Bugzilla – Bug 9160
XQueryColors doesn't bounds-check its ncolors argument
Last modified: 2011-12-15 16:46:38 UTC
As reported in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278984,
XQueryColors has poor behavior if more colors are passed than the server's core
maximum request length minus 2 (generally 65533 colors). Prior to the
introduction of XCB, the client would generally just hang, or sometimes report a
BadRequest error. With XCB, under some circumstances this bug triggers an
assertion failure in the client instead.
Xlib is delivering the right amount of data to the server, but overflowing the
16-bit request length field. It should split the request into chunks that fit in
the core maximum request length, and use an async reply handler to make all the
synchronous requests in one round-trip.
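The length arithmetic the report describes, as an added C illustration (not Xlib's code and not either attached patch): a core QueryColors request is a 2-unit header plus one 4-byte unit per colour, so an unchecked count wraps the 16-bit length field. The function names and the 70000-colour sample are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* QueryColors: 8-byte header (2 four-byte units) + one 4-byte pixel per
 * colour. The core length field is a CARD16 counted in 4-byte units. */
#define QC_HEADER_UNITS 2u

/* Value that lands in the 16-bit length field when ncolors is unchecked. */
static uint16_t wire_length(uint32_t ncolors)
{
    return (uint16_t)(QC_HEADER_UNITS + ncolors);  /* truncates silently */
}

/* Most colours that fit in one request for the server's maximum request
 * length (given in 4-byte units, as in the connection setup). */
static uint32_t max_colors_per_request(uint32_t max_request_units)
{
    return max_request_units > QC_HEADER_UNITS
               ? max_request_units - QC_HEADER_UNITS : 0;
}

/* Split ncolors into per-request chunk sizes. Stores up to cap sizes and
 * returns the number of requests needed (0 if nothing to send or no room). */
static size_t plan_chunks(uint32_t ncolors, uint32_t max_request_units,
                          uint32_t *sizes, size_t cap)
{
    uint32_t per = max_colors_per_request(max_request_units);
    size_t n = 0;
    if (per == 0)
        return 0;
    while (ncolors > 0) {
        uint32_t take = ncolors < per ? ncolors : per;
        if (n < cap)
            sizes[n] = take;
        n++;
        ncolors -= take;
    }
    return n;
}

int main(void)
{
    uint32_t sizes[4];
    size_t n = plan_chunks(70000, 65535, sizes, 4);  /* constructed sample */
    printf("unchecked length field for 70000 colours: %u\n", wire_length(70000));
    for (size_t i = 0; i < n && i < 4; i++)
        printf("request %zu: %u colours\n", i, sizes[i]);
    return 0;
}
```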
Created attachment 7902
Kusanagi Kouichi's suggested fix
In the Debian bug report for this issue, Kusanagi Kouichi
<firstname.lastname@example.org> provided this proposed patch; I missed it on first
reading of the mail. On quick inspection, it looks like the right fix, except
that ideally it would use an async reply handler to issue all the requests in
one round-trip. I'm also not sure how apps would deal with multiple X errors
from a single call to XQueryColors.
Sorry about the phenomenal bug spam, guys. Adding xorg-team@ to the QA contact so bugs don't get lost in future.
yeah, this should get fixed up for 7.5.
Sent this to the mailing list. This bug report's not doing us any good, so I'll close it.
Created attachment 41238
Use big request if the server supports it.
Could you please send this to xorg-devel for review, so we can close this up?
Has now been pushed to git master: