Comment # 22 on bug 1222442 from Michael Pujos

I could finally get a detailed stack trace in gdb:


#0  0x00007f03c5c949ec in __pthread_kill_implementation () at /lib64/libc.so.6
#1  0x00007f03c5c41176 in raise () at /lib64/libc.so.6
#2  0x00007f03c5c28917 in abort () at /lib64/libc.so.6
#3  0x0000561d2962eefc in OsAbort () at ../../os/utils.c:1361
#4  0x0000561d2962ff5f in AbortServer () at ../../os/log.c:879
#5  FatalError (f=f@entry=0x561d2965b308 "Caught signal %d (%s). Server
aborting\n") at ../../os/log.c:1017
#6  0x0000561d29632652 in OsSigHandler (unused=<optimized out>, sip=<optimized
out>, signo=6) at ../../os/osinit.c:156
#7  OsSigHandler (signo=6, sip=<optimized out>, unused=<optimized out>) at
../../os/osinit.c:110
#8  0x00007f03c5c41240 in <signal handler called> () at /lib64/libc.so.6
#9  0x00007f03c5c949ec in __pthread_kill_implementation () at /lib64/libc.so.6
#10 0x00007f03c5c41176 in raise () at /lib64/libc.so.6
#11 0x00007f03c5c28917 in abort () at /lib64/libc.so.6
#12 0x00007f03c5c297e8 in _IO_peekc_locked.cold () at /lib64/libc.so.6
#13 0x00007f03c5c9f3c7 in  () at /lib64/libc.so.6
#14 0x00007f03c5ca3cdc in malloc () at /lib64/libc.so.6
#15 0x0000561d2958836d in AllocateGlyph (gi=0x561d2b58339c, fdepth=<optimized
out>) at ../../render/glyph.c:355
#16 0x0000561d29593b8a in ProcRenderAddGlyphs (client=<optimized out>) at
../../render/render.c:1085
#17 0x0000561d294a0707 in Dispatch () at ../../dix/dispatch.c:550
#18 dix_main (envp=<optimized out>, argv=0x7fffca74c508, argc=<optimized out>)
at ../../dix/main.c:276
#19 main (argc=<optimized out>, argv=0x7fffca74c508, envp=<optimized out>) at
../../dix/stubmain.c:34
(gdb) frame 15
#15 0x0000561d2958836d in AllocateGlyph (gi=0x561d2b58339c, fdepth=<optimized
out>) at ../../render/glyph.c:355
355         glyph = (GlyphPtr) malloc(size);


So it is crashing in malloc() triggered from AllocateGlyph().
Would not be surprised if it is caused by a double free() or something caused by
the relevant CVE patch.

Will open a bug on the Xorg bug tracker.
