Bug#779312: freerdp-x11: Segfaults on start 100% of the time


Bug#779312: freerdp-x11: Segfaults on start 100% of the time

John Goerzen-3
Package: freerdp-x11
Version: 1.1.0~git20140921.1.440916e+dfsg1-3
Severity: grave
Justification: renders package unusable

This behavior started just recently:

xfreerdp -z --plugin cliprdr \
        --plugin rdpsnd --data alsa latency:100 -- \
        --plugin rdpdr --data disk:w7share:/home/jgoerzen/w7share -- \
        --plugin drdynvc --data tsmf:decoder:gstreamer -- \
        -u jgoerzen "$@" host.example.com
--plugin cliprdr -> +clipboard
Segmentation fault

I notice that packages like libxfreerdp-client1.1 and libfreerdp-gdi1.1 and such were recently
updated.  That is when this all broke.

-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages freerdp-x11 depends on:
ii  libc6                     2.19-13
ii  libfreerdp-cache1.1       1.1.0~git20140921.1.440916e+dfsg1-3
ii  libfreerdp-client1.1      1.1.0~git20140921.1.440916e+dfsg1-3
ii  libfreerdp-codec1.1       1.1.0~git20140921.1.440916e+dfsg1-3
ii  libfreerdp-common1.1.0    1.1.0~git20140921.1.440916e+dfsg1-3
ii  libfreerdp-core1.1        1.1.0~git20140921.1.440916e+dfsg1-3
ii  libfreerdp-crypto1.1      1.1.0~git20140921.1.440916e+dfsg1-3
ii  libfreerdp-gdi1.1         1.1.0~git20140921.1.440916e+dfsg1-3
ii  libfreerdp-locale1.1      1.1.0~git20140921.1.440916e+dfsg1-3
ii  libfreerdp-primitives1.1  1.1.0~git20140921.1.440916e+dfsg1-3
ii  libfreerdp-rail1.1        1.1.0~git20140921.1.440916e+dfsg1-3
ii  libfreerdp-utils1.1       1.1.0~git20140921.1.440916e+dfsg1-3
ii  libjpeg62-turbo           1:1.3.1-11
ii  libssl1.0.0               1.0.1k-1
ii  libwinpr-crt0.1           1.1.0~git20140921.1.440916e+dfsg1-3
ii  libwinpr-crypto0.1        1.1.0~git20140921.1.440916e+dfsg1-3
ii  libwinpr-dsparse0.1       1.1.0~git20140921.1.440916e+dfsg1-3
ii  libwinpr-environment0.1   1.1.0~git20140921.1.440916e+dfsg1-3
ii  libwinpr-file0.1          1.1.0~git20140921.1.440916e+dfsg1-3
ii  libwinpr-handle0.1        1.1.0~git20140921.1.440916e+dfsg1-3
ii  libwinpr-heap0.1          1.1.0~git20140921.1.440916e+dfsg1-3
ii  libwinpr-input0.1         1.1.0~git20140921.1.440916e+dfsg1-3
ii  libwinpr-interlocked0.1   1.1.0~git20140921.1.440916e+dfsg1-3
ii  libwinpr-library0.1       1.1.0~git20140921.1.440916e+dfsg1-3
ii  libwinpr-path0.1          1.1.0~git20140921.1.440916e+dfsg1-3
ii  libwinpr-pool0.1          1.1.0~git20140921.1.440916e+dfsg1-3
ii  libwinpr-registry0.1      1.1.0~git20140921.1.440916e+dfsg1-3
ii  libwinpr-rpc0.1           1.1.0~git20140921.1.440916e+dfsg1-3
ii  libwinpr-sspi0.1          1.1.0~git20140921.1.440916e+dfsg1-3
ii  libwinpr-synch0.1         1.1.0~git20140921.1.440916e+dfsg1-3
ii  libwinpr-sysinfo0.1       1.1.0~git20140921.1.440916e+dfsg1-3
ii  libwinpr-thread0.1        1.1.0~git20140921.1.440916e+dfsg1-3
ii  libwinpr-utils0.1         1.1.0~git20140921.1.440916e+dfsg1-3
ii  libx11-6                  2:1.6.2-3
ii  libxcursor1               1:1.1.14-1+b1
ii  libxext6                  2:1.3.3-1
ii  libxfreerdp-client1.1     1.1.0~git20140921.1.440916e+dfsg1-3
ii  libxi6                    2:1.7.4-1+b2
ii  libxinerama1              2:1.1.3-1+b1
ii  libxkbfile1               1:1.0.8-1
ii  libxrender1               1:0.9.8-1+b1
ii  libxv1                    2:1.0.10-1+b1
ii  zlib1g                    1:1.2.8.dfsg-2+b1

Versions of packages freerdp-x11 recommends:
ii  libfreerdp-plugins-standard  1.1.0~git20140921.1.440916e+dfsg1-3

freerdp-x11 suggests no packages.

-- no debconf information


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]


Bug#779312: freerdp-x11: Segfaults on start 100% of the time

Bernhard Übelacker-2
Hello John Goerzen,
I was able to reproduce a crash with xfreerdp.

First a question:
Does the crash still happen if you omit this part of the command line:
    --plugin rdpsnd --data alsa latency:100 --

---------------

After installing the 5 *-dbg packages I get the following stack:
gdb --args xfreerdp --plugin rdpsnd --data alsa latency:100 -- /v:192.168.178.45
    directory libfreerdp/core:libfreerdp/common:client/common
    set height 0
    set width 0
    run
        Starting program: /usr/bin/xfreerdp --plugin rdpsnd --data alsa latency:100 -- /v:192.168.178.45
        [Thread debugging using libthread_db enabled]
        Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

        Program received signal SIGSEGV, Segmentation fault.
        0x00007ffff5bb058c in freerdp_static_channel_collection_add (settings=settings@entry=0x65ac10, channel=channel@entry=0x666bb0) at /build/freerdp-oDMFQO/freerdp-1.1.0~git20140921.1.440916e+dfsg1/libfreerdp/common/settings.c:214
        214             settings->StaticChannelArray[settings->StaticChannelCount++] = channel;

        (gdb) bt
        #0  0x00007ffff5bb058c in freerdp_static_channel_collection_add (settings=settings@entry=0x65ac10, channel=channel@entry=0x666bb0) at /build/freerdp-oDMFQO/freerdp-1.1.0~git20140921.1.440916e+dfsg1/libfreerdp/common/settings.c:214
        #1  0x00007ffff6ce5563 in freerdp_client_add_static_channel (settings=settings@entry=0x65ac10, count=<optimized out>, params=0x666b60) at /build/freerdp-oDMFQO/freerdp-1.1.0~git20140921.1.440916e+dfsg1/client/common/cmdline.c:393
        #2  0x00007ffff6ce8252 in freerdp_client_old_process_plugin (settings=settings@entry=0x65ac10, args=args@entry=0x666b40) at /build/freerdp-oDMFQO/freerdp-1.1.0~git20140921.1.440916e+dfsg1/client/common/compatibility.c:176
        #3  0x00007ffff6ce863c in freerdp_client_old_command_line_pre_filter (context=context@entry=0x65ac10, index=5, index@entry=1, argc=argc@entry=8, argv=argv@entry=0x7fffffffe018) at /build/freerdp-oDMFQO/freerdp-1.1.0~git20140921.1.440916e+dfsg1/client/common/compatibility.c:292
        #4  0x00007ffff3baed6e in CommandLineParseArgumentsA (argc=argc@entry=8, argv=argv@entry=0x7fffffffe018, options=options@entry=0x7ffff6efd1c0 <old_args>, flags=flags@entry=1036, context=context@entry=0x65ac10, preFilter=preFilter@entry=0x7ffff6ce83e0 <freerdp_client_old_command_line_pre_filter>, postFilter=0x0) at /build/freerdp-oDMFQO/freerdp-1.1.0~git20140921.1.440916e+dfsg1/winpr/libwinpr/utils/cmdline.c:88
        #5  0x00007ffff6ce884b in freerdp_detect_old_command_line_syntax (argc=argc@entry=8, argv=argv@entry=0x7fffffffe018, count=count@entry=0x7fffffffddcc) at /build/freerdp-oDMFQO/freerdp-1.1.0~git20140921.1.440916e+dfsg1/client/common/compatibility.c:346
        #6  0x00007ffff6ce5ff2 in freerdp_client_detect_command_line (argc=8, argv=0x7fffffffe018, flags=0x7fffffffde30) at /build/freerdp-oDMFQO/freerdp-1.1.0~git20140921.1.440916e+dfsg1/client/common/cmdline.c:911
        #7  0x00007ffff6ce62b3 in freerdp_client_parse_command_line_arguments (argc=8, argv=0x7fffffffe018, settings=0x60e8e0) at /build/freerdp-oDMFQO/freerdp-1.1.0~git20140921.1.440916e+dfsg1/client/common/cmdline.c:1014
        #8  0x00007ffff6ce4d56 in freerdp_client_parse_command_line (context=context@entry=0x609420, argc=argc@entry=8, argv=argv@entry=0x7fffffffe018) at /build/freerdp-oDMFQO/freerdp-1.1.0~git20140921.1.440916e+dfsg1/client/common/client.c:111
        #9  0x0000000000401be8 in main (argc=8, argv=0x7fffffffe018) at /build/freerdp-oDMFQO/freerdp-1.1.0~git20140921.1.440916e+dfsg1/client/X11/cli/xfreerdp.c:56

        (gdb) print settings->StaticChannelArray
        $1 = (ADDIN_ARGV **) 0x0
        (gdb) print settings->StaticChannelCount
        $2 = 2
        (gdb) print channel
        $3 = (ADDIN_ARGV *) 0x666bb0
        (gdb) print settings->StaticChannelArraySize
        $4 = 0

---------------

In my opinion the problem lies in the initialization of the "settings" structure.

In "freerdp_detect_old_command_line_syntax" the "settings" are only allocated and
the whole memory is set to 0. Therefore StaticChannelArraySize is 0.

Later, when we get into this function, we enter the if block. But because
StaticChannelArraySize still equals 0, the "*= 2" has no effect and it stays 0.
Therefore the realloc is done with size 0, and therefore a null pointer is returned.


void freerdp_static_channel_collection_add(rdpSettings* settings, ADDIN_ARGV* channel)
{
        if (settings->StaticChannelArraySize < (settings->StaticChannelCount + 1))
        {
                settings->StaticChannelArraySize *= 2;
                settings->StaticChannelArray = (ADDIN_ARGV**)
                                realloc(settings->StaticChannelArray, settings->StaticChannelArraySize);
        }

        settings->StaticChannelArray[settings->StaticChannelCount++] = channel;
}

---------------

Another example where a "settings" object is created is the function "freerdp_settings_new".
There some default values are also set, e.g. "settings->StaticChannelArraySize = 16;".

---------------

The attached patch only makes sure that StaticChannelArraySize is bigger than 0.
A local build with this patch applied does not crash anymore.

There are more of these "*= 2" constructs that do not check that the initial value is bigger than 0.

Kind regards,
Bernhard

Attachment: 779312-avoid-realloc-with-size-0.patch (816 bytes)
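As an added illustration of the growth-array failure Bernhard describes above (this is example code written for this page, not FreeRDP's code and not the attached patch), the block below shows a doubling array that handles a zero starting capacity, checks the realloc result before overwriting the old pointer, and passes realloc a byte count. The struct and field names are constructed stand-ins for the three rdpSettings fields the thread mentions; the starting capacity of 16 is the default the post quotes from freerdp_settings_new. demo_zero_initialized_settings replays the reported path: a settings struct that is all zeros after allocation, followed by several channel additions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for FreeRDP's ADDIN_ARGV and the three rdpSettings
 * fields this thread is about (assumption: nothing else matters here). */
typedef struct { int argc; char** argv; } ADDIN_ARGV;

typedef struct {
    ADDIN_ARGV** StaticChannelArray;
    size_t StaticChannelArraySize;   /* capacity, in elements */
    size_t StaticChannelCount;       /* elements in use */
} rdpSettings;

/* Same starting capacity freerdp_settings_new assigns, per the report. */
#define STATIC_CHANNEL_INITIAL_CAPACITY 16

/* Next capacity for a doubling array. A capacity of 0 is exactly the case from
 * the report (settings zero-filled on allocation), where "*= 2" would stay 0.
 * Returns 0 only when doubling would overflow the byte count handed to realloc. */
size_t next_capacity(size_t cap)
{
    if (cap == 0)
        return STATIC_CHANNEL_INITIAL_CAPACITY;
    if (cap > SIZE_MAX / 2 / sizeof(ADDIN_ARGV*))
        return 0;
    return cap * 2;
}

/* Hardened add: returns 0 on success, -1 on failure. Compared with the version
 * quoted in the report it grows from 0, keeps the old buffer if realloc fails
 * instead of overwriting the pointer with NULL, and passes realloc a byte
 * count rather than an element count. */
int static_channel_collection_add(rdpSettings* settings, ADDIN_ARGV* channel)
{
    if (!settings || !channel)
        return -1;

    if (settings->StaticChannelCount + 1 > settings->StaticChannelArraySize)
    {
        size_t new_cap = next_capacity(settings->StaticChannelArraySize);
        if (new_cap == 0)
            return -1;

        ADDIN_ARGV** grown = realloc(settings->StaticChannelArray,
                                     new_cap * sizeof(*grown));
        if (!grown)
            return -1;   /* settings->StaticChannelArray is still valid */

        settings->StaticChannelArray = grown;
        settings->StaticChannelArraySize = new_cap;
    }

    settings->StaticChannelArray[settings->StaticChannelCount++] = channel;
    return 0;
}

/* Replays the failing path: a calloc'ed (all-zero) settings struct, then n
 * channels added one by one. Returns how many were stored, or -1 if any
 * allocation or bookkeeping invariant failed. */
int demo_zero_initialized_settings(int n)
{
    if (n < 0)
        return -1;
    rdpSettings* settings = calloc(1, sizeof(*settings));
    ADDIN_ARGV* chans = calloc(n > 0 ? (size_t)n : 1, sizeof(*chans));
    int stored = -1;

    if (settings && chans)
    {
        stored = 0;
        for (int i = 0; i < n; i++)
        {
            if (static_channel_collection_add(settings, &chans[i]) != 0)
            {
                stored = -1;
                break;
            }
            /* Invariants: count never exceeds capacity, entry is what we added. */
            if (settings->StaticChannelCount > settings->StaticChannelArraySize ||
                settings->StaticChannelArray[i] != &chans[i])
            {
                stored = -1;
                break;
            }
            stored++;
        }
    }

    if (settings)
        free(settings->StaticChannelArray);
    free(settings);
    free(chans);
    return stored;
}

int main(void)
{
    printf("stored %d channels starting from a zeroed settings struct\n",
           demo_zero_initialized_settings(40));
    return 0;
}
```

Adding 40 channels walks the capacity through 16, 32 and 64 without ever touching a NULL array; the same loop against the quoted function, with a zeroed struct, would fault on the first store, as the gdb session shows.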

Bug#779312: freerdp-x11: Segfaults on start 100% of the time

John Goerzen-3
Removing those parameters indeed fixes the crash.

John

On 03/01/2015 08:00 AM, Bernhard Übelacker wrote:

> Hello John Goerzen,
> I was able to reproduce a crash with xfreerdp.
>
> First a question:
> does the crash still happen, if you omit this part of the command line:
>     --plugin rdpsnd --data alsa latency:100 --

