xorg server 6.8.2 and below on 64bit arch
Date: 8 Jan 2006 15:26:05 -0000
Message-ID: <20060108152605.20293.qmail@securityfocus.com>
From: serj@varna.net
To: bugtraq@securityfocus.com
This might be nothing or might be something; comment please! My system is a 64-bit Turion with 64-bit Ubuntu on top. On this machine long = void* = 8 bytes. On a 32-bit arch long = void* = 4 bytes.
Great, now let's have a look at this.
/* XClientMessageEvent as declared in X11/Xlib.h (see also XClientMessageEvent(3)) */
typedef struct {
    int type;                 /* ClientMessage */
    unsigned long serial;     /* # of last request processed by server */
    Bool send_event;          /* true if this came from a SendEvent request */
    Display *display;         /* Display the event was read from */
    Window window;
    Atom message_type;
    int format;               /* 8, 16 or 32: selects b, s or l below */
    union {
        char b[20];           /* 20 x 1 byte  = 20 bytes */
        short s[10];          /* 10 x 2 bytes = 20 bytes */
        long l[5];            /* 5 x sizeof(long): 20 bytes on 32-bit, 40 on 64-bit */
    } data;
} XClientMessageEvent;
Struct taken from the man page (the same lies in Xlib.h), which later says: "The format member is set to 8, 16, or 32 and specifies whether the data should be viewed as a list of bytes, shorts, or longs."
Problems:
1) If I choose to pass a long through this msg the X server is gonna screw it up. On the other end all I am gonna receive is 0xffffffff+theotherhalf.
I don't know what you think, but I think on a 64-bit arch it could be used to crash an app at least.
2) From the union 5*8 = 40 != 20, therefore XClientMessageEvent is 20 bytes LONGER on a 64-bit arch than on 32-bit.
Again comment pls, as I spotted some more code like this in Xlib.h.
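An added example, not part of the post above and not Xlib code: a small C program that checks both observations by mirroring the quoted data union locally (a constructed copy, so it needs no X11 headers), widening a 32-bit wire value into a long the way the sign-extending cast does, and offering a masking helper so a format-32 item is read identically on 4-byte and 8-byte longs.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed local copy of the data union quoted from XClientMessageEvent
 * (mirrors the declaration above; not X11's own header). */
typedef union {
    char  b[20];
    short s[10];
    long  l[5];
} ClientMessageData;

/* Size of the union on the build architecture: 20 bytes with a 4-byte long,
 * 40 bytes with an 8-byte long, because long l[5] dominates the union. */
size_t client_message_data_size(void) {
    return sizeof(ClientMessageData);
}

/* The X protocol carries each format-32 item as a 32-bit value on the wire.
 * Widening it into a long via int32_t sign-extends, which is where an
 * 0xffffffff upper half appears on 64-bit when the wire value's top bit is set.
 * (Conversion of an out-of-range uint32_t to int32_t is implementation-defined;
 * two's-complement wraparound is assumed here, as on GCC/Clang.) */
long wire32_to_long(uint32_t wire) {
    return (long)(int32_t)wire;
}

/* Portable read of a format-32 item: keep only the low 32 bits of data.l[i],
 * so the recovered value is the same whether long is 4 or 8 bytes wide. */
uint32_t long_to_wire32(long l) {
    return (uint32_t)(l & 0xffffffffUL);
}

/* Defensive check before sending: only values that survive the 32-bit
 * round trip can be passed through a format-32 ClientMessage without loss. */
int fits_in_wire32(long l) {
    return wire32_to_long(long_to_wire32(l)) == l;
}

int main(void) {
    long got = wire32_to_long(0x80000001u);
    printf("sizeof(long)=%zu, data union=%zu bytes\n",
           sizeof(long), client_message_data_size());
    printf("wire 0x80000001 arrives as 0x%lx, low 32 bits 0x%x\n",
           (unsigned long)got, long_to_wire32(got));
    return 0;
}
```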