Bug 441995 - crash in cairo_surface_set_device_offset () from /usr/lib/libcairo.so.2
Status: Closed, RESOLVED FIXED
Opened 17 years ago, closed 17 years ago
Categories: Core :: Graphics, defect
Target Milestone: mozilla1.9.1a1
People: Reporter: david.maciejak; Assigned: MatsPalmgren_bugz
References: Depends on 1 open bug
Keywords: fixed1.9.0.2, testcase
Whiteboard: [sg:critical?] null-pointer access only?
Attachments (3 files):
- 135.99 KB, text/html
- 2.24 KB, text/plain
- 1.26 KB, patch (roc: review+; roc: superreview+; samuel.sidler+old: approval1.9.0.2+)
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008061015 Firefox/3.0
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008061015 Firefox/3.0
Crash when trying to display an overlong alert messagebox after a refresh.
Reproducible: Always
Steps to Reproduce:
1. Open the file; the alert box is displayed.
2. Hit the Escape key to close the box.
3. Hit F5 to refresh the page.
Actual Results:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7cdb6c0 (LWP 1444)]
0xb6d892cb in cairo_surface_set_device_offset () from /usr/lib/libcairo.so.2
Expected Results:
not crashed
Seems to be something like bug 439343; I will enclose the PoC in the report.
I don't really know the impact of that, or whether it can be worse than a crash.
#0 0xb6d4c2cb in cairo_surface_set_device_offset () from /usr/lib/libcairo.so.2
#1 0xb78db907 in gfxASurface::SetDeviceOffset () from /usr/lib/xulrunner-1.9/libxul.so
#2 0xb77e2652 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#3 0xb77e4f20 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#4 0xb68148d4 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#5 0xb6bfb759 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#6 0xb6c0fd1d in ?? () from /usr/lib/libgobject-2.0.so.0
#7 0xb6c1164e in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#8 0xb6c11c59 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#9 0xb6933667 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#10 0xb680edf6 in gtk_main_do_event () from /usr/lib/libgtk-x11-2.0.so.0
#11 0xb6657f33 in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#12 0xb66585c8 in gdk_window_process_all_updates () from /usr/lib/libgdk-x11-2.0.so.0
#13 0xb66585eb in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#14 0xb663e81b in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#15 0xb6b76081 in ?? () from /usr/lib/libglib-2.0.so.0
#16 0xb6b77bf8 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#17 0xb6b7ae5e in ?? () from /usr/lib/libglib-2.0.so.0
#18 0xb6b7b3ac in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#19 0xb77e701c in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#20 0xb77fbdc4 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#21 0xb77fc20f in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#22 0xb78ab43a in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#23 0xb787aa83 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#24 0xb76767fd in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#25 0xb76735fd in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#26 0xb7652f3f in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#27 0xb7653225 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#28 0xb765479d in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#29 0xb7654e97 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#30 0xb764e217 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#31 0xb74b6792 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#32 0xb78b7781 in NS_InvokeByIndex_P () from /usr/lib/xulrunner-1.9/libxul.so
#33 0xb710b2bb in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#34 0xb711106d in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#35 0xb7be8176 in js_Invoke () from /usr/lib/xulrunner-1.9/libmozjs.so
#36 0xb7bdb0ef in ?? () from /usr/lib/xulrunner-1.9/libmozjs.so
#37 0xb7be7a31 in ?? () from /usr/lib/xulrunner-1.9/libmozjs.so
#38 0xb7bb3546 in JS_EvaluateUCScriptForPrincipals () from /usr/lib/xulrunner-1.9/libmozjs.so
#39 0xb74a230c in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#40 0xb73aaddf in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#41 0xb73ab663 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#42 0xb73ac58c in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#43 0xb73aa2a2 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#44 0xb7408da3 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#45 0xb7408420 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#46 0xb741c76c in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#47 0xb741dc6b in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#48 0xb741e6d8 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#49 0xb71e00b2 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#50 0xb71e2f63 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#51 0xb71e3ba2 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#52 0xb71e0cf5 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#53 0xb71e9eb8 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#54 0xb71eb51a in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#55 0xb71e9d66 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#56 0xb7633fb5 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#57 0xb7122951 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#58 0xb71285de in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#59 0xb7128711 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#60 0xb7896977 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#61 0xb78ab496 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#62 0xb787aa83 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#63 0xb77fbefe in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#64 0xb768b946 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#65 0xb70e0688 in XRE_main () from /usr/lib/xulrunner-1.9/libxul.so
#66 0x08049033 in ?? ()
#67 0xb7cb6450 in __libc_start_main () from /lib/tls/i686/cmov/libc.so.6
#68 0x08048cc1 in ?? ()
Comment 1 (Reporter, 17 years ago):
Please take care; it's an extract from a malicious sample.
Updated 17 years ago:
Component: General → GFX: Thebes
Product: Firefox → Core
QA Contact: general → thebes
Comment 2 (17 years ago):
I can confirm that this crashes Firefox 3, though my stack looks a bit different from David's. I'll attach mine momentarily.
Severity: normal → critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:critical?]
Comment 3 (17 years ago):
Updated 17 years ago (Assignee):
Assignee: nobody → mats.palmgren
Comment 4 (Assignee, 17 years ago):
It's a null-pointer access for me (on x86_64 Linux):
*INT__moz_cairo_surface_set_device_offset (surface=0x0, x_offset=0, y_offset=0) at gfx/cairo/cairo/src/cairo-surface.c:821
821 assert (! surface->is_snapshot);
(gdb) p surface
$1 = (cairo_surface_t *) 0x0
Whiteboard: [sg:critical?] → [sg:critical?] null-pointer access only?
Comment 5 (Assignee, 17 years ago):
I wasn't able to make a crashtest that doesn't require user action; script execution stops while the alert is posted. Let me know if you have ideas to make it work. Firefox 3.0 on Windows XP and Mac OS X 10.5.3 does not crash for me, so I think this is GTK-only.
Attachment #327184 - Flags: superreview?(roc)
Attachment #327184 - Flags: review?(roc)
Updated 17 years ago (Assignee):
Flags: wanted1.9.1?
Flags: wanted1.9.0.x?
Comment 6 (Reporter, 17 years ago):
I was not able to reproduce it on Windows XP SP3 either, nor on the latest Firefox 2.x version.
Why does the crash happen? We successfully created the pixmap so why can't cairo create a surface object wrapped around it?
Comment 8 (Assignee, 17 years ago):
CheckSurfaceSize() does its job:
http://hg.mozilla.org/mozilla-central/index.cgi/file/378495e669f9/gfx/thebes/src/gfxXlibSurface.cpp#l67
Limit is 65535, size.width is 76261.
BTW, with the patch in bug 409006 we wouldn't have allowed this
crazy window size in the first place ;-)
Attachment #327184 - Flags: superreview?(roc) → superreview+
Attachment #327184 - Flags: review?(roc) → review+
Comment 9 (Assignee, 17 years ago):
Status: NEW → RESOLVED
Closed: 17 years ago
Flags: wanted1.9.1? → in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.1a1
Updated 17 years ago (Assignee):
Attachment #327184 - Flags: approval1.9.0.1?
Updated 17 years ago:
Attachment #327184 - Flags: approval1.9.0.1? → approval1.9.0.2?
Comment 10 (Reporter, 17 years ago):
Hi,
Do you intend to put out a security advisory (MFSA) for this case?
Thx, david
Comment 11 (16 years ago):
Can we get some tests for this patch before approving for 1.9.0.2?
Comment 12 (16 years ago):
(In reply to comment #11)
> Can we get some tests for this patch before approving for 1.9.0.2?
(And yes, I saw that making a testcase without user intervention isn't possible right now, but I want to confirm that there's no way to get a test before we take it in 1.9.0...)
Updated 16 years ago:
Flags: wanted1.9.0.x? → wanted1.9.0.x+
Comment 13 (Assignee, 16 years ago):
I don't know how to automate tests involving alert()s. I have a few other crash (or XError) bugs that also need tests (e.g. bug 409006).
Comment 14 (16 years ago):
Comment on attachment 327184 [details] [diff] [review]
Patch rev. 1
Alright, but it makes me sad. :( Is there a bug on file for making this testable?
Approved for 1.9.0.2. Please land in CVS. a=ss
Attachment #327184 - Flags: approval1.9.0.2? → approval1.9.0.2+
Comment 15 (Assignee, 16 years ago):
Filed bug 448617 for a test mechanism for tests involving alert windows.
Landed in CVS trunk:
mozilla/widget/src/gtk2/nsWindow.cpp 1.274
Depends on: 448617
Keywords: fixed1.9.0.2, testcase
Updated 16 years ago:
Flags: wanted1.8.0.x-
Updated 16 years ago:
Group: core-security
Comment 16 (16 years ago):
For future reference, this is CVE-2008-4064.