Newsgroups: comp.windows.x
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!think.com!snorkelwacker.mit.edu!bloom-picayune.mit.edu!bloom-beacon!dont-send-mail-to-path-lines
From: jlv@kirk.UUCP (Jeffrey L. Vogel)
Subject: Bug Report
Message-ID: <9106262116.AA14562@kirk>
Sender: daemon@athena.mit.edu (Mr Background)
Organization: The Internet
Date: Wed, 26 Jun 1991 21:16:55 GMT

SunOS 4.1
X11R4 with all 18 patches applied
Bug is in Xt

Description:

When using XtVaCreatePopupShell, we can cause a seg fault due to uninitialized memory. Apparently, the VarArgs routines call _XtVaToTypedList to create a typed arg list. However, this routine doesn't always initialize the .size field, as shown below. _XtCreate, called by lots of stuff, will perform an XtFree when .size < 0. However, if .size is not initialized, this XtFree is inadvertently performed many times. I believe the easy fix is to initialize .size to 0 in _XtVaToTypedList.

Create.c lines 269-275

These lines wreak havoc if typed_args[i].size was never initialized.

    _XtCreate()
    ..
        for (i = 0; i < num_typed_args; i++) {
            if (typed_args[i].size < 0) {
                /* we alloc`ed store dynamically */
                XtFree((XtPointer)typed_args[i].value);
                typed_args[i].size = -(typed_args[i].size);
            }
        }

These lines create a typed arg list which might be passed to _XtCreate. However, in the third case below, .size is never initialized.

Varargs.c lines 476 to 491

    _XtVaToTypedArgList()
        if (strcmp(attr, XtVaTypedArg) == 0) {
            args[count].name = va_arg(var, String);
            args[count].type = va_arg(var, String);
            args[count].value = va_arg(var, XtArgVal);
            args[count].size = va_arg(var, int);
            ++count;
        } else if (strcmp(attr, XtVaNestedList) == 0) {
            count += _XtNestedArgtoTypedArg(&args[count],
                                            va_arg(var, XtTypedArgList));
        } else {
            args[count].name = attr;
            args[count].type = NULL;
            args[count].value = va_arg(var, XtArgVal);
            ++count;
        }

--------------------------------------------------------------------
| Jeff Vogel                    | Lead Engineer                    |
| jlv%ebt-inc@uunet.uu.net      | EBT Inc.                         |
| uunet!ebt-inc!jlv             | One Richmond Square              |
| 401-421-9550                  | Providence, RI 02906             |
--------------------------------------------------------------------
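
Added example (not part of the original post and not Xt source): a stand-alone C model of the typed-arg and plain-arg branches quoted above. It shows a plain entry left with a stale negative .size being picked up by a "size < 0" cleanup test, and the effect of initializing .size to 0. The struct, the function names, and the 0xFF fill that stands in for stale memory are assumptions made for the illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define TYPED_ARG "XtVaTypedArg"  /* stand-in for the Xt constant */
#define MAX_ARGS 8
typedef struct { const char *name, *type; long value; int size; } TypedArg;

/* Model of the branches quoted in the post; init_size applies the proposed fix. */
static int build_list(TypedArg *args, int init_size, ...)
{
    va_list var;
    const char *attr;
    int count = 0;
    va_start(var, init_size);
    while (count < MAX_ARGS && (attr = va_arg(var, const char *)) != NULL) {
        if (strcmp(attr, TYPED_ARG) == 0) {
            args[count].name  = va_arg(var, const char *);
            args[count].type  = va_arg(var, const char *);
            args[count].value = va_arg(var, long);
            args[count].size  = va_arg(var, int);
        } else {
            args[count].name  = attr;
            args[count].type  = NULL;
            args[count].value = va_arg(var, long);
            if (init_size)
                args[count].size = 0;  /* the fix suggested in the post */
        }
        ++count;
    }
    va_end(var);
    return count;
}

/* Counts plain entries (type == NULL) that a "size < 0 means free" pass would release. */
static int spurious_frees(int init_size)
{
    TypedArg args[MAX_ARGS];
    int i, n, bad = 0;
    memset(args, 0xFF, sizeof args);  /* constructed stale memory: size reads as -1 */
    n = build_list(args, init_size, "width", 100L, TYPED_ARG, "label", "String",
                   0L, 6, "height", 50L, (char *)NULL);
    for (i = 0; i < n; i++)
        if (args[i].type == NULL && args[i].size < 0)
            bad++;
    return bad;
}

int main(void) { printf("%d %d\n", spurious_frees(0), spurious_frees(1)); return 0; }
```

The model only counts the entries that would be freed, so it is safe to run; in the real library each of those would be an XtFree on a value the caller never allocated.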