#268 segfault using 1.6.0 with seamlessrdp

Internals (36)

I'm using rdesktop 1.6.0 with seamlessrdp to a remote windows box. I'm running rdesktop on Fedora 8 x86_64 with the latest updates.

Rdesktop crashes out with a segfault at line 470 in ewmhints.c. It looks as though the WM is not giving an icon to update. This means that icon[0] = width causes a segfault.

Dump from gdb:

Program terminated with signal 11, Segmentation fault.
#0 ewmh_set_icon (wnd=33554776, width=16, height=16, rgba_data=0xa7f910 "")
at ewmhints.c:470
470 icon[0] = width;

(gdb) where
#0 ewmh_set_icon (wnd=33554776, width=16, height=16, rgba_data=0xa7f910 "")
at ewmhints.c:470
#1 0x00000000004087a3 in ui_seamless_seticon (id=65998,
format=0xa7a9b9 "RGBA", width=16, height=16, chunk=<value optimized out>,
data=0x7cbb80 "M�M�btQ�^\202q�;�i� \232\212�\006�\235�\021v\231�",
chunk_len=224) at xwin.c:3899
#2 0x000000000042d1aa in seamless_line_handler (
line=0xa7e9e0 "SETICON,551,0x000101ce,2,RGBA,16,16,4db44dff627451ff5e8271ff3ba969ff209a8aff06ac9dff117699ff", '0' <repeats 17 times>, "a7066ff0f5a6dff235d6dff3a636dff45664dff37aa1dff3fd34fff40c752ff557461ff53697bff377984ff1770"...,
data=<value optimized out>) at seamless.c:177
#3 0x00000000004066ac in str_handle_lines (input=<value optimized out>,
rest=0x7cbb60, linehandler=0x42ce30 <seamless_line_handler>, data=0x0)
at rdesktop.c:1344
#4 0x000000000042cdb1 in seamless_process (s=0x6bb9a0) at seamless.c:388
#5 0x000000000041a19a in sec_recv (rdpver=0x7fff8f5bd5df "\003�&\\\217�\177")
at secure.c:828
#6 0x000000000041ba61 in rdp_recv (type=0x7fff8f5c25df "") at rdp.c:89
#7 0x000000000041c0bd in rdp_loop (deactivated=0x7fff8f5c26ac,
ext_disc_reason=0x7fff8f5c26a8) at rdp.c:1411
#8 0x000000000041cd5b in rdp_main_loop (deactivated=0x7fff8f5c26ac,
ext_disc_reason=0x7fff8f5c26a8) at rdp.c:1396


  • TRK

    TRK - 2008-05-20

    After a little more investigation with gdb I've found that the metacity WM appears to be returning a property block for _NET_WM_ICON that has the height set to 0. Changing line 453 in ewmhints.c from "if (i != nitems)" to "if (i < nitems)" catches the corruption and stops it using an invalid icon pointer.

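A bounds-checked walk of the _NET_WM_ICON array, written as an added example (not rdesktop's ewmhints.c code), shows the point of the `i < nitems` fix above and goes a step further by also compacting the array with element arithmetic, the issue raised in the later ewmh_del_icon comment in this thread. The names icon_find and icon_delete and the three sample arrays are assumptions and constructed data.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical helpers (not rdesktop code) over the _NET_WM_ICON layout that
   ewmhints.c walks: a flat array of items, each icon being width, height and
   then width*height ARGB pixels, held here as uint32_t. */

/* Index of the icon of the given size, or -1 if the set ends first or an entry
   is malformed. The pair is bounds-checked before it is read, and an entry whose
   pixel count (a 64-bit product, so it cannot wrap) would run past nitems is
   treated as corruption instead of pushing i beyond the end of the array. */
long icon_find(const uint32_t *set, size_t nitems, uint32_t width, uint32_t height)
{
    size_t i = 0;
    while (i + 2 <= nitems) {
        uint32_t w = set[i], h = set[i + 1];
        uint64_t npix = (uint64_t)w * h;  /* 0 for a zero-height entry: skipped */
        if (npix > nitems - i - 2)
            return -1;                    /* claims more pixels than remain */
        if (w == width && h == height)
            return (long)i;
        i += 2 + (size_t)npix;
    }
    return -1;
}

/* Remove the icon starting at idx, compacting in place with element (not byte)
   arithmetic. Returns the new item count; the set is left untouched unless idx
   starts a complete icon. */
size_t icon_delete(uint32_t *set, size_t nitems, size_t idx)
{
    if (idx + 2 > nitems)
        return nitems;
    uint64_t npix = (uint64_t)set[idx] * set[idx + 1];
    if (npix > nitems - idx - 2)
        return nitems;
    size_t icon_size = 2 + (size_t)npix;
    size_t tail = nitems - (idx + icon_size);
    memmove(set + idx, set + idx + icon_size, tail * sizeof *set);
    return nitems - icon_size;
}

/* Constructed samples: a well-formed set (2x1 icon then 1x1 icon), a zero-height
   entry like the one metacity returned, and a header whose pixels are missing. */
static const uint32_t sample_set[]    = { 2, 1, 0xAA, 0xBB, 1, 1, 0xCC };
static const uint32_t zero_height[]   = { 16, 0, 1, 1, 0xCC };
static const uint32_t truncated_set[] = { 16, 16, 0x11 };
```

With the original `!=` test, the truncated set would have pushed the index past nitems and the lookup would have dereferenced an invalid icon pointer; here it simply reports corruption.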
  • Tris

    Tris - 2008-09-09

    Confirming a similar problem, with the identical fix, under xfce+emerald+compiz.

  • TRK

    TRK - 2008-09-10

    There's another problem in the ewmh_del_icon function that I've recently come across too. When closing a Windows Explorer window rdesktop would crash because of bad parameters being passed to memcpy(). Lines 515 & 523 need changing to cope with corrupted data, and I noticed line 524 needs changing to correct the pointer arithmetic for the delete.

    @@ -512,7 +512,7 @@
    i += 2 + cur_set[i] * cur_set[i + 1];

    - if (i == nitems)
    + if (i >= nitems)
    goto out;

    icon\_size = width \* height + 2;
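
    Review bot: the `>=` guard only takes effect after `i += 2 + cur_set[i] * cur_set[i + 1];` has already read the width and height at cur_set[i] and cur_set[i + 1], so unless the loop header guarantees i + 1 < nitems before this line, that read itself can run past the property data on a truncated set; suggest testing `i + 1 < nitems` before the read, and computing the width*height product in a type wide enough that a bogus pair cannot wrap around and slip under the `>= nitems` check.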

    @@ -520,8 +520,8 @@

    if \(i \!= 0\)
        memcpy\(new\_set, cur\_set, i \* 4\);

    - if (i != nitems - icon_size)
    - memcpy(new_set + i * 4, cur_set + i * 4 + icon_size, nitems - icon_size);
    + if (i < nitems - icon_size)
    + memcpy(new_set + i, cur_set + i + icon_size, (nitems - (i + icon_size))*4);

    nitems -= icon\_size;
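
    Review bot: the new memcpy mixes element pointers (`new_set + i`, `cur_set + i + icon_size`) with a byte count that hard-codes 4 as the element size, the same literal used in `memcpy(new_set, cur_set, i * 4)` just above; if cur_set is an array of long (8 bytes on the x86_64 systems in this report) both copies move only half the data, so use `sizeof(*cur_set)` rather than 4 in both calls. The guard `i < nitems - icon_size` also underflows when icon_size exceeds nitems if nitems is unsigned; `i + icon_size < nitems` expresses the same condition without the subtraction.
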
  • Nobody/Anonymous

    I can confirm a similar problem with both rdesktop 1.5.0 (from my Ubuntu distro) and 1.6.0 (compiled by me).

    Ubuntu 8.04, x86_64 architecture, using this command:
    rdesktop -A -s "c:\seamlessrdp\seamlessrdpshell.exe C:\windows\system32\notepad.exe" <ip>:3389 -u <user> -p <pass>

    On the first attempt it segfaults.
    On the second attempt it works (in seamless mode). But when I close the window, rdesktop doesn't exit, so I have to Control-C it.
    On the third and later attempts it is not in seamless mode anymore (I have to log out and log back in for everything to work again).

  • Corey Puffalt

    Corey Puffalt - 2009-09-24

    I'm also running into this issue. What needs to be done to get these fixes applied to version control so they end up in an official release?

  • ChD

    ChD - 2009-10-06

    Isn't this bug a duplicate of (or related to) 1970489? The patch from that other bug seems to solve this one too.

  • TRK

    TRK - 2009-10-14

    Bug #1970489 is a duplicate of this bug (this one was reported earlier). However, I like the fact that the patch in #1970489 fixes the cause of the problem instead of simply catching it and handling/ignoring the problem.

  • Peter Åstrand

    Peter Åstrand - 2010-01-18

    It is correct that #1970489 is a duplicate of this one, but since I'm applying that patch, I'm actually marking this bug as a duplicate of that one instead.

  • Peter Åstrand

    Peter Åstrand - 2010-01-18
    • status: open --> closed-duplicate
