Bug 831620

Summary: mozc_renderer crashed only once with Segmentation fault caused by XauFileName that pulse audio calls
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Mitsutoshi NAKANO <bkbin005>
Component: X.Org
Assignee: E-mail List <xorg-maintainer-bugs>
Status: RESOLVED FIXED
QA Contact: E-mail List <xorg-maintainer-bugs>
Severity: Normal
Priority: P3 - Medium
CC: ftake
Version: 13.1 Milestone 3
Target Milestone: ---
Hardware: x86-64
OS: SUSE Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: GDB backtrace file

Description Mitsutoshi NAKANO 2013-07-26 13:07:49 UTC
Created attachment 549732 [details]
GDB backtrace file

User-Agent:       Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36

I am testing openSUSE 13.1 Milestone 3 x86_64 with the KDE desktop in VirtualBox 4.2.16 r86992 on Windows 7 SP1 64-bit.
Host information: https://dl.dropboxusercontent.com/u/86335040/DxDiag17.txt .

/usr/lib64/mozc/mozc_renderer crashed only once with Segmentation fault in ___vsnprintf_chk (s=0x0, maxlen=<optimized out>, flags=1,
    slen=<optimized out>, format=0x7f8405c30cc5 "%s%s", args=args@entry=0x7f83fc8c5f58) at vsnprintf_chk.c:55.

> rpm -qf  /usr/lib64/mozc/mozc_renderer
ibus-mozc-candidate-window-1.10.1390.102-2.3.x86_64
> rpm -qa mozc
mozc-1.10.1390.102-2.3.x86_64
> rpm -qa ibus
ibus-1.5.2-1.1.x86_64

I attached the GDB backtrace file.

Reproducible: Couldn't Reproduce

Steps to Reproduce:
1. Use IBus and mozc in Japanese mode.
Actual Results:  
/usr/lib64/mozc/mozc_renderer crashed only once with Segmentation fault in ___vsnprintf_chk (s=0x0, maxlen=<optimized out>, flags=1,
    slen=<optimized out>, format=0x7f8405c30cc5 "%s%s", args=args@entry=0x7f83fc8c5f58) at vsnprintf_chk.c:55.


Expected Results:  
The mozc_renderer should not crash with SIGSEGV.
Comment 1 Fuminobu Takeyama 2013-09-27 17:21:03 UTC
As far as I understand from the stack trace, the segmentation fault is caused by pulse audio not by Mozc.

I need pulse audio maintainers' help.


#0  ___vsnprintf_chk
#2  0x00007f8405c3027b in snprintf (__fmt=0x7f8405c30cc5 "%s%s", 
    __n=<optimized out>, __s=<optimized out>)
    at /usr/include/bits/stdio2.h:64
No locals.
#3  XauFileName () at AuFileName.c:83
        slashDotXauthority = 0x7f8405c30cca "/.Xauthority"
        name = 0x7fffd72e8e4a "/home/mitsutoshi"
        bsize = 29
        atexit_registered = 1
        size = 29
#4  XauGetBestAuthByAddr at AuGetBest.c:74
#5  0x00007f840844ef62 in get_authptr at xcb_auth.c:164
// snip
#9  0x00007f8401ce229a in pa_client_conf_from_x11 at pulse/client-conf-x11.c:53
#10 0x00007f840211fc05 in pa_context_new_with_proplist (
// snip
#16 pa_mainloop_dispatch (m=m@entry=0x11195a0) at pulse/mainloop.c:904
// snip
#21 0x00007f840c265e0b in start_thread (arg=0x7f83fc8c7700)
#22 0x00007f840bf9506d in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113
Comment 2 Fuminobu Takeyama 2013-09-27 18:26:13 UTC
Problem with libXau?

"___vsnprintf_chk (s=0x0 /*snip*/)" means "buf == 0". At least "bsize = 0;" is missing in AuFileName.c before "return NULL", and so buf might be NULL if malloc failed the previous time.

> size = strlen (name) + strlen(&slashDotXauthority[1]) + 2;
> if (size > bsize) {
>     buf = malloc (size);
>     if (!buf)
>         return NULL;
> /* snip */
> }


Its code was also changed recently.
-    strcpy (buf, name);
-    strcat (buf, slashDotXauthority + (name[1] == '\0' ? 1 : 0));
+    snprintf (buf, bsize, "%s%s", name,
+              slashDotXauthority + (name[1] == '\0' ? 1 : 0));
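Review bot: the snprintf(buf, bsize, ...) on the '+' lines bounds the copy but still writes through buf without checking it, and bsize is not the buffer's real size once an earlier call's malloc has failed: as the trace above shows (bsize = 29, s=0x0), a later call of the same size skips the allocation block and reaches this snprintf with buf == NULL. Resetting bsize to 0 on the `return NULL;` path, as proposed in this comment, or guarding the snprintf with a check on buf, would close that path.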
http://cgit.freedesktop.org/xorg/lib/libXau/commit/AuFileName.c?id=704beb71768cdaa2448da6edfa219b4a7bf862f1

According to the stack trace:
slashDotXauthority = 0x7f8405c30cca "/.Xauthority"
name = 0x7fffd72e8e4a "/home/mitsutoshi"
bsize = 29
atexit_registered = 1
size = 29
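The stale-bsize path described in this comment, modelled as an added C example (not libXau's code): the names follow the stack trace, a free() before the malloc is assumed for the snipped lines, and fail_next_malloc is a constructed hook standing in for a failing allocation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model of XauFileName()'s static buffer (not libXau's code): names follow
 * the trace; free() before malloc() is assumed; fail_next_malloc injects a failure. */
static const char slashDotXauthority[] = "/.Xauthority";
static int fail_next_malloc = 0;
struct xau_state { char *buf; size_t bsize; };   /* stands in for the statics */
static void *maybe_malloc(size_t n)
{
    if (fail_next_malloc) { fail_next_malloc = 0; return NULL; }
    return malloc(n);
}
/* reset_bsize == 0 reproduces the bug (bsize stays stale after a failed malloc);
 * 1 applies the "bsize = 0;" reset proposed in comment 2. *null_deref is set
 * instead of formatting into buf == NULL, the point where the SIGSEGV occurs. */
const char *xau_file_name(struct xau_state *st, const char *name,
                          int reset_bsize, int *null_deref)
{
    size_t size = strlen(name) + strlen(&slashDotXauthority[1]) + 2;
    *null_deref = 0;
    if (size > st->bsize) {
        free(st->buf);
        st->buf = maybe_malloc(size);
        if (!st->buf) {
            if (reset_bsize) st->bsize = 0;
            return NULL;
        }
        st->bsize = size;
    }
    if (!st->buf) { *null_deref = 1; return NULL; }
    snprintf(st->buf, st->bsize, "%s%s", name, slashDotXauthority + (name[1] == '\0' ? 1 : 0));
    return st->buf;
}
/* "/home/mitsutoshi" (size 29, as in the trace) leaves bsize == 29; a longer name with
 * malloc failing leaves buf == NULL; "/home/mitsutoshi" again fits the stale bsize and
 * skips the allocation. Returns -1 on a NULL dereference, 1 on the expected path, else 0. */
int third_call_result(int reset_bsize)
{
    struct xau_state st = { NULL, 0 };
    int null_deref, r; const char *p;
    xau_file_name(&st, "/home/mitsutoshi", reset_bsize, &null_deref);
    fail_next_malloc = 1;
    xau_file_name(&st, "/home/mitsutoshi/longer", reset_bsize, &null_deref);
    p = xau_file_name(&st, "/home/mitsutoshi", reset_bsize, &null_deref);
    r = null_deref ? -1 : (p && strcmp(p, "/home/mitsutoshi/.Xauthority") == 0);
    free(st.buf);
    return r;
}
```

With reset_bsize == 0 the third call hits buf == NULL while bsize == 29 and size == 29, matching the trace; with the reset the third call re-allocates and returns the full path.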
Comment 3 Fuminobu Takeyama 2013-09-29 13:50:46 UTC
I reported to the upstream:
https://bugs.freedesktop.org/show_bug.cgi?id=69929
Comment 4 Stefan Dirsch 2013-09-30 10:21:30 UTC
Thanks. Fixed via SR#201452
Comment 5 Stefan Dirsch 2013-09-30 10:21:49 UTC
Closing as such.
Comment 6 Bernhard Wiedemann 2013-09-30 11:00:22 UTC
This is an autogenerated message for OBS integration:
This bug (831620) was mentioned in
https://build.opensuse.org/request/show/201452 Factory / libXau