Hello John Goerzen,
I was able to reproduce a crash with xfreerdp.

First a question:
does the crash still happen if you omit this part of the command line:
    --plugin rdpsnd --data alsa latency:100 --

---------------

After installing the 5 *-dbg packages I get this stack:
gdb --args xfreerdp --plugin rdpsnd --data alsa latency:100 -- /v:192.168.178.45
    directory libfreerdp/core:libfreerdp/common:client/common
    set height 0
    set width 0
    run
        Starting program: /usr/bin/xfreerdp --plugin rdpsnd --data alsa latency:100 -- /v:192.168.178.45
        [Thread debugging using libthread_db enabled]
        Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

        Program received signal SIGSEGV, Segmentation fault.
        0x00007ffff5bb058c in freerdp_static_channel_collection_add (settings=settings@entry=0x65ac10, channel=channel@entry=0x666bb0) at /build/freerdp-oDMFQO/freerdp-1.1.0~git20140921.1.440916e+dfsg1/libfreerdp/common/settings.c:214
        214             settings->StaticChannelArray[settings->StaticChannelCount++] = channel;

        (gdb) bt
        #0  0x00007ffff5bb058c in freerdp_static_channel_collection_add (settings=settings@entry=0x65ac10, channel=channel@entry=0x666bb0) at /build/freerdp-oDMFQO/freerdp-1.1.0~git20140921.1.440916e+dfsg1/libfreerdp/common/settings.c:214
        #1  0x00007ffff6ce5563 in freerdp_client_add_static_channel (settings=settings@entry=0x65ac10, count=<optimized out>, params=0x666b60) at /build/freerdp-oDMFQO/freerdp-1.1.0~git20140921.1.440916e+dfsg1/client/common/cmdline.c:393
        #2  0x00007ffff6ce8252 in freerdp_client_old_process_plugin (settings=settings@entry=0x65ac10, args=args@entry=0x666b40) at /build/freerdp-oDMFQO/freerdp-1.1.0~git20140921.1.440916e+dfsg1/client/common/compatibility.c:176
        #3  0x00007ffff6ce863c in freerdp_client_old_command_line_pre_filter (context=context@entry=0x65ac10, index=5, index@entry=1, argc=argc@entry=8, argv=argv@entry=0x7fffffffe018) at /build/freerdp-oDMFQO/freerdp-1.1.0~git20140921.1.440916e+dfsg1/client/common/compatibility.c:292
        #4  0x00007ffff3baed6e in CommandLineParseArgumentsA (argc=argc@entry=8, argv=argv@entry=0x7fffffffe018, options=options@entry=0x7ffff6efd1c0 <old_args>, flags=flags@entry=1036, context=context@entry=0x65ac10, preFilter=preFilter@entry=0x7ffff6ce83e0 <freerdp_client_old_command_line_pre_filter>, postFilter=0x0) at /build/freerdp-oDMFQO/freerdp-1.1.0~git20140921.1.440916e+dfsg1/winpr/libwinpr/utils/cmdline.c:88
        #5  0x00007ffff6ce884b in freerdp_detect_old_command_line_syntax (argc=argc@entry=8, argv=argv@entry=0x7fffffffe018, count=count@entry=0x7fffffffddcc) at /build/freerdp-oDMFQO/freerdp-1.1.0~git20140921.1.440916e+dfsg1/client/common/compatibility.c:346
        #6  0x00007ffff6ce5ff2 in freerdp_client_detect_command_line (argc=8, argv=0x7fffffffe018, flags=0x7fffffffde30) at /build/freerdp-oDMFQO/freerdp-1.1.0~git20140921.1.440916e+dfsg1/client/common/cmdline.c:911
        #7  0x00007ffff6ce62b3 in freerdp_client_parse_command_line_arguments (argc=8, argv=0x7fffffffe018, settings=0x60e8e0) at /build/freerdp-oDMFQO/freerdp-1.1.0~git20140921.1.440916e+dfsg1/client/common/cmdline.c:1014
        #8  0x00007ffff6ce4d56 in freerdp_client_parse_command_line (context=context@entry=0x609420, argc=argc@entry=8, argv=argv@entry=0x7fffffffe018) at /build/freerdp-oDMFQO/freerdp-1.1.0~git20140921.1.440916e+dfsg1/client/common/client.c:111
        #9  0x0000000000401be8 in main (argc=8, argv=0x7fffffffe018) at /build/freerdp-oDMFQO/freerdp-1.1.0~git20140921.1.440916e+dfsg1/client/X11/cli/xfreerdp.c:56

        (gdb) print settings->StaticChannelArray
        $1 = (ADDIN_ARGV **) 0x0
        (gdb) print settings->StaticChannelCount
        $2 = 2
        (gdb) print channel
        $3 = (ADDIN_ARGV *) 0x666bb0
        (gdb) print settings->StaticChannelArraySize
        $4 = 0

---------------

In my opinion the problem lies in the initialization of the "settings" 
structure.

In "freerdp_detect_old_command_line_syntax" the "settings" structure is only
allocated and its whole memory set to 0. Therefore StaticChannelArraySize is 0.

Later, when we get into this function, we enter the if block. But because
StaticChannelArraySize is still 0, the "*= 2" has no effect and it stays 0.
Therefore the realloc is done with size 0. Therefore a null pointer is returned.


void freerdp_static_channel_collection_add(rdpSettings* settings, ADDIN_ARGV* channel)
{
        if (settings->StaticChannelArraySize < (settings->StaticChannelCount + 1))
        {
                /* with a zeroed settings struct this is 0 * 2 == 0 */
                settings->StaticChannelArraySize *= 2;
                /* realloc with size 0 yields no usable buffer */
                settings->StaticChannelArray = (ADDIN_ARGV**)
                                realloc(settings->StaticChannelArray, settings->StaticChannelArraySize);
        }

        settings->StaticChannelArray[settings->StaticChannelCount++] = channel;
}

---------------

Another example where a "settings" object is generated is the function
"freerdp_settings_new".
There some default values are also set, e.g. "settings->StaticChannelArraySize = 16;".

---------------

The attached patch only makes sure that StaticChannelArraySize is bigger than 0.
A local build with this patch applied does not crash anymore.

There are more of these "*= 2" constructs that do not check that the initial
value is bigger than 0.

Kind regards,
Bernhard
diff -Nurp a/freerdp-1.1.0~git20140921.1.440916e+dfsg1/libfreerdp/common/settings.c b/freerdp-1.1.0~git20140921.1.440916e+dfsg1/libfreerdp/common/settings.c
--- a/freerdp-1.1.0~git20140921.1.440916e+dfsg1/libfreerdp/common/settings.c	2013-07-03 21:07:12.000000000 +0200
+++ b/freerdp-1.1.0~git20140921.1.440916e+dfsg1/libfreerdp/common/settings.c	2015-03-01 13:42:52.298995675 +0100
@@ -207,6 +207,7 @@ void freerdp_static_channel_collection_a
 	if (settings->StaticChannelArraySize < (settings->StaticChannelCount + 1))
 	{
 		settings->StaticChannelArraySize *= 2;
+		settings->StaticChannelArraySize = MAX(settings->StaticChannelArraySize, 1);
 		settings->StaticChannelArray = (ADDIN_ARGV**)
 				realloc(settings->StaticChannelArray, settings->StaticChannelArraySize);
 	}
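Review bot: the added MAX(settings->StaticChannelArraySize, 1) only rescues the zero case and does not guarantee the condition the if tests for: the gdb output above shows StaticChannelCount = 2 with size 0, and MAX(0, 1) = 1 is still smaller than StaticChannelCount + 1, so the store into StaticChannelArray[StaticChannelCount] that follows the hunk still lands outside the buffer. Two further points on the next line, `realloc(settings->StaticChannelArray, settings->StaticChannelArraySize);`: StaticChannelArraySize is used as an element count elsewhere but passed to realloc as a byte count, so a size of 1 allocates one byte for an ADDIN_ARGV* slot, and the realloc return is assigned straight into the field without a NULL check, which loses the old array on failure. Suggest computing the new size as the larger of the doubled size and StaticChannelCount + 1, passing `settings->StaticChannelArraySize * sizeof(ADDIN_ARGV*)` to realloc, and assigning through a temporary that is checked for NULL before the store.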

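A stand-alone C model of the growth rule analysed in this mail next to a hardened replacement, written for this page and not taken from FreeRDP; the struct and function names are assumptions that mirror the ones in the backtrace, and the capacity is treated as an element count rather than a byte count.

```c
#include <stdlib.h>
#include <stdbool.h>

/* Model of the FreeRDP structures named in the mail (added example, not FreeRDP code). */
typedef struct { int argc; char **argv; } ADDIN_ARGV;   /* stand-in for the real type */
typedef struct {
    ADDIN_ARGV **StaticChannelArray;
    size_t StaticChannelArraySize;   /* capacity, in elements */
    size_t StaticChannelCount;
} rdpSettings;

/* Growth rule of the original code: 2 * 0 is still 0, so realloc is asked
 * for 0 bytes and the store that follows dereferences NULL. */
size_t grow_naive(size_t size) { return size * 2; }

/* Hardened rule: always room for count + 1 elements, even from capacity 0. */
size_t grow_safe(size_t size, size_t count)
{
    size_t doubled = size * 2;
    return doubled > count + 1 ? doubled : count + 1;
}

/* Hardened add: capacity is an element count, so scale by the element size;
 * on allocation failure keep the old buffer and report it to the caller. */
bool static_channel_add(rdpSettings *s, ADDIN_ARGV *channel)
{
    if (s->StaticChannelArraySize < s->StaticChannelCount + 1) {
        size_t n = grow_safe(s->StaticChannelArraySize, s->StaticChannelCount);
        ADDIN_ARGV **p = realloc(s->StaticChannelArray, n * sizeof(*p));
        if (!p)
            return false;
        s->StaticChannelArray = p;
        s->StaticChannelArraySize = n;
    }
    s->StaticChannelArray[s->StaticChannelCount++] = channel;
    return true;
}

/* The reporter's scenario: a settings struct that was only zeroed, then n adds. */
size_t add_n_from_zeroed(size_t n)
{
    rdpSettings s = { 0 };
    ADDIN_ARGV ch = { 0, NULL };
    for (size_t i = 0; i < n; i++)
        if (!static_channel_add(&s, &ch))
            break;
    n = s.StaticChannelCount;   /* how many channels were actually stored */
    free(s.StaticChannelArray);
    return n;
}
```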