Bug 173798

Summary: XPolygonRegion double free segv
Product: Fedora
Reporter: Caolan McNamara <caolanm>
Component: libX11
Assignee: X/OpenGL Maintenance List <xgl-maint>
Status: CLOSED RAWHIDE
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: medium
Version: rawhide
CC: mefoster, mgalgoci
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-02-09 11:13:48 UTC
Bug Blocks: 150222
Attachments: sample program (flags: none)

Description Caolan McNamara 2005-11-21 12:26:19 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20051018 Fedora/1.7.12-2

Description of problem:
*** glibc detected *** ./a.out: double free or corruption (fasttop): 0x09c2b020 ***
======= Backtrace: =========
/lib/libc.so.6[0x4208e0]
/lib/libc.so.6(__libc_free+0x79)[0x420fa2]
/usr/lib/libX11.so.6(XPolygonRegion+0xc38)[0x553953]
./a.out[0x8048464]
/lib/libc.so.6(__libc_start_main+0xdf)[0x3d262f]
./a.out[0x80483a1]
======= Memory map: ========
003a0000-003b9000 r-xp 00000000 03:02 3688599    /lib/ld-2.3.90.so
003b9000-003ba000 r-xp 00018000 03:02 3688599    /lib/ld-2.3.90.so
003ba000-003bb000 rwxp 00019000 03:02 3688599    /lib/ld-2.3.90.so
003bd000-004e3000 r-xp 00000000 03:02 3688603    /lib/libc-2.3.90.so
004e3000-004e5000 r-xp 00125000 03:02 3688603    /lib/libc-2.3.90.so
004e5000-004e7000 rwxp 00127000 03:02 3688603    /lib/libc-2.3.90.so
004e7000-004e9000 rwxp 004e7000 00:00 0
00512000-00514000 r-xp 00000000 03:02 3688645    /lib/libdl-2.3.90.so
00514000-00515000 r-xp 00001000 03:02 3688645    /lib/libdl-2.3.90.so
00515000-00516000 rwxp 00002000 03:02 3688645    /lib/libdl-2.3.90.so
00518000-0051a000 r-xp 00000000 03:02 1943506    /usr/lib/libXau.so.6.0.0
0051a000-0051b000 rwxp 00001000 03:02 1943506    /usr/lib/libXau.so.6.0.0
0051d000-00521000 r-xp 00000000 03:02 1943637    /usr/lib/libXdmcp.so.6.0.0
00521000-00523000 rwxp 00003000 03:02 1943637    /usr/lib/libXdmcp.so.6.0.0
00525000-0061a000 r-xp 00000000 03:02 1947356    /usr/lib/libX11.so.6.2.0
0061a000-0061e000 rwxp 000f5000 03:02 1947356    /usr/lib/libX11.so.6.2.0
0061e000-0061f000 rwxp 0061e000 00:00 0
0088f000-00898000 r-xp 00000000 03:02 3688649    /lib/libgcc_s-4.0.2-20051109.so.1
00898000-00899000 rwxp 00009000 03:02 3688649    /lib/libgcc_s-4.0.2-20051109.so.1
00cb2000-00cb3000 r-xp 00cb2000 00:00 0          [vdso]
08048000-08049000 r-xp 00000000 03:02 1328092    /tmp/newooo/a.out
08049000-0804a000 rw-p 00000000 03:02 1328092    /tmp/newooo/a.out
09c2b000-09c4c000 rw-p 09c2b000 00:00 0          [heap]
b7e00000-b7e21000 rw-p b7e00000 00:00 0
b7e21000-b7f00000 ---p b7e21000 00:00 0
b7f07000-b7f09000 rw-p b7f07000 00:00 0
b7f1f000-b7f20000 rw-p b7f1f000 00:00 0
bfc0b000-bfc20000 rw-p bfc0b000 00:00 0          [stack]
Aborted


Version-Release number of selected component (if applicable):
libX11-0.99.3-3

How reproducible:
Always

Steps to Reproduce:
1. gcc testme.c -lX11
2. ./a.out

Actual Results:  crash

Expected Results:  no crash

Additional info:

affects OOo impress, ok in FC-4

Comment 1 Caolan McNamara 2005-11-21 12:27:34 UTC
Created attachment 121295 [details]
sample program

Comment 2 Caolan McNamara 2005-11-21 12:28:03 UTC
*** Bug 173799 has been marked as a duplicate of this bug. ***

Comment 3 Caolan McNamara 2005-11-21 12:30:25 UTC
ooo backtrace for reference

#6  0x00553953 in XPolygonRegion () from /usr/lib/libX11.so.6
#7  0x00e71e7e in X11SalGraphics::drawPolyPolygon (this=0x52b2530, nPoly=4, pPoints=0xbf9d4220, pPtAry=0xbf9d41a0)
    at /usr/src/debug/SRC680_m141/vcl/unx/source/gdi/salgdi.cxx:843
#8  0x03c6e29b in SalGraphics::DrawPolyPolygon (this=0x52b2530, nPoly=4, pPoints=0xbf9d4220, pPtAry=0xbf9d41a0, pOutDev=0x52c35d0)
    at /usr/src/debug/SRC680_m141/vcl/source/gdi/salgdilayout.cxx:347
#9  0x03c069e1 in OutputDevice::ImplDrawPolyPolygon (this=0x52c35d0, nPoly=4, rPolyPoly=@0xbf9d42c8)
    at /usr/src/debug/SRC680_m141/vcl/source/gdi/outdev.cxx:344
#10 0x03c092b2 in OutputDevice::DrawPolyPolygon (this=0x52c35d0, rPolyPoly=@0xbf9d465c)
    at /usr/src/debug/SRC680_m141/vcl/source/gdi/outdev.cxx:2467
#11 0x087895f2 in XOutputDevice::ImpDrawFillPolyPolygon (this=0x539fe60, rPolyPoly=@0xbf9d465c, bRect=0 '\0', bPrinter=0 '\0')
    at /usr/src/debug/SRC680_m141/svx/source/xoutdev/_ximp.cxx:138
#12 0x08789eba in XOutputDevice::DrawFillPolyPolygon (this=0x539fe60, rPolyPoly=@0xbf9d465c, bRect=0 '\0')
    at /usr/src/debug/SRC680_m141/svx/source/xoutdev/_ximp.cxx:119
#13 0x08763908 in XOutputDevice::DrawXPolyPolygon (this=0x539fe60, rXPolyPoly=@0x3478574)
    at /usr/src/debug/SRC680_m141/svx/source/xoutdev/xout.cxx:365
#14 0x0855a709 in SdrPathObj::DoPaintObject (this=0x34784b0, rXOut=@0x539fe60, rInfoRec=@0x332f370)
    at /usr/src/debug/SRC680_m141/svx/source/svdraw/svdopath.cxx:411
#15 0x08522d37 in sdr::contact::ViewContactOfSdrObj::PaintObject (this=0x34799e0, rDisplayInfo=@0xbf9d4c30, rPaintRectangle=@0xbf9d4784, rAssociatedVOC=@0x5421620)
    at /usr/src/debug/SRC680_m141/svx/source/sdr/contact/viewcontactofsdrobj.cxx:260
#16 0x08528c79 in sdr::contact::ViewObjectContact::PaintObject (this=0x5421620, rDisplayInfo=@0xbf9d4c30)
    at /usr/src/debug/SRC680_m141/svx/source/sdr/contact/viewobjectcontact.cxx:288
#17 0xb6f8f6bb in sd::ViewRedirector::PaintObject (this=0xbf9d4d98, rOriginal=@0x5421620, rDisplayInfo=@0xbf9d4c30)
    at /usr/src/debug/SRC680_m141/sd/source/ui/view/sdview.cxx:454
#18 0x08528d8d in sdr::contact::ViewObjectContact::PaintObjectHierarchy (this=0x5421620, rDisplayInfo=@0xbf9d4c30)
    at /usr/src/debug/SRC680_m141/svx/source/sdr/contact/viewobjectcontact.cxx:367
#19 0x08528e26 in sdr::contact::ViewObjectContact::PaintDrawHierarchy (this=0x54214c8, rDisplayInfo=@0xbf9d4c30)
    at /usr/src/debug/SRC680_m141/svx/source/sdr/contact/viewobjectcontact.cxx:326

Comment 5 Mike A. Harris 2005-11-21 23:16:11 UTC
Please report to X.Org bugzilla, http://bugs.freedesktop.org in "xorg"
component, and mark it as blocking bug 1690 the release blocker.  Final
freeze for RC3 is soon, so this will flag it for investigation for X11R7.

After you file, please paste the upstream URL here for tracking.

TIA

Comment 6 Caolan McNamara 2005-12-12 08:39:51 UTC
*** Bug 175409 has been marked as a duplicate of this bug. ***

Comment 7 Caolan McNamara 2005-12-12 08:43:44 UTC
https://bugs.freedesktop.org/show_bug.cgi?id=5125

Comment 8 Mike A. Harris 2006-02-09 11:13:48 UTC
This was fixed in X11R7.0 release already, indicated in upstream report:

------- Additional comment #3 from Kevin E. Martin on 2005-12-10 02:30 -------

Thanks Caolan!  The sample code helped me track down the problem -- it turned
out to be that Xlib requires not only malloc(0) return a valid pointer, but also
realloc(ptr,0) return a valid pointer.  However, most systems treat
realloc(ptr,0) as free(ptr).  I fixed it by updating the macro to set the
MALLOC_0_RETURNS_NULL define.
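The root cause the upstream comment describes, as an added C example that is neither the reporter's attached sample program nor Xlib's own code: a tiny constructed instrumented allocator models the "realloc(ptr, 0) behaves like free(ptr)" behaviour so that the resulting double free is counted instead of aborting the process, a resize routine follows the ordinary convention that a NULL result from realloc means the allocation failed and the old block is still the caller's to free, and a guarded wrapper in the spirit of the MALLOC_0_RETURNS_NULL fix clamps a zero-byte request to one byte so that NULL can only ever mean failure. The rect/region types, the function names, and the runtime probe of the host C library are all assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed: a tiny instrumented heap. It remembers up to 16 live blocks so
 * that a second free() of the same pointer is counted, rather than aborting
 * the way glibc's "double free or corruption" check did in the report. */
#define TRACK_MAX 16
static void *live[TRACK_MAX];
static int double_frees;

static void track_add(void *p)
{
    for (int i = 0; i < TRACK_MAX; i++) if (live[i] == NULL) { live[i] = p; return; }
}
static int track_remove(void *p)
{
    for (int i = 0; i < TRACK_MAX; i++) if (live[i] == p) { live[i] = NULL; return 1; }
    return 0;
}
static void *t_malloc(size_t n) { void *p = malloc(n ? n : 1); track_add(p); return p; }
static void t_free(void *p)
{
    if (p == NULL) return;
    if (track_remove(p)) free(p);
    else double_frees++;               /* in real code: undefined behaviour / abort */
}

/* Models the "most systems" behaviour named in the upstream comment:
 * realloc(ptr, 0) frees ptr and returns NULL, which is indistinguishable
 * from an allocation failure that left ptr untouched. */
static void *t_realloc_frees_on_zero(void *p, size_t n)
{
    if (n == 0) { t_free(p); return NULL; }
    void *q = realloc(p, n);
    if (q != NULL) { track_remove(p); track_add(q); }   /* block may have moved */
    return q;
}

/* Guard in the spirit of the MALLOC_0_RETURNS_NULL fix (exact Xlib form not
 * reproduced here): never ask for 0 bytes, so NULL can only mean failure. */
static void *guarded_realloc(void *p, size_t n)
{
    return t_realloc_frees_on_zero(p, n == 0 ? 1 : n);
}

struct rect { int x, y, w, h; };                     /* assumed shapes */
struct region { struct rect *rects; size_t nrects; };

/* Ordinary realloc error handling: NULL means the old block is still ours, so
 * release it. That is exactly what goes wrong once realloc(ptr, 0) has
 * already released it behind our back. */
static int region_resize(struct region *r, size_t n,
                         void *(*xrealloc)(void *, size_t))
{
    struct rect *p = xrealloc(r->rects, n * sizeof *p);
    if (p == NULL) {
        t_free(r->rects);            /* second free when xrealloc freed on 0 */
        r->rects = NULL;
        r->nrects = 0;
        return -1;
    }
    r->rects = p;
    r->nrects = n;
    return 0;
}

/* Shrink a 4-rect region to 0 rects, then free it. Returns the number of
 * double frees observed: 1 with the raw realloc model, 0 with the guard. */
int demo(int use_guard)
{
    double_frees = 0;
    struct region r = { t_malloc(4 * sizeof(struct rect)), 4 };
    region_resize(&r, 0, use_guard ? guarded_realloc : t_realloc_frees_on_zero);
    t_free(r.rects);
    return double_frees;
}

/* Runtime version of a MALLOC_0_RETURNS_NULL-style configure probe: 1 if this
 * C library answers realloc(ptr, 0) with NULL, 0 if it hands back a block.
 * A NULL answer is treated as "ptr already freed", so ptr is not touched again
 * (on a libc that returns NULL only for real failure this leaks one byte). */
int platform_realloc0_returns_null(void)
{
    void *p = malloc(1);
    if (p == NULL) return -1;
    void *q = realloc(p, 0);
    if (q == NULL) return 1;
    free(q);
    return 0;
}

int main(void)
{
    printf("raw realloc, resize to 0:     %d double free(s)\n", demo(0));
    printf("guarded realloc, resize to 0: %d double free(s)\n", demo(1));
    printf("this libc: realloc(ptr,0) returns NULL? %d\n", platform_realloc0_returns_null());
    return 0;
}
```

The instrumented heap is what makes the hazard observable: with the raw model the resize path frees the rect array twice, once inside realloc and once in the "allocation failed" branch, which is the pattern glibc's heap checker flagged in the report; with the guard the same caller code never sees NULL for a size-0 shrink and frees exactly once. The probe shows why the fix had to be a build-time define rather than a code change in one caller: whether realloc(ptr, 0) frees is a property of the C library, not of the calling code.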