Xorg crashes with SIGSEV in ProcXFixesGetCursorImageAndName()
@CendioOssman
Submitted by Pierre Ossman (Work account) Assigned to Xorg Project Team
Link to original bug (#100721)
Description
We got this crash in Xvnc based on Xorg 1.14:
Core was generated by `/opt/thinlinc/libexec/Xvnc'.
Program terminated with signal 11, Segmentation fault.
#0  ProcXFixesGetCursorImageAndName (client=0x2d583b0) at cursor.c:517
517         width = pCursor->bits->width;
More detail in our bugzilla here:
https://www.cendio.com/bugzilla/show_bug.cgi?id=6234
It seems to be the same issue reported for Xorg 1.17 here:
https://bugzilla.redhat.com/show_bug.cgi?id=1357694
I.e. the XFixes code tries to access a cursor that has already been freed.
The code isn't obvious, though. Our thinking is that a reference count is needed in CursorDisplayCursor(). Is this the right approach here?
(There are also bugs 99034 and 18451 reported here, but they seem to be other crashes.)
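As an added illustration (not Xorg or Xvnc code, and not the reporter's), a small C mock of the ownership rule the report asks about: the slot that holds the displayed cursor takes its own reference, so a client freeing its cursor handle cannot leave that slot dangling for a later XFixes read of `bits->width`. All names (`cursor_alloc`, `display_set_cursor`, `display_cursor_width`, ...) are hypothetical stand-ins, not the server's API.

```c
#include <stdlib.h>

/* Hypothetical mock of a cursor with the fields the crash touches,
 * plus a reference count that records who still owns it. */
typedef struct { int width, height; } CursorBits;
typedef struct { CursorBits *bits; int refcnt; } CursorRec;

static CursorRec *display_cursor = NULL;  /* slot a CursorDisplayCursor()-like call fills */
static int freed_cursors = 0;             /* counts real frees, for checking below */

static CursorRec *cursor_alloc(int w, int h) {
    CursorRec *c = calloc(1, sizeof *c);
    c->bits = calloc(1, sizeof *c->bits);
    c->bits->width = w;
    c->bits->height = h;
    c->refcnt = 1;                        /* the creator's reference */
    return c;
}

/* Drop one reference; storage goes away only with the last one. */
static void cursor_unref(CursorRec *c) {
    if (c && --c->refcnt == 0) {
        free(c->bits);
        free(c);
        freed_cursors++;
    }
}

/* Install c as the displayed cursor, taking a reference for the slot.
 * Take before releasing the old one: c may be the cursor already shown. */
static void display_set_cursor(CursorRec *c) {
    if (c) c->refcnt++;
    cursor_unref(display_cursor);
    display_cursor = c;
}

/* What a GetCursorImage request needs: the width of the shown cursor. */
static int display_cursor_width(void) {
    return display_cursor ? display_cursor->bits->width : -1;
}

/* Constructed scenario from the report: a client creates a cursor, it is
 * displayed, the client frees it, then XFixes asks for the image. */
static int scenario(void) {
    CursorRec *c = cursor_alloc(32, 32);
    display_set_cursor(c);           /* refcnt 1 -> 2 */
    cursor_unref(c);                 /* client's free: 2 -> 1, still alive */
    int w = display_cursor_width();  /* reads live memory, not a dangling pointer */
    display_set_cursor(NULL);        /* cursor replaced: last reference, now freed */
    return w;
}
```

Without the slot's own reference, the client's free would drop `refcnt` to zero and the width read would be the use-after-free the backtrace shows.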