Public bug reported:

Ubuntu version: 18.04
libx11-xcb-dev version: 1.6.2
Hello, I found some potential bugs in package libx11-xcb-dev, and the Word file
in the attachment I uploaded shows the occurrence process of the bugs in a
graphical way. Would you help me check whether the bugs mentioned below are
true? I'm not 100% sure that the bugs I submitted are correct. I hope you don't
mind seeing the wrong bugs I submitted. Thank you very much for your patience.

In file libx11-1.6.2/src/Xrm.c, definition of function XrmCombineFileDatabase,
line 1700 or line 1702: there is a statement that calls function NewDataBase()
and loads its return value into db, and this function may return a null
pointer. In line 1703, there is a statement that dereferences db without
checking it. The process of this potential bug is shown in figure 1.

In file libx11-1.6.2/src/Xrm.c, definition of function XrmGetStringDatabase,
line 1559: there is a statement that calls function NewDataBase() and loads its
return value into db, and this function may return a null pointer. In line
1560, there is a statement that dereferences db without checking it. The
process of this potential bug is shown in figure 2.

In file libx11-1.6.2/src/Xrm.c, definition of function append_value_list, line
489: there is a statement that calls function Xmalloc to allocate memory and
loads its return value into value_list, but Xmalloc may fail to allocate
memory, so value_list may be a null pointer. In line 490, there is a statement
that dereferences value_list without checking it. The process of this
potential bug is shown in figure 3.

In file libx11-1.6.2/modules/im/ximcp/imLcIm.c, definition of function
_XimWriteCachedDefaultTree, line 472: there is a statement that calls function
Xmalloc to allocate memory and loads its return value into m, but Xmalloc may
fail to allocate memory, so m may be a null pointer. The statements after it
dereference value_list without checking it. The process of this potential bug
is shown in figure 4.

In file libx11-1.6.2/src/PolyReg.c, definition of function InsertEdgeInET, line
98: there is a statement that calls function Xmalloc to allocate memory and
loads its return value into tmpSLLBlock, but Xmalloc may fail to allocate
memory, so tmpSLLBlock may be a null pointer. In line 100, there is a statement
that dereferences tmpSLLBlock without checking it. The process of this
potential bug is shown in figure 5.

In file libx11-1.6.2/modules/im/ximcp/imCallbk.c, definition of function
_XimStrConversionCallback, line 342: there is a statement that calls function
Xmalloc to allocate memory and loads its return value into buf, but Xmalloc may
fail to allocate memory, so buf may be a null pointer. In line 344, buf acts as
the first parameter of function _XimSetHeader (this function is in file
libx11-1.6.2/modules/im/ximcp/imDefIm.c, line 78); in this function there are
several statements that dereference buf without checking it. The process of
this potential bug is shown in figure 6.

In file libx11-1.6.2/modules/im/ximcp/imCallbk.c, definition of function
_read_text_from_packet, line 532: there is a statement that calls function
Xmalloc to allocate memory and loads its return value into text->feedback, but
Xmalloc may fail to allocate memory, so text->feedback may be a null pointer.
In line 535, there is a statement that dereferences text->feedback without
checking it. The process of this potential bug is shown in figure 7.

In file libx11-1.6.2/src/xcms/cmsColNm.c, definition of function
_XcmsParseColorString, line 212: there is a statement that calls function
Xmalloc to allocate memory and loads its return value into string_lowered, but
Xmalloc may fail to allocate memory, so string_lowered may be a null pointer.
In line 219, there is a statement that dereferences string_lowered without
checking it. The process of this potential bug is shown in figure 8.

In file libx11-1.6.2/src/xcms/cmsColNm.c, definition of function
_XcmsLookupColorName, line 421: there is a statement that calls function
Xmalloc to allocate memory and loads its return value into name_lowered, but
Xmalloc may fail to allocate memory, so name_lowered may be a null pointer. In
line 432, there is a statement that dereferences name_lowered without checking
it. The process of this potential bug is shown in figure 9.

In file libx11-1.6.2/src/xcms/IdOfPr.c, definition of function
XcmsFormatOfPrefix, line 70: there is a statement that calls function Xmalloc
to allocate memory and loads its return value into string_lowered, but Xmalloc
may fail to allocate memory, so string_lowered may be a null pointer. In line
82, there is a statement that dereferences string_lowered without checking it.
The process of this potential bug is shown in figure 10.

In file libx11-1.6.2/src/InitExt.c, definition of function XESetWireToError,
line 332: there is a statement that calls function Xmalloc to allocate memory
and loads its return value into dpy->error_vec, but Xmalloc may fail to
allocate memory, so dpy->error_vec may be a null pointer. In line 334, there is
a statement that dereferences dpy->error_vec without checking it. The process
of this potential bug is shown in figure 11.

In file libx11-1.6.2/src/xlibi18n/XDefaultIMIF.c, definition of function
_SetIMValues, line 279: there is a statement that calls function Xmalloc to
allocate memory and loads its return value into styles, but Xmalloc may fail
to allocate memory, so styles may be a null pointer. In line 281, there is a
statement that dereferences styles without checking it. The process of this
potential bug is shown in figure 12.

In file libx11-1.6.2/src/xlibi18n/lcFile.c, definition of function
_XlcResolveLocaleName, line 561: there is a statement that calls function
strdup and loads its return value into pub->siname, but strdup may fail to
allocate memory, so pub->siname may be a null pointer. In line 566, there is a
statement that dereferences pub->siname without checking it. The process of
this potential bug is shown in figure 13.

In file libx11-1.6.2/src/xkb/XKBGeom.c, definition of function
_XkbReadGeomOverlay, line 478: row is loaded with the return value of function
XkbAddGeomOverlayRow (this function is in file
libx11-1.6.2/src/xkb/XKBGAlloc.c). As you can see in figure 14, there are
several branches in function XkbAddGeomOverlayRow that return NULL, so row may
be a null pointer. In line 479, there is a statement that dereferences row
without checking it. By the way, it seems like you wrote your check statement
in line 480. The process of this potential bug is shown in figure 14.

In file libx11-1.6.2/src/Quarks.c, definition of function XrmQuarkToString,
line 395: if the condition is true at this point, NULLSTRING will be loaded
into s and returned to the caller. In file libx11-1.6.2/src/Xrm.c, definition
of DumpEntry, line 2039: the return value of XrmQuarkToString acts as an
argument of fprintf, and it can be null. The process of this potential bug is
shown in figure 15.

In file libx11-1.6.2/modules/im/ximcp/imDefLkup.c, definition of function
_XimICOfXICID, line 48: null will be returned to the caller. In the same file,
definition of _XimSetEventMaskCallback, line 91: the return value of
_XimICOfXICID is loaded into ic. In line 92, ic acts as the first parameter of
_XimProcICSetEventMask. In the same file, definition of
_XimProcICSetEventMask: the statements in line 70 and line 71 dereference ic
without checking it, so a null pointer dereference may happen. The process of
this potential bug is shown in figure 16.
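Most of the cases listed in the report share one shape: an allocator (Xmalloc, strdup, NewDataBase) whose result is used before it is checked. The following is an added illustration of that shape and of the checked form a fix would take; it is not libX11 code, and the allocator, the list type and both functions are constructed for this example.

```c
/* Added illustration of the unchecked-allocation pattern from the report.
 * Everything here is constructed for the example; none of it is libX11 code. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Fault-injecting stand-in for an Xmalloc-style allocator: when
 * fail_next_alloc is nonzero the next call returns NULL, which is exactly
 * what a real out-of-memory condition looks like to the caller. */
int fail_next_alloc = 0;

void *xmalloc_like(size_t n)
{
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    return malloc(n);
}

/* A growable list of strings, in the spirit of value_list in the report. */
typedef struct {
    char **items;
    size_t count;
} value_list_t;

/* The reported shape: the allocation result is written to immediately, so
 * an allocation failure turns into a NULL pointer dereference (a crash). */
void append_value_unchecked(value_list_t *list, const char *value)
{
    char **grown = xmalloc_like((list->count + 1) * sizeof(char *));
    grown[list->count] = (char *)value;        /* writes through NULL on failure */
    if (list->count)
        memcpy(grown, list->items, list->count * sizeof(char *));
    free(list->items);
    list->items = grown;
    list->count++;
}

/* Checked form: test the allocation, leave the list untouched on failure and
 * report the failure to the caller. Returns 1 on success, 0 on failure. */
int append_value_checked(value_list_t *list, const char *value)
{
    char **grown = xmalloc_like((list->count + 1) * sizeof(char *));
    if (grown == NULL)
        return 0;
    if (list->count)
        memcpy(grown, list->items, list->count * sizeof(char *));
    grown[list->count] = (char *)value;
    free(list->items);
    list->items = grown;
    list->count++;
    return 1;
}
```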

** Affects: libx11 (Ubuntu)
     Importance: Undecided
         Status: New

** Patch added: "libx11_nullptr_dereference.docx"
   https://bugs.launchpad.net/bugs/1939658/+attachment/5517481/+files/libx11_nullptr_dereference.docx

-- 
You received this bug notification because you are a member of Ubuntu-X,
which is subscribed to libx11 in Ubuntu.
https://bugs.launchpad.net/bugs/1939658

Title:
  Several potential bugs of null pointer dereference
