|
Home About Us A-Z Index Search * Contact Us Register Login Press ShopThe Open Brand -- Problem Reporting and Interpretations System |
Problem Report 1862 Details Show help | Quick Search | Submit a Test Suite Support Request | Click here to view your privileges
This page provides all information on Problem Report 1862.
Report 1862 Actions
Problem Report Number 1862 Submitter's Classification Test Suite problem State Resolved Resolution Rejected (REJ) Problem Resolution ID REJ.X.0549 Raised 1999-08-02 08:00 Updated 2003-03-13 08:00 Published null Product Standard Window System Application Interface V2 Certification Program The Open Brand certification program Test Suite VSW version 5.0.2 Test Identification Xproto/PutImage 3 Problem Summary PG4W.00100 buffer not properly allocated prior to being accessed. Problem Text
Problem appears to be a buffer not properly allocated prior to
being accessed.
The test code libproto/SendReq.c was modified to include
additional calls to
Log_Trace. The modified test code is as follows:
case X_PutImage:
{
/*
* Images are stored in the test programs in client byte
order and
* unpadded. This allows images to be independent of the
server.
* However the server will expect images in server byte
order and
* padded. This routine sends an altered xPutImageReq which
the server
* will like. Note that we're assuming client-normal form
means that
* rows are padded to a byte boundary; otherwise the
translation is
* more complex. Similarly, left-pad must be zero.
*/
int row, col = 1;
unsigned char my_sex = *((unsigned char *) &col)
^ 1;
unsigned char server_sex =
(Xst_clients[client].cl_dpy) ->
byte_order;
long flip = my_sex ^ server_sex; /* assume
MSBFirst == 1 */
int server_pad = (Xst_clients[client].cl_dpy) ->
bitmap_pad;
int server_unit = (Xst_clients[client].cl_dpy) ->
bitmap_unit;
int server_bitorder =
(Xst_clients[client].cl_dpy) ->
bitmap_bit_order;
int src_width /*in bytes*/ =
(int)(((xPutImageReq *)rp)->width + 7) >>
3;
int dst_width /*in bytes*/ = src_width +
((src_width % (server_pad>>3)) == 0 ? 0 :
(server_pad>>3) - src_width %
(server_pad>>3));
char *src = (char *)rp + sizeof(xPutImageReq);
char **dst = (&(Get_Display(client)->bufptr));
char *drop;
/*****
if (server_bitorder != MSBFirst) {
Log_Err("LSBFirst bit ordering not
supported in
Send_Req()\n");
Abort();
}
*****/
Log_Trace("Into X_PutImage case of switch
statement\n");
if (((xPutImageReq *)rp)->leftPad != 0) {
Log_Err("leftPad != 0; not supported in
Send_Req()\n");
Abort();
}
Log_Trace("Calling send1 first time from PutImage
case\n");
Log_Trace("Parameters are %d and %d\n",client,
(long) ((xPutImageReq *)rp)->reqType);
Log_Trace ("call to send1 translates to %x and
%d\n",
(Xst_clients[client].cl_dpy->bufptr),
(unsigned char) ((long) ((xPutImageReq
*)rp)->reqType));
Log_Trace("client is %d, bufmax is %x, buffer is
%x,cl_display
is %x \n",
client,
Xst_clients[client].cl_dpy->bufmax,
Xst_clients[client].cl_dpy->buffer,
Xst_clients[client].cl_dpy);
/* send1(client,(long) ((xPutImageReq
*)rp)->reqType);
*/
/* Expand this macro by hand for debugging purposes
*/
*((Xst_clients[client].cl_dpy->bufptr)++) =
(unsigned char)
((long) ((xPutImag
eReq *)rp)->reqType);
The output from this code shows:
520|1 3 125216 1 24937|TRACE: Into X_PutImage case of switch
statement
520|1 3 125216 1 24938|TRACE: Calling send1 first time from
PutImage case
520|1 3 125216 1 24939|TRACE: Parameters are 0 and 72
520|1 3 125216 1 24940|TRACE: call to send1 translates to
ffffffff and 72
520|1 3 125216 1 24941|TRACE: client is 0, bufmax is fffffffe,
buffer is
ffffffff,cl_display i
s 40039000
520|1 3 125175 2 1|child process was terminated by signal 11
(SIGSEGV)
Thus, the value of Xst_clients[client].cl_dpy->bufptr is -1.
This indicates
that
the buffer pointer has never been initialized with a proper
address. This is
what
causes the segmentation violation.Test Output
200|262 3 15:56:32|TP Start
520|262 3 87955 1 1|VSW5TESTSUITE PURPOSE 3
520|262 3 87955 1 2|Assertion PutImage-3.(B)
520|262 3 87955 1 3|When a client sends an invalid PutImage
protocol request to
520|262 3 87955 1 4|the X server, in which the length field of
the request
520|262 3 87955 1 5|exceeds the maximum length accepted by the X
server, then
520|262 3 87955 1 6|the X server sends back a BadLength error to
the client.
520|262 3 87955 1 7|Reason for omission: There is no known
portable test method
for this asser
tion
520|262 3 87955 1 8|METH: Call library function testfunc() to do
the following:
520|262 3 87955 1 9|METH: Open a connection to the X server using
native byte
sex.
520|262 3 87955 1 10|METH: Send an invalid PutImage protocol
request to the X
server with leng
th
520|262 3 87955 1 11|METH: one greater than the maximum length
accepted by the
server.
520|262 3 87955 1 12|METH: Verify that the X server sends back a
BadLength
error.
520|262 3 87955 1 13|METH: Open a connection to the X server
using reversed byte
sex.
520|262 3 87955 1 14|METH: Send an invalid PutImage protocol
request to the X
server with leng
th
520|262 3 87955 1 15|METH: one greater than the maximum length
accepted by the
server.
520|262 3 87955 1 16|METH: Verify that the X server sends back a
BadLength
error.
520|262 3 87955 2 1|child process was terminated by signal 11
(SIGSEGV)
520|262 3 87955 3 1|child process was terminated by signal 11
(SIGSEGV)
220|262 3 2 15:56:37|UNRESOLVED
410|262 3 1 15:56:37|IC End
80|262 0 15:56:37|TC EndReview Information
Review Type TSMA Review Start Date null Completed null Status Complete Review Recommendation No Resolution Given Review Response
The presented analysis appears to have errors in the added Log_Trace
calls. Pointer values are being printed using "%x" - they should be
printed using "%p" to see the true values.
It is recommended that this request be refused, subject to further
information.
Review Type SA Review Start Date null Completed null Status Complete Review Resolution Rejected (REJ) Review Conclusion
This request is refused.
Problem Reporting System Options:
- View Report 1862
- List All PRs
- Search Reports
- Email the System Administrator
- View the The Open Brand Interpretations Database User Manual
Contact the Certification Authority