Bug 840433

Summary: Xvnc crashes
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Ulf Lange <mopp>
Component: X.Org
Assignee: Michal Srb <msrb>
Status: RESOLVED FIXED
QA Contact: E-mail List <xorg-maintainer-bugs>
Severity: Normal
Priority: P3 - Medium
CC: msrb
Version: 13.1 Milestone 4
Target Milestone: ---
Hardware: x86-64
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: Fix use after free.

Description Ulf Lange 2013-09-15 08:11:25 UTC
User-Agent:       Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0

Xvnc crashes after the second reconnection.
It is exactly the same bug as already reported for openSUSE 11.4, see bug 631994 as a reference.


Reproducible: Always

Steps to Reproduce:
1. vncviewer :99
2. Connect with a VNC client
3. Disconnect with VNC client => crash
Actual Results:  
 Connections: closed: 192.168.yyy.xxx::57920 (Clean disconnection)
 SMsgWriter:  framebuffer updates 1
(EE)
(EE) Backtrace:
(EE) 0: Xvnc (xorg_backtrace+0x3d) [0x5a60dd]
(EE) 1: Xvnc (0x400000+0x1a9af9) [0x5a9af9]
(EE) 2: /lib64/libpthread.so.0 (0x7f6e5a300000+0xf260) [0x7f6e5a30f260]
(EE) 3: Xvnc (_ZN3rdr13ZlibOutStream7deflateEi+0x44) [0x547644]
(EE) 4: Xvnc (_ZN3rdr13ZlibOutStream5flushEv+0x2b) [0x5477db]
(EE) 5: Xvnc (_ZN3rdr13ZlibOutStreamD1Ev+0x17) [0x547807]
(EE) 6: Xvnc (_ZN3rfb11ZRLEEncoderD2Ev+0x2d) [0x53edfd]
(EE) 7: Xvnc (_ZN3rfb11ZRLEEncoderD0Ev+0x9) [0x53ee59]
(EE) 8: Xvnc (_ZN3rfb10SMsgWriterD1Ev+0x74) [0x52daf4]
(EE) 9: Xvnc (_ZN3rfb12SMsgWriterV3D0Ev+0x9) [0x52fa49]
(EE) 10: Xvnc (_ZN3rfb11SConnection21deleteReaderAndWriterEv+0x33) [0x52b113]
(EE) 11: Xvnc (_ZN3rfb11SConnectionD2Ev+0x31) [0x52b151]
(EE) 12: Xvnc (_ZN3rfb16VNCSConnectionSTD0Ev+0x9) [0x5399d9]
(EE) 13: Xvnc (_ZN3rfb11VNCServerST12removeSocketEPN7network6SocketE+0x4b) [0x52190b]
(EE) 14: Xvnc (_ZN14XserverDesktop17writeBlockHandlerEP6fd_set+0x73) [0x514753]
(EE) 15: Xvnc (vncWriteBlockHandler+0x41) [0x50c521]
(EE) 16: Xvnc (0x400000+0x10c5be) [0x50c5be]
(EE) 17: Xvnc (BlockHandler+0xd2) [0x55d8a2]
(EE) 18: Xvnc (WaitForSomething+0x124) [0x5a3bb4]
(EE) 19: Xvnc (Dispatch+0x9d) [0x5594ad]
(EE) 20: Xvnc (main+0x3aa) [0x44d3ea]
(EE) 21: /lib64/libc.so.6 (__libc_start_main+0xf5) [0x7f6e59754a35]
(EE) 22: Xvnc (0x400000+0x4e8bd) [0x44e8bd]
(EE)
(EE) Segmentation fault at address 0x0

Fatal server error:
Caught signal 11 (Segmentation fault). Server aborting


Expected Results:  
No crash
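
For triage of the backtrace in the description above, the following is an added example (not part of the original report and not Xvnc code) that decodes the mangled C++ frames and reports which calls run inside a destructor. The function names `qualified_name`, `frames` and `called_from_destructor` are hypothetical, and the decoder covers only the subset of Itanium name mangling that appears in this backtrace.

```python
import re

# Frames 3-12 copied from the backtrace in the bug description.
BACKTRACE = """\
(EE) 3: Xvnc (_ZN3rdr13ZlibOutStream7deflateEi+0x44) [0x547644]
(EE) 4: Xvnc (_ZN3rdr13ZlibOutStream5flushEv+0x2b) [0x5477db]
(EE) 5: Xvnc (_ZN3rdr13ZlibOutStreamD1Ev+0x17) [0x547807]
(EE) 6: Xvnc (_ZN3rfb11ZRLEEncoderD2Ev+0x2d) [0x53edfd]
(EE) 7: Xvnc (_ZN3rfb11ZRLEEncoderD0Ev+0x9) [0x53ee59]
(EE) 8: Xvnc (_ZN3rfb10SMsgWriterD1Ev+0x74) [0x52daf4]
(EE) 9: Xvnc (_ZN3rfb12SMsgWriterV3D0Ev+0x9) [0x52fa49]
(EE) 10: Xvnc (_ZN3rfb11SConnection21deleteReaderAndWriterEv+0x33) [0x52b113]
(EE) 11: Xvnc (_ZN3rfb11SConnectionD2Ev+0x31) [0x52b151]
(EE) 12: Xvnc (_ZN3rfb16VNCSConnectionSTD0Ev+0x9) [0x5399d9]
"""
FRAME = re.compile(r"\(EE\) (\d+): \S+ \((_ZN\w+)\+0x[0-9a-f]+\)")
# Itanium C++ ABI destructor codes.
DTOR = {"D0": "deleting", "D1": "complete object", "D2": "base object"}

def qualified_name(sym):
    """Decode the _ZN...E part of a symbol; parameter types are not decoded."""
    i, parts, kind = 3, [], None                # skip "_ZN"
    while sym[i:i + 1] != "E":
        m = re.match(r"\d+", sym[i:])
        if m:                                   # <length><identifier>
            i += m.end()
            parts.append(sym[i:i + int(m.group())])
            i += int(m.group())
        elif sym[i:i + 2] in DTOR and parts:    # destructor of the enclosing class
            kind, i = DTOR[sym[i:i + 2]], i + 2
            parts.append("~" + parts[-1])
        else:
            raise ValueError(f"unsupported mangling at {sym[i:]!r}")
    return "::".join(parts), kind

def frames(text):
    """Return [(frame number, qualified name, destructor kind or None)]."""
    return [(int(n), *qualified_name(sym)) for n, sym in FRAME.findall(text)]

def called_from_destructor(text):
    """Names of the frames that run inside the innermost destructor on the stack."""
    fr = frames(text)
    innermost = min(n for n, _, kind in fr if kind)
    return [name for n, name, _ in fr if n < innermost]

if __name__ == "__main__":
    for n, name, kind in frames(BACKTRACE):
        print(f"{n:>2}  {name}" + (f"  [{kind} destructor]" if kind else ""))
    print("called from a destructor:", called_from_destructor(BACKTRACE))
```

On these frames the calls made from inside a destructor are `rdr::ZlibOutStream::flush` and `rdr::ZlibOutStream::deflate`, so the fault occurs while the compression stream is being torn down as part of closing the connection.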
Comment 1 Ulf Lange 2013-09-15 08:13:13 UTC
Sorry, "Xvnc crashes after the second reconnection." is incorrect. Xvnc crashes after disconnecting.
Comment 2 Stefan Dirsch 2013-09-16 09:33:37 UTC
Closing as dup.

*** This bug has been marked as a duplicate of bug 631994 ***
Comment 3 Stefan Dirsch 2013-09-16 19:00:08 UTC
Reopen, since the reporter figured out it isn't a duplicate.
Comment 4 Stefan Dirsch 2013-09-16 19:02:08 UTC
Reporter:
"After reading my post twice I found the solution. The problem is the client compression which used the zlib. I used UltraVNC with auto detection for format and encoding. These encodings will crash Xvnc: ZRLE, Zlib, ZlibHex, Ultra, CoRRE, ZYWRLE and u2. They are all based on Zlib. A workaround is to use a different encoding, e.g. hextile works fine. Does somebody have an idea how to fix it?"
Comment 5 Michal Srb 2013-09-16 22:15:04 UTC
Created attachment 558340
Fix use after free.

There is a use-after-free error when zrle compression is used. Details in the patch.
Comment 6 Ulf Lange 2013-09-16 22:59:42 UTC
The patch fixed the problem. Thank you.
Comment 7 Bernhard Wiedemann 2013-09-17 02:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (840433) was mentioned in
https://build.opensuse.org/request/show/199342 Factory / xorg-x11-Xvnc
Comment 8 Michal Srb 2013-10-14 11:35:28 UTC
Fix released.