Bug 67484

Summary: Corrupted CustomShape crashes Xorg
Product: pixman
Component: pixman
Reporter: Björn Michaelsen <bjoern.michaelsen>
Assignee: Søren Sandmann Pedersen <soren.sandmann>
QA Contact: Søren Sandmann Pedersen <soren.sandmann>
CC: siarhei.siamashka
Status: RESOLVED FIXED
Severity: minor
Priority: medium
Version: git master
Hardware: Other
OS: All
See Also: https://launchpad.net/bugs/1197921
Attachments:
    test document
    proposed patch
    proposed patch
    proposed patch with test case
    test case
    proposed patch

Description Björn Michaelsen 2013-07-29 15:09:30 UTC
Created attachment 83211
test document

Opening the attached file with LibreOffice with enabled anti-aliasing will crash the Intel Xorg driver (see launchpad bug for details). While a crashing driver is not our bug, it might still be worth a look to see if we are asking anything illegal from X or if we can work around the driver bug easily.
Comment 1 Björn Michaelsen 2013-07-29 15:12:01 UTC
Observable with LO 3.5 through 4.1 -> confirming.

Feel free to close as NOTOURBUG, if we do not want to make such workarounds.
Comment 2 Ritesh Khadgaray 2013-09-30 23:32:12 UTC
Created attachment 86883
proposed patch

Program received signal SIGSEGV, Segmentation fault.
0x00000033834488f6 in rasterize_edges_8 (image=<optimized out>,
    image=<optimized out>, image=<optimized out>, b=<optimized out>,
    t=<optimized out>, r=<optimized out>, l=<optimized out>)
    at pixman-edge.c:210
210 WRITE (image, ap + lxi,
(gdb) bt
#0 0x00007f895bdd38f6 in rasterize_edges_8 (image=<optimized out>, image=<optimized out>, image=<optimized out>, b=<optimized out>,
    t=<optimized out>, r=<optimized out>, l=<optimized out>) at pixman-edge.c:210
#1 pixman_rasterize_edges_no_accessors (b=<optimized out>, t=<optimized out>, r=<optimized out>, l=<optimized out>, image=<optimized out>)
    at pixman-edge.c:359
#2 pixman_rasterize_edges (image=0xffffffff, image@entry=0x1cc9bc0, l=0x7fff8dcfd410, r=0x7fff8dcfd440, t=1055852681, b=2147481463)
    at pixman-edge.c:382
#3 0x00007f895bdf109e in pixman_rasterize_trapezoid (image=image@entry=0x1cc9bc0, trap=trap@entry=0x1bf02a8, x_off=129, y_off=0)
    at pixman-trap.c:386
#4 0x00007f895aff6623 in uxa_trapezoids (op=<optimized out>, src=0x1cd7b10, dst=0x1cd5950, maskFormat=0x16a6eb8, xSrc=<optimized out>,
    ySrc=<optimized out>, ntrap=<optimized out>, traps=0x1bf02a8) at uxa-render.c:1816
#5 0x00000000005251bf in ProcRenderTrapezoids (client=0x1be9030) at render.c:759
#6 0x000000000043a137 in Dispatch () at dispatch.c:432
#7 0x00000000004286ca in main (argc=12, argv=0x7fff8dcfd788, envp=<optimized out>) at main.c:298
(gdb) fram 3
#3 0x00007f895bdf109e in pixman_rasterize_trapezoid (image=image@entry=0x1cc9bc0, trap=trap@entry=0x1bf02a8, x_off=129, y_off=0)
    at pixman-trap.c:386
386 pixman_rasterize_edges (image, &l, &r, t, b);
(gdb) list 359
354 pixman_fixed_t y_off_fixed;
355 pixman_edge_t l, r;
356 pixman_fixed_t t, b;
357
358 return_if_fail (image->type == BITS);
359
360 _pixman_image_validate (image);
361
362 if (!pixman_trapezoid_valid (trap))
363 return;
...
380 if (b >= t)
381 {
382 /* initialize edge walkers */
383 pixman_line_fixed_edge_init (&l, bpp, t, &trap->left, x_off, y_off);
384 pixman_line_fixed_edge_init (&r, bpp, t, &trap->right, x_off, y_off);
385
386 pixman_rasterize_edges (image, &l, &r, t, b);
387 }
388 }

(gdb) p *trap
$8 = {top = 32768, bottom = -2147483648, left = {p1 = {x = -8454144, y = 32768}, p2 = {x = -8454144, y = -2147483648}}, right = {p1 = {
      x = -8388608, y = 32768}, p2 = {x = -8388608, y = -2147483648}}}

from pixman.h

1029 /* whether 't' is a well defined not obviously empty trapezoid */
1030 #define pixman_trapezoid_valid(t) \
1031 ((t)->left.p1.y != (t)->left.p2.y && \
1032 (t)->right.p1.y != (t)->right.p2.y && \
1033 (int) ((t)->bottom - (t)->top) > 0) <--- haw haw
1034

An underflow. The proposed patch checks if bottom > 0 (assuming top/bottom are non-negative integers).
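
Added example (not part of the bug report and not the pixman patch): the check quoted from pixman.h in comment 2, evaluated on the trapezoid from the gdb `p *trap` output, next to a variant that compares `bottom` and `top` directly. The type and function names are assumptions for illustration, and the subtraction is done in unsigned arithmetic so that the wraparound is well defined.

```c
#include <stdint.h>
#include <stdio.h>

/* Local stand-ins for pixman's 16.16 fixed-point types (names are assumptions). */
typedef int32_t fixed_t;
typedef struct { fixed_t x, y; } point_t;
typedef struct { point_t p1, p2; } line_t;
typedef struct { fixed_t top, bottom; line_t left, right; } trap_t;

/* bottom - top as the quoted macro computes it, done in uint32_t so the wrap is defined. */
static int32_t wrapped_height(const trap_t *t)
{
    return (int32_t)((uint32_t)t->bottom - (uint32_t)t->top);
}

/* Same logic as the pixman_trapezoid_valid macro quoted from pixman.h. */
static int valid_by_difference(const trap_t *t)
{
    return t->left.p1.y != t->left.p2.y &&
           t->right.p1.y != t->right.p2.y &&
           wrapped_height(t) > 0;
}

/* Overflow-free variant: compare the coordinates instead of subtracting. */
static int valid_by_compare(const trap_t *t)
{
    return t->left.p1.y != t->left.p2.y &&
           t->right.p1.y != t->right.p2.y &&
           t->bottom > t->top;
}

/* Values copied from the "p *trap" output (-2147483648 == INT32_MIN). */
static const trap_t crash_trap = { 32768, INT32_MIN,
    { { -8454144, 32768 }, { -8454144, INT32_MIN } },
    { { -8388608, 32768 }, { -8388608, INT32_MIN } } };

/* Constructed sample: top = 1.0, bottom = 2.0 in 16.16 fixed point. */
static const trap_t sane_trap = { 65536, 131072,
    { { 0, 65536 }, { 0, 131072 } },
    { { 65536, 65536 }, { 65536, 131072 } } };

int main(void)
{
    const trap_t *t[] = { &crash_trap, &sane_trap };
    for (int i = 0; i < 2; i++)
        printf("height=%d difference=%d compare=%d\n", (int)wrapped_height(t[i]),
               valid_by_difference(t[i]), valid_by_compare(t[i]));
    return 0;
}
```

The difference-based check accepts the trapezoid from the crash even though its bottom lies above its top; the direct comparison rejects it and still accepts the well-formed sample.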
Comment 3 Ritesh Khadgaray 2013-10-08 14:25:03 UTC
Created attachment 87290
proposed patch
Comment 4 Ritesh Khadgaray 2013-10-08 14:29:13 UTC
Additionally, it has been pushed for xserver:
http://lists.x.org/archives/xorg-devel/2013-October/037996.html
Comment 5 Søren Sandmann Pedersen 2013-10-11 16:06:06 UTC
Thanks for the patch. Do you mind sending it to pixman@lists.freedesktop.org for review?
Comment 6 Søren Sandmann Pedersen 2013-10-11 16:09:57 UTC
Also, if you have a test that demonstrates the issue, it would be valuable to add to the test suite in the pixman/test directory.
Comment 7 Ritesh Khadgaray 2013-10-15 09:31:08 UTC
Created attachment 87659
proposed patch with test case

posted for review at http://lists.freedesktop.org/archives/pixman/2013-October/003087.html
Comment 8 Søren Sandmann Pedersen 2013-10-15 21:30:17 UTC
Thanks for the test case, that's much appreciated. Just a few comments:

- We might as well extend the existing trap-crasher test instead of adding a new one that is a near duplicate.

- The test should ideally be added in its own commit before the fix so that it's easy to verify that the fix actually fixes the test case.

- We need all patches to go through the mailing list, including this updated one. I have added you to the mailman whitelist, so it won't get stuck in moderation if you send it.
Comment 9 Ritesh Khadgaray 2013-10-21 13:10:53 UTC
Created attachment 87924
test case
Comment 10 Ritesh Khadgaray 2013-10-21 13:11:16 UTC
Created attachment 87925
proposed patch
Comment 11 Maarten Lankhorst 2013-11-18 12:36:07 UTC
Fixed in commit 2f876cf86718d3dd9b3b04ae9552530edafe58a1 in pixman.
