[comp.windows.x] Extreme coordinates to XDrawText cause server core dump.

medmunds@VERITY.COM (12/12/90)

			  X Window System Bug Report
			    xbugs@expo.lcs.mit.edu


VERSION:
    R4

CLIENT MACHINE and OPERATING SYSTEM:
    DECstation 2100/3100 running Ultrix 3.1
    Sun 3 or 4 running SunOS 4.0.3
    Probably others

DISPLAY TYPE:
    Digital or Sun color or monochrome.  Probably others.

WINDOW MANAGER:
    n/a

AREA:
    Server (mi layer?)

SYNOPSIS:
    Extreme coordinates to XDrawText cause server core dump.

DESCRIPTION:
    Attempting to XDrawString at y = 32769 reliably crashes the
    server.  I've tried this with Xcfbpmax, Xmfbpmax and Xsun (running
    on both color and monochrome displays), but would guess that the
    problem occurs in any server using the mi layer.  A test program
    is below.

    [Incidentally, I realize that 32769 is -32767 after it gets
    through the protocol, and is also an unlikely location to draw a
    string.  Still, the server shouldn't crash.]


    Stack trace running Xmfbpmax:
       0 mfbPolyGlyphBltBlack(pDrawable = 0x10015800, pGC = 0x10038200,
	   x = 100, y = -65367, nglyph = 4, ppci = 0x10026b40,
	   pglyphBase = 0x100328a0 = "") ["mfbpgbblak.c":189, 0x474d2c]
       1 miPolyText8(pDraw = 0x10015800, pGC = 0x10038200, x = 0,
	   y = -32767, count = 5, chars = 0x10039012 = "crash")
	   ["mipolytext.c":89, 0x489f54]
       2 .block19 ["dispatch.c":2084, 0x40f27c]
       3 ProcPolyText(client = 0x10038100) ["dispatch.c":2084, 0x40f27c]
       4 dispatch.Dispatch() ["dispatch.c":256, 0x408f30]
       5 main.main(argc = 1, argv = 0x7fffeec4) ["main.c":248, 0x403de0]

    For Xcfbpmax, substitute:
       0 cfbPolyGlyphBlt8(pDrawable = 0x10016700, pGC = 0x10038300,
	   x = 100, y = -65367, nglyph = 4, ppci = 0x10029b44,
	   pglyphBase = 0x100358a0 = "") ["cfbglblt8.c":165, 0x47831c]



REPEAT BY:

    #include <stdlib.h>
    #include <X11/Xlib.h>

    int main(void)
    {
      Display   *dpy;
      int       screen;
      Window    clip, child;
      XEvent    event;
      GC        gc;

      if (!(dpy = XOpenDisplay(0))) exit(1);
      screen = DefaultScreen(dpy);

      /* 300x300 parent at (100,100); it clips the oversized child below */
      clip = XCreateSimpleWindow(dpy, RootWindow(dpy, screen),
                                 100, 100, 300, 300, 0, 0, 0);
      /* child is 40000 pixels tall and starts 32700 pixels above its parent */
      child = XCreateSimpleWindow(dpy, clip,
                                  0, -32700, 300, 40000, 0,
                                  0, WhitePixel(dpy, screen));

      gc = XCreateGC(dpy, child, 0, 0);
      XSetForeground(dpy, gc, BlackPixel(dpy, screen));

      XSelectInput(dpy, child, ExposureMask);
      XMapWindow(dpy, child);
      XMapWindow(dpy, clip);

      while (1) {
        XNextEvent(dpy, &event);
        switch (event.type) {
        case Expose:
          /* y = 32769 arrives at the server as -32767 (16-bit field) */
          XDrawString(dpy, child, gc, 0, 32769, "crash", 5);
          break;
        }
      }
    }


- Mike Edmunds		(medmunds@verity.com)
  Verity, Inc.
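
The coordinate arithmetic visible in the stack trace above, as an added example that is not part of the original post or of the X server sources. It reproduces the 16-bit wrap of y = 32769 and the screen-relative y = -65367 seen in frame 0, then applies a hypothetical row-clipping guard (visible_rows) of the kind a glyph-drawing path could run before computing any framebuffer address. The report does not state the root cause; the font metrics and screen height are constructed values.

```c
#include <stdio.h>

/* Value of a coordinate after it is carried in a signed 16-bit protocol field. */
static long wire_coord(long v)
{
    unsigned long u = (unsigned long)v & 0xFFFFUL;   /* low 16 bits go on the wire */
    return u >= 0x8000UL ? (long)u - 0x10000L : (long)u;
}

/* Hypothetical guard (not server code): clip the scanlines a glyph run would
 * touch to [0, height) before any address is derived from them.
 * Returns the number of rows left to draw; 0 means skip the request. */
static long visible_rows(long origin_y, long y, long ascent, long descent,
                         long height, long *top, long *bottom)
{
    long t = origin_y + y - ascent;      /* first scanline touched */
    long b = origin_y + y + descent;     /* one past the last scanline */
    if (t < 0) t = 0;
    if (b > height) b = height;
    if (b <= t) { *top = *bottom = 0; return 0; }
    *top = t;
    *bottom = b;
    return b - t;
}

/* Window origin taken from the test program in the report:
 * clip at y = 100, child at y = -32700 relative to clip. */
#define CHILD_ORIGIN_Y (100L + -32700L)
/* Constructed values: font metrics and screen height are assumptions. */
#define ASCENT   10L
#define DESCENT  3L
#define SCREEN_H 864L

int main(void)
{
    long top, bottom;
    long y = wire_coord(32769);          /* what the server receives */
    long rows = visible_rows(CHILD_ORIGIN_Y, y, ASCENT, DESCENT,
                             SCREEN_H, &top, &bottom);

    printf("client y=32769 -> wire y=%ld\n", y);
    printf("screen y=%ld (matches frame 0 of the trace)\n", CHILD_ORIGIN_Y + y);
    printf("rows to draw after clipping: %ld\n", rows);
    return 0;
}
```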