[Xspice] Segfault due to incorrect parsing of default values
When SurfaceBufferSize is not set in the config, get_int_option returns 0 instead of 128, causing Xorg to segfault when accessing the ram header:
Starting program: /usr/libexec/Xorg -config spiceqxl.xorg.conf -noreset :1
X.Org X Server 1.21.1.3
X Protocol Version 11, Revision 0
Current Operating System: Linux toshiro 5.15.52-0-lts #1-Alpine SMP Mon, 04 Jul 2022 07:49:33 +0000 x86_64
Kernel command line: <snip>
Current version of pixman: 0.40.0
Before reporting problems, check http://wiki.x.org
to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
(++) from command line, (!!) notice, (II) informational,
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: "/home/patrycja/.local/share/xorg/Xorg.1.log", Time: Fri Jul 8 20:48:56 2022
(++) Using config file: "/etc/X11/spiceqxl.xorg.conf"
(==) Using system config directory "/usr/share/X11/xorg.conf.d"
resizing surface0 to 0
memory space from 0x7ffff7c287b0 to 0x7ffff7c257b0
memory space from 0x7ffff7c28790 to 0x7ffff7c28790
Program received signal SIGSEGV, Segmentation fault.
xspice_init_qxl_ram (qxl=qxl@entry=0x7ffff6bad120) at spiceqxl_io_port.c:75
75 spiceqxl_io_port.c: No such file or directory.
(gdb) bt full
#0 xspice_init_qxl_ram (qxl=qxl@entry=0x7ffff6bad120) at spiceqxl_io_port.c:75
ram = 0x8000f7c267b0
item = <optimized out>
#1 0x00007ffff74f1614 in qxl_pre_init (pScrn=0x7ffff7c1cb10, flags=<optimized out>) at qxl_driver.c:1116
scrnIndex = <optimized out>
qxl = 0x7ffff6bad120
clockRanges = 0x0
max_x = 1433901016
max_y = 21845
playback_fifo_dir = <optimized out>
smartcard_file = <optimized out>
While debugging, the issue was narrowed down to usage of xf86GetOptValInteger instead of options[option_index].value.num, introduced in 4e1963a8; for some reason, most options - including SurfaceBufferSize - have the found field set to FALSE (?), causing xf86GetOptValInteger to return early, because it's explicitly not set in the config:
(gdb) call xf86TokenToOptinfo(options, 36)
$1 = (struct {...} *) 0x7ffff6bad940
(gdb) print $1->found
$2 = 0
(gdb) print *$1
$3 = {token = 36, name = 0x7ffff75079aa "SurfaceBufferSize",
type = OPTV_INTEGER, value = {num = 128,
str = 0x80 <error: Cannot access memory at address 0x80>,
realnum = 6.3240402667679558e-322, boolean = 128, freq = {
freq = 6.3240402667679558e-322, units = 0}}, found = 0}
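As an added illustration (not code from the xf86-video-qxl driver or the X server), here is a constructed C model of the lookup the report describes: the option entry from the dump above with found = 0, a stand-in for xf86GetOptValInteger that returns early in that case, and the get_int_option wrapper in its broken and fixed forms. The struct layout, the function bodies and the one-entry table are assumptions that mirror the report, not the real definitions.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed model of an xf86 OptionInfoRec (not the X server's definition):
 * the driver default sits in value.num even when the option is absent from the
 * config, in which case found stays false, as the gdb dump above shows. */
typedef struct {
    int token;
    union { int num; const char *str; } value;
    bool found;
} ModelOptionInfo;
/* Stand-in for xf86TokenToOptinfo: find the table entry for a token. */
static const ModelOptionInfo *model_token_to_optinfo(const ModelOptionInfo *t, size_t n, int token)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].token == token) return &t[i];
    return NULL;
}

/* Stand-in for xf86GetOptValInteger as observed: not found means return false
 * and leave *out untouched, so the default in value.num is never handed back. */
static bool model_get_opt_val_integer(const ModelOptionInfo *t, size_t n, int token, int *out)
{
    const ModelOptionInfo *p = model_token_to_optinfo(t, n, token);
    if (!p || !p->found) return false;
    *out = p->value.num;
    return true;
}
/* Wrapper shaped like the broken one: an unset option keeps the 0 initialiser,
 * which is how SurfaceBufferSize becomes 0 and surface0 is resized to 0. */
int get_int_option_buggy(const ModelOptionInfo *t, size_t n, int token)
{
    int value = 0;
    model_get_opt_val_integer(t, n, token, &value);
    return value;
}

/* Fixed wrapper: when the option is not set, fall back to the table default in
 * value.num, which is what the code before 4e1963a8 read directly. */
int get_int_option_fixed(const ModelOptionInfo *t, size_t n, int token)
{
    int value;
    if (model_get_opt_val_integer(t, n, token, &value)) return value;
    const ModelOptionInfo *p = model_token_to_optinfo(t, n, token);
    return p ? p->value.num : 0;
}
/* Constructed table mirroring the dump: token 36, default 128, found = 0. */
static const ModelOptionInfo model_options[] = { { 36, { .num = 128 }, false } };
int surface_buffer_size_buggy(void) { return get_int_option_buggy(model_options, 1, 36); }
int surface_buffer_size_fixed(void) { return get_int_option_fixed(model_options, 1, 36); }
```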