Vulnerability Development mailing list archives

Bad Bug in XFree86 4.0.2

From: Wolfgang Wieser <wwieser () GMX DE>
Date: Sun, 25 Feb 2001 11:41:51 +0100

While originally looking for bugs in KDE 2.1, I found a severe bug in
XFree86 4.0.2. (server crash; possibly even exploitable remotely)

I just can't figure out which function causes it (gdb reports an address but
cannot resolve the function although debugging symbols were compiled in.)
And I do not know which client-side action (Xlib function call) provokes the
bug. (Help appreciated.)

Here is how to reproduce it:
(Please try out and drop me some feedback;
XFree86 < 4.0.0 does not seem to be affected.)

- Load konqueror (I'm doing this with konqueror 2.1 and
  fvwm as windowmanager).
- Insert 1024 `a' in a text editor (I'm using NEdit).
- Select the 1024 `a' (without trailing newline).
- Press the middle mouse button in konqueror's location bar
  four times (be sure not to perform a double-click).
- Now, press the `Pos1' or `Home' key to get to the beginning of
  the location bar, then press the right arrow to get one letter right
  (maybe not necessary).
- Now paste again two times the `a's using the middle mouse button.
- Now press the `End'-key (the one doing the opposite of the `Home'
  key) to get to the end of the location bar's text again.

This causes my XFree86-4.0.2 to catch a SIGSEGV and it exits
(cleaning up the terminal without problems, so you just have to
start it again). I've done this frequently in the last day and it always
worked. It may even work with fewer characters; didn't test that.


        /"\                             |   Wolfgang
        \ /     ASCII Ribbon Campaign   |   Wieser
         X      Against HTML Mail       |
        / \                             |

Some operating systems are called ``user friendly''.
      Linux, however, is ``expert friendly''.
