Closed Bug 664930 Opened 13 years ago Closed 13 years ago

Crash [@ _cairo_bentley_ottmann_tessellate_rectangular]

Categories: Core :: Graphics, defect
Platform: x86_64, macOS
Type: defect, Priority: Not set, Severity: critical

Tracking: VERIFIED FIXED
Tracking Status:
firefox5 - wontfix
firefox6 - wontfix
firefox7 + fixed
firefox8 + fixed
firefox9 + fixed
status1.9.2 --- unaffected

People: Reporter: jruderman, Assigned: jrmuizel

Details: 4 keywords, Whiteboard: [sg:critical][qa!]

Attachments: 4 files, 2 obsolete files

Possibly a regression from the recent cairo update?
http://hg.mozilla.org/mozilla-central/pushloghtml?changeset=102be3d1f103
Attached file stack trace
Security-sensitive because it often crashes trying to access 0x1e7c2f8 rather than something near 0x0.
Jeff, this sounds like something that came in with your most recent cairo import.
Assignee: nobody → jmuizelaar
    pos->prev->next = edge;

pos->prev is bogus. Not sure why yet. It looks like this is caused by an overflow of some value.
Does this affect Aurora? If it's a regression from the changeset in comment 0 then it should be in Aurora, but we need to test.
Jeff, any updates here? It's getting late for 6, but if we can get a safe fix for 6 soon we'd still consider it.
No updates so I don't think we can take this for 6 any more.
This shouldn't affect 6.
Jeff, any progress here? This has seemingly been sitting untouched for a while...
This patch fixes the issue. The issue also appears to be just a NULL dereference and so wouldn't be exploitable.
Removing sg:critical severity then to trigger a re-triage, with the likely outcome being that we'll open this bug up.
Whiteboard: [sg:critical?]
See comment 2 for why I initially marked the bug as sg:critical ...
(In reply to comment #13)
> See comment 2 for why I initially marked the bug as sg:critical ...

Hmm... that's interesting. I didn't see how that could happen with the thing that I fixed. It might be worth waiting a bit before opening this up.
I took a closer look at this. The NULL dereference is not actually a NULL; it's uninitialized stack memory, so this is more severe than I originally thought. It's not clear if the uninitialized value is controllable by content, but we might as well assume that it is.
Whiteboard: [sg:critical]
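To make the failure mode described in the comment above concrete, here is an added example, written for this page and not cairo's own code, of a sweep-line edge list with left and right sentinels. The structure (`edge_t`, `sweep_line_t`, the `sweep_line_init`, `sweep_line_insert` and `sweep_line_check` functions, the INT32_MIN/INT32_MAX sentinel keys) is a hypothetical model. It shows the two things that matter for this bug: every pointer field of the sentinels is initialized, so a bad link becomes a NULL that can be checked rather than whatever the stack held, and an edge whose x coincides with the left sentinel is linked in after the sentinel instead of before it.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, stripped-down model of a sweep-line edge list with a
 * left and a right sentinel. Illustrative code for this page, not
 * cairo's implementation. */
typedef struct edge {
    int32_t x;            /* sort key: x coordinate of the edge */
    struct edge *prev;
    struct edge *next;
} edge_t;

typedef struct sweep_line {
    edge_t head;          /* left sentinel, x = INT32_MIN */
    edge_t tail;          /* right sentinel, x = INT32_MAX */
} sweep_line_t;

/* Zero the whole structure first so no pointer field is left holding
 * whatever the stack contained; an uninitialized head.prev is exactly
 * the kind of field that later turns into a wild pointer dereference. */
static void sweep_line_init(sweep_line_t *sl)
{
    memset(sl, 0, sizeof *sl);
    sl->head.x = INT32_MIN;
    sl->tail.x = INT32_MAX;
    sl->head.next = &sl->tail;
    sl->tail.prev = &sl->head;
    /* head.prev and tail.next stay NULL: nothing lies beyond the sentinels */
}

/* Insert an edge in x order. Normally the edge is linked in before the
 * first element whose x is >= edge->x. If the edge shares its x with the
 * left sentinel, pos is the sentinel itself and has no prev, so the edge
 * is linked in after it instead. Returns 0 on success, -1 if the list is
 * malformed (a NULL where a sentinel should be). */
static int sweep_line_insert(sweep_line_t *sl, edge_t *edge)
{
    edge_t *pos = &sl->head;

    /* the right sentinel's INT32_MAX guarantees this scan terminates */
    while (pos->x < edge->x)
        pos = pos->next;

    if (pos->prev != NULL) {
        /* ordinary case: splice in between pos->prev and pos */
        edge->prev = pos->prev;
        edge->next = pos;
        pos->prev->next = edge;
        pos->prev = edge;
    } else {
        /* pos is the left sentinel: keep it at the head and insert after it.
         * Read pos->next before overwriting it, and never dereference NULL. */
        if (pos->next == NULL)
            return -1;
        edge->prev = pos;
        edge->next = pos->next;
        pos->next->prev = edge;
        pos->next = edge;
    }
    return 0;
}

/* Walk the list left to right, verifying that every link is mutual and
 * the keys are non-decreasing. Copies up to max keys into xs. Returns the
 * number of real (non-sentinel) edges, or -1 if an invariant is broken. */
static int sweep_line_check(const sweep_line_t *sl, int32_t *xs, int max)
{
    const edge_t *e;
    int n = 0;

    if (sl->head.prev != NULL || sl->tail.next != NULL)
        return -1;
    for (e = sl->head.next; e != NULL && e != &sl->tail; e = e->next) {
        if (e->prev == NULL || e->prev->next != e || e->prev->x > e->x)
            return -1;
        if (xs != NULL && n < max)
            xs[n] = e->x;
        n++;
    }
    if (e == NULL || e->prev == NULL || e->prev->next != e)
        return -1;
    return n;
}

int main(void)
{
    sweep_line_t sl;
    /* constructed sample edges; c shares its x with the left sentinel */
    edge_t a = { .x = 5 }, b = { .x = 3 }, c = { .x = INT32_MIN }, d = { .x = 4 };
    int32_t xs[4];
    int n, i;

    sweep_line_init(&sl);
    sweep_line_insert(&sl, &a);
    sweep_line_insert(&sl, &b);
    sweep_line_insert(&sl, &c);
    sweep_line_insert(&sl, &d);
    n = sweep_line_check(&sl, xs, 4);
    printf("%d edges:", n);
    for (i = 0; i < n; i++)
        printf(" %" PRId32, xs[i]);
    printf("\n");
    return n == 4 ? 0 : 1;
}
```

The check function is the part a tester wants: after the insertion that hits the sentinel-sharing case, it confirms both sentinels still sit at the ends with NULL outer links and that every prev/next pair is mutual, which is the invariant the original crash violated.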
Attachment #551582 - Flags: review? → review?(bjacob)
Comment on attachment 551582 [details] [diff] [review]
Handle the case where an edge lies at the left most coordinate and initialize the rest of the data

r=me with the following change:

>+    /* we need to initialize prev so that we can check
>+     * if this edge is the left most and make sure
>+     * we always insert to the right of it, even if
>+     * our x coordinate matches */
>+    sweep_line->head.prev = NULL;
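Review bot: setting only `head.prev` leaves every other field of the sentinel holding whatever the stack contained, and an uninitialized sentinel pointer is exactly the crash this bug is about; zero the whole sentinel first (e.g. `memset (&sweep_line->head, 0, sizeof (sweep_line->head))`) or initialize each pointer field explicitly here, rather than adding one field per crash report.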

Please initialize head.next = NULL too...

>-
>-    pos->prev->next = edge;
>-    edge->prev = pos->prev;
>-    edge->next = pos;
>-    pos->prev = edge;
>+    if (pos->prev) {
>+        pos->prev->next = edge;
>+        edge->prev = pos->prev;
>+        edge->next = pos;
>+        pos->prev = edge;
>+    } else {
>+        /* we have edge that shares an x coordinate with the left most sentinal.
>+         * instead of inserting before pos and ruining our sentinal we insert after pos. */
>+        pos->next->prev = edge;
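Review bot: the else branch as quoted ends at `pos->next->prev = edge;` and dereferences `pos->next` without a check, the same shape of bug the patch is fixing; guard it (`if (pos->next)` or an assertion) and make sure the rest of the relinking reads `pos->next` before `pos->next = edge;` overwrites it, i.e. `edge->prev = pos; edge->next = pos->next; pos->next = edge;`. Also, in the new comment, `sentinal` should read `sentinel` and `we have edge` should read `we have an edge`.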

So that if there ever is a weird case (zero-length list?) where there wouldn't be a pos->next here, at least we'd get a good null deref instead of an uninitialized pointer deref.
Attachment #551582 - Flags: review?(bjacob) → review+
Depends on: 678505
Attachment #552727 - Flags: approval-mozilla-aurora?
Landed on inbound.
http://hg.mozilla.org/mozilla-central/rev/1fc015db1f6f
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment on attachment 552727 [details] [diff] [review]
Handle the case where an edge lies at the left most coordinate and initialize the rest of the data v2

Aurora [7] window has closed. Moving approval request to Beta.
Attachment #552727 - Flags: approval-mozilla-aurora? → approval-mozilla-beta?
Comment on attachment 552727 [details] [diff] [review]
Handle the case where an edge lies at the left most coordinate and initialize the rest of the data v2

Approved for mozilla-beta
Attachment #552727 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
qa+ for verification with Firefox 7.
Whiteboard: [sg:critical] → [sg:critical][qa+]
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0) Gecko/20100101 Firefox/7.0 ID:20110922153450
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0a2) Gecko/20110926 Firefox/8.0a2 ID:20110926042011
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0a1) Gecko/20110926 Firefox/9.0a1 ID:20110926030901

Using the attached testcase I am unable to reproduce this crash. Marking verified.
Status: RESOLVED → VERIFIED
Whiteboard: [sg:critical][qa+] → [sg:critical][qa!]
Group: core-security