I have a reproducible crash with Google Chrome over x2go. The (inexact) scenario involves opening and closing Chrome's menu (the item to the right of the address bar), and repeatedly choosing About or Settings. I can crash vcxsrv within a minute or so.
I'm new to the code, and I haven't tried to dig too deeply, but I can describe the crash site:
00 vcxsrv!fbBlt
01 vcxsrv!fbCopyWindowProc
02 vcxsrv!miCopyRegion
03 vcxsrv!fbCopyWindow
04 vcxsrv!damageCopyWindow
05 vcxsrv!miSpriteCopyWindow
06 vcxsrv!winCopyWindowMultiWindow
07 vcxsrv!compCopyWindow
08 vcxsrv!glxWinCopyWindow
09 vcxsrv!miSlideAndSizeWindow
0a vcxsrv!winResizeWindowMultiWindow
0b vcxsrv!compResizeWindow
0c vcxsrv!ConfigureWindow
0d vcxsrv!ProcConfigureWindow
0e vcxsrv!Dispatch
0f vcxsrv!main
10 vcxsrv!tmainCRTStartup
11 vcxsrv!mainCRTStartup
12 kernel32!BaseThreadInitThunk
13 ntdll!RtlUserThreadStart
14 ntdll!_RtlUserThreadStart
The current parameter values to fbBlt are:
vcxsrv!fbBlt(unsigned long * srcLine = 0x0677d444, int srcStride = 0n-945, int srcX = 0n31, unsigned long * dstLine = 0x0677f1d0, int dstStride = 0n-945, int dstX = 0n31, int width = 0n32, int height = 0n0, int alu = 0n3, unsigned long pm = 0xffffffff, int bpp = 0n32, int reverse = 0n1, int upsidedown = 0n1)+0x57b
The code faults on the starred line below:
    if (srcX == dstX) {
        while (height--) {
            src = srcLine;
            srcLine += srcStride;      /* stride is negative here (upsidedown == 1) */
            dst = dstLine;
            dstLine += dstStride;
            if (reverse) {
                if (endmask) {
                    bits = READ(--src);
                    --dst;
                    FbDoRightMaskByteMergeRop(dst, bits, endbyte, endmask);
                }
                n = nmiddle;
                if (destInvarient) {
                    while (n--)
***                     WRITE(--dst, FbDoDestInvarientMergeRop(READ(--src)));   ***
It's dereferencing src:
00e53b18 8b45fc mov eax,dword ptr [ebp-4]
00e53b1b 8b08 mov ecx,dword ptr [eax] ds:002b:0677e304=????????
Any guidance on how to proceed?
I've attached a better stack and variable values in fbBlt-fault.txt. You can also find a crash dump with pdb symbols at https://www.dropbox.com/s/ofp3jue33scy7f7/vcxsrv-dump.zip. It's a debug build from unmodified 1.13.2.0 source.
Thanks!
More info: this is a use-after-free. The heap block in question was freed from the following call chain:
This is from my debug build, but please note that the crash is the same in the 1.13.2.0 release binaries.
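As an added check that is not part of this report or of the vcxsrv sources, the C below reproduces the address arithmetic from the fbBlt frame above: fbBlt does `src = srcLine; srcLine += srcStride;` before touching a row, so the frame's srcLine already points one (negative) stride past the row being copied, and the first `READ(--src)` of the reversed walk lands one word below the row start, which is exactly the address the `mov ecx,[eax]` faulted on. The allocation window passed to the bounds helper is constructed, since the report gives no allocation range.

```c
#include <stdint.h>
#include <stdio.h>

#define WORD_BYTES 4u   /* sizeof(unsigned long) on 32-bit Windows, the fbBlt pixel unit here */

/* Values copied from the fbBlt frame in the crash report. */
#define CRASH_SRCLINE    ((uintptr_t)0x0677d444)
#define CRASH_SRCSTRIDE  (-945)                    /* in words */
#define CRASH_FAULT_ADDR ((uintptr_t)0x0677e304)  /* ds:002b:0677e304=???????? */

/* Start of the row currently being copied: the frame's srcLine has already
 * had `srcLine += srcStride` applied, so undo one stride to get back to it. */
static uintptr_t row_start(uintptr_t srcline_after, int stride_words)
{
    return (uintptr_t)((intptr_t)srcline_after
                       - (intptr_t)stride_words * (intptr_t)WORD_BYTES);
}

/* Address touched by the n-th READ(--src) of a reversed row (n = 1 is the first). */
static uintptr_t reverse_read_addr(uintptr_t row, unsigned n)
{
    return row - n * WORD_BYTES;
}

/* Walk the reversed row as fbBlt would and count how many reads stay inside the
 * (constructed) allocation window [lo, hi) before the first one leaves it. */
static unsigned reads_in_bounds(uintptr_t row, unsigned nwords, uintptr_t lo, uintptr_t hi)
{
    unsigned ok = 0;
    for (unsigned n = 1; n <= nwords; n++) {
        uintptr_t a = reverse_read_addr(row, n);
        if (a < lo || a + WORD_BYTES > hi)
            break;
        ok++;
    }
    return ok;
}

int main(void)
{
    uintptr_t row = row_start(CRASH_SRCLINE, CRASH_SRCSTRIDE);
    printf("row start     : 0x%08lx\n", (unsigned long)row);
    printf("first READ at : 0x%08lx (debugger fault address 0x%08lx)\n",
           (unsigned long)reverse_read_addr(row, 1), (unsigned long)CRASH_FAULT_ADDR);
    return 0;
}
```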