Closed Bug 664930 Opened 13 years ago Closed 13 years ago

Crash [@ _cairo_bentley_ottmann_tessellate_rectangular]

Categories

(Core :: Graphics, defect)

x86_64
macOS
defect
Not set
critical

Tracking

VERIFIED FIXED
Tracking Status
firefox5 - wontfix
firefox6 - wontfix
firefox7 + fixed
firefox8 + fixed
firefox9 + fixed
status1.9.2 --- unaffected

People

(Reporter: jruderman, Assigned: jrmuizel)

Details

(4 keywords, Whiteboard: [sg:critical][qa!])

Attachments

(4 files, 2 obsolete files)

Possibly a regression from the recent cairo update? http://hg.mozilla.org/mozilla-central/pushloghtml?changeset=102be3d1f103
Attached file stack trace
Security-sensitive because it often crashes trying to access 0x1e7c2f8 rather than something near 0x0.
Jeff, this sounds like something that came in with your most recent cairo import.
Assignee: nobody → jmuizelaar
pos->prev->next = edge; pos->prev is bogus. Not sure why yet. It looks like this is caused by an overflow of some value.
Does this affect Aurora? If it's a regression from the changeset in comment 0 then it should be in Aurora, but we need to test.
Jeff, any updates here? It's getting late for 6, but if we can get a safe fix for 6 soon we'd still consider it.
No updates so I don't think we can take this for 6 any more.
This shouldn't affect 6.
Jeff, any progress here? This has seemingly been sitting untouched for a while...
This patch fixes the issue. The issue also appears to be just a NULL dereference and so wouldn't be exploitable.
Removing sg:critical severity then to trigger a re-triage, with the likely outcome being that we'll open this bug up.
Whiteboard: [sg:critical?]
See comment 2 for why I initially marked the bug as sg:critical ...
(In reply to comment #13)
> See comment 2 for why I initially marked the bug as sg:critical ...

Hmm... that's interesting. I didn't see how that could happen with the thing that I fixed. It might be worth waiting a bit before opening this up.
I took a closer look at this. The NULL dereference is not actually a NULL; it's uninitialized stack memory, so this is more severe than I originally thought. It's not clear if the uninitialized value is controllable by content but we might as well assume that it is.
Whiteboard: [sg:critical]
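Added here as an example (not cairo's or Mozilla's code): a simplified C model of the sentinel-terminated sweep line the comments above describe, with the head.prev initialization and the insert-to-the-right-of-the-sentinel path that the attached patch introduces. The struct layout, function names and the INT_MIN/INT_MAX sentinel coordinates are assumptions, not taken from this bug.

```c
/* Added example, not cairo's code: a simplified model of the sweep-line insert behind this
 * bug. An edge at the left sentinel's x walked back onto head, whose never-set prev was garbage. */
#include <limits.h>
#include <stddef.h>
typedef struct edge { int x; struct edge *prev, *next; } edge_t;
typedef struct { edge_t head, tail; } sweep_line_t;   /* sentinels bound the list */

static void sweep_line_init(sweep_line_t *sl)
{
    sl->head.x = INT_MIN;  sl->tail.x = INT_MAX;       /* assumed sentinel coordinates */
    sl->head.next = &sl->tail;  sl->tail.prev = &sl->head;
    sl->head.prev = NULL;  sl->tail.next = NULL;       /* the fix: every sentinel link defined */
}

/* Insert `edge` keeping x non-decreasing; 0 on success, -1 on a broken list. */
static int sweep_line_insert(sweep_line_t *sl, edge_t *edge)
{
    edge_t *pos = &sl->tail;   /* walk back to the first node with x >= edge->x */
    while (pos->prev != NULL && pos->prev->x >= edge->x) pos = pos->prev;
    if (pos->prev == NULL) {                 /* edge shares x with the left sentinel */
        if (pos->next == NULL) return -1;    /* a NULL check, not a wild pointer */
        pos = pos->next;                     /* insert after the sentinel, never before it */
    }
    pos->prev->next = edge;                  /* the line that crashed before the fix */
    edge->prev = pos->prev;
    edge->next = pos;
    pos->prev = edge;
    return 0;
}

/* Edges between the sentinels, or -1 if links or ordering are inconsistent. */
static int sweep_line_check(const sweep_line_t *sl)
{
    int n = 0; const edge_t *p;
    if (sl->head.prev != NULL) return -1;    /* sentinel must be intact */
    for (p = sl->head.next; p != &sl->tail; p = p->next, n++)
        if (p == NULL || p->prev->next != p || p->prev->x > p->x) return -1;
    return n;
}

/* Constructed input with two edges at INT_MIN, the sentinel's own x. */
static int demo_leftmost_edges(void)
{
    static const int xs[] = { 10, INT_MIN, 5, INT_MIN };
    sweep_line_t sl; edge_t e[4]; int i;
    sweep_line_init(&sl);
    for (i = 0; i < 4; i++) { e[i].x = xs[i]; if (sweep_line_insert(&sl, &e[i])) return -1; }
    return sweep_line_check(&sl);            /* 4 */
}
```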
Attachment #551582 - Flags: review? → review?(bjacob)
Comment on attachment 551582 [details] [diff] [review] Handle the case where an edge lies at the left most coordinate and initialize the rest of the data r=me with the following change: >+ /* we need to initialize prev so that we can check >+ * if this edge is the left most and make sure >+ * we always insert to the right of it, even if >+ * our x coordinate matches */ >+ sweep_line->head.prev = NULL; Please initialize head.next = NULL too... >- >- pos->prev->next = edge; >- edge->prev = pos->prev; >- edge->next = pos; >- pos->prev = edge; >+ if (pos->prev) { >+ pos->prev->next = edge; >+ edge->prev = pos->prev; >+ edge->next = pos; >+ pos->prev = edge; >+ } else { >+ /* we have edge that shares an x coordinate with the left most sentinal. >+ * instead of inserting before pos and ruining our sentinal we insert after pos. */ >+ pos->next->prev = edge; So that if there ever is a weird case (zero-length list?) where there wouldn't be a pos->next here, at least we'd get a good null deref instead of an uninitialized pointer deref.
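Review bot: the quoted else branch stops at `pos->next->prev = edge;`, so the remaining links of the insert-after-sentinel path (edge->prev = pos; edge->next = pos->next; pos->next = edge) are not visible in this excerpt and should be confirmed in the full patch; since the new code now relies on head.prev == NULL to recognise the sentinel, head.next needs the same initialization as the reviewer asks, so that an empty list fails on a NULL check rather than a stale pointer; and the new comment spells "sentinal" where "sentinel" is meant.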
Attachment #551582 - Flags: review?(bjacob) → review+
Depends on: 678505
Attachment #552727 - Flags: approval-mozilla-aurora?
Landed on inbound.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment on attachment 552727 [details] [diff] [review]
Handle the case where an edge lies at the left most coordinate and initialize the rest of the data v2

Aurora [7] window has closed. Moving approval request to Beta.
Attachment #552727 - Flags: approval-mozilla-aurora? → approval-mozilla-beta?
Comment on attachment 552727 [details] [diff] [review]
Handle the case where an edge lies at the left most coordinate and initialize the rest of the data v2

Approved for mozilla-beta
Attachment #552727 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
qa+ for verification with Firefox 7.
Whiteboard: [sg:critical] → [sg:critical][qa+]
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0) Gecko/20100101 Firefox/7.0 ID:20110922153450
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0a2) Gecko/20110926 Firefox/8.0a2 ID:20110926042011
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0a1) Gecko/20110926 Firefox/9.0a1 ID:20110926030901

Using the attached testcase I am unable to reproduce this crash. Marking verified.
Status: RESOLVED → VERIFIED
Whiteboard: [sg:critical][qa+] → [sg:critical][qa!]
Group: core-security