After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 772794 - segfault when on unchecked XListInputDevices return value
segfault when on unchecked XListInputDevices return value
Status: RESOLVED FIXED
Product: gtk+
Classification: Platform
Component: Backend: X11
2.24.x
Other Linux
: Normal normal
: ---
Assigned To: gtk-bugs
gtk-bugs
Depends on:
Blocks:
 
 
Reported: 2016-10-12 09:49 UTC by Jouke Witteveen
Modified: 2016-10-20 19:33 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
Test the return value (1.48 KB, patch)
2016-10-12 09:49 UTC, Jouke Witteveen 		committed Details | Review

Description Jouke Witteveen 2016-10-12 09:49:29 UTC 
Created attachment 337505 [details] [review]
Test the return value

When XListInputDevices fails, it returns a NULL pointer. The current code does not test for this and assumes the return value to be an initialized array. Moreover, the assumed length of the array may be an uninitialized integer.

Starting with libxi 1.7.7, XListInputDevices is more likely to fail, so the segmentation fault is hit more often: https://bugs.freedesktop.org/show_bug.cgi?id=98204
Comment 1 Matthias Clasen 2016-10-13 10:31:37 UTC 
Reading the XListInputDevices docs, this is clearly a libxi bug.
Comment 2 Jouke Witteveen 2016-10-13 10:41:19 UTC 
It is [1], but it is also a gtk2 bug. Nowhere in the specification does it say that num_devices is set to 0 on failure, so gtk2 should either initialize num_devices to 0 so that it will be 0 when XListInputDevices fails, or check whether NULL was returned. The first approach does not work with libxi 1.7.7 since it sets num_devices (see [1]). The second approach is suggested in the patch to this bug. It might be best to simply do both.

[1] https://bugs.freedesktop.org/show_bug.cgi?id=98204
Comment 3 Matthias Clasen 2016-10-13 14:55:15 UTC 
the documentation doesn't mention any failure conditions for XListInputDevices, and makes it clear that there will always be at least one device (the core pointer) in the returned list.
Comment 4 Jouke Witteveen 2016-10-13 15:58:07 UTC 
So the documentation is wrong. There are 4 places in the code of XListInputDevices where it returns NULL (a locking error, an X-request error, two OOM errors) and two places where it bails out and returns NULL as a result (both out-of-bounds checks). This should be more than enough reason to check the result of XListInputDevices, regardless of whether the documentation is wrong. As I see it, the documentation being incomplete is a different bug.
Comment 5 Oleg Vinichenko 2016-10-20 06:11:38 UTC 
how is this bug fixed? No links  and information where and how this bug fixed. According to libXi git repository https://cgit.freedesktop.org/xorg/lib/libXi/log/
nothing happened.
Comment 6 Oleg Vinichenko 2016-10-20 06:14:09 UTC 
its fixed in:
https://git.gnome.org/browse/gtk+/commit/?h=gtk-2-24&id=c5872e2ab9b775071b067a1a23a964a94553741c
would be good to have links whenever bug reports is set to RESOLVED FIXED.
Comment 7 Matthias Clasen 2016-10-20 14:32:07 UTC 
write a patch for git-bz, then
Comment 8 Oleg Vinichenko 2016-10-20 15:10:27 UTC 
i don't think such twisted approach is the way. What i mean is just put message like
fixed in: url of commit, etc. It's a matter of time save for searching for actual fix and is a good manner. Thx
Comment 9 Jouke Witteveen 2016-10-20 19:33:02 UTC 
I agree with Oleg. In this case, most of the bug will get fixed by this:
https://lists.freedesktop.org/archives/xorg-devel/2016-October/051607.html

In the thread a bug with chromium is referenced, but this is actually the exact same bug as was present in gtk, but mostly fixed by my patch which was applied:
https://git.gnome.org/browse/gtk+/commit/?h=gtk-2-24&id=c5872e2ab9b775071b067a1a23a964a94553741c