XWin 4.3.0-50 crashes with -multiwindow (ping Earle)

[Harold L Hunt II]

Fabrizio,

It looks like your conclusions are correct.

I have included your suggested change in XFree86-xserv-4.3.0-60.  Please 
test this on a 24 bit depth system.  It seems to work okay on 32 bit 
depth systems.

I checked the change into CVS as well.  I think that Earle should 
probably take a look at it to verify that it is likely correct since 
there are several calculations to correct the depth and bpp values, 
which may be made redundant by just using PixmapBytePad instead; but the 
function confuses me too much to understand it quickly.

Harold

wrote:

> Harold and all,
> I built XWin from source and debugged with gdb, and in that way I was able
> to track down the bug. It is due to my visual being 24bpp. It does not occur
> if it is changed to 16bpp. 32bpp is not available, but I am confident everything
> would work in that case.
> 
> Here is what happens:
> - winScaleXBitmapToWindows is called. The pixmap passed has height 42, width
> 48 and bitsPerPixel 24
> - effXBPP is 24, xStride is 144 (48*(24/8))
> - iconData is allocated as an array of 144*42 bytes
> - then, miGetImage is called. Here the line
> 
> linelength = PixmapBytePad(w, depth);
> 
> is executed with w=48 and depth=24. As a result, linelength is 192 (48*4),
> not 144 (48*3).
> - in the following for cycle, pDst (initialized as iconData) is incremented
> by linelength(=192) each time. Soon the pointer overflows the allocated
> bounds, causing the crash.
> 
> It seems that handling of 24-bit display is broken. Maybe winScaleXBitmapToWindows
> should use PixmapBytePad to calculate xStride, but I'm only guessing as
> I'm not an expert.
> 
> Regards,
> Fabrizio