Public bug reported:

Ubuntu version: 18.04
libx11-xcb-dev version: 1.6.2

Hello, I found some potential bugs in the package libx11-xcb-dev, and the Word
file in the attachment I uploaded shows how each bug occurs in a graphical
way. Would you help me check whether the bugs mentioned below are true? I'm
not 100% sure that the bugs I submitted are correct. I hope you don't mind
seeing any wrong bugs I submitted. Thank you very much for your patience.

In file libx11-1.6.2/src/Xrm.c, definition of function
XrmCombineFileDatabase, line 1700 or line 1702:
there is a statement that calls the function NewDataBase() and loads its
return value into db, and this function may return a null pointer. In line
1703, there is a statement that dereferences db without checking it. The
process of this potential bug is shown in figure 1.

In file libx11-1.6.2/src/Xrm.c, definition of function XrmGetStringDatabase,
line 1559:
there is a statement that calls the function NewDataBase() and loads its
return value into db, and this function may return a null pointer. In line
1560, there is a statement that dereferences db without checking it. The
process of this potential bug is shown in figure 2.

In file libx11-1.6.2/src/Xrm.c, definition of function append_value_list,
line 489:
there is a statement that calls Xmalloc to allocate memory and loads its
return value into value_list, but Xmalloc may fail to allocate memory, so
value_list may be a null pointer. In line 490, there is a statement that
dereferences value_list without checking it. The process of this potential bug
is shown in figure 3.

In file libx11-1.6.2/modules/im/ximcp/imLcIm.c, definition of function
_XimWriteCachedDefaultTree, line 472:
there is a statement that calls Xmalloc to allocate memory and loads its
return value into m, but Xmalloc may fail to allocate memory, so m may be a
null pointer. Statements after that dereference value_list without checking
it. The process of this potential bug is shown in figure 4.

In file libx11-1.6.2/src/PolyReg.c, definition of function InsertEdgeInET,
line 98:
there is a statement that calls Xmalloc to allocate memory and loads its
return value into tmpSLLBlock, but Xmalloc may fail to allocate memory, so
tmpSLLBlock may be a null pointer. In line 100, there is a statement that
dereferences tmpSLLBlock without checking it. The process of this potential
bug is shown in figure 5.

In file libx11-1.6.2/modules/im/ximcp/imCallbk.c, definition of function
_XimStrConversionCallback, line 342:
there is a statement that calls Xmalloc to allocate memory and loads its
return value into buf, but Xmalloc may fail to allocate memory, so buf may be
a null pointer. In line 344, buf acts as the first parameter of function
_XimSetHeader (this function is in file
libx11-1.6.2/modules/im/ximcp/imDefIm.c, line 78); in this function there are
several statements that dereference buf without a check. The process of this
potential bug is shown in figure 6.

In file libx11-1.6.2/modules/im/ximcp/imCallbk.c, definition of function
_read_text_from_packet, line 532:
there is a statement that calls Xmalloc to allocate memory and loads its
return value into text->feedback, but Xmalloc may fail to allocate memory, so
text->feedback may be a null pointer. In line 535, there is a statement that
dereferences text->feedback without checking it. The process of this potential
bug is shown in figure 7.

In file libx11-1.6.2/src/xcms/cmsColNm.c, definition of function
_XcmsParseColorString, line 212:
there is a statement that calls Xmalloc to allocate memory and loads its
return value into string_lowered, but Xmalloc may fail to allocate memory, so
string_lowered may be a null pointer. In line 219, there is a statement that
dereferences string_lowered without checking it. The process of this potential
bug is shown in figure 8.

In file libx11-1.6.2/src/xcms/cmsColNm.c, definition of function
_XcmsLookupColorName, line 421:
there is a statement that calls Xmalloc to allocate memory and loads its
return value into name_lowered, but Xmalloc may fail to allocate memory, so
name_lowered may be a null pointer. In line 432, there is a statement that
dereferences name_lowered without checking it. The process of this potential
bug is shown in figure 9.

In file libx11-1.6.2/src/xcms/IdOfPr.c, definition of function
XcmsFormatOfPrefix, line 70:
there is a statement that calls Xmalloc to allocate memory and loads its
return value into string_lowered, but Xmalloc may fail to allocate memory, so
string_lowered may be a null pointer. In line 82, there is a statement that
dereferences string_lowered without checking it. The process of this potential
bug is shown in figure 10.

In file libx11-1.6.2/src/InitExt.c, definition of function XESetWireToError,
line 332:
there is a statement that calls Xmalloc to allocate memory and loads its
return value into dpy->error_vec, but Xmalloc may fail to allocate memory, so
dpy->error_vec may be a null pointer. In line 334, there is a statement that
dereferences dpy->error_vec without checking it. The process of this potential
bug is shown in figure 11.

In file libx11-1.6.2/src/xlibi18n/XDefaultIMIF.c, definition of function
_SetIMValues, line 279:
there is a statement that calls Xmalloc to allocate memory and loads its
return value into styles, but Xmalloc may fail to allocate memory, so styles
may be a null pointer. In line 281, there is a statement that dereferences
styles without checking it. The process of this potential bug is shown in
figure 12.

In file libx11-1.6.2/src/xlibi18n/lcFile.c, definition of function
_XlcResolveLocaleName, line 561:
there is a statement that calls strdup and loads its return value into
pub->siname, but strdup may fail to allocate memory, so pub->siname may be a
null pointer. In line 566, there is a statement that dereferences pub->siname
without checking it. The process of this potential bug is shown in figure 13.

In file libx11-1.6.2/src/xkb/XKBGeom.c, definition of function
_XkbReadGeomOverlay, line 478:
row is loaded with the return value of function XkbAddGeomOverlayRow (this
function is in file libx11-1.6.2/src/xkb/XKBGAlloc.c). As you can see in
figure 14, there are several branches in the function XkbAddGeomOverlayRow
that return NULL, so row may be a null pointer. In line 479, there is a
statement that dereferences row without a check. By the way, it seems like you
wrote your check statement in line 480. The process of this potential bug is
shown in figure 14.

In file libx11-1.6.2/src/Quarks.c, definition of function XrmQuarkToString,
line 395:
if the true branch is selected at this point, NULLSTRING will be loaded into s
and returned to the caller.
In file libx11-1.6.2/src/Xrm.c, definition of DumpEntry, line 2039: the return
value of XrmQuarkToString acts as an argument of fprintf, which can be null.
The process of this potential bug is shown in figure 15.


In file libx11-1.6.2/modules/im/ximcp/imDefLkup.c, definition of function
_XimICOfXICID, line 48:
null will be returned to the caller.
In the same file, definition of _XimSetEventMaskCallback, line 91: the return
value of _XimICOfXICID is loaded into ic. In line 92, ic acts as the first
parameter of _XimProcICSetEventMask.
In the same file, definition of _XimProcICSetEventMask: statements in line 70
and line 71 dereference ic without checking it, so a null pointer dereference
may happen.
The process of this potential bug is shown in figure 16.

** Affects: libx11 (Ubuntu)
     Importance: Undecided
         Status: New

** Patch added: "libx11_nullptr_dereference.docx"
   
https://bugs.launchpad.net/bugs/1939658/+attachment/5517481/+files/libx11_nullptr_dereference.docx
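
The unchecked-allocation pattern the report describes for string_lowered and the other Xmalloc results can be tested with a fault-injecting allocator, shown here next to the checked form. This is an added example, not libX11 code and not the reporter's; inject_malloc, lower_copy_unchecked, lower_copy_checked and reports_alloc_failure are hypothetical names, and plain malloc stands in for Xmalloc.

```c
/* Added example: hypothetical names, not libX11 code; malloc ~ Xmalloc. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
/* Fault injection: allocation number fail_after + 1 fails; < 0 disables. */
static int fail_after = -1;

static void *inject_malloc(size_t n)
{
    if (fail_after == 0) { fail_after = -1; return NULL; }
    if (fail_after > 0) fail_after--;
    return malloc(n);
}

/* Reported pattern: the allocation result is written through unchecked. */
static char *lower_copy_unchecked(const char *s)
{
    size_t len = strlen(s);
    char *out = inject_malloc(len + 1);
    for (size_t i = 0; i <= len; i++)      /* NULL write if malloc failed */
        out[i] = (char)tolower((unsigned char)s[i]);
    return out;
}

/* Checked form: report the failure to the caller instead. */
static char *lower_copy_checked(const char *s)
{
    size_t len = strlen(s);
    char *out = inject_malloc(len + 1);
    if (out == NULL) return NULL;
    for (size_t i = 0; i <= len; i++)
        out[i] = (char)tolower((unsigned char)s[i]);
    return out;
}

/* Fail each of the first max_allocs allocations in turn; 1 if fn coped. */
static int reports_alloc_failure(char *(*fn)(const char *), const char *in,
                                 int max_allocs)
{
    int ok = 1;
    for (int k = 0; k < max_allocs; k++) {
        fail_after = k;
        char *r = fn(in);
        if (fail_after == -1 && r != NULL)  /* injected, yet "succeeded" */
            ok = 0;
        fail_after = -1;
        free(r);
    }
    return ok;
}
```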

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to libx11 in Ubuntu.
https://bugs.launchpad.net/bugs/1939658

Title:
  Several potential bugs of null pointer dereference

Status in libx11 package in Ubuntu:
  New
