
#11 fbBlt crash

Milestone: v1.0_(example)
Status: closed
Owner: nobody
Labels: None
Priority: 5
Updated: 2018-01-11
Created: 2013-04-13
Private: No

I have a reproducible crash with Google Chrome over x2go. The (inexact) scenario involves opening and closing Chrome's menu (the item to the right of the address bar), and repeatedly choosing About or Settings. I can crash vcxsrv within a minute or so.

I'm new to the code, and I haven't tried to dig too deeply, but I can describe the crash site:

00 vcxsrv!fbBlt
01 vcxsrv!fbCopyWindowProc
02 vcxsrv!miCopyRegion
03 vcxsrv!fbCopyWindow
04 vcxsrv!damageCopyWindow
05 vcxsrv!miSpriteCopyWindow
06 vcxsrv!winCopyWindowMultiWindow
07 vcxsrv!compCopyWindow
08 vcxsrv!glxWinCopyWindow
09 vcxsrv!miSlideAndSizeWindow
0a vcxsrv!winResizeWindowMultiWindow
0b vcxsrv!compResizeWindow
0c vcxsrv!ConfigureWindow
0d vcxsrv!ProcConfigureWindow
0e vcxsrv!Dispatch
0f vcxsrv!main
10 vcxsrv!__tmainCRTStartup
11 vcxsrv!mainCRTStartup
12 kernel32!BaseThreadInitThunk
13 ntdll!__RtlUserThreadStart
14 ntdll!_RtlUserThreadStart

The current parameter values to fbBlt are:
vcxsrv!fbBlt(unsigned long * srcLine = 0x0677d444, int srcStride = 0n-945, int srcX = 0n31, unsigned long * dstLine = 0x0677f1d0, int dstStride = 0n-945, int dstX = 0n31, int width = 0n32, int height = 0n0, int alu = 0n3, unsigned long pm = 0xffffffff, int bpp = 0n32, int reverse = 0n1, int upsidedown = 0n1)+0x57b

The code faults on the starred line below:

if (srcX == dstX) {
    while (height--) {
        src = srcLine;
        srcLine += srcStride;
        dst = dstLine;
        dstLine += dstStride;
        if (reverse) {
            if (endmask) {
                bits = READ(--src);
                --dst;
                FbDoRightMaskByteMergeRop(dst, bits, endbyte, endmask);
            }
            n = nmiddle;
            if (destInvarient) {
                while (n--)

*** WRITE(--dst, FbDoDestInvarientMergeRop(READ(--src))); **

It's dereferencing src:
00e53b18 8b45fc mov eax,dword ptr [ebp-4]
00e53b1b 8b08 mov ecx,dword ptr [eax] ds:002b:0677e304=????????

Any guidance on how to proceed?

I've attached a better stack and variable values in fbBlt-fault.txt. You can also find a crash dump with pdb symbols at https://www.dropbox.com/s/ofp3jue33scy7f7/vcxsrv-dump.zip. It's a debug build from unmodified 1.13.2.0 source.

Thanks!

1 Attachments
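The parameter line above was captured after the row loop had already executed srcLine += srcStride, so the row the loop is actually reading from is one stride above the printed srcLine. The following added example (not code from the report or from the vcxsrv sources) replays the pointer arithmetic of the reverse branch so that the faulting address from the disassembly can be checked against the printed parameters. It assumes FbBits is 4 bytes wide, matching the unsigned long * in the reported 32-bit signature, and that srcStride is counted in FbBits units as in fbBlt; the function names and the allocation-range check are the example's own.

```c
/* Added example, not part of the bug report or of vcxsrv: recover the source
 * row start and the first address read by the reverse branch of fbBlt's row
 * loop from the parameter values the debugger printed at the fault.
 *
 * Assumptions: FbBits is 4 bytes (the reported signature uses unsigned long *
 * on a 32-bit build) and srcStride is in FbBits units, as in fbblt.c.
 */
#include <stdint.h>
#include <stdio.h>

#define FBBITS_BYTES 4   /* assumed sizeof(FbBits) on the reported build */

/* The debugger shows srcLine *after* the loop did "srcLine += srcStride".
 * Undo that step to get the pointer "src" was initialised from this row. */
uint32_t row_start_from_advanced(uint32_t srcLine_after, int srcStride)
{
    int64_t start = (int64_t)srcLine_after
                  - (int64_t)srcStride * (int64_t)FBBITS_BYTES;
    return (uint32_t)start;
}

/* Address read by the k-th "READ(--src)" of the reverse branch: the walk is
 * pre-decrement, so k = 1 is the word just below the row start. */
uint32_t reverse_read_addr(uint32_t row_start, unsigned k)
{
    return row_start - k * FBBITS_BYTES;
}

/* First source address touched in the current row, straight from the
 * post-increment srcLine the debugger printed. */
uint32_t first_read_in_row(uint32_t srcLine_after, int srcStride)
{
    return reverse_read_addr(row_start_from_advanced(srcLine_after, srcStride), 1);
}

/* Is addr inside the half-open range [lo, hi)? Handy for comparing a read
 * against the pixmap allocation range taken from a dump. */
int addr_in_block(uint32_t addr, uint32_t lo, uint32_t hi)
{
    return addr >= lo && addr < hi;
}

int main(void)
{
    /* Values copied from the report's fbBlt parameter line and disassembly. */
    const uint32_t srcLine_after = 0x0677d444u;
    const int srcStride = -945;
    const uint32_t fault_addr = 0x0677e304u;   /* ds:002b:0677e304 */

    uint32_t row_start  = row_start_from_advanced(srcLine_after, srcStride);
    uint32_t first_read = reverse_read_addr(row_start, 1);

    printf("row start  : 0x%08x\n", row_start);
    printf("first read : 0x%08x (%s the faulting address)\n", first_read,
           first_read == fault_addr ? "matches" : "does not match");
    return first_read == fault_addr ? 0 : 1;
}
```

With the reported values the row start comes out as 0x0677e308 and the first pre-decremented read as 0x0677e304, exactly the address the debugger shows as unreadable (????????). That tells a reader the crash is not a miscomputed stride: the loop is reading precisely where the previous row says it should, and the memory itself is gone, which is what the follow-up comment's page-heap free trace (verifier!AVrfDebugPageHeapFree) explains.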

Discussion

  • Gary Kratkin - 2013-04-19

    More info: this is a use-after-free. The heap block in question was freed from the following call chain:

    68ef90b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    778414d4 ntdll!RtlDebugFreeHeap+0x0000002f
    777fab9a ntdll!RtlpFreeHeap+0x0000005d
    777a3492 ntdll!RtlFreeHeap+0x00000142
    68f0cc4f verifier!AVrfpRtlFreeHeap+0x00000086
    75b214dd kernel32!HeapFree+0x00000014
    68f0dd48 verifier!AVrfpHeapFree+0x00000097
    66b47f59 MSVCR100D!_free_base+0x00000029
    66b57a4e MSVCR100D!_free_dbg_nolock+0x000004ae
    66b57560 MSVCR100D!_free_dbg+0x00000050
    66b59c80 MSVCR100D!free+0x00000010
    012944c1 vcxsrv!FreePixmap+0x00000021
    015958a6 vcxsrv!fbDestroyPixmap+0x00000036
    0134d940 vcxsrv!damageDestroyPixmap+0x000000b0
    0158a016 vcxsrv!compCheckRedirect+0x00000136
    0158a54e vcxsrv!compUnrealizeWindow+0x0000005e
    0130d59c vcxsrv!glxWinUnrealizeWindow+0x000000bc
    012b1c09 vcxsrv!UnrealizeTree+0x000000e9
    012b1a30 vcxsrv!UnmapWindow+0x00000180
    01283377 vcxsrv!ProcUnmapWindow+0x00000067
    01281d5e vcxsrv!Dispatch+0x000002de
    01281594 vcxsrv!main+0x00000594
    01582abf vcxsrv!__tmainCRTStartup+0x000001bf
    015828ef vcxsrv!mainCRTStartup+0x0000000f
    75b233aa kernel32!BaseThreadInitThunk+0x0000000e
    777a9ef2 ntdll!__RtlUserThreadStart+0x00000070
    777a9ec5 ntdll!_RtlUserThreadStart+0x0000001b
    

    This is from my debug build, but please note that the crash is the same in the 1.13.2.0 release binaries.

     
  • marha - 2018-01-11
    • status: open --> closed
     
