[Ubuntu-x-swat] [Bug 926714] Re: continuous jerky mouse movements while using nouveau driver in 12.04

2012-11-07 Thread Roger R. Cruz 
] nouveau 
:01:00.0: nouveau_connector_detect:238 - 
Nov  7 20:07:16 Precision-M4600-JRYQKQ1 kernel: [  646.286062] [drm] nouveau 
:01:00.0: nouveau_connector_detect:247 - Detecting DDC
Nov  7 20:07:16 Precision-M4600-JRYQKQ1 kernel: [  646.446019] [drm] nouveau 
:01:00.0: nouveau_connector_detect:249 - DDC not detected! === .16
Nov  7 20:07:16 Precision-M4600-JRYQKQ1 kernel: [  646.446021] 
[drm:output_poll_execute], [CONNECTOR:17:DP-3] status updated from 2 to 2
Nov  7 20:07:16 Precision-M4600-JRYQKQ1 kernel: [  646.446023] 
[drm:output_poll_execute], [CONNECTOR:20:VGA-1] Probing...
Nov  7 20:07:16 Precision-M4600-JRYQKQ1 kernel: [  646.446025] Got to 
nouveau_connector_detect
Nov  7 20:07:16 Precision-M4600-JRYQKQ1 kernel: [  646.446026] [drm] nouveau 
:01:00.0: nouveau_connector_detect:238 - 
Nov  7 20:07:16 Precision-M4600-JRYQKQ1 kernel: [  646.446027] [drm] nouveau 
:01:00.0: nouveau_connector_detect:247 - Detecting DDC
Nov  7 20:07:16 Precision-M4600-JRYQKQ1 kernel: [  646.449954] [drm] nouveau 
:01:00.0: nouveau_connector_detect:249 - DDC not detected!
Nov  7 20:07:16 Precision-M4600-JRYQKQ1 kernel: [  646.449955] 
[drm:output_poll_execute], [CONNECTOR:20:VGA-1] status updated from 2 to 2


Roger R. Cruz

-- 
You received this bug notification because you are a member of Ubuntu-X,
which is subscribed to xserver-xorg-video-nouveau in Ubuntu.
https://bugs.launchpad.net/bugs/926714

Title:
  continuous jerky mouse movements while using nouveau driver in 12.04

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xserver-xorg-video-nouveau/+bug/926714/+subscriptions

___
Mailing list: https://launchpad.net/~ubuntu-x-swat
Post to : ubuntu-x-swat@lists.launchpad.net
Unsubscribe : https://launchpad.net/~ubuntu-x-swat
More help   : https://help.launchpad.net/ListHelp

[Ubuntu-x-swat] [Bug 770522] [NEW] copyRawEvent() copies data outside of allocated space causing heap corruption

2011-04-25 Thread Roger R. Cruz 
Public bug reported:

This fixes what I believe is a bug in libxi which causes my application
to crash.  I have reported it to FreeDesktop.org

https://bugs.freedesktop.org/show_bug.cgi?id=36592

diff ../../libXi-1.3-orig/src/XExtInt.c src/XExtInt.c
1196c1196
 ptr = cookie_out-data = malloc(sizeof(XIRawEvent));
---
 ptr = cookie_out-data = malloc(len);

In trying to understand a heap corruption when I added XI2 RawMotion event
handling to our Xinput-based application, I came across the following routine
copyRawEvent() in libxi-1.3/src/XExtInt.c.  My question is what is the purpose
of computing len if it is not used?  Should it have been used as an argument
to malloc(). 

copyRawEvent(XGenericEventCookie *cookie_in,
 XGenericEventCookie *cookie_out)
{
XIRawEvent *in, *out;
void *ptr;
int len;
int bits;

in = cookie_in-data;

bits = count_bits(in-valuators.mask, in-valuators.mask_len);
len = sizeof(XIRawEvent) + in-valuators.mask_len;
len += bits * sizeof(double) * 2;

ptr = cookie_out-data = malloc(sizeof(XIRawEvent));
if (!ptr)
return False;

out = next_block(ptr, sizeof(XIRawEvent));
*out = *in;
out-valuators.mask = next_block(ptr, out-valuators.mask_len);
memcpy(out-valuators.mask, in-valuators.mask, out-valuators.mask_len);

out-valuators.values = next_block(ptr, bits * sizeof(double));
memcpy(out-valuators.values, in-valuators.values, bits * sizeof(double));

out-raw_values = next_block(ptr, bits * sizeof(double));
memcpy(out-raw_values, in-raw_values, bits * sizeof(double));

return True;
}

When I use valgrind, I get the following output as the culprit for the
crash

==4166== Invalid write of size 1
==4166==at 0x4C29F04: memcpy (mc_replace_strmem.c:497)
==4166==by 0x8F39180: ??? (in /usr/lib/libXi.so.6.1.0)
==4166==by 0x7433D48: _XCopyEventCookie (in /usr/lib/libX11.so.6.3.0)
==4166==by 0x7425166: XPeekEvent (in /usr/lib/libX11.so.6.3.0)
==4166==by 0x49C3E3: process_key (x11_be.c:1065)
==4166==by 0x49EA5C: event_key_release (x11_be.c:2201)
==4166==by 0x49DD6E: x11_be_process_events (x11_be.c:1892)
==4166==by 0x4A38F4: x11_be_main_loop (x11_be.c:4353)
==4166==by 0x4A39E1: x11_be_thread_main (x11_be.c:4385)
==4166==by 0x87549C9: start_thread (pthread_create.c:300)
==4166==by 0x8A516FC: clone (clone.S:112)
==4166==  Address 0x168afe80 is 0 bytes after a block of size 96 alloc'd
==4166==at 0x4C284A8: malloc (vg_replace_malloc.c:236)
==4166==by 0x8F390BD: ??? (in /usr/lib/libXi.so.6.1.0)
==4166==by 0x7433D48: _XCopyEventCookie (in /usr/lib/libX11.so.6.3.0)
==4166==by 0x7425166: XPeekEvent (in /usr/lib/libX11.so.6.3.0)
==4166==by 0x49C3E3: process_key (x11_be.c:1065)
==4166==by 0x49EA5C: event_key_release (x11_be.c:2201)
==4166==by 0x49DD6E: x11_be_process_events (x11_be.c:1892)
==4166==by 0x4A38F4: x11_be_main_loop (x11_be.c:4353)
==4166==by 0x4A39E1: x11_be_thread_main (x11_be.c:4385)
==4166==by 0x87549C9: start_thread (pthread_create.c:300)

Thanks in advance,

Roger R. Cruz

** Affects: libxi (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu-X,
which is subscribed to libxi in Ubuntu.
https://bugs.launchpad.net/bugs/770522

Title:
  copyRawEvent() copies data outside of allocated space causing heap
  corruption

___
Mailing list: https://launchpad.net/~ubuntu-x-swat
Post to : ubuntu-x-swat@lists.launchpad.net
Unsubscribe : https://launchpad.net/~ubuntu-x-swat
More help   : https://help.launchpad.net/ListHelp