Bug 5125 - XPolygonRegion double free segv
Status: RESOLVED FIXED
Product: xorg
Classification: Unclassified
Component: Lib/Xlib
Version: 6.8.99.3
Hardware: x86 (IA32) Linux (All)
Importance: high normal
Assigned To: Xorg Project Team
Depends on:
Blocks: 1690
Reported: 2005-11-22 19:24 UTC by Caolán McNamara
Modified: 2006-02-09 03:12 UTC (History)

Attachments
sample code to reproduce (215 bytes, text/plain)
2005-11-22 19:25 UTC, Caolán McNamara

Description Caolán McNamara 2005-11-22 19:24:34 UTC
*** glibc detected *** ./a.out: double free or corruption (fasttop): 0x09c2b020 ***
======= Backtrace: =========
/lib/libc.so.6[0x4208e0]
/lib/libc.so.6(__libc_free+0x79)[0x420fa2]
/usr/lib/libX11.so.6(XPolygonRegion+0xc38)[0x553953]
./a.out[0x8048464]
/lib/libc.so.6(__libc_start_main+0xdf)[0x3d262f]
./a.out[0x80483a1]
Aborted
Comment 1 Caolán McNamara 2005-11-22 19:25:19 UTC
Created attachment 3872 [details]
sample code to reproduce

Code similar to this causes OOo Impress 2.0 to crash on occasion.
Comment 2 Caolán McNamara 2005-11-22 19:26:52 UTC
Works using libX11 from FC-4 xorg-x11 6.8.2
Comment 3 Kevin E. Martin 2005-12-10 02:30:02 UTC
Thanks Caolan! The sample code helped me track down the problem -- it turned out to be that Xlib requires not only malloc(0) return a valid pointer, but also realloc(ptr,0) return a valid pointer. However, most systems treat realloc(ptr,0) as free(ptr). I fixed it by updating the macro to set the MALLOC_0_RETURNS_NULL define.
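The root cause from comment 3, as an added C example that is not Xlib's code: a runtime probe for whether realloc(ptr, 0) releases the block and returns NULL (the same property the configure-time MALLOC_0_RETURNS_NULL check captures), next to a wrapper with the contract Xlib assumes, where a 0-byte request still yields a freeable pointer, exercised by a constructed grow/shrink cycle that frees exactly once. The function names and the size sequence are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Probe the behaviour comment 3 describes: on most libcs realloc(ptr, 0)
 * frees ptr and returns NULL, so a caller that later frees ptr again
 * double-frees. Returns 1 if realloc(ptr, 0) returned NULL, 0 if it
 * returned a live block, -1 if the initial allocation failed. */
int realloc_zero_returns_null(void)
{
    void *p = malloc(1);
    if (p == NULL)
        return -1;
    void *q = realloc(p, 0);
    if (q == NULL)
        return 1;   /* p has already been released; nothing left to free */
    free(q);        /* this libc kept a live zero-size block */
    return 0;
}

/* Wrapper with the contract Xlib relies on: a 0-byte request still yields
 * a valid, freeable pointer (the size is bumped to 1), so callers can
 * release the result exactly once regardless of the libc. */
void *safe_realloc(void *ptr, size_t size)
{
    return realloc(ptr, size == 0 ? 1 : size);
}

/* Constructed region-like buffer that grows and shrinks, sometimes to zero
 * entries, then is freed once. Returns the number of resizes completed,
 * or -1 if an allocation failed (the buffer is released on that path). */
int resize_cycle(const size_t *counts, size_t n)
{
    int *buf = NULL;
    int done = 0;
    for (size_t i = 0; i < n; i++) {
        int *next = safe_realloc(buf, counts[i] * sizeof *buf);
        if (next == NULL) {
            free(buf);
            return -1;
        }
        buf = next;
        done++;
    }
    free(buf);  /* single release; safe even when the last count was 0 */
    return done;
}

/* Runs the cycle on a constructed sequence that hits zero twice. */
int demo_cycle(void)
{
    static const size_t counts[] = {4, 0, 8, 0, 2};
    return resize_cycle(counts, sizeof counts / sizeof counts[0]);
}
```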