Summary: Excessive stack usage in dixfonts.c can cause server crash
Product: xorg
Reporter: Indan Zupancic <indan>
Component: Fonts/other
Assignee: Xorg Project Team <xorg-team>
Status: RESOLVED FIXED
QA Contact: Xorg Project Team <xorg-team>
Severity: normal
Priority: medium
Keywords: patch
Version: git
Hardware: x86 (IA32)
OS: Linux (All)
(This was also reported on the mailing list.)

Short version:
- ulimit -s 512
- doListFontsAndAliases() in dixfonts.c uses ALLOCATE_LOCAL to allocate more than 512 Kb.

Result: mysterious X crash when doing certain things, like starting OpenOffice.

With a normal X:

$ grep stack -A1 /proc/`pidof X`/smaps
afce0000-afcf6000 rw-p afce0000 00:00 0 [stack]
Size: 88 kB

But after starting e.g. OpenOffice:

$ grep stack -A1 /proc/`pidof X`/smaps
afc63000-afcf6000 rw-p afc63000 00:00 0 [stack]
Size: 588 kB

Not only does this cause a crash when ulimit -s is too low, it also wastes half a megabyte of memory, which is never returned because it's autogrown for the stack.

A simple fix is to replace ALLOCATE_LOCAL() with xalloc():

--- dix/dixfonts.c.orig 2007-05-01 03:03:20.000000000 +0200 +++ dix/dixfonts.c 2007-05-01 03:03:33.000000000 +0200 @@ -781,7 +781,7 @@ finish: reply.nFonts = nnames; reply.sequenceNumber = client->sequence; - bufptr = bufferStart = (char *) ALLOCATE_LOCAL(reply.length << 2); + bufptr = bufferStart = (char *) xalloc(reply.length << 2); if (!bufptr && reply.length) { SendErrorToClient(client, X_ListFonts, 0, 0, BadAlloc); @@ -806,7 +806,7 @@ finish: client->pSwapReplyFunc = ReplySwapVector[X_ListFonts]; WriteSwappedDataToClient(client, sizeof(xListFontsReply), &reply); (void) WriteToClient(client, stringLens + nnames, bufferStart); - DEALLOCATE_LOCAL(bufferStart); + xfree(bufferStart); bail: if (c->slept)
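Review bot: the first hunk (@@ -781, the allocation under `finish:`) moves the reply buffer to the heap without recording why; add a comment above `bufptr = bufferStart = (char *) xalloc(reply.length << 2);` stating that the size is whatever the ListFonts reply being built needs (about 500 kB in this report) and therefore must not come from the stack, so the line is not reverted to ALLOCATE_LOCAL later. The existing `if (!bufptr && reply.length)` check already copes with xalloc returning NULL for a zero-length reply, so no change is needed there.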
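Review bot: in the second hunk (@@ -806) the new `xfree(bufferStart);` sits just before the `bail:` label, so unlike DEALLOCATE_LOCAL it is skipped by every `goto bail` taken after the allocation at `finish:` succeeded, which turns those exits into leaks; either release the buffer on each such path, or move the free to after `bail:` so every exit passes through it, initialising bufferStart to NULL where it is declared and confirming xfree accepts NULL before relying on that.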
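Added illustration, not part of the bug report or of the X server sources: this C program (assuming Linux with GCC or Clang; `fill_reply` and `stack_bytes_consumed` are my own names) builds a reply buffer of a given size first the way ALLOCATE_LOCAL did on alloca platforms and then the way the patch does, and returns how many bytes of stack each variant charged below the caller's frame.

```c
#include <alloca.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Build an nbytes reply buffer either on the stack (what ALLOCATE_LOCAL did
 * on alloca platforms) or on the heap (what the patch does with xalloc), and
 * return how far below `marker`, an address in the caller's frame, the lowest
 * stack address this frame used lies. noinline keeps the frame distinct. */
__attribute__((noinline))
static uintptr_t fill_reply(int use_heap, size_t nbytes, uintptr_t marker)
{
    char probe;                       /* its address marks this frame */
    uintptr_t lowest = (uintptr_t)&probe;
    char *buf;

    if (use_heap) {
        buf = malloc(nbytes);         /* fails with NULL instead of faulting */
        if (!buf)
            return 0;
    } else {
        buf = alloca(nbytes);         /* grows this frame by nbytes; beyond
                                         RLIMIT_STACK that is a SIGSEGV */
        if ((uintptr_t)buf < lowest)
            lowest = (uintptr_t)buf;
    }
    memset(buf, 'x', nbytes);         /* stand-in for copying the font names */
    if (use_heap)
        free(buf);                    /* heap pages go back; stack growth does not */
    return marker - lowest;
}

/* Stack bytes charged below the caller's frame for a reply of nbytes;
 * use_heap = 1 selects the patched behaviour. */
uintptr_t stack_bytes_consumed(int use_heap, size_t nbytes)
{
    char marker;                      /* an address in the caller's frame */
    return fill_reply(use_heap, nbytes, (uintptr_t)&marker);
}

int main(void)
{
    size_t reply = 500 * 1024;        /* roughly 588 kB - 88 kB from the report */
    printf("stack charged, alloca: %lu bytes\n", (unsigned long)stack_bytes_consumed(0, reply));
    printf("stack charged, heap:   %lu bytes\n", (unsigned long)stack_bytes_consumed(1, reply));
    return 0;
}
```

With the default 8 MB stack the alloca variant reports at least the requested size while the heap variant stays at a few hundred bytes; under `ulimit -s 512` the alloca variant is the one that faults.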