8F7: (within /lib/ld-2.6.1.so)
==7921==    by 0x4006174: (within /lib/ld-2.6.1.so)
==7921==    by 0x40085F7: (within /lib/ld-2.6.1.so)
==7921==    by 0x4011C98: (within /lib/ld-2.6.1.so)
==7921==    by 0x400DA05: (within /lib/ld-2.6.1.so)
==7921==    by 0x401155A: (within /lib/ld-2.6.1.so)
==7921==    by 0x6B17F8A: (within /lib/libdl-2.6.1.so)
==7921==    by 0x400DA05: (within /lib/ld-2.6.1.so)
==7921==    by 0x6B184EC: (within /lib/libdl-2.6.1.so)
==7921==    by 0x6B17EF0: dlopen (in /lib/libdl-2.6.1.so)
==7921==    by 0x505FB9C: (within /usr/lib/libX11.so.6.2.0)
==7921==    by 0x50601B3: XCreateGlyphCursor (in /usr/lib/libX11.so.6.2.0)
==7921==    by 0x50605F0: XCreateFontCursor (in /usr/lib/libX11.so.6.2.0)
==7921==    by 0x400A53: main (main.cpp:15)
==7921==  Address 0x7162b68 is 24 bytes inside a block of size 25 alloc'd
==7921==    at 0x4C21FAB: malloc (vg_replace_malloc.c:207)
==7921==    by 0x4008AF5: (within /lib/ld-2.6.1.so)
==7921==    by 0x4011C98: (within /lib/ld-2.6.1.so)
==7921==    by 0x400DA05: (within /lib/ld-2.6.1.so)
==7921==    by 0x401155A: (within /lib/ld-2.6.1.so)
==7921==    by 0x6B17F8A: (within /lib/libdl-2.6.1.so)
==7921==    by 0x400DA05: (within /lib/ld-2.6.1.so)
==7921==    by 0x6B184EC: (within /lib/libdl-2.6.1.so)
==7921==    by 0x6B17EF0: dlopen (in /lib/libdl-2.6.1.so)
==7921==    by 0x505FB9C: (within /usr/lib/libX11.so.6.2.0)
==7921==    by 0x50601B3: XCreateGlyphCursor (in /usr/lib/libX11.so.6.2.0)
==7921==    by 0x50605F0: XCreateFontCursor (in /usr/lib/libX11.so.6.2.0)
==7921==    by 0x400A53: main (main.cpp:15)
==7921== 
==7921== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 7 from 1)
==7921== malloc/free: in use at exit: 27,232 bytes in 285 blocks.
==7921== malloc/free: 1,020 allocs, 735 frees, 112,877 bytes allocated.
==7921== For counts of detected errors, rerun with: -v
==7921== searching for pointers to 285 not-freed blocks.
==7921== checked 350,488 bytes.
==7921== 
==7921== 
==7921== 192 (16 direct, 176 indirect) bytes in 1 blocks are definitely lost in loss record 10 of 22
==7921==    at 0x4C22082: realloc (vg_replace_malloc.c:429)
==7921==    by 0x50984F9: (within /usr/lib/libX11.so.6.2.0)
==7921==    by 0x5098D2F: (within /usr/lib/libX11.so.6.2.0)
==7921==    by 0x509A675: _XlcCreateLC (in /usr/lib/libX11.so.6.2.0)
==7921==    by 0x50B629F: _XlcDefaultLoader (in /usr/lib/libX11.so.6.2.0)
==7921==    by 0x50A0B43: _XOpenLC (in /usr/lib/libX11.so.6.2.0)
==7921==    by 0x50A0C0A: _XrmInitParseInfo (in /usr/lib/libX11.so.6.2.0)
==7921==    by 0x50886CF: (within /usr/lib/libX11.so.6.2.0)
==7921==    by 0x5089E6D: XrmGetStringDatabase (in /usr/lib/libX11.so.6.2.0)
==7921==    by 0x506668F: XGetDefault (in /usr/lib/libX11.so.6.2.0)
==7921==    by 0x755DD43: _XcursorGetDisplayInfo (in /usr/lib/libXcursor.so.1.0.2)
==7921==    by 0x755DF08: XcursorSupportsARGB (in /usr/lib/libXcursor.so.1.0.2)
==7921==    by 0x7560759: XcursorTryShapeCursor (in /usr/lib/libXcursor.so.1.0.2)
==7921==    by 0x5060093: XCreateGlyphCursor (in /usr/lib/libX11.so.6.2.0)
==7921==    by 0x50605F0: XCreateFontCursor (in /usr/lib/libX11.so.6.2.0)
==7921==    by 0x400A53: main (main.cpp:15)
==7921== 
==7921== LEAK SUMMARY:
==7921==    definitely lost: 16 bytes in 1 blocks.
==7921==    indirectly lost: 176 bytes in 4 blocks.
==7921==      possibly lost: 0 bytes in 0 blocks.
==7921==    still reachable: 27,040 bytes in 280 blocks.
==7921==         suppressed: 0 bytes in 0 blocks.

The leak may deserve some attention too but oddly it doesn't appear in my library where this invalid read does.

X -version returns:
X Window System Version 1.3.0
Release Date: 19 April 2007
X Protocol Version 11, Revision 0, Release 1.3
Build Operating System: Linux Ubuntu (xorg-server 2:1.3.0.0.dfsg-12ubuntu8.3)
Current Operating System: Linux localhost 2.6.22-14-generic #1 SMP Tue Feb 12 02:46:46 UTC 2008 x86_64
Build Date: 18 January 2008

Sorry if this isn't the latest version, but I'm testing on Ubuntu, whose packages don't remotely keep up with latest versions.
The version of valgrind I'm using is 3.3.0.

Comment 1 Tilman Sauerbeck 2008-04-13 05:20:31 UTC
Works for me. I suspect your Valgrind suppression files don't fit your libc.

Comment 2 Jesse Adkins 2010-10-17 18:37:44 UTC
I noticed this a year or so back in Ubuntu. Every single valgrind trace of anything was showing problems with dlopen. Those have been fixed since then (on my end, at least).

I'm not seeing the last one in a valgrind trace of my own.

I'm using Ubuntu 10.10's 1.9.0 xserver, if that makes a difference.

Since the last part seems like it was valid, closing as fixed.
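
One way to triage a trace like the one in this report: check whether the faulting frame lies inside the dynamic loader (ld.so/libdl) rather than in libX11 or the application, and if so draft a Memcheck suppression for it. This Python sketch is an added example, not part of the bug report or of Valgrind; the sample text is constructed from a few frames of the report's trace plus one made-up record, and the function names and the suppression name are hypothetical.

```python
import re

# Constructed sample: selected frames of the report's "Invalid read" record,
# followed by one made-up record in application code for contrast.
SAMPLE = """\
==7921== Invalid read of size 8
==7921==    at 0x4015B3E: (within /lib/ld-2.6.1.so)
==7921==    by 0x400A8F7: (within /lib/ld-2.6.1.so)
==7921==    by 0x6B17EF0: dlopen (in /lib/libdl-2.6.1.so)
==7921==    by 0x50601B3: XCreateGlyphCursor (in /usr/lib/libX11.so.6.2.0)
==7921==    by 0x400A53: main (main.cpp:15)
==7921==  Address 0x7162b68 is 24 bytes inside a block of size 25 alloc'd
==7921==    at 0x4C21FAB: malloc (vg_replace_malloc.c:207)
==7921==
==7921== Invalid write of size 4
==7921==    at 0x400B10: fill (demo.c:9)
==7921==    by 0x400B60: main (demo.c:20)
"""

HEAD = re.compile(r"==\d+== Invalid (read|write) of size (\d+)\s*$")
FRAME = re.compile(r"==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.*?)\s*$")
IN_OBJ = re.compile(r"(?:(\S+) )?\((?:within|in) (\S+)\)$")
LOADER = re.compile(r"/(?:ld|libdl)-[\d.]+\.so$")

def parse(text):
    """Return one dict per invalid access, keeping only the access stack."""
    errors, cur = [], None
    for line in text.splitlines():
        head, frame = HEAD.match(line), FRAME.match(line)
        if head:
            cur = {"kind": head.group(1), "size": int(head.group(2)), "frames": []}
            errors.append(cur)
        elif frame and cur is not None:
            m = IN_OBJ.match(frame.group(1))
            # (function, object); object is None when valgrind printed file:line
            cur["frames"].append(m.groups() if m else (frame.group(1).split(" ")[0], None))
        else:
            cur = None  # "Address ..." or an empty record line ends the access stack
    return errors

def classify(err):
    """Flag accesses whose innermost (faulting) frame is inside ld.so/libdl."""
    obj = err["frames"][0][1] if err["frames"] else None
    return "loader-internal" if obj and LOADER.search(obj) else "needs-review"

def suppression(err, depth=4):
    """Draft a Memcheck suppression stanza from the innermost frames."""
    body = ["   fun:" + f if f else "   obj:" + o for f, o in err["frames"][:depth]]
    head = ["{", "   loader_invalid_" + err["kind"], "   Memcheck:Addr%d" % err["size"]]
    return "\n".join(head + body + ["}"])
```

Valgrind can also emit such stanzas itself with `--gen-suppressions=all`; a record classified as needs-review should be investigated rather than suppressed.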