Wireshark-bugs: [Wireshark-bugs] [Bug 2630] rtp_player crashes on decode of long call: BadAlloc

Date: Fri, 20 Feb 2015 02:49:51 +0000

Comment # 28 on bug 2630 from
A backtrace when run with "--sync"

~~~
(gdb) bt
#0  0x0000003e90c50c60 in g_logv () at /lib64/libglib-2.0.so.0
#1  0x0000003e90c50e9f in g_log () at /lib64/libglib-2.0.so.0
#2  0x00000039ad66824d in gdk_x_error () at /lib64/libgdk-x11-2.0.so.0
#3  0x00000039a26454dd in _XError () at /lib64/libX11.so.6
#4  0x00000039a2642427 in handle_error () at /lib64/libX11.so.6
#5  0x00000039a26424e5 in handle_response () at /lib64/libX11.so.6
#6  0x00000039a2643490 in _XReply () at /lib64/libX11.so.6
#7  0x00000039a263ed4d in XSync () at /lib64/libX11.so.6
#8  0x00000039a263edeb in _XSyncFunction () at /lib64/libX11.so.6
#9  0x00000039a2645e2f in _XPrivSyncFunction () at /lib64/libX11.so.6
#10 0x00000039a2e08fa2 in XShmCreatePixmap () at /lib64/libXext.so.6
#11 0x00000039a82928da in _cairo_xlib_shm_surface_create.isra.10 () at /lib64/libcairo.so.2
#12 0x00000039a8292f51 in _cairo_xlib_surface_create_shm () at /lib64/libcairo.so.2
#13 0x00000039a8292fa3 in _cairo_xlib_surface_create_similar_shm () at /lib64/libcairo.so.2
#14 0x00000039a8269bf8 in cairo_surface_create_similar_image () at /lib64/libcairo.so.2
#15 0x00000039a826a388 in cairo_surface_create_similar () at /lib64/libcairo.so.2
#16 0x00000039ad64a1ec in gdk_window_create_similar_surface () at /lib64/libgdk-x11-2.0.so.0
#17 0x00000000004ef1bf in configure_event_channels (widget=0x19274b0, event=<optimized out>, user_data=0x56dd430) at ../../../ui/gtk/rtp_player.c:1646
~~~

Googling for "GdkPixmap BadAlloc" brought me some interesting hits including:

https://mail.gnome.org/archives/gtk-devel-list/2011-April/msg00124.html

which says, in part:

> The text is too long. Rendering it creates a Gdk pixmap that is *too
> wide* (width > 64 k - 1, not supported.)
> 
> AFAIY, X pixmaps can't be wider than 32 K - 1 but I may be wrong. This
> could relate to X, not GTK itself.

~~~
(gdb) frame 17
#17 0x00000000004ef1db in configure_event_channels (widget=0x1943e00, event=<optimized out>, user_data=0x56fcad0) at ../../../ui/gtk/rtp_player.c:1649
1649        rci->surface = gdk_window_create_similar_surface (gtk_widget_get_window(widget),
(gdb) print widget_alloc
$1 = {x = 0, y = 0, width = 54304, height = 100}
(gdb) 
~~~

So the problem is that we're trying to allocate a pixmap which is too wide.

If I modify the code like this:

~~~
--- a/ui/gtk/rtp_player.c
+++ b/ui/gtk/rtp_player.c
@@ -1643,6 +1643,9 @@ configure_event_channels(GtkWidget *widget,
GdkEventConfigure *event _U_, gpoint
         rci->surface=NULL;
     }
     gtk_widget_get_allocation(widget, &widget_alloc);
+g_warning("w=%d, h=%d", widget_alloc.width, widget_alloc.height);
+if (widget_alloc.width > 32000)
+       widget_alloc.width = 32000;
     rci->surface = gdk_window_create_similar_surface
(gtk_widget_get_window(widget),
             CAIRO_CONTENT_COLOR,
             widget_alloc.width,
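Review bot: The added `g_warning("w=%d, h=%d", ...)` is debugging output that fires on every configure event and should be removed (or demoted to a debug-level log) before anything like this is committed; it and the `if` also sit at column 0 while the surrounding code is indented four spaces. The clamp hardcodes 32000 with no named constant or comment saying where the bound comes from, and it checks only `widget_alloc.width`, so an over-tall allocation would still hit the same BadAlloc; and because only the local `widget_alloc` copy is shrunk, any later drawing that re-reads the widget's real allocation would address pixels beyond the narrower surface, which is worth checking. Suggest something like `#define RTP_PLAYER_MAX_SURFACE_DIM 32000` applied to both width and height, with a comment pointing at the X pixmap size limit, and storing the clamped width with the surface so the draw path uses the same bound.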
~~~

It no longer crashes but it also clearly cuts off part of the graph.

(This also explains why the problem only happens on X-based systems: it's an X
limitation.)

I would imagine that reworking this to, erm, not create such a wide pixmap
would be a major challenge.  I'm tempted to check in something like the above
code just to stop the crashes; ideally, of course, it would tell you WHY it's
cutting off the graph but that's way beyond my (non-existent) GUI programming
skills.
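The clamp above keeps the X server happy but drops everything past 32000 pixels. The alternative the comment calls a "major challenge" is to stop asking for one surface that wide and instead cover the graph with several surfaces that each fit under the limit. The following is an added example that is not Wireshark code and not from the bug thread: it plans a set of tiles for a requested drawing width and maps an absolute x coordinate back to a tile, which is the bookkeeping a tiled rtp_player surface would need. `MAX_SURFACE_WIDTH` is an assumption taken from the 32000 used in the comment's clamp, not a limit the X server guarantees, and the 54304x100 allocation is the one printed in the gdb session.

```c
#include <stdio.h>
#include <stddef.h>

/* Assumed per-surface width bound, taken from the 32000 clamp in the
 * comment above; the real X limit depends on server and transport. */
#define MAX_SURFACE_WIDTH 32000
#define MAX_TILES 16

struct tile_plan {
    int ntiles;            /* number of surfaces needed, 0 on error */
    int x0[MAX_TILES];     /* x offset of each tile in graph coordinates */
    int width[MAX_TILES];  /* width of each tile, every one <= max_width */
};

/* Plan how to cover total_width pixels with surfaces no wider than
 * max_width. Returns 0 on success, -1 on bad input or too many tiles.
 * Widths are balanced (differ by at most one pixel) instead of filling
 * tiles to max_width, so the last tile is never a sliver. */
int plan_tiles(int total_width, int max_width, struct tile_plan *plan)
{
    int n, i, base, extra, x;

    if (plan == NULL)
        return -1;
    plan->ntiles = 0;
    if (total_width <= 0 || max_width <= 0)
        return -1;

    n = (total_width + max_width - 1) / max_width;  /* ceiling division */
    if (n > MAX_TILES)
        return -1;

    base = total_width / n;
    extra = total_width % n;   /* the first `extra` tiles get one more pixel */
    x = 0;
    for (i = 0; i < n; i++) {
        plan->x0[i] = x;
        plan->width[i] = base + (i < extra ? 1 : 0);
        x += plan->width[i];
    }
    plan->ntiles = n;
    return 0;
}

/* Map an absolute graph x coordinate to (tile index, x within that tile).
 * Returns the tile index, or -1 if x lies outside the planned area. */
int locate_tile(const struct tile_plan *plan, int x, int *local_x)
{
    int i;

    for (i = 0; i < plan->ntiles; i++) {
        if (x >= plan->x0[i] && x < plan->x0[i] + plan->width[i]) {
            if (local_x != NULL)
                *local_x = x - plan->x0[i];
            return i;
        }
    }
    return -1;
}

int main(void)
{
    struct tile_plan plan;
    int i, lx;

    /* The allocation printed by gdb: width 54304, height 100. */
    if (plan_tiles(54304, MAX_SURFACE_WIDTH, &plan) != 0) {
        fprintf(stderr, "cannot plan tiles\n");
        return 1;
    }
    for (i = 0; i < plan.ntiles; i++)
        printf("tile %d: x0=%d width=%d\n", i, plan.x0[i], plan.width[i]);

    i = locate_tile(&plan, 40000, &lx);
    printf("x=40000 -> tile %d, local x %d\n", i, lx);
    return 0;
}
```

Each tile would then get its own `gdk_window_create_similar_surface` call of `plan.width[i]` by the widget height, and the draw handler would paint tile `i` at offset `plan.x0[i]`; a height bound would be handled the same way if an allocation ever exceeded it vertically.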
