Package: libx11-6
Version: 4.3.0-7
Severity: grave
Tags: patch l10n
Justification: causes non-serious data loss
Hello,

If _XimProtoCreateIC() in xc/lib/X11/imDefIc.c fails to create an input context, it cleans up by freeing the input context and its private resources (see the label "ErrorOnCreatingIC:" at the bottom of the function). However, the failure may be encountered inside _XimEncodeICATTRIBUTE() (see line 1506), which may in turn have registered an event filter with a pointer to the input context, as shown in the following stack trace.

#0  _XimRegisterKeyPressFilter (ic=0x8235be8) at imDefFlt.c:275
#1  0x400065c4 in _XimRegisterFilter (ic=0x8235be8) at imDefFlt.c:334
#2  0x400179ab in _XimEncodeTopValue (ic=0x8235be8, res=0x8235e14, p=0x8236348) at imRmAttr.c:957
#3  0x40018063 in _XimEncodeICATTRIBUTE (ic=0x8235be8, res_list=0x8235e00, res_num=18, arg=0x8236340, arg_ret=0xbfffddf4, buf=0xbfffe610, size=2032, ret_len=0xbfffddf8, top=0xbfffee10 "\004\004", flag=0x0, mode=2) at imRmAttr.c:1139
#4  0x4000820c in _XimProtoCreateIC (xim=0x811bac8, arg=0x8236340) at imDefIc.c:1506
#5  0x400bfd04 in XCreateIC (im=0x811bac8) at ICWrap.c:250
#6  0x40192b5c in Tk_HandleEvent () from /usr/lib/libtk8.4.so.0
#7  0x40193556 in TkQueueEventForAllChildren () from /usr/lib/libtk8.4.so.0
#8  0x402b5919 in Tcl_ServiceEvent () from /usr/lib/libtcl8.4.so.0
#9  0xfffffffd in ?? ()
#10 0xbffff038 in ?? ()
#11 0x402c6a1c in Tcl_DeleteTimerHandler () from /usr/lib/libtcl8.4.so.0

In such a situation, when _XimProtoCreateIC() returns, it leaves a dangling pointer from the event filter list of the display to the freed input context. This can easily cause a segfault later.

The following one-line patch fixes this problem:

--- xc/lib/X11/imDefIc.c.orig	2001-01-17 14:41:51.000000000 -0500
+++ xc/lib/X11/imDefIc.c	2004-03-24 23:47:54.000000000 -0500
@@ -1591,6 +1591,7 @@
     return (XIC)ic;
 
 ErrorOnCreatingIC:
+    _XimUnregisterFilter(ic);
     if (ic->private.proto.ic_resources)
 	Xfree(ic->private.proto.ic_resources);
     if (ic->private.proto.ic_inner_resources)

I have verified that this patch eliminates the segfault that I encounter on the second keystroke when running wnb in the wordnet package (version 2.0g-4 or earlier, LC_CTYPE=zh_TW.UTF-8), with xcin (version 2.5.2.99.pre2+cvs20030224-1) running in the background (LANG=zh_TW.Big5 LC_CTYPE=zh_TW.Big5 LC_MESSAGES=zh_TW.Big5 LC_ALL=zh_TW.Big5). However, I am not sure that the above fix is the right one -- perhaps it is the responsibility of _XimEncodeICATTRIBUTE() or _XimEncodeTopValue() to unregister the event filter.

Thank you,
Ken

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.3
Locale: LANG=C, LC_CTYPE=zh_TW.UTF-8

Versions of packages libx11-6 depends on:
ii  libc6           2.3.2.ds1-11   GNU C Library: Shared libraries an
ii  xfree86-common  4.3.0-7        X Window System (XFree86) infrastr
ii  xlibs-data      4.3.0-7        X Window System client data

-- no debconf information

-- 
Edit this signature at http://www.digitas.harvard.edu/cgi-bin/ken/sig
BBC News: Universities face week of protest
http://news.bbc.co.uk/1/hi/education/3508209.stm
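Review bot: the added "_XimUnregisterFilter(ic);" at ErrorOnCreatingIC runs unconditionally, while the frees right after it are guarded ("if (ic->private.proto.ic_resources)"); the label is also reached from failures that happen before _XimEncodeICATTRIBUTE() has registered any filter, so either confirm that _XimUnregisterFilter() is a no-op for an ic with no registered filter or guard the call the same way. A one-line comment at the label stating that the filter must be removed before the ic is freed would document the invariant, and, as the report itself raises, having the registering path (_XimEncodeTopValue/_XimRegisterFilter) undo its own registration on failure would keep register and unregister symmetric; the patch should say which of the two it intends.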
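The failure sequence the report describes, as an added example that models it in C; this is not Xlib's code, and Display, Ic, Filter, register_filter, unregister_filter, encode_attributes, create_ic and filter_count are assumed stand-ins for the Xlib structures and functions named above. With fixed == 0 the error path leaves the dangling filter the report describes; with fixed == 1 it does the cleanup the one-line patch adds.

```c
/* Model of the reported cleanup bug (assumed names, not Xlib code): a display
 * keeps a list of key-press filters, each pointing at the ic that registered it. */
#include <stdlib.h>

typedef struct Ic Ic;
typedef struct Filter { Ic *ic; struct Filter *next; } Filter;
typedef struct { Filter *filters; } Display;
struct Ic { Display *dpy; };

/* Stand-in for _XimRegisterFilter: link a filter pointing at ic into dpy. */
static void register_filter(Ic *ic) {
    Filter *f = malloc(sizeof *f);
    f->ic = ic; f->next = ic->dpy->filters; ic->dpy->filters = f;
}

/* Stand-in for _XimUnregisterFilter: unlink every filter that points at ic. */
static void unregister_filter(Ic *ic) {
    for (Filter **pp = &ic->dpy->filters; *pp; ) {
        if ((*pp)->ic == ic) { Filter *dead = *pp; *pp = dead->next; free(dead); }
        else pp = &(*pp)->next;
    }
}

/* Stand-in for _XimEncodeICATTRIBUTE: registers the filter first, then may fail. */
static int encode_attributes(Ic *ic, int fail_after_register) {
    register_filter(ic);
    return !fail_after_register;   /* 1 on success, 0 on failure */
}

/* Stand-in for _XimProtoCreateIC. With fixed == 0 the error path frees ic but leaves
 * dpy->filters pointing at freed memory; with fixed == 1 it unregisters first. */
static Ic *create_ic(Display *dpy, int fail_after_register, int fixed) {
    Ic *ic = calloc(1, sizeof *ic);
    if (!ic) return NULL;
    ic->dpy = dpy;
    if (!encode_attributes(ic, fail_after_register)) goto ErrorOnCreatingIC;
    return ic;
ErrorOnCreatingIC:
    if (fixed) unregister_filter(ic);
    free(ic);
    return NULL;
}

/* Filters still linked into dpy; after a failed create_ic, each one is dangling. */
static int filter_count(const Display *dpy) {
    int n = 0;
    for (const Filter *f = dpy->filters; f; f = f->next) n++;
    return n;
}
```

filter_count() only walks the filter list and never dereferences the ic pointers, so it can report the dangling entry without touching freed memory.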