Bug 10918 - Excessive stack usage in dixfonts.c can cause server crash
Summary: Excessive stack usage in dixfonts.c can cause server crash
Alias: None
Product: xorg
Classification: Unclassified
Component: Fonts/other (show other bugs)
Version: git
Hardware: x86 (IA32) Linux (All)
: medium normal
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
Keywords: patch
Depends on:
Reported: 2007-05-11 15:27 UTC by Indan Zupancic
Modified: 2007-11-18 08:10 UTC (History)
0 users

See Also:
i915 platform:
i915 features:


Description Indan Zupancic 2007-05-11 15:27:34 UTC
(This was also reported on the mailinglist.)

Short version:

- ulimit -s 512
- doListFontsAndAliases() in dixfonts.c uses ALLOCATE_LOCAL
  to allocate more than 512 Kb.

Result: mysterious X crash when doing certain things,
        like starting OpenOffice.

With a normal X:

$ grep stack -A1 /proc/`pidof X`/smaps
afce0000-afcf6000 rw-p afce0000 00:00 0          [stack]
Size:                 88 kB

But after starting e.g. open office:

$ grep stack -A1 /proc/`pidof X`/smaps
afc63000-afcf6000 rw-p afc63000 00:00 0          [stack]
Size:                588 kB

Not only causes this a crash when ulimit -s is too low, it is also wasting half a megabyte of memory, which is never returned because it's autogrown for the stack.

A simple fix is to replace ALLOCATE_LOCAL() with xalloc():

--- dix/dixfonts.c.orig	2007-05-01 03:03:20.000000000 +0200
+++ dix/dixfonts.c	2007-05-01 03:03:33.000000000 +0200
@@ -781,7 +781,7 @@ finish:
     reply.nFonts = nnames;
     reply.sequenceNumber = client->sequence;
-    bufptr = bufferStart = (char *) ALLOCATE_LOCAL(reply.length << 2);
+    bufptr = bufferStart = (char *) xalloc(reply.length << 2);
     if (!bufptr && reply.length) {
 	SendErrorToClient(client, X_ListFonts, 0, 0, BadAlloc);
@@ -806,7 +806,7 @@ finish:
     client->pSwapReplyFunc = ReplySwapVector[X_ListFonts];
     WriteSwappedDataToClient(client, sizeof(xListFontsReply), &reply);
     (void) WriteToClient(client, stringLens + nnames, bufferStart);
-    DEALLOCATE_LOCAL(bufferStart);
+    xfree(bufferStart);
     if (c->slept)
Comment 1 Adam Jackson 2007-11-18 08:10:03 UTC
Nothing uses ALLOCATE_LOCAL anymore.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.