Bug 118733

Summary: [PATCH] xscreensaver coredumps with an older .xscreensaver file
Product: Red Hat Enterprise Linux 3 Reporter: Pancrazio `ezio' de Mauro <pdemauro>
Component: xscreensaverAssignee: Ray Strode [halfline] <rstrode>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 3.0CC: tao
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2004-09-02 02:26:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 113479    
Attachments:
Description Flags
When copied to $HOME, this causes xscreensaver to dump core
none
xscreensaver-dont-trash-hack-list-when-hack-not-existant.patch none

Description Pancrazio `ezio' de Mauro 2004-03-19 17:04:15 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5)
Gecko/20031007 Firebird/0.7 StumbleUpon/1.89

Description of problem:
The attached .xscreensaver file causes xscreensaver to dump core

Version-Release number of selected component (if applicable):
xscreensaver-4.10-4

How reproducible:
Always

Steps to Reproduce:
1. copy the attached .xscreensaver to $HOME
2. start xscreensaver
3. watch it dump core :-)
    

Actual Results:  segmentation fault, a backtrace of the core shows:

#0  0xb6e5416e in malloc_consolidate () from /lib/tls/libc.so.6
#1  0xb6e53769 in _int_malloc () from /lib/tls/libc.so.6
#2  0xb6e52b0d in malloc () from /lib/tls/libc.so.6
#3  0x0804f185 in write_init_file ()
#4  0x0805543b in restart_menu_cb ()
#5  0x08056a26 in run_prev_cb ()
#6  0x08057737 in switch_page_cb ()
#7  0xb711bc87 in g_cclosure_marshal_VOID__VOID () from
/usr/lib/libgobject-2.0.so.0
#8  0xb7108ef7 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#9  0xb711b89e in g_signal_emit_by_name () from
/usr/lib/libgobject-2.0.so.0
#10 0xb711a8e8 in g_signal_emit_valist () from
/usr/lib/libgobject-2.0.so.0
#11 0xb711ab24 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#12 0xb74f9b0a in _gtk_tree_selection_internal_select_node () from
/usr/lib/libgtk-x11-2.0.so.0
#13 0xb74f88c0 in gtk_tree_selection_select_path () from
/usr/lib/libgtk-x11-2.0.so.0
#14 0xb74f8b30 in gtk_tree_selection_select_iter () from
/usr/lib/libgtk-x11-2.0.so.0
#15 0x08055829 in manual_cb ()
#16 0x080580c0 in settings_ok_cb ()
#17 0x0805bf39 in main ()


Expected Results:  xscreensaver should simply warn that the
configuration file is invalid or, even better, fix it, but it
shouldn't silently dump core.

Comment 1 Pancrazio `ezio' de Mauro 2004-03-19 17:05:32 UTC
Created attachment 98688 [details]
When copied to $HOME, this causes xscreensaver to dump core

Comment 2 Bill Nottingham 2004-03-19 17:24:10 UTC
This looks like #85205, which randomly resolved itself. :/

Comment 3 Bastien Nocera 2004-06-10 15:13:02 UTC
Better backtrace:
#0  0xb6e6334e in malloc_consolidate () from /lib/tls/libc.so.6
#1  0xb6e62949 in _int_malloc () from /lib/tls/libc.so.6
#2  0xb6e61ced in malloc () from /lib/tls/libc.so.6
#3  0x0804f185 in write_init_file (p=0xbfffcf38,
    version_string=0x7c <Address 0x7c out of bounds>, verbose_p=0)
    at prefs.c:704
#4  0x0805543b in demo_write_init_file (s=0xbfffcee0, p=0x7c)
    at demo-Gtk.c:894
#5  0x08056a26 in flush_dialog_changes_and_save (s=0xbfffcee0)
    at demo-Gtk.c:1449
#6  0x08057737 in list_select_changed_cb (selection=0x7c, data=0xbfffcee0)
    at demo-Gtk.c:1664
#7  0xb712ac87 in g_cclosure_marshal_VOID__VOID ()
   from /usr/lib/libgobject-2.0.so.0
#8  0xb7117ef7 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#9  0xb712a89e in g_signal_emit_by_name () from
/usr/lib/libgobject-2.0.so.0
#10 0xb71298e8 in g_signal_emit_valist () from
/usr/lib/libgobject-2.0.so.0
#11 0xb7129b24 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#12 0xb7502b0a in _gtk_tree_selection_internal_select_node ()
   from /usr/lib/libgtk-x11-2.0.so.0
#13 0xb75018c0 in gtk_tree_selection_select_path ()
   from /usr/lib/libgtk-x11-2.0.so.0
#14 0xb7501b30 in gtk_tree_selection_select_iter ()
   from /usr/lib/libgtk-x11-2.0.so.0
#15 0x08055829 in force_list_select_item (s=0x7c, list=0x8118b98,
    list_elt=124, scroll_p=1) at demo-Gtk.c:994
#16 0x080580c0 in scroll_to_current_hack (s=0xbfffcee0) at demo-Gtk.c:2042
#17 0x0805bf39 in main (argc=1, argv=0xbfffd0a4) at demo-Gtk.c:4386


Comment 4 Bastien Nocera 2004-06-10 15:55:39 UTC
This is the only interesting thing so far with my friend Valgrind:
==14815== Invalid write of size 4
==14815==    at 0x8058BCB: initialize_sort_map (demo-Gtk.c:2969)
==14815==    by 0x805A789: main (demo-Gtk.c:4285)
==14815==    by 0xB6BC7BC6: __libc_start_main (in /lib/libc-2.3.2.so)
==14815==    by 0x804E0B8: (within
/usr/src/redhat/BUILD/xscreensaver-4.10/driver/xscreensaver-demo)
==14815==    Address 0xB481C00C is 4 bytes before a block of size 800
alloc'd
==14815==    at 0xB74D3B2A: calloc (vg_replace_malloc.c:284)
==14815==    by 0x8058A80: initialize_sort_map (demo-Gtk.c:2908)
==14815==    by 0x805A789: main (demo-Gtk.c:4285)
==14815==    by 0xB6BC7BC6: __libc_start_main (in /lib/libc-2.3.2.so)


Comment 5 Bastien Nocera 2004-06-10 16:33:50 UTC
Created attachment 101038 [details]
xscreensaver-dont-trash-hack-list-when-hack-not-existant.patch

The problem was caused by some memory trashing when building the initial list
of hacks, and the reverse list. Hacks that wouldn't be available would get the
ID of "-1" and try to access the array at -1, corrupting the memory (in this
case the configuration struct).

Comment 6 Bastien Nocera 2004-06-10 16:46:07 UTC
Adding to the errata candidate list.

Comment 7 Ray Strode [halfline] 2004-06-17 15:09:18 UTC
Marking MODIFIED while QA tests the fix.

Comment 8 Jay Turner 2004-09-02 02:26:13 UTC
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2004-257.html