[X2Go-Dev] Bug#900: Gedit, gnome-terminal and others crash in rootless mode

Package: libnx-X11

Version: 2.3.5

Setup:

1. x2goserver in a debian testing machine.
2. x2goclient in a windows machine.
3. Create a session with a virtual desktop.
4. Run gedit in the session created in 3.
5. Create a session in windows launching only xterm.
6. Run gedit from the console created in 5.
7. Create a session in windows launching only gedit.

Results:

1. Steps from Setup 3, 4 and 5 work fine.
2. Steps from Setup 6 and 7 crash (close the session).

A quick look in dmesg shows that *libNX_X11.so.6.2* caused a SEGFAULT.

Running x2goagent with a debugger gives the following backtrace:

*(gdb) backtrace* #0 _XData32 (dpy=dpy@entry=0xf591b0, data=data@entry=0x163c2c4, len=len@entry=18652) at XlibInt.c:3775 #1 0x00007f759e34dce1 in XChangeProperty (dpy=0xf591b0, w=<optimized out>, property=<optimized out>, type=6, format=<optimized out>, mode=<optimized out>, data=0x163c2c4 "\377\377\377\377\354\356\356\377\377\377\377\377\354\356\356\377\377\377\377\377\354\356\356\377\377\377\377\377\357\360\360\377\377\377\377\377\364\365\365\377\377\377\377\377\307\312\311\375\377\377\377\377\t\t\t\035", nelements=4663) at ChProp.c:85 #2 0x00000000004b1e37 in nxagentExportProperty (pWin=0x20, property=*4663*, type=23315140, format=4669, mode=32, nUnits=*4663*, value=0x15fc2e0) at Rootless.c:763 #3 0x000000000042222a in ProcChangeProperty (client=0xf591b0) at X/NXproperty.c:331 #4 0x000000000042eea2 in Dispatch () at X/NXdispatch.c:748

Looking at the highlighted values, it seems that gedit is sending a malformed ChangeProperty request, and rootless is failing to process it.

Specifically the segment between lines 735-780, tries to set a property that is bigger than the maximum size required, but because it's a malformed request it ends up writing in memory outside the boundaries of the output buffer.

Alternatives:

1. Ensure that nxagentExportProperty never writes beyond the boundaries of the output buffer.
2. Resize the output buffer to match the required size (ProcChangeProperty seems to do something similar).
3. Ignore big requests (see attached patch).

--