
The Open Brand -- Problem Reporting and Interpretations System


Problem Report 1862 Details


This page provides all information on Problem Report 1862.




    Problem Report Number: 1862
    Submitter's Classification: Test Suite problem
    State: Resolved
    Resolution: Rejected (REJ)
    Problem Resolution ID: REJ.X.0549
    Raised: 1999-08-02 08:00
    Updated: 2003-03-13 08:00
    Published: null
    Product Standard: Window System Application Interface V2
    Certification Program: The Open Brand certification program
    Test Suite: VSW version 5.0.2
    Test Identification: Xproto/PutImage 3
    Problem Summary: PG4W.00100 buffer not properly allocated prior to being accessed.
    Problem Text
    Problem appears to be a buffer not properly allocated prior to being
    accessed. The test code libproto/SendReq.c was modified to include
    additional calls to Log_Trace. The modified test code is as follows:

    case X_PutImage:
    {
        /*
         * Images are stored in the test programs in client byte order and
         * unpadded. This allows images to be independent of the server.
         * However the server will expect images in server byte order and
         * padded. This routine sends an altered xPutImageReq which the server
         * will like. Note that we're assuming client-normal form means that
         * rows are padded to a byte boundary; otherwise the translation is
         * more complex. Similarly, left-pad must be zero.
         */

        int row, col = 1;
        unsigned char my_sex = *((unsigned char *) &col) ^ 1;
        unsigned char server_sex = (Xst_clients[client].cl_dpy)->byte_order;
        long flip = my_sex ^ server_sex; /* assume MSBFirst == 1 */
        int server_pad = (Xst_clients[client].cl_dpy)->bitmap_pad;
        int server_unit = (Xst_clients[client].cl_dpy)->bitmap_unit;
        int server_bitorder = (Xst_clients[client].cl_dpy)->bitmap_bit_order;
        int src_width /*in bytes*/ =
            (int)(((xPutImageReq *)rp)->width + 7) >> 3;
        int dst_width /*in bytes*/ = src_width +
            ((src_width % (server_pad>>3)) == 0 ? 0 :
             (server_pad>>3) - src_width % (server_pad>>3));
        char *src = (char *)rp + sizeof(xPutImageReq);
        char **dst = (&(Get_Display(client)->bufptr));
        char *drop;

        /*****
        if (server_bitorder != MSBFirst) {
            Log_Err("LSBFirst bit ordering not supported in Send_Req()\n");
            Abort();
        }
        *****/
        Log_Trace("Into X_PutImage case of switch statement\n");
        if (((xPutImageReq *)rp)->leftPad != 0) {
            Log_Err("leftPad != 0; not supported in Send_Req()\n");
            Abort();
        }
        Log_Trace("Calling send1 first time from PutImage case\n");
        Log_Trace("Parameters are %d and %d\n", client,
                  (long) ((xPutImageReq *)rp)->reqType);
        Log_Trace("call to send1 translates to %x and %d\n",
                  (Xst_clients[client].cl_dpy->bufptr),
                  (unsigned char) ((long) ((xPutImageReq *)rp)->reqType));
        Log_Trace("client is %d, bufmax is %x, buffer is %x,cl_display is %x \n",
                  client,
                  Xst_clients[client].cl_dpy->bufmax,
                  Xst_clients[client].cl_dpy->buffer,
                  Xst_clients[client].cl_dpy);
        /* send1(client,(long) ((xPutImageReq *)rp)->reqType); */
        /* Expand this macro by hand for debugging purposes */
        *((Xst_clients[client].cl_dpy->bufptr)++) =
            (unsigned char) ((long) ((xPutImageReq *)rp)->reqType);

    The output from this code shows:

    520|1 3 125216 1 24937|TRACE: Into X_PutImage case of switch statement
    520|1 3 125216 1 24938|TRACE: Calling send1 first time from PutImage case
    520|1 3 125216 1 24939|TRACE: Parameters are 0 and 72
    520|1 3 125216 1 24940|TRACE: call to send1 translates to ffffffff and 72
    520|1 3 125216 1 24941|TRACE: client is 0, bufmax is fffffffe, buffer is ffffffff,cl_display is 40039000
    520|1 3 125175 2 1|child process was terminated by signal 11 (SIGSEGV)

    Thus, the value of Xst_clients[client].cl_dpy->bufptr is -1. This
    indicates that the buffer pointer has never been initialized with a
    proper address. This is what causes the segmentation violation.

    Test Output
    200|262 3 15:56:32|TP Start
    520|262 3 87955 1 1|VSW5TESTSUITE PURPOSE 3
    520|262 3 87955 1 2|Assertion PutImage-3.(B)
    520|262 3 87955 1 3|When a client sends an invalid PutImage protocol request to
    520|262 3 87955 1 4|the X server, in which the length field of the request
    520|262 3 87955 1 5|exceeds the maximum length accepted by the X server, then
    520|262 3 87955 1 6|the X server sends back a BadLength error to the client.
    520|262 3 87955 1 7|Reason for omission: There is no known portable test method for this assertion
    520|262 3 87955 1 8|METH: Call library function testfunc() to do the following:
    520|262 3 87955 1 9|METH: Open a connection to the X server using native byte sex.
    520|262 3 87955 1 10|METH: Send an invalid PutImage protocol request to the X server with length
    520|262 3 87955 1 11|METH: one greater than the maximum length accepted by the server.
    520|262 3 87955 1 12|METH: Verify that the X server sends back a BadLength error.
    520|262 3 87955 1 13|METH: Open a connection to the X server using reversed byte sex.
    520|262 3 87955 1 14|METH: Send an invalid PutImage protocol request to the X server with length
    520|262 3 87955 1 15|METH: one greater than the maximum length accepted by the server.
    520|262 3 87955 1 16|METH: Verify that the X server sends back a BadLength error.
    520|262 3 87955 2 1|child process was terminated by signal 11 (SIGSEGV)
    520|262 3 87955 3 1|child process was terminated by signal 11 (SIGSEGV)
    220|262 3 2 15:56:37|UNRESOLVED
    410|262 3 1 15:56:37|IC End
    80|262 0 15:56:37|TC End

    Review Information

    Review Type: TSMA Review
    Start Date: null
    Completed: null
    Status: Complete
    Review Recommendation: No Resolution Given
    Review Response:
    The presented analysis appears to have errors in the added Log_Trace
    calls. Pointer values are being printed using "%x" - they should be
    printed using "%p" to see the true values.

    It is recommended that this request be refused, subject to further
    information.

    Review Type: SA Review
    Start Date: null
    Completed: null
    Status: Complete
    Review Resolution: Rejected (REJ)
    Review Conclusion:
    This request is refused.
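
An added example, not code from the test suite or from either reviewer: it logs the three pointers named in the trace with "%p" and range-checks bufptr before the one-byte store, so a bad pointer is reported instead of faulting. The struct out_buf type and the helper names are hypothetical stand-ins for the display fields; the 64-bit value passed to low32() is constructed, not an address from the report.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the three display fields named in the trace. */
struct out_buf {
    char *buffer;   /* start of the output buffer */
    char *bufptr;   /* next byte to write */
    char *bufmax;   /* one past the last usable byte */
};

/* Log the pointers with %p (cast to void *) so no bits are dropped. */
static int describe(const struct out_buf *b, char *out, size_t n)
{
    return snprintf(out, n, "buffer=%p bufptr=%p bufmax=%p",
                    (void *)b->buffer, (void *)b->bufptr, (void *)b->bufmax);
}

/* Low 32 bits of a pointer, by explicit cast (a pointer passed to "%x" is undefined). */
static unsigned int low32(const void *p)
{
    return (unsigned int)((uintptr_t)p & 0xffffffffu);
}

/* Checked form of the hand-expanded one-byte store.
 * Returns 0 on success, -1 if bufptr is outside [buffer, bufmax). */
static int checked_send1(struct out_buf *b, unsigned char v)
{
    uintptr_t lo = (uintptr_t)b->buffer, p = (uintptr_t)b->bufptr;
    uintptr_t hi = (uintptr_t)b->bufmax;
    char msg[128];
    if (b->buffer == NULL || lo > hi || p < lo || p >= hi) {
        describe(b, msg, sizeof msg);
        fprintf(stderr, "refusing store: %s\n", msg);
        return -1;
    }
    *(b->bufptr++) = (char)v;
    return 0;
}

int main(void)
{
    char storage[16];   /* constructed sample buffer */
    struct out_buf ok = { storage, storage, storage + sizeof storage };
    struct out_buf bad = { storage, (char *)UINTPTR_MAX, storage + sizeof storage };
    printf("ok=%d bad=%d low32=%x\n", checked_send1(&ok, 72),
           checked_send1(&bad, 72), low32((void *)(uintptr_t)0x7fffffffffffULL));
    return 0;
}
```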
