Bug 349 - Multiple glyphs in RenderAddGlyphs cause malloc() corruption
Summary: Multiple glyphs in RenderAddGlyphs cause malloc() corruption
Alias: None
Product: xorg
Classification: Unclassified
Component: Server/General (show other bugs)
Version: unspecified
Hardware: x86 (IA32) Linux (All)
Importance: high normal
Assignee: Keith Packard
QA Contact:
Depends on:
Blocks: 213
Reported: 2004-03-18 16:07 UTC by Stephen McCamant
Modified: 2011-10-15 17:21 UTC (History)

See Also:

Patch to fix glyph adding loop (587 bytes, patch)
2004-03-18 16:09 UTC, Stephen McCamant

Description Stephen McCamant 2004-03-18 16:07:21 UTC
The AddGlyphs request of the Render extension (ProcRenderAddGlyphs(), around
line 1043 of xserver/render/render.c) doesn't seem to correctly handle the
case when the request includes more than one glyph. It calls AddGlyph() in a
loop, but doesn't update the arguments to the call, so it tries to add the
same glyph repeatedly, which causes trouble when AddGlyph tries to free the
"old" glyph for that position, which is really the same as the one it is
trying to add. Two times through the loop gives you a dangling pointer, and
three times gives you a double free, which in my case caused malloc's internal
state to be corrupted so that a future call to malloc() hangs.

I'll attach a patch.

I also reported this to XFree86 as their bug #1276, though at the time I
didn't understand the cause. I presume this bug exists everywhere, but
Xsdl was helpful in debugging it.
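The loop bug described in the report, modelled as an added C example rather than the server's own code: a glyph set keyed by id, an AddGlyph() that frees the glyph it replaces, the loop before and after the fix, and an alias guard in AddGlyph() (a hypothetical addition, as are all names here) that turns the dangling-pointer case into a reported failure instead of memory corruption.

```c
/* Model of the report's bug (added example, not xserver code). Names,
 * the table size and the alias guard are hypothetical. */
#include <stdlib.h>
#define MAX_GLYPHS 16   /* hypothetical table size */
typedef struct { unsigned id; unsigned char *bits; } Glyph;
typedef struct { Glyph *slot[MAX_GLYPHS]; } GlyphSet;
static Glyph *NewGlyph(unsigned id, size_t nbytes) {
    Glyph *g = calloc(1, sizeof *g);
    if (g) { g->id = id; g->bits = calloc(nbytes, 1); }
    return g; }
static void FreeGlyph(Glyph *g) { if (g) { free(g->bits); free(g); } }
/* Install glyph under id, freeing any previous glyph with that id. Freeing an
 * "old" glyph that is the glyph being added is the report's dangling pointer
 * and double free, so an added guard refuses that case instead. */
static int AddGlyph(GlyphSet *set, Glyph *glyph, unsigned id) {
    Glyph *old;
    if (id >= MAX_GLYPHS) return 0;
    old = set->slot[id];
    if (old == glyph) return 0;       /* caller passed the same glyph again */
    FreeGlyph(old);
    set->slot[id] = glyph;
    return 1;
}
/* Loop as reported: the arguments never advance, so glyph 0 is added n times.
 * Returns the number of iterations that succeeded. */
static int AddGlyphsBuggy(GlyphSet *set, Glyph **glyphs, unsigned *ids, int n) {
    for (int i = 0; i < n; i++)
        if (!AddGlyph(set, glyphs[0], ids[0])) return i;   /* stopped by guard */
    return n;
}
/* Corrected loop: each iteration adds its own glyph under its own id. */
static int AddGlyphsFixed(GlyphSet *set, Glyph **glyphs, unsigned *ids, int n) {
    for (int i = 0; i < n; i++)
        if (!AddGlyph(set, glyphs[i], ids[i])) return i;
    return n;
}
/* Build a constructed request of n distinct glyphs with ids 0..n-1, run one
 * loop, and return how many of the request's glyphs ended up installed. */
static int DemoRequest(int n, int use_fixed) {
    GlyphSet set = {{0}}; Glyph *glyphs[MAX_GLYPHS]; unsigned ids[MAX_GLYPHS];
    int i, installed = 0;
    for (i = 0; i < n; i++) { ids[i] = (unsigned)i; glyphs[i] = NewGlyph(ids[i], 64); }
    (use_fixed ? AddGlyphsFixed : AddGlyphsBuggy)(&set, glyphs, ids, n);
    for (i = 0; i < n; i++) {
        if (set.slot[ids[i]] == glyphs[i]) installed++;
        else FreeGlyph(glyphs[i]);                    /* never installed */
    }
    for (i = 0; i < MAX_GLYPHS; i++) FreeGlyph(set.slot[i]);
    return installed;
}
```

With three glyphs the buggy loop installs only the first and is stopped on its second pass, where the real server would free the glyph it had just installed; the fixed loop installs all three.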
Comment 1 Stephen McCamant 2004-03-18 16:09:54 UTC
Created attachment 156 [details] [review]
Patch to fix glyph adding loop
Comment 2 Keith Packard 2004-03-19 08:02:40 UTC
Thanks for the bugfix; it's in the xserver tree and I've placed a link to the
monolithic release metabug so we can evaluate it for that tree as well.

So, I'll leave this bug open until we've got the monolithic release patched.
Comment 3 Egbert Eich 2004-03-24 08:42:19 UTC
Keith, could you please go ahead and commit the to the XORG-RELEASE-1
Comment 4 Keith Packard 2004-03-26 08:16:59 UTC
Closed by change log entry 64 in the CHANGELOG-RELEASE-1 file
