crash report: dereference null XFontStruct

Kuang-che Wu kcwu at csie.org
Tue Sep 8 14:14:02 CEST 2015


"sleep 1" is necessary. The crash probability is low if the sleep is removed.

$ gdb -q --args rxvt -e sh -c "sleep 1; echo -e '\x0a\t\e[r\e[M\e[8;;1t0000\xcc\x86\xdb\x93'"
(gdb) r
Program received signal SIGSEGV, Segmentation fault.
rxvt_font_x11::draw (this=0x7331b0, d=..., x=0, y=1222, text=0x7ffff7ff09e0, len=1, fg=1, bg=0) at rxvtfont.C:1057
1057      v.font = f->fid;
(gdb) p f
$1 = (XFontStruct *) 0x0
(gdb) bt
#0  rxvt_font_x11::draw (this=0x7331b0, d=..., x=0, y=1222, text=0x7ffff7ff09e0, len=1, fg=1, bg=0) at rxvtfont.C:1057
#1  0x00000000004100f6 in rxvt_term::scr_refresh (this=this at entry=0x7332d0) at screen.C:2419
#2  0x0000000000411f6c in flush (this=0x7332d0) at command.C:1006
#3  rxvt_term::flush_cb (this=0x7332d0, w=..., revents=<optimized out>) at command.C:1032
#4  0x0000000000433620 in ev_invoke_pending () at ./../libev/ev.c:3155
#5  0x000000000043484e in ev_run (flags=<optimized out>) at ./../libev/ev.c:3555
#6  0x000000000040ae73 in main (argc=5, argv=0x7fffffffd9c8) at rxvt.C:38

This is found by afl-fuzz.
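The backtrace ends at `v.font = f->fid;` with `f` being a null `XFontStruct *`, so the refresh path dereferences a font slot that was never filled. The following is an added illustration of that pattern and of the guarded form a maintainer would want; it is not rxvt-unicode's code. The `XFontStruct` and `DrawState` types are constructed stand-ins that model only the `fid` member the crash site touches, and the fallback-font behaviour is an assumption about how such a slot should be handled, not a description of what rxvt does.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for Xlib's XFontStruct: only the fid member the
   crash site touches is modelled (assumption, not the real Xlib struct). */
typedef unsigned long Font;
typedef struct { Font fid; } XFontStruct;

/* Constructed record mirroring the `v.font = f->fid` assignment in the report. */
typedef struct { Font font; int drawn; } DrawState;

/* Crash pattern from the backtrace: f is dereferenced unconditionally,
   so an empty font slot (f == NULL) faults exactly as in the gdb session. */
static int draw_unchecked(DrawState *v, const XFontStruct *f) {
    v->font = f->fid;   /* SIGSEGV when f == NULL */
    v->drawn = 1;
    return 0;
}

/* Guarded variant (assumed mitigation): a font slot may legitimately be
   empty, e.g. a load failed or the slot was reset before the refresh ran,
   so use a fallback font and report it instead of dereferencing NULL.
   Returns 0 when drawn with the requested font, 1 when drawn with the
   fallback, -1 when the cell had to be skipped. */
static int draw_checked(DrawState *v, const XFontStruct *f,
                        const XFontStruct *fallback) {
    if (f == NULL) {
        if (fallback == NULL) {
            v->drawn = 0;
            return -1;      /* nothing usable: skip the cell, do not crash */
        }
        fprintf(stderr, "draw: font not loaded, using fallback fid=%lu\n",
                fallback->fid);
        v->font = fallback->fid;
        v->drawn = 1;
        return 1;
    }
    v->font = f->fid;
    v->drawn = 1;
    return 0;
}

int main(void) {
    XFontStruct primary = { 7 }, fallback = { 42 };   /* constructed font ids */
    DrawState v = { 0, 0 };

    draw_checked(&v, &primary, &fallback);
    printf("primary slot: font=%lu drawn=%d\n", v.font, v.drawn);

    draw_checked(&v, NULL, &fallback);                /* the report's case */
    printf("empty slot:   font=%lu drawn=%d\n", v.font, v.drawn);

    (void)draw_unchecked;   /* kept for comparison; never called with NULL */
    return 0;
}
```

The `-1` path matters as much as the fallback: a refresh triggered by a pathological resize should drop the cell and keep the terminal alive rather than abort, which is also what turns an afl-fuzz crash into a logged, non-fatal condition.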

