Bug 349

Summary: Multiple glyphs in RenderAddGlyphs cause malloc() corruption
Product: xorg
Reporter: Stephen McCamant <smcc>
Component: Server/General
Assignee: Keith Packard <keithp>
Status: CLOSED FIXED
QA Contact:
Severity: normal
Priority: high
Version: unspecified
Hardware: x86 (IA32)
OS: Linux (All)
Whiteboard:
i915 platform:
i915 features:
Bug Depends on:
Bug Blocks: 213
Attachments: Patch to fix glyph adding loop (flags: none)

Description Stephen McCamant 2004-03-18 16:07:21 UTC
The AddGlyphs request of the Render extension (ProcRenderAddGlyphs(), around
line 1043 of xserver/render/render.c) doesn't seem to correctly handle the
case when the request includes more than one glyph. It calls AddGlyph() in a
loop, but doesn't update the arguments to the call, so it tries to add the
same glyph repeatedly, which causes trouble when AddGlyph tries to free the
"old" glyph for that position, which is really the same as the one it is
trying to add. Two times through the loop gives you a dangling pointer, and
three times gives you a double free, which in my case caused malloc's internal
state to be corrupted so that a future call to malloc() hangs.

I'll attach a patch.

I also reported this to XFree86 as their bug #1276, though at the time I
didn't understand the cause. I presume this bug exists everywhere, but
Xsdl was helpful in debugging it.
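
The failure sequence described in the report above, as an added example that is not part of the original report and is not X server code: a simplified model in which releasing a glyph is counted instead of calling free(), so the dangling slot and the double release can be observed safely. All names (model_add_glyph, add_glyphs_buggy, add_glyphs_fixed, run_request) and the 8-slot table are hypothetical.

```c
#include <stdio.h>

/* Simplified model, not the X server source: a release is counted
   instead of calling free(), so the faults can be observed safely. */
typedef struct { int frees; } Glyph;          /* frees > 1 models a double free */
typedef struct { Glyph *slot[8]; } GlyphSet;  /* one glyph per id (assumed layout) */

static void model_add_glyph(GlyphSet *gs, int id, Glyph *g)
{
    Glyph *old = gs->slot[id];
    if (old)
        old->frees++;        /* stands in for freeing the replaced glyph */
    gs->slot[id] = g;
}

/* Loop as the report describes it: the arguments never advance. */
static void add_glyphs_buggy(GlyphSet *gs, const int *ids, Glyph *glyphs, int n)
{
    for (int i = 0; i < n; i++)
        model_add_glyph(gs, ids[0], &glyphs[0]);
}

/* Each iteration consumes the next id and the next glyph. */
static void add_glyphs_fixed(GlyphSet *gs, const int *ids, Glyph *glyphs, int n)
{
    for (int i = 0; i < n; i++)
        model_add_glyph(gs, ids[i], &glyphs[i]);
}

/* Returns the highest release count of any glyph (n <= 8); *dangling is
   set when a slot still points at a glyph that was released. */
static int run_request(int n, int buggy, int *dangling)
{
    GlyphSet gs = {{0}};
    Glyph glyphs[8] = {{0}};
    int ids[8] = {0, 1, 2, 3, 4, 5, 6, 7};    /* constructed sample ids */
    int worst = 0;
    (buggy ? add_glyphs_buggy : add_glyphs_fixed)(&gs, ids, glyphs, n);
    *dangling = 0;
    for (int i = 0; i < 8; i++) {
        if (glyphs[i].frees > worst) worst = glyphs[i].frees;
        if (gs.slot[i] && gs.slot[i]->frees > 0) *dangling = 1;
    }
    return worst;
}

int main(void)
{
    int d, w = run_request(3, 1, &d);
    printf("buggy loop, 3 glyphs: releases=%d dangling=%d\n", w, d);
    return 0;
}
```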

Comment 1 Stephen McCamant 2004-03-18 16:09:54 UTC
Created attachment 156
Patch to fix glyph adding loop

Comment 2 Keith Packard 2004-03-19 08:02:40 UTC
Thanks for the bugfix; it's in the xserver tree and I've placed a link to the
monolithic release metabug so we can evaluate it for that tree as well.

So, I'll leave this bug open until we've got the monolithic release patched.

Comment 3 Egbert Eich 2004-03-24 08:42:19 UTC
Keith, could you please go ahead and commit to the XORG-RELEASE-1
branch?

Comment 4 Keith Packard 2004-03-26 08:16:59 UTC
Closed by change log entry 64 in the CHANGELOG-RELEASE-1 file