Bug 372 - libX11: XPolygonRegion crashes with segfault if point count < 2
Summary: libX11: XPolygonRegion crashes with segfault if point count < 2
Alias: None
Product: xorg
Classification: Unclassified
Component: Lib/Xlib (show other bugs)
Version: unspecified
Hardware: All All
: high critical
Assignee: Jim Gettys
QA Contact:
Depends on:
Reported: 2004-03-24 05:14 UTC by Andreas Luik
Modified: 2004-08-10 05:26 UTC (History)
1 user (show)

See Also:
i915 platform:
i915 features:

test program (457 bytes, text/plain)
2004-03-24 05:19 UTC, Andreas Luik
no flags Details

Description Andreas Luik 2004-03-24 05:14:21 UTC
The function XPolygonRegion crashes with a segmentation fault if it
is called with a point count of 0 or 1.  The manual page does not
list any restriction for the count.  Even if it did, the function should
not crash.

Obviously, the problem results from the fact that CreateETandAET() does
not initialize the ET and AET variables if count < 2, but they are
used (uninitialized) afterwards.
Comment 1 Andreas Luik 2004-03-24 05:19:32 UTC
Created attachment 166 [details]
test program

How to reproduce:
use the attached test program "polyregion.c"
compile and run it as follows:

marx:~/test/X11(1154)> ./polygonregion 4				       
bounding box x=1 y=4 w=4 h=6
marx:~/test/X11(1156)> ./polygonregion 2
bounding box x=0 y=0 w=0 h=0
marx:~/test/X11(1157)> ./polygonregion 1
Bus error (core dumped)
marx:~/test/X11(1158)> ./polygonregion 0
Bus error (core dumped)

The results for count==4 and ==2 are OK, but it crashes for count==1
and ==0.  Instead it should return an empty region.
Comment 2 Adam Jackson 2004-08-03 20:13:18 UTC
doesn't crash for me, but i do get warnings about calling free() on bogus
pointers.  running with MALLOC_CHECK_=2 makes it abort on the bad free:

(gdb) bt
#0  0xffffe410 in ?? ()
#1  0xbfffecb0 in ?? ()
#2  0x00000006 in ?? ()
#3  0x00004c4e in ?? ()
#4  0x46b6b3b5 in raise () from /lib/libc.so.6
#5  0x46b6ca22 in abort () from /lib/libc.so.6
#6  0x46bb2c89 in _IO_file_xsputn () from /lib/libc.so.6
#7  0x46bb3d55 in free () from /lib/libc.so.6
#8  0x4004450e in FreeStorage (pSLLBlock=0x0) at PolyReg.c:381
#9  0x400448e4 in XPolygonRegion (Pts=0xbffff3c0, Count=134518884, rule=1)
    at PolyReg.c:624
#10 0x0804858e in main (argc=2, argv=0xbffff474) at polygonregion-crasher.c:14

proposed fix in PolyReg.c:
@@ -494,6 +494,8 @@

     if (! (region = XCreateRegion())) return (Region) NULL;

+    if (Count == 0 || Count == 1) return region;
     /* special case a rectangle */
     pts = Pts;
     if (((Count == 4) ||
Comment 3 Adam Jackson 2004-08-04 17:41:17 UTC
actually since Count is signed that should be:

@@ -494,6 +494,8 @@

     if (! (region = XCreateRegion())) return (Region) NULL;

+    if (Count < 2) return region;
     /* special case a rectangle */
     pts = Pts;
     if (((Count == 4) ||

why Count is signed is a mystery, but trying to pass a negative value for Count
crashes really hard.
Comment 4 Adam Jackson 2004-08-10 22:26:14 UTC
fixed in CVS, with the count<2 check moved after the rectangle fast path.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.