Bug 503384 - free() of invalid pointer after "BOGUS LENGTH in write keyboard desc"
Summary: free() of invalid pointer after "BOGUS LENGTH in write keyboard desc"
Keywords:
Status: CLOSED DUPLICATE of bug 456376
Alias: None
Product: Fedora
Classification: Fedora
Component: xorg-x11-server
Version: rawhide
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Peter Hutterer
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-05-31 16:54 UTC by Lubomir Rintel
Modified: 2009-06-02 22:34 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2009-06-02 22:34:55 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Lubomir Rintel 2009-05-31 16:54:27 UTC 
Description of problem:

Xorg.0.log:
[xkb] BOGUS LENGTH in write keyboard desc, expected 6780, got 6796

The error message is produced by /usr/src/debug/xorg-server-1.6.1.901/xkb/xkb.c line 1396, 1409 frees an invalid pointer right away.

addr2line'd traceback:
/usr/src/debug/xorg-server-1.6.1.901/os/utils.c:1180
/usr/src/debug/xorg-server-1.6.1.901/xkb/xkb.c:1410
/usr/src/debug/xorg-server-1.6.1.901/xkb/xkb.c:5807
/usr/src/debug/xorg-server-1.6.1.901/xkb/xkb.c:6690
/usr/src/debug/xorg-server-1.6.1.901/dix/dispatch.c:438
/usr/src/debug/xorg-server-1.6.1.901/dix/main.c:399

foun*** glibc detected *** /usr/bin/Xorg: double free or corruption (!prev): 0x0a6f2840 ***
======= Backtrace: =========
/lib/libc.so.6[0x18b231]
/usr/bin/Xorg(Xfree+0x21)[0x8130e21]
/usr/bin/Xorg[0x818b6fd]
/usr/bin/Xorg(ProcXkbGetKbdByName+0xe33)[0x81931a3]
/usr/bin/Xorg[0x8196c78]
/usr/bin/Xorg(Dispatch+0x347)[0x80864d7]
/usr/bin/Xorg(main+0x395)[0x806baf5]
/lib/libc.so.6(__libc_start_main+0xe6)[0x131a66]
/usr/bin/Xorg[0x806afa1]
======= Memory map: ========
00101000-00119000 r-xp 00000000 fd:03 7599       /lib/libaudit.so.0.0.0
00119000-0011a000 r--p 00017000 fd:03 7599       /lib/libaudit.so.0.0.0
0011a000-0011b000 rw-p 00018000 fd:03 7599       /lib/libaudit.so.0.0.0
0011b000-00286000 r-xp 00000000 fd:03 44443      /lib/libc-2.10.1.so
00286000-00287000 ---p 0016b000 fd:03 44443      /lib/libc-2.10.1.so
00287000-00289000 r--p 0016b000 fd:03 44443      /lib/libc-2.10.1.so
00289000-0028a000 rw-p 0016d000 fd:03 44443      /lib/libc-2.10.1.so
0028a000-0028d000 rw-p 0028a000 00:00 0
0028d000-002ab000 r-xp 00000000 fd:03 214673     /usr/lib/xorg/modules/extensions/libextmod.so
002ab000-002ad000 rw-p 0001d000 fd:03 214673     /usr/lib/xorg/modules/extensions/libextmod.so
002ad000-002b6000 r-xp 00000000 fd:03 22625      /usr/lib/libdrm.so.2.4.0
002b6000-002b7000 rw-p 00009000 fd:03 22625      /usr/lib/libdrm.so.2.4.0
002b7000-002bd000 r-xp 00000000 fd:03 76071      /usr/lib/libdrm_nouveau.so.1.0.0
002bd000-002be000 rw-p 00005000 fd:03 76071      /usr/lib/libdrm_nouveau.so.1.0.0
002be000-002c2000 r-xp 00000000 fd:03 81570      /usr/lib/xorg/modules/linux/libfbdevhw.so
002c2000-002c3000 rw-p 00003000 fd:03 81570      /usr/lib/xorg/modules/linux/libfbdevhw.so
002c5000-002c7000 r-xp 00000000 fd:03 78728      /lib/libcom_err.so.2.1
002c7000-002c8000 rw-p 00001000 fd:03 78728      /lib/libcom_err.so.2.1
002c8000-0032b000 r-xp 00000000 fd:03 214674     /usr/lib/xorg/modules/extensions/libglx.so
0032b000-0032e000 rw-p 00062000 fd:03 214674     /usr/lib/xorg/modules/extensions/libglx.so
0032e000-00380000 r-xp 00000000 fd:03 84958      /usr/lib/xorg/modules/drivers/nouveau_drv.so
d this on a vt:

Version-Release number of selected component (if applicable):

xorg-x11-server-Xorg-1.6.1.901-1.fc11.i586

How reproducible:

Just happened once. I recall using qemu then, typing on a keyboard, no idea if that's related.

Additional info:

Feel free to ask for more info if needed.
Comment 1 Peter Hutterer 2009-06-02 22:34:55 UTC 
Please test 1.6.1.901-2, the patch to fix this was merged there (provided you can reproduce the bug)

http://koji.fedoraproject.org/koji/buildinfo?buildID=103514

Marking as a duplicate of 456376.

*** This bug has been marked as a duplicate of bug 456376 ***
Note You need to log in before you can comment on or make changes to this bug.