Debian Bug report logs - #394366
int/long confusion causes xsetbg segfault on AMD64

Package: xloadimage; Maintainer for xloadimage is Dominik George <nik@naturalnet.de>; Source for xloadimage is src:xloadimage.

Reported by: Stephen McCamant <smcc@CSAIL.MIT.EDU>

Date: Fri, 20 Oct 2006 21:18:28 UTC

Severity: normal



Report forwarded to debian-bugs-dist@lists.debian.org, Someone else <owner@bugs.debian.org>:
Bug#394366; Package xloadimage. Full text and rfc822 format available.

Acknowledgement sent to Stephen McCamant <smcc@CSAIL.MIT.EDU>:
New Bug report received and forwarded. Copy sent to Someone <owner@bugs.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Stephen McCamant <smcc@CSAIL.MIT.EDU>
To: submit@bugs.debian.org
Subject: int/long confusion causes xsetbg segfault on AMD64
Date: Fri, 20 Oct 2006 17:04:02 -0400
[Message part 1 (text/plain, inline)]
Package: xloadimage
Version: 4.1-14.3

A call to XGetWindowProperty() in root.c incorrectly casts between
pointers to ints and longs, causing the values returned from the
function to be incorrect on platforms such as AMD64 where longs are
larger than ints. Under some circumstances, this seems to cause the
program to believe the function has returned a correct value when it
has not, and then dereference a null pointer in the argument to the
following call to XKillClient(), though this crash occurs only
intermittently. (I can see the crash when loading a PPM image with
"xsetbg -fullscreen", but whether it shows up seems to vary depending
on whether I pass the image by filename or on stdin, and other aspects
of the environment; and I wasn't able to reproduce with optimization
disabled for that file or a different GCC version.)

The attached patch fixes the types of the locals used for the return
values to what the function expects, and seems to fix the bug.

 -- Stephen
[xsetbg.patch (text/plain, inline)]
--- root.c.orig	2006-10-20 16:05:45.000000000 -0400
+++ root.c	2006-10-20 16:18:09.000000000 -0400
@@ -68,16 +68,16 @@
   Pixmap *pm;			
   Atom	actual_type;		/* NOTUSED */
   int	format;
-  int	nitems;
-  int	bytes_after;
+  unsigned long	nitems;
+  unsigned long	bytes_after;
 
   /* intern the property name */
   Atom atom = XInternAtom(dpy, RETAIN_PROP_NAME, 0);
 
   /* look for existing resource allocation */
   if ((XGetWindowProperty(dpy, w, atom, 0, 1, 1/*delete*/,
-			  AnyPropertyType, &actual_type, &format, (unsigned long *)&nitems,
-			  (unsigned long *)&bytes_after, (unsigned char **)&pm) == Success) &&
+			  AnyPropertyType, &actual_type, &format, &nitems,
+			  &bytes_after, (unsigned char **)&pm) == Success) &&
       nitems == 1) {
     if ((actual_type == XA_PIXMAP) && (format == 32) &&
 	(nitems == 1) && (bytes_after == 0)) {
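
Review bot: the conditions at the end of this hunk still never test `pm` itself. `Pixmap *pm;` is declared without an initializer, and the visible checks cover only the return code, `nitems`, `actual_type`, `format` and `bytes_after`. Suggest initialising `pm` to NULL and adding `pm != NULL` to the inner condition, so that a reply with no data cannot reach a dereference. The inner `(nitems == 1)` repeats the outer `nitems == 1` test and can be dropped. Declaring `nitems` and `bytes_after` as `unsigned long` matches the pointer type the removed casts were forcing, so dropping the casts on those two arguments is right.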

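The effect the report describes, modelled without undefined behaviour as an added example (not code from xloadimage or from the patch): a callee that stores an `unsigned long` through a pointer to an `int` local writes past the 4-byte slot on platforms where long is wider than int. The `struct locals` layout, the helper names and the store order are assumptions of this model; the real stack layout depends on the compiler.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the pre-patch locals; real stack layout is compiler-dependent. */
struct locals {
    int nitems;                                  /* declared int before the patch */
    int bytes_after;                             /* assumed adjacent to nitems */
    unsigned char next[sizeof(unsigned long)];   /* stands in for whatever follows */
};

/* What a callee does when handed (unsigned long *)&int_local: a full-width store. */
static void store_ulong(struct locals *f, size_t off, unsigned long v)
{
    memcpy((unsigned char *)f + off, &v, sizeof v);
}

/* Number of bytes outside the 4-byte int slot at `off` that one store changes. */
static size_t spilled_bytes(size_t off, unsigned long v)
{
    struct locals before, after;
    size_t i, n = 0;
    memset(&before, 0xAA, sizeof before);
    after = before;
    store_ulong(&after, off, v);
    for (i = 0; i < sizeof before; i++)
        if ((i < off || i >= off + sizeof(int)) &&
            ((unsigned char *)&after)[i] != ((unsigned char *)&before)[i])
            n++;
    return n;
}

/* Caller's bytes_after if the callee stores it first, then nitems (assumed order). */
static int bytes_after_seen(unsigned long nitems, unsigned long bytes_after)
{
    struct locals f;
    memset(&f, 0, sizeof f);
    store_ulong(&f, offsetof(struct locals, bytes_after), bytes_after);
    store_ulong(&f, offsetof(struct locals, nitems), nitems);
    return f.bytes_after;
}

int main(void)
{
    printf("int=%zu long=%zu spilled=%zu bytes_after_seen=%d\n",
           sizeof(int), sizeof(unsigned long),
           spilled_bytes(offsetof(struct locals, nitems), 1UL), bytes_after_seen(1UL, 5UL));
    return 0;
}
```

On a little-endian platform with 8-byte longs, the store to `nitems` zeroes the adjacent `bytes_after`, so the caller reads 0 even though the callee reported 5. Where int and long are the same size, nothing spills and the value survives.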


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 01:37:34 2014; Machine Name: beach.debian.org
