[cairo] [PATCH 2/2] xcb: Don't crash when swapping a 0-sized glyph

Adam Jackson ajax at redhat.com
Wed Oct 31 14:17:00 PDT 2012

On 10/31/12 4:46 PM, Uli Schlachter wrote:
> On 31.10.2012 21:13, Adam Jackson wrote:
>> malloc(0) needn't return NULL, and on glibc, doesn't.  Then we encounter
>> a loop of the form do { ... } while (--c), which doesn't do quite what
>> you were hoping for when c is initially 0.
>> Since there's nothing to swap in this case, just bomb out.
> could you tell us where you are seeing this? Would it be feasible to add a
> suitable test case to the test suite for this?

I personally haven't hit this, but I have a tester who's seeing it with 
various gtk apps from a ppc64 X client to an x86 X server (on the xlib 
path, haven't tried to provoke it over xcb).  You end up with a 
backtrace like this:


The fix was derived by inspection; it's been tested and works (again 
only through xlib, but the xcb path clearly has the same bug).  Though...

> Also:
> Hey Chris, do you still remember what you did last year? If yes, could you
> explain to me why the following commit "#if 0"s away the width==0||height==0
> case which would likely catch this bug?

... older xserver would crash when fed 0x0 glyphs, which is what that 
code is working around.  Perhaps we no longer care about servers that 
old, or at least, don't so care when using this path through cairo.

As far as a testcase, if you have one that tests non-A8 0x0 glyphs then 
you should be able to hit this already, iff you have the ability to run 
the tests against an opposite-endian server.  Honestly I'd expect one of 
the cairo perf traces of like firefox would hit this by accident.

- ajax

More information about the cairo mailing list