Bug 236006 - New libX11 triggers seg fault in rdesktop
Summary: New libX11 triggers seg fault in rdesktop
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: rdesktop   
(Show other bugs)
Version: 6
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: David Zeuthen
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: 238580
TreeView+ depends on / blocked
 
Reported: 2007-04-11 13:40 UTC by Michael Young
Modified: 2018-04-11 13:41 UTC (History)
7 users (show)

Fixed In Version: rdesktop-1.5.0-2.fc6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-05-01 16:37:37 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
xorg.conf that triggers the bug (1.13 KB, application/octet-stream)
2007-04-11 16:22 UTC, Michael Young
no flags Details
Xorg.0.log when the bug is triggered (44.09 KB, application/octet-stream)
2007-04-11 16:23 UTC, Michael Young
no flags Details
Xorg.0.log when X is run without an xorg.conf file (fails to start) (16.17 KB, application/octet-stream)
2007-04-11 16:24 UTC, Michael Young
no flags Details

Description Michael Young 2007-04-11 13:40:56 UTC
Description of problem:
I have just updated to libX11-1.0.3-7.fc6 from libX11-1.0.3-6.fc6 and rdesktop
has stopped working, giving a Segmentation fault when I log in to the remote
system. I have obtained a core dump
#0  0x4820a2b2 in XPutImage () from /usr/lib/libX11.so.6
#1  0x0805155c in ui_desktop_restore (offset=0, x=303, y=144, cx=417, cy=263)
    at xwin.c:3226
#2  0x080633d0 in process_orders (s=0x80b5f20, num_orders=152) at orders.c:375
#3  0x080685f9 in rdp5_process (s=0x80b5f20) at rdp5.c:85
#4  0x08060311 in rdp_recv (type=0xbff77ceb "") at rdp.c:99
#5  0x080608d8 in rdp_loop (deactivated=0xbff78084, ext_disc_reason=0xbff78080)
    at rdp.c:1378
#6  0x080614ec in rdp_main_loop (deactivated=0xbff78084, 
    ext_disc_reason=0xbff78080) at rdp.c:1363
#7  0x0804d2f5 in main (argc=1, argv=Cannot access memory at address 0x5
) at rdesktop.c:912
which suggests the problem is in XPutImage.

Comment 1 Matěj Cepl 2007-04-11 15:23:07 UTC
Thanks for the bug report.  We have reviewed the information you have provided
above, and there is some additional information we require that will be helpful
in our diagnosis of this issue.

Please attach your X server config file (/etc/X11/xorg.conf) and X server log
file (/var/log/Xorg.*.log) to the bug report as individual uncompressed file
attachments using the bugzilla file attachment link below.

Could you please also try to run without any /etc/X11/xorg.conf whatsoever and
let X11 autodetect your display and video card? Attach to this bug
/var/log/Xorg.0.log from this attempt as well, please.

We will review this issue again once you've had a chance to attach this information.

Thanks in advance.


Comment 2 Michael Young 2007-04-11 16:22:47 UTC
Created attachment 152285 [details]
xorg.conf that triggers the bug

Here are the files you asked for. My testing while generating these files
indicates that the seg fault occurs when the colour depth is 16-bit, but
rdesktop runs successfully when the colour depth is 24-bit. Running without an
xorg.conf doesn't work as X isn't started.

Comment 3 Michael Young 2007-04-11 16:23:37 UTC
Created attachment 152286 [details]
Xorg.0.log when the bug is triggered

Comment 4 Michael Young 2007-04-11 16:24:48 UTC
Created attachment 152287 [details]
Xorg.0.log when X is run without an xorg.conf file (fails to start)

Comment 5 Michael Young 2007-04-11 16:35:10 UTC
Note that the remote desktop being contacted is 16-bit, as the WARNING message
WARNING: Remote desktop does not support colour depth 24; falling back to 16
is displayed when rdesktop is run from a 24-bit colour X session.

Comment 6 Adam Jackson 2007-04-13 13:35:50 UTC
Can you install libX11-debuginfo and repeat the backtrace from gdb please? 
Would be good to see exactly what's segfaulting in libX11.

Since 1.0.3-7 was a security fix only relative to -6, I rather suspect that this
is a bug in rdesktop that's always been there and is only now exposed.

Comment 7 Michael Young 2007-04-13 13:49:56 UTC
With libX11-debuginfo installed #0 of the above core is now
#0  0x4820a2b2 in XPutImage (dpy=0x8f606a0, d=41943045, gc=0x8f73688, 
    image=0x0, req_xoffset=0, req_yoffset=0, x=303, y=144, req_width=417, 
    req_height=263) at PutImage.c:967

Comment 8 Michael Young 2007-04-13 14:10:20 UTC
As image=0x0 (ie. null pointer), it might be useful to note that the code in
rdesktop (xwin.c) leading up to this call to the library is
ui_desktop_restore(uint32 offset, int x, int y, int cx, int cy)
{
        XImage *image;
        uint8 *data;

        offset *= g_bpp / 8;
        data = cache_get_desktop(offset, cx, cy, g_bpp / 8);
        if (data == NULL)
                return;

        image = XCreateImage(g_display, g_visual, g_depth, ZPixmap, 0,
                             (char *) data, cx, cy, BitmapPad(g_display), cx *
g_bpp / 8);

        if (g_ownbackstore)
        {
                XPutImage(g_display, g_backstore, g_gc, image, 0, 0, x, y, cx, cy);

Comment 9 Brian Daniels 2007-04-20 13:46:01 UTC
Happening here too on FC5 after updating to libX11.i386 1.0.0-4.fc5.  Core dumps
after the colour depth warning.  Let me know if you want me to open this as a
separate bug against FC5.



Comment 10 Brian Daniels 2007-04-20 14:11:00 UTC
The problem may be related to this?
http://www.nabble.com/Bug-418098:--PATCH--rdesktop-segfault-with-libx11-6-1.0.3-7-t3560107.html

Comment 11 Adam Jackson 2007-04-24 18:25:24 UTC
Looks like it to me.  Reassigning to rdesktop.

Comment 12 David Zeuthen 2007-04-26 16:52:56 UTC
rdesktop-1.5.0-2.fc6 packages are on it's way as soon as rel-eng gets around to
pushing them.

Comment 13 Fedora Update System 2007-04-27 05:59:51 UTC
rdesktop-1.5.0-2.fc6 has been pushed for fc6, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.

Comment 14 Brian Daniels 2007-05-01 15:10:56 UTC
Will there be any fix for FC5 users?

Comment 15 David Zeuthen 2007-05-01 16:37:37 UTC
OK, FC5 is tracked in bug 238580.


Note You need to log in before you can comment on or make changes to this bug.