jlv@kirk.UUCP (Jeffrey L. Vogel) (06/27/91)
SunOS 4.1
X11R4 with all 18 patches applied
Bug is in Xt

Description:
When using XtVaCreatePopupShell, we can cause a seg fault due to
uninitialized memory. Apparently, the VarArgs routines call
_XtVaToTypedList to create a typed arg list. However, this routine
doesn't always initialize the .size field, as shown below. _XtCreate,
called by lots of stuff, will perform an XtFree when .size < 0.
However, if .size is not initialized, this XtFree is inadvertently
performed many times. I believe the easy fix is to initialize .size
to 0 in _XtVaToTypedList.

Create.c lines 269-275
These lines wreak havoc if typed_args[i].size was never initialized.

    _XtCreate()
    ..
        for (i = 0; i < num_typed_args; i++) {
            if (typed_args[i].size < 0) {
                /* we alloc'ed store dynamically */
                XtFree((XtPointer)typed_args[i].value);
                typed_args[i].size = -(typed_args[i].size);
            }
        }

These lines create a typed arg list which might be passed to _XtCreate.
However, in the third case below, .size is never initialized.

Varargs.c lines 476 to 491

    _XtVaToTypedArgList()
        if (strcmp(attr, XtVaTypedArg) == 0) {
            args[count].name = va_arg(var, String);
            args[count].type = va_arg(var, String);
            args[count].value = va_arg(var, XtArgVal);
            args[count].size = va_arg(var, int);
            ++count;
        } else if (strcmp(attr, XtVaNestedList) == 0) {
            count += _XtNestedArgtoTypedArg(&args[count],
                                            va_arg(var, XtTypedArgList));
        } else {
            args[count].name = attr;
            args[count].type = NULL;
            args[count].value = va_arg(var, XtArgVal);
            ++count;
        }

--------------------------------------------------------------------
| Jeff Vogel               | Lead Engineer         |
| jlv%ebt-inc@uunet.uu.net | EBT Inc.              |
| uunet!ebt-inc!jlv        | One Richmond Square   |
| 401-421-9550             | Providence, RI 02906  |
--------------------------------------------------------------------
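The fault pattern in the report, as an added example that is neither the Xt source nor Vogel's code: a constructed stand-in for the typed-arg builder and for the consumer loop from _XtCreate, with stale memory simulated deterministically so the effect of leaving .size untouched versus storing 0 can be counted. The nested-list branch is omitted; the struct, function names and attribute strings are assumptions.

```c
#include <stdarg.h>
#include <string.h>
/* Stand-in for XtTypedArg, constructed for this example (not the Xt type). */
typedef struct {
    const char *name, *type;
    void *value;
    int size;   /* negative: value was allocated and the consumer frees it */
} TypedArg;
/* Mirror of the typed and untyped _XtVaToTypedArgList branches (nested lists
 * omitted). Groups end at a NULL attr: "typed" takes name, type, value, size;
 * any other attr takes only a value. initialize_size == 0 reproduces the bug
 * (untyped .size left untouched); 1 stores 0, the fix proposed above. */
static int to_typed_args(TypedArg *args, int initialize_size, ...)
{
    va_list var; const char *attr; int count = 0;
    va_start(var, initialize_size);
    while ((attr = va_arg(var, const char *)) != NULL) {
        if (strcmp(attr, "typed") == 0) {
            args[count].name  = va_arg(var, const char *);
            args[count].type  = va_arg(var, const char *);
            args[count].value = va_arg(var, void *);
            args[count].size  = va_arg(var, int);
        } else {
            args[count].name  = attr;
            args[count].type  = NULL;
            args[count].value = va_arg(var, void *);
            if (initialize_size)
                args[count].size = 0;
        }
        ++count;
    }
    va_end(var);
    return count;
}

/* Simulate stale stack contents (0xff bytes, so a skipped size reads as -1),
 * build one typed and two untyped entries, then count how many the loop
 * quoted from _XtCreate would hand to XtFree (every entry with size < 0). */
static int frees_with(int initialize_size)
{
    TypedArg args[4];
    int pending = 0;
    memset(args, 0xff, sizeof args);
    int n = to_typed_args(args, initialize_size, "typed", "label", "String",
                          (void *)0, 4, "width", (void *)0, "height", (void *)0,
                          (const char *)NULL);
    for (int i = 0; i < n; i++)
        pending += (args[i].size < 0);
    return pending;
}
```

With the bug reproduced, both untyped entries look freeable and the consumer would call XtFree on values that were never allocated; with .size stored as 0 none are.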
swick@crltrx.crl.dec.com (Ralph Swick) (06/28/91)
In article <9106262116.AA14562@kirk>, jlv@kirk.UUCP (Jeffrey L. Vogel) writes:
>
> Description:
> When using XtVaCreatePopupShell, we can cause a seg fault due to
> uninitialized memory.
>

This bug was fixed in fix-1, published on 24 Jan 1990.