The XCreateFontSet function frees the given base_font_name_list argument when it's an empty string (possibly in other circumstances too). In this case the client application may crash because of double-free problems or other side effects. The problem may only occur for invalid font names, but the function should not free any client pointer in any case.

See the attached test program which triggers the problem. When using an empty string, the pointer is freed by XCreateFontSet (see attached valgrind output), but when using "foo" as base_font_name_list the string isn't freed. In both cases the function returns NULL as expected.

Platform:
--------------------------------------
$ X -version

X Window System Version 6.8.2
Release Date: 9 February 2005
X Protocol Version 11, Revision 0, Release 6.8.2
Build Operating System: SuSE Linux [ELF] SuSE
Current Operating System: Linux equinox 2.6.13-15.8-smp #1 SMP Tue Feb 7 11:07:24 UTC 2006 i686
Build Date: 18 March 2006
Before reporting problems, check http://wiki.X.Org
to make sure that you have the latest version.
Module Loader present
--------------------------------------

If it helps, here's my guess about the problem after taking a peek at the X source code:

The function XCreateFontSet in FSWrap.c creates an OC with XCreateOC using the given base_font_name_list, so it looks like core.base_name_list is the actual pointer to the base_font_name_list string from the client. destroy_oc in omGeneric.c frees core.base_name_list, which is allocated in parse_fontname (using the original pointer). But the first function call, _XParseBaseFontNameList, returns without going to label "err", leaving the original pointer in core.base_name_list. So destroy_oc frees this pointer (which matches the valgrind output).
Created attachment 5829
basic testcase which triggers the problem

The described bug is triggered by using an empty fontname; when using something like this:

fontname = strdup( "foo" )

it doesn't occur.
Created attachment 5830
valgrind output
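A minimal model of the ownership defect the report describes, added here as an illustration; it is not libX11 code and not the attached test program. ModelOC, buggy_create, fixed_create and caller_buffer_freed_by are made-up names standing in for the OC, the XCreateFontSet parse path and destroy_oc, and the helper passes a strdup'd string the way the attached testcase does so that the library's free() on it is observable without a crash.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Model of the ownership defect described in the report; not libX11 code.
 * The parser replaces base_name_list with an owned copy, but an early error
 * return leaves the caller's pointer there and destroy_oc frees it anyway. */
typedef struct { char *base_name_list; } ModelOC;
static uintptr_t last_freed;              /* address last handed to free() */
static void destroy_oc(ModelOC *oc) {     /* releases whatever the field holds */
    last_freed = (uintptr_t)oc->base_name_list;
    free(oc->base_name_list);
}
/* Buggy flow: the OC aliases the caller's string, and an empty name errors
 * out before the owned copy exists, so destroy_oc frees client memory. */
int buggy_create(char *base_font_name_list) {
    ModelOC oc = { base_font_name_list };              /* alias, not a copy */
    if (*base_font_name_list == '\0') {                /* parse error path */
        destroy_oc(&oc);                               /* frees client memory */
        return 0;
    }
    oc.base_name_list = strdup(base_font_name_list);   /* now an owned copy */
    destroy_oc(&oc);
    return 0;                        /* NULL font set either way, as reported */
}
/* Fixed flow: the field only ever holds memory this code allocated, so
 * every path through destroy_oc is safe and the caller keeps its string. */
int fixed_create(char *base_font_name_list) {
    ModelOC oc = { NULL };                             /* nothing owned yet */
    if (*base_font_name_list == '\0') {
        destroy_oc(&oc);                               /* free(NULL): no-op */
        return 0;
    }
    oc.base_name_list = strdup(base_font_name_list);
    destroy_oc(&oc);
    return 0;
}

/* Runs one case on a heap-allocated caller string, as the attached test does,
 * and reports whether the library released the caller's buffer; a real client
 * would free() it again afterwards, which is the double free valgrind shows. */
int caller_buffer_freed_by(int (*create)(char *), const char *name) {
    char *s = strdup(name);
    uintptr_t addr = (uintptr_t)s;
    last_freed = 0;
    create(s);
    int hit = (last_freed == addr);
    if (!hit) free(s);         /* still ours; when hit, it is already gone */
    return hit;
}
```

The helper reproduces the report's two observations: the empty name makes the buggy path free the caller's buffer while "foo" does not, and the fixed path never touches client memory on either input.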
Sorry about the phenomenal bug spam, guys. Adding xorg-team@ to the QA contact so bugs don't get lost in future.
This does not crash for me. I'm assuming it was fixed at some point over the past few years.
Hi, it might be an old bug and maybe it's fixed, but have you checked the valgrind output for the given testcase? For me it still gives an error because of the double-free. This is my current X version:

$ X -version

X.Org X Server 1.6.3
Release Date: 2009-7-31
X Protocol Version 11, Revision 0
Build Operating System: Slackware 13.0 Slackware Linux Project
Current Operating System: Linux firetower 2.6.29.6 #2 SMP Mon Dec 7 14:40:49 CST 2009 x86_64
Build Date: 26 August 2010 03:57:06PM
Before reporting problems, check http://wiki.x.org
to make sure that you have the latest version.
Yes, I saw your valgrind data, but I cannot reproduce the issue with recent bits. You have an old server, so I assume you also have an old libX11 as well. I ran your test under guard malloc and did not run into any issues. Please update your system and try again. If you have issues with current deliverables, reopen.