Received: from ccs.mt.nec.co.jp (splpe877.ccs.mt.nec.co.jp [172.16.4.121])
	by mail.ccs.mt.nec.co.jp (8.9.1a/3.6W-CCS_Master) with ESMTP id VAA08576;
	Tue, 11 Apr 2000 21:49:28 +0900 (JST)
Message-ID: <38F31E47.5AD4D252@ccs.mt.nec.co.jp>
Date: Tue, 11 Apr 2000 21:44:55 +0900
From: Tomohisa Tanaka
X-Mailer: Mozilla 4.6 [ja] (Win98; I)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: xbugs@opengroup.org
CC: Tomohisa Tanaka
Subject: Xlib: XCreateFontSet() causes segmentation fault.
Content-Type: text/plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: 28fd9i-ld9"#6e9>Kjd9

VERSION: R6.4, public-patch-3 (as well as R6.3, public-patch-3)

CLIENT MACHINE and OPERATING SYSTEM: FreeBSD 2.2.8-RELEASE

DISPLAY TYPE: XF86_SVGA

WINDOW MANAGER: qvwm

COMPILER: gcc 2.7.2.1

AREA: Xlib

SYNOPSIS: The function `XCreateFontSet()' causes segmentation fault.

DESCRIPTION:
The function parse_all_name() in xc/lib/X11/omGeneric.c sometimes returns True
with font_data->xlfd_name set to NULL. Then, calling strlen() in parse_fontdata()
(at line 976, shown below) causes a segmentation fault.

xc/lib/X11/omGeneric.c:
    ...
    947	    ret = parse_all_name(oc, font_data, font_name);
    948	    Xfree(font_name);
    949
    950	    if (ret == -1) return -1;
    951	    if (ret == False) continue;
    ...
    975	    font_data_return->xlfd_name = (char *)Xmalloc
    976	        (strlen(font_data->xlfd_name) + 1);
    	                ^^^^^^^^^^^^^^^^^^^^

It seems that the error-recovery procedure of parse_all_name() is incorrect.
It can also cause a memory leak. (see SAMPLE FIX.)
This problem also exists in R6.3, public-patch-3.
REPEAT BY:
% cat sample.c
#include
#include
#include
#include
#include

int main(int ac, char **av) {
    Display *display;
    char *base_font_name_list =
        "-sony-fixed-medium-r-normal--16-120-100-100-c-80-iso8859-1,"
        "-ricoh-fixed-medium-r-normal--16-154-75-75-c-0-jisx0208.1983-0,"
        "-ricoh-fixed-medium-r-normal--16-160-100-100-c-80-jisx0201.1976-0";
    char **missing_charset_list_return;
    int missing_charset_count_return;
    char *def_string_return;

    if ((display = XOpenDisplay("")) == NULL) {
        errx(1, "cannot open display.");
    }
    if (setlocale(LC_ALL, "") == NULL) {
        errx(1, "cannot set locale.");
    }
    if (XSupportsLocale() == False) {
        errx(1, "locale not supported.");
    }
    (void)XCreateFontSet(display, base_font_name_list,
                         &missing_charset_list_return,
                         &missing_charset_count_return,
                         &def_string_return);
    exit(0);
    return (0);
}
% cat Makefile
all:
	@gcc -I/usr/X11R6.4p3/xc/exports/include -o sample \
	sample.c /usr/X11R6.4p3/xc/exports/lib/libX11.a -lxpg4
% make
% ./sample
Segmentation fault (core dumped)
% gdb sample sample.core
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.16 (i386-unknown-freebsd), Copyright 1996 Free Software Foundation, Inc...(no debugging symbols found)...
Core was generated by `sample'.
Program terminated with signal 11, Segmentation fault.
Cannot access memory at address 0x20062080.
#0  0x1a0e5 in parse_fontdata ()
(gdb) bt
#0  0x1a0e5 in parse_fontdata ()
#1  0x1a4d3 in parse_fontname ()
#2  0x1a8ea in create_fontset ()
#3  0x1acda in create_oc ()
#4  0x5a00 in XCreateOC ()
#5  0x58c0 in XCreateFontSet ()
#6  0x1781 in main ()
(gdb)

Note: fonts.alias includes the following definition.
-ricoh-fixed-medium-r-normal--0-0-0-0-c-0-jisx0208.1983-0 -ricoh-gothic-medium-r-normal--0-0-0-0-c-0-jisx0208.1983-0
-ricoh-fixed-medium-r-normal--0-0-0-0-c-0-jisx0201.1976-0 -ricoh-gothic-medium-r-normal--0-0-0-0-c-0-jisx0208.1976-0

SAMPLE FIX:

diff -c xc.orig/lib/X11/omGeneric.c xc/lib/X11/omGeneric.c
*** xc.orig/lib/X11/omGeneric.c	Sun Apr 9 06:37:29 2000
--- xc/lib/X11/omGeneric.c	Sun Apr 9 22:08:47 2000
***************
*** 694,715 ****
      int list_num;
      XFontStruct *fs_list;
      if(is_match_charset(font_data, pattern) != True) {
!         if ((fn_list = XListFontsWithInfo(dpy, pattern,
!                                           MAXFONTS,
!                                           &list_num, &fs_list))
!             && (prop_fname = get_prop_name(dpy, fs_list))
!             && (is_match_charset(font_data, prop_fname) != True)) {
!             if (fn_list) {
!                 XFreeFontInfo(fn_list, fs_list, list_num);
!                 fn_list = NULL;
!             }
              return False;
!         }
!         font_data->xlfd_name = prop_fname;
!         if (fn_list) {
              XFreeFontInfo(fn_list, fs_list, list_num);
          }
-         return True;
      }
      font_data->xlfd_name = (char *)Xmalloc(strlen(pattern)+1);
--- 694,717 ----
      int list_num;
      XFontStruct *fs_list;
      if(is_match_charset(font_data, pattern) != True) {
!         if ((fn_list = XListFontsWithInfo(dpy, pattern, MAXFONTS,
!                                           &list_num, &fs_list)) == NULL) {
              return False;
!         }
!         else if ((prop_fname = get_prop_name(dpy, fs_list)) == NULL) {
!             XFreeFontInfo(fn_list, fs_list, list_num);
!             return False;
!         }
!         else if ((is_match_charset(font_data, prop_fname) != True)) {
!             XFree(prop_fname);
!             XFreeFontInfo(fn_list, fs_list, list_num);
!             return False;
!         }
!         else {
!             font_data->xlfd_name = prop_fname;
              XFreeFontInfo(fn_list, fs_list, list_num);
+             return True;
          }
      }
      font_data->xlfd_name = (char *)Xmalloc(strlen(pattern)+1);

--
NEC Networks Development Laboratories
Tomohisa Tanaka
tomohisa@netlab.nec.co.jp
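Review bot: The rewritten chain now releases `fn_list` on every failure path and returns True only with a non-NULL `prop_fname`, but the consumer quoted in the report (`strlen(font_data->xlfd_name)` at omGeneric.c line 976) still has no NULL guard, so any other path that yields True with an unset `xlfd_name` would crash the same way; a defensive check before that `Xmalloc`, handled like the `ret == False` case at line 951 (e.g. `if (font_data->xlfd_name == NULL) continue;`), would close the class of bug rather than this one instance. The unchanged context line `font_data->xlfd_name = (char *)Xmalloc(strlen(pattern)+1);` at the end of the hunk likewise leaves the allocation result unchecked. Two smaller points: the new `XFree(prop_fname)` presumes `get_prop_name` hands back heap memory the caller owns (confirm against its definition, which is outside this hunk) and is spelled `XFree` where the surrounding code quoted at line 948 uses `Xfree`; and `else if ((is_match_charset(font_data, prop_fname) != True))` carries one redundant pair of parentheses. The enclosing function starts and ends outside the hunk.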