Closed Bug 441995 Opened 12 years ago Closed 12 years ago

crash in cairo_surface_set_device_offset () from /usr/lib/libcairo.so.2

Categories

(Core :: Graphics, defect, critical)

x86
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla1.9.1a1

People

(Reporter: david.maciejak, Assigned: mats)

References

(Depends on 1 open bug)

Details

(Keywords: fixed1.9.0.2, testcase, Whiteboard: [sg:critical?] null-pointer access only?)

Attachments

(3 files)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008061015 Firefox/3.0
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008061015 Firefox/3.0

Crash when trying to display an overlong alert messagebox after a refresh.

Reproducible: Always

Steps to Reproduce:
1. Open the file; the alert box is displayed.
2. Hit the Escape key to close the box.
3. Hit F5 to refresh the page.

Actual Results:  
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7cdb6c0 (LWP 1444)]
0xb6d892cb in cairo_surface_set_device_offset () from /usr/lib/libcairo.so.2

Expected Results:  
not crashed

Seems to be something like Bug 439343; I will enclose the PoC in the report.
I don't really know the impact of that, or whether it can be worse than a crash.

#0  0xb6d4c2cb in cairo_surface_set_device_offset () from /usr/lib/libcairo.so.2
#1  0xb78db907 in gfxASurface::SetDeviceOffset () from /usr/lib/xulrunner-1.9/libxul.so
#2  0xb77e2652 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#3  0xb77e4f20 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#4  0xb68148d4 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#5  0xb6bfb759 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#6  0xb6c0fd1d in ?? () from /usr/lib/libgobject-2.0.so.0
#7  0xb6c1164e in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#8  0xb6c11c59 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#9  0xb6933667 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#10 0xb680edf6 in gtk_main_do_event () from /usr/lib/libgtk-x11-2.0.so.0
#11 0xb6657f33 in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#12 0xb66585c8 in gdk_window_process_all_updates () from /usr/lib/libgdk-x11-2.0.so.0
#13 0xb66585eb in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#14 0xb663e81b in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#15 0xb6b76081 in ?? () from /usr/lib/libglib-2.0.so.0
#16 0xb6b77bf8 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#17 0xb6b7ae5e in ?? () from /usr/lib/libglib-2.0.so.0
#18 0xb6b7b3ac in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#19 0xb77e701c in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#20 0xb77fbdc4 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#21 0xb77fc20f in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#22 0xb78ab43a in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#23 0xb787aa83 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#24 0xb76767fd in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#25 0xb76735fd in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#26 0xb7652f3f in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#27 0xb7653225 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#28 0xb765479d in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#29 0xb7654e97 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#30 0xb764e217 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#31 0xb74b6792 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#32 0xb78b7781 in NS_InvokeByIndex_P () from /usr/lib/xulrunner-1.9/libxul.so
#33 0xb710b2bb in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#34 0xb711106d in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#35 0xb7be8176 in js_Invoke () from /usr/lib/xulrunner-1.9/libmozjs.so
#36 0xb7bdb0ef in ?? () from /usr/lib/xulrunner-1.9/libmozjs.so
#37 0xb7be7a31 in ?? () from /usr/lib/xulrunner-1.9/libmozjs.so
#38 0xb7bb3546 in JS_EvaluateUCScriptForPrincipals () from /usr/lib/xulrunner-1.9/libmozjs.so
#39 0xb74a230c in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#40 0xb73aaddf in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#41 0xb73ab663 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#42 0xb73ac58c in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#43 0xb73aa2a2 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#44 0xb7408da3 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#45 0xb7408420 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#46 0xb741c76c in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#47 0xb741dc6b in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#48 0xb741e6d8 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#49 0xb71e00b2 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#50 0xb71e2f63 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#51 0xb71e3ba2 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#52 0xb71e0cf5 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#53 0xb71e9eb8 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#54 0xb71eb51a in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#55 0xb71e9d66 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#56 0xb7633fb5 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#57 0xb7122951 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#58 0xb71285de in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#59 0xb7128711 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#60 0xb7896977 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#61 0xb78ab496 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#62 0xb787aa83 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#63 0xb77fbefe in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#64 0xb768b946 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#65 0xb70e0688 in XRE_main () from /usr/lib/xulrunner-1.9/libxul.so
#66 0x08049033 in ?? ()
#67 0xb7cb6450 in __libc_start_main () from /lib/tls/i686/cmov/libc.so.6
#68 0x08048cc1 in ?? ()
Attached file poc
Please take care, it's an extract from a malicious sample.
Component: General → GFX: Thebes
Product: Firefox → Core
QA Contact: general → thebes
I can confirm that this crashes Firefox 3, though my stack looks a bit different from David's.  I'll attach mine momentarily.
Severity: normal → critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:critical?]
Assignee: nobody → mats.palmgren
It's a null-pointer access for me (on x86_64 Linux):

*INT__moz_cairo_surface_set_device_offset (surface=0x0, x_offset=0, y_offset=0) at gfx/cairo/cairo/src/cairo-surface.c:821
821         assert (! surface->is_snapshot);
(gdb) p surface
$1 = (cairo_surface_t *) 0x0
Whiteboard: [sg:critical?] → [sg:critical?] null-pointer access only?
Attached patch Patch rev. 1Splinter Review
I wasn't able to make a crashtest that doesn't require user action --
script execution stops while the alert is posted.  Let me know if
you have ideas to make it work.  Firefox 3.0 on Windows XP and MacOSX
10.5.3 does not crash for me, so I think this is GTK-only.
Attachment #327184 - Flags: superreview?(roc)
Attachment #327184 - Flags: review?(roc)
Flags: wanted1.9.1?
Flags: wanted1.9.0.x?
I was not able to reproduce it on Windows XP SP3 either, nor on the latest Firefox 2.x version.
Why does the crash happen? We successfully created the pixmap so why can't cairo create a surface object wrapped around it?
CheckSurfaceSize() does its job:
http://hg.mozilla.org/mozilla-central/index.cgi/file/378495e669f9/gfx/thebes/src/gfxXlibSurface.cpp#l67
Limit is 65535, size.width is 76261.

BTW, with the patch in bug 409006 we wouldn't have allowed this
crazy window size in the first place ;-)
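The failure mode discussed in the two comments above, a size gate that refuses the pixmap dimensions so surface creation returns null and the caller dereferences that null, as an added example in C. This is not code from Mozilla, cairo or this bug's patch: the surface struct, the function names and the 800-pixel height are constructed for illustration; only the 65535 limit and the 76261 width come from the report.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration of the report's root cause (not Mozilla or
 * cairo code): a size check refuses dimensions above 65535, the surface
 * constructor hands back NULL, and the widget layer used it anyway. */

#define MAX_DIMENSION 65535   /* the limit quoted in the report */

typedef struct {
    int width, height;
    double x_offset, y_offset;
} surface_t;

/* Mirrors the size gate: 0 when a dimension cannot be backed by a pixmap. */
int check_surface_size(int width, int height) {
    return width > 0 && height > 0 &&
           width <= MAX_DIMENSION && height <= MAX_DIMENSION;
}

/* Stand-in for surface creation: NULL when the size check fails. */
surface_t *create_surface(int width, int height) {
    if (!check_surface_size(width, height))
        return NULL;
    surface_t *s = calloc(1, sizeof *s);
    if (s == NULL)
        return NULL;
    s->width = width;
    s->height = height;
    return s;
}

/* Stand-in for cairo_surface_set_device_offset(): dereferences the
 * surface unconditionally, as the assert in the report's gdb session did. */
void surface_set_device_offset(surface_t *s, double x, double y) {
    s->x_offset = x;   /* NULL here is the SIGSEGV from the report */
    s->y_offset = y;
}

/* Unchecked caller, the shape of the pre-fix code path: if create_surface()
 * returns NULL this crashes.  Only call it with an in-range size. */
void paint_window_unchecked(int width, int height, double x, double y) {
    surface_t *s = create_surface(width, height);
    surface_set_device_offset(s, x, y);   /* s may be NULL */
    free(s);
}

/* Hardened caller: checks the result before use.
 * Returns 1 when painted, 0 when the window is too large to back. */
int paint_window_safe(int width, int height, double x, double y) {
    surface_t *s = create_surface(width, height);
    if (s == NULL)
        return 0;   /* drop the paint rather than dereference NULL */
    surface_set_device_offset(s, x, y);
    free(s);
    return 1;
}

int main(void) {
    /* 76261 is the width from the report; 800 is a constructed height. */
    printf("76261x800: %s\n",
           paint_window_safe(76261, 800, 0, 0) ? "painted" : "refused");
    printf("1024x768: %s\n",
           paint_window_safe(1024, 768, 0, 0) ? "painted" : "refused");
    paint_window_unchecked(1024, 768, 0, 0);   /* in range, so no crash */
    return 0;
}
```

The point of the split between `paint_window_unchecked` and `paint_window_safe` is the one roc raises: a size gate that returns NULL is only a fix if every caller treats NULL as a possible result, which is what the nsWindow.cpp patch adds.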
Attachment #327184 - Flags: superreview?(roc)
Attachment #327184 - Flags: superreview+
Attachment #327184 - Flags: review?(roc)
Attachment #327184 - Flags: review+
http://hg.mozilla.org/mozilla-central/index.cgi/rev/c5dc9d84d476

-> FIXED
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: wanted1.9.1? → in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.1a1
Attachment #327184 - Flags: approval1.9.0.1?
Attachment #327184 - Flags: approval1.9.0.1? → approval1.9.0.2?
Hi,

Do you intend to put out a security advisory (MFSA) for this case?

Thx, david
Can we get some tests for this patch before approving for 1.9.0.2?
(In reply to comment #11)
> Can we get some tests for this patch before approving for 1.9.0.2?

(And yes, I saw that making a testcase without user intervention isn't possible right now, but I want to confirm that there's no way to get a test before we take it in 1.9.0...)
Flags: wanted1.9.0.x? → wanted1.9.0.x+
I don't know how to automate tests involving alert()s.  I have a few
other crash (or XError) bugs that also need tests (eg bug 409006).
Comment on attachment 327184 [details] [diff] [review]
Patch rev. 1

Alright, but it makes me sad. :( Is there a bug on file for making this testable?

Approved for 1.9.0.2. Please land in CVS. a=ss
Attachment #327184 - Flags: approval1.9.0.2? → approval1.9.0.2+
Filed bug 448617 for a test mechanism for tests involving alert windows.

Landed in CVS trunk:
mozilla/widget/src/gtk2/nsWindow.cpp 	1.274
Depends on: 448617
Flags: wanted1.8.0.x-
Group: core-security
for future reference, this is CVE-2008-4064