Debian Bug report logs - #630169
libx11-6: crash in SetHints.c:217


Package: libx11-6; Maintainer for libx11-6 is Debian X Strike Force <[email protected]>; Source for libx11-6 is src:libx11.

Reported by: kakadu <[email protected]>

Date: Sat, 11 Jun 2011 19:33:02 UTC

Severity: important

Found in version libx11/2:1.4.3-1



Report forwarded to [email protected], Debian X Strike Force <[email protected]>:
Bug#630169; Package libx11-6. (Sat, 11 Jun 2011 19:33:05 GMT)


Acknowledgement sent to kakadu <[email protected]>:
New Bug report received and forwarded. Copy sent to Debian X Strike Force <[email protected]>. (Sat, 11 Jun 2011 19:33:05 GMT)


Message #5 received at [email protected]:

From: kakadu <[email protected]>
To: Debian Bug Tracking System <[email protected]>
Subject: libx11-6: crash in SetHints.c:217
Date: Sat, 11 Jun 2011 23:27:40 +0400
Package: libx11-6
Version: 2:1.4.3-1
Severity: important

Greetings!

So this is a piece of code from SetHints.c. I think this source file is up to
date, but I didn't find the URL to the Debian code:
http://cgit.freedesktop.org/xorg/lib/libX11/tree/src/SetHints.c?id=libX11-1.3.4#n216

I run my program without arguments, only the executable.
gdb says that argv[0]='path to my file', argv[1]=0, argv[2]=0,
argv[3]=argv[4]=access violation
But the main problem is that argc=134653564, that's why the program crashes at line
217 somewhere in strlen when i=3...
Tested on stable i386 and testing amd64.

How to reproduce:
clone repository https://github.com/Kakadu/lablqt/tree/master/simple_signals
(git clone git://github.com/Kakadu/lablqt.git)
I think that you will need the qt4-dev and ocaml packages to be installed
cd simple_signals && make --- dlllablqt.so will be created.
cd test && ln -s ../dlllablqt.so && make && ./test --- Segmentation fault


-------------------------------
Kakadu




-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32kakadu2 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libx11-6 depends on:
ii  libc6                         2.13-4     Embedded GNU C Library: Shared lib
ii  libx11-data                   2:1.4.3-1  X11 client-side library
ii  libxcb1                       1.7-2      X C Binding

libx11-6 recommends no packages.

libx11-6 suggests no packages.

-- no debconf information




Information forwarded to [email protected], Debian X Strike Force <[email protected]>:
Bug#630169; Package libx11-6. (Sat, 17 Aug 2013 13:06:05 GMT)


Acknowledgement sent to Stefan Huehner <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <[email protected]>. (Sat, 17 Aug 2013 13:06:05 GMT)


Message #10 received at [email protected]:

From: Stefan Huehner <[email protected]>
To: Debian Bug Tracking System <[email protected]>
Subject: libx11-6: not fault of libx11-6: reassign?
Date: Sat, 17 Aug 2013 14:53:20 +0200
Package: libx11-6
Followup-For: Bug #630169

Hello,
I took a stab at reproducing the issue and think it is not really a bug in libx11.

Getting a backtrace of the problem with debug symbols confirms that the XSetWMProperties function is called with bogus arguments.

Specifically, a bogus value for argc, which lets XSetCommand (called from XSetWMProperties) try to access the argv array out of its bounds -> segv.

The bogus value is being passed in from some Qt code.

Searching a bit shows that this seems to have been a known problem for some years [1] [2].

Note: [1] seems to be a post from the bug reporter here.

[3] seems to indicate wrong usage of the Qt API by the programs using it.

So it is not completely clear where the bug should be reassigned to (qt4? ocaml used by the sample code?), but it looks like it's definitely not the fault of libx11 when bogus input data is sent in.

Also, I see no way at the moment to enhance XSetWMProperties with some argument checking for this specific case.

Regards,
Stefan

[1] http://qt-project.org/forums/viewthread/7838
[2] http://lists.qt.nokia.com/public/qt-interest/2009-March/003675.html
[3] http://www.qtcentre.org/archive/index.php/t-28785.html


-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.10-2-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
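
An added illustration of the failure discussed in this thread, not code from libX11, Qt or the reporter's project: a length loop of the kind the report points at trusts argc, so a bogus count can only be caught by the caller, which can compare argc against argv's NULL terminator. `sane_argc`, `command_bytes` and `MAX_ARGS` are hypothetical names, the sample argv is constructed, and the check assumes argv follows the main() convention of ending in NULL.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 4096  /* assumed upper bound on the scan, not from the page */

/* Hypothetical caller-side check (not libX11 or Qt API): return argc only
 * if argv really holds that many entries before its NULL terminator.
 * Assumes argv follows the main() convention argv[argc] == NULL. */
static int sane_argc(int argc, char *const *argv)
{
    int present = 0;

    if (argv != NULL)
        while (present < MAX_ARGS && argv[present] != NULL)
            present++;
    /* A negative or too-large count is clamped to what is present. */
    return (argc < 0 || argc > present) ? present : argc;
}

/* Loop of the kind the report points at: bytes needed for the
 * NUL-separated command string. It trusts argc, so a bogus count walks
 * past the end of argv. NULL entries count as empty strings here, which
 * matches the trace where i=1 and i=2 survived and i=3 faulted. */
static size_t command_bytes(int argc, char *const *argv)
{
    size_t total = 0;

    for (int i = 0; i < argc; i++)
        total += (argv[i] ? strlen(argv[i]) : 0) + 1;
    return total;
}

int main(void)
{
    /* Constructed sample: one argument plus terminator, and the argc
     * value quoted in the report. */
    char *argv_sample[] = { "./test", NULL };
    int bogus_argc = 134653564;
    int argc = sane_argc(bogus_argc, argv_sample);

    printf("argc %d -> %d, command bytes %zu\n",
           bogus_argc, argc, command_bytes(argc, argv_sample));
    return 0;
}
```

The library side cannot apply the same check, because a function that receives only a pointer and a count has no way to learn how many entries the array really holds.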





Debian bug tracking system administrator <[email protected]>. Last modified: Tue May 13 08:56:25 2025; Machine Name: buxtehude
