Bug 7242 - crash with massive session size
Summary: crash with massive session size
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: VNC
Version: 1.3.1
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.10.0
Assignee: Pierre Ossman
URL:
Keywords: ossman_tester, relnotes, upstream
Depends on: 7158
Blocks:
Reported: 2018-08-27 16:41 CEST by Pierre Ossman
Modified: 2018-09-18 20:09 CEST

See Also:
Acceptance Criteria:


Attachments

Description Pierre Ossman cendio 2018-08-27 16:41:04 CEST
When connecting to a very large session, the client can crash with:

Thread 2 "vncviewer" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb5b4c410 (LWP 4400)]
0xb690f724 in memcpy () from /usr/lib/libc.so.6
(gdb) bt
#0  0xb690f724 in memcpy () from /usr/lib/libc.so.6
#1  0x2a035074 in rfb::ModifiablePixelBuffer::fillRect(rfb::Rect const&, void const*) ()
#2  0x2a0357b4 in rfb::ModifiablePixelBuffer::fillRect(rfb::PixelFormat const&, rfb::Rect const&, void const*) ()
#3  0x2a03d7cc in rfb::TightDecoder::decodeRect(rfb::Rect const&, void const*, unsigned int, rfb::ConnParams const&, rfb::ModifiablePixelBuffer*) ()
#4  0x2a031b30 in rfb::DecodeManager::DecodeThread::worker() ()
#5  0x2a04a868 in os::Thread::startRoutine(void*) ()
#6  0xb6d00f08 in start_thread () from /usr/lib/libpthread.so.0
#7  0xb696b938 in ?? () from /usr/lib/libc.so.6

Upstream report here:

https://github.com/TigerVNC/tigervnc/issues/645

Fix here:

https://github.com/TigerVNC/tigervnc/commit/f81148c43a25d4c69e635b6ad13eab674b473aca
Comment 1 Pierre Ossman cendio 2018-09-17 14:34:28 CEST
Should be fixed now with the new vendor drop of TigerVNC.
Comment 3 Pierre Ossman cendio 2018-09-17 14:47:53 CEST
I'm seeing crashes with both the server and client when using 4.9.0. But both work fine when using trunk.
