Bug 67484 - Corrupted CustomShape crashes Xorg
Status: RESOLVED FIXED
Product: pixman
Classification: Unclassified
Component: pixman
Version: git master
Hardware: Other All
Importance: medium minor
Assigned To: Søren Sandmann Pedersen
Reported: 2013-07-29 15:09 UTC by Björn Michaelsen
Modified: 2013-11-18 12:36 UTC

Attachments
test document (9.09 KB, application/vnd.oasis.opendocument.spreadsheet), 2013-07-29 15:09 UTC, Björn Michaelsen
proposed patch (441 bytes, patch), 2013-09-30 23:32 UTC, Ritesh Khadgaray
proposed patch (661 bytes, patch), 2013-10-08 14:25 UTC, Ritesh Khadgaray
proposed patch with test case (1.86 KB, patch), 2013-10-15 09:31 UTC, Ritesh Khadgaray
test case (606 bytes, patch), 2013-10-21 13:10 UTC, Ritesh Khadgaray
proposed patch (709 bytes, patch), 2013-10-21 13:11 UTC, Ritesh Khadgaray

Description Björn Michaelsen 2013-07-29 15:09:30 UTC
Created attachment 83211 [details]
test document

Opening the attached file with LibreOffice with enabled anti-aliasing will crash the Intel Xorg driver (see launchpad bug for details). While a crashing driver is not our bug, it might still be worth a look to see if we are asking anything illegal from X or if we can workaround the driver bug easily.
Comment 1 Björn Michaelsen 2013-07-29 15:12:01 UTC
Observable with LO 3.5 through 4.1 -> confirming.

Feel free to close as NOTOURBUG, if we do not want to make such workarounds.
Comment 2 Ritesh Khadgaray 2013-09-30 23:32:12 UTC
Created attachment 86883 [details] [review]
proposed patch
Program received signal SIGSEGV, Segmentation fault.
0x00000033834488f6 in rasterize_edges_8 (image=<optimized out>,
    image=<optimized out>, image=<optimized out>, b=<optimized out>,
    t=<optimized out>, r=<optimized out>, l=<optimized out>)
    at pixman-edge.c:210
210 WRITE (image, ap + lxi,
(gdb) bt
#0 0x00007f895bdd38f6 in rasterize_edges_8 (image=<optimized out>, image=<optimized out>, image=<optimized out>, b=<optimized out>,
    t=<optimized out>, r=<optimized out>, l=<optimized out>) at pixman-edge.c:210
#1 pixman_rasterize_edges_no_accessors (b=<optimized out>, t=<optimized out>, r=<optimized out>, l=<optimized out>, image=<optimized out>)
    at pixman-edge.c:359
#2 pixman_rasterize_edges (image=0xffffffff, image@entry=0x1cc9bc0, l=0x7fff8dcfd410, r=0x7fff8dcfd440, t=1055852681, b=2147481463)
    at pixman-edge.c:382
#3 0x00007f895bdf109e in pixman_rasterize_trapezoid (image=image@entry=0x1cc9bc0, trap=trap@entry=0x1bf02a8, x_off=129, y_off=0)
    at pixman-trap.c:386
#4 0x00007f895aff6623 in uxa_trapezoids (op=<optimized out>, src=0x1cd7b10, dst=0x1cd5950, maskFormat=0x16a6eb8, xSrc=<optimized out>,
    ySrc=<optimized out>, ntrap=<optimized out>, traps=0x1bf02a8) at uxa-render.c:1816
#5 0x00000000005251bf in ProcRenderTrapezoids (client=0x1be9030) at render.c:759
#6 0x000000000043a137 in Dispatch () at dispatch.c:432
#7 0x00000000004286ca in main (argc=12, argv=0x7fff8dcfd788, envp=<optimized out>) at main.c:298
(gdb) fram 3
#3 0x00007f895bdf109e in pixman_rasterize_trapezoid (image=image@entry=0x1cc9bc0, trap=trap@entry=0x1bf02a8, x_off=129, y_off=0)
    at pixman-trap.c:386
386 pixman_rasterize_edges (image, &l, &r, t, b);
(gdb) list 359
354 pixman_fixed_t y_off_fixed;
355 pixman_edge_t l, r;
356 pixman_fixed_t t, b;
357
358 return_if_fail (image->type == BITS);
359
360 _pixman_image_validate (image);
361
362 if (!pixman_trapezoid_valid (trap))
363 return;
...
380 if (b >= t)
381 {
382 /* initialize edge walkers */
383 pixman_line_fixed_edge_init (&l, bpp, t, &trap->left, x_off, y_off);
384 pixman_line_fixed_edge_init (&r, bpp, t, &trap->right, x_off, y_off);
385
386 pixman_rasterize_edges (image, &l, &r, t, b);
387 }
388 }

(gdb) p *trap
$8 = {top = 32768, bottom = -2147483648, left = {p1 = {x = -8454144, y = 32768}, p2 = {x = -8454144, y = -2147483648}}, right = {p1 = {
      x = -8388608, y = 32768}, p2 = {x = -8388608, y = -2147483648}}}

from pixman.h

1029 /* whether 't' is a well defined not obviously empty trapezoid */
1030 #define pixman_trapezoid_valid(t) \
1031 ((t)->left.p1.y != (t)->left.p2.y && \
1032 (t)->right.p1.y != (t)->right.p2.y && \
1033 (int) ((t)->bottom - (t)->top) > 0) <--- haw haw
1034

An underflow. The proposed patch checks if bottom > 0 (assuming top/bottom are non-negative integers).
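The following is an added example, not code from this bug report or from pixman itself. It reproduces the height check from the pixman.h macro quoted in comment 2 on the exact trapezoid printed by `p *trap`, and sets it beside an overflow-free formulation. The struct layout mirrors pixman's fixed-point types (pixman_fixed_t is a 32-bit signed integer) but the type and function names are assumptions; the original macro subtracts in signed 32-bit arithmetic, which is undefined behaviour on this input, so the example performs the subtraction in unsigned arithmetic to obtain the same wrapped value deterministically. The "fixed" variant compares the endpoints directly instead of computing their difference; that this matches the intent of the proposed patch is an assumption, since the diff is not quoted in the thread.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout mirroring pixman's trapezoid (pixman_fixed_t is int32_t). */
typedef int32_t fixed_t;
typedef struct { fixed_t x, y; } point_t;
typedef struct { point_t p1, p2; } line_t;
typedef struct { fixed_t top, bottom; line_t left, right; } trapezoid_t;

#define INT_TO_FIXED(i) ((fixed_t)((i) << 16))

/* Height check as written in the quoted pixman.h macro:
 *   (int)((t)->bottom - (t)->top) > 0
 * With bottom = INT32_MIN the signed subtraction overflows. The unsigned
 * subtraction below is well defined and yields the same bit pattern the
 * crashing build saw, so the wrong "valid" verdict is reproducible. */
static int trapezoid_valid_original(const trapezoid_t *t)
{
    int32_t height = (int32_t)((uint32_t)t->bottom - (uint32_t)t->top);
    return t->left.p1.y != t->left.p2.y &&
           t->right.p1.y != t->right.p2.y &&
           height > 0;
}

/* Overflow-free formulation (assumed to match the intent of the patch):
 * compare the two coordinates directly; no intermediate difference exists
 * that could wrap around. */
static int trapezoid_valid_fixed(const trapezoid_t *t)
{
    return t->left.p1.y != t->left.p2.y &&
           t->right.p1.y != t->right.p2.y &&
           t->bottom > t->top;
}

/* The trapezoid from the gdb dump in comment 2 (values copied from `p *trap`). */
static trapezoid_t crashing_trap(void)
{
    trapezoid_t t = {
        .top = 32768, .bottom = INT32_MIN,
        .left  = { { -8454144, 32768 }, { -8454144, INT32_MIN } },
        .right = { { -8388608, 32768 }, { -8388608, INT32_MIN } },
    };
    return t;
}

/* A constructed, well-formed trapezoid: both checks must accept it. */
static trapezoid_t normal_trap(void)
{
    trapezoid_t t = {
        .top = INT_TO_FIXED(0), .bottom = INT_TO_FIXED(16),
        .left  = { { INT_TO_FIXED(0), INT_TO_FIXED(0) }, { INT_TO_FIXED(0), INT_TO_FIXED(16) } },
        .right = { { INT_TO_FIXED(8), INT_TO_FIXED(0) }, { INT_TO_FIXED(8), INT_TO_FIXED(16) } },
    };
    return t;
}

int main(void)
{
    trapezoid_t bad = crashing_trap();
    trapezoid_t good = normal_trap();
    printf("crashing trap: original=%d fixed=%d\n",
           trapezoid_valid_original(&bad), trapezoid_valid_fixed(&bad));
    printf("normal trap:   original=%d fixed=%d\n",
           trapezoid_valid_original(&good), trapezoid_valid_fixed(&good));
    return 0;
}
```

On the dumped trapezoid the original check computes INT32_MIN - 32768, which wraps to 2147450880, a large positive height, so the macro reports a valid shape and the edge rasterizer is entered with bottom far below top; the direct comparison rejects it. Callers that receive trapezoid coordinates from an untrusted client, as the X server does in ProcRenderTrapezoids, need the validity check to be free of such wraparound before the values reach code that writes into a pixel buffer.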
Comment 3 Ritesh Khadgaray 2013-10-08 14:25:03 UTC
Created attachment 87290 [details] [review]
proposed patch
Comment 4 Ritesh Khadgaray 2013-10-08 14:29:13 UTC
Additionally, it has been pushed for xserver:
http://lists.x.org/archives/xorg-devel/2013-October/037996.html
Comment 5 Søren Sandmann Pedersen 2013-10-11 16:06:06 UTC
Thanks for the patch. Do you mind sending it to pixman@lists.freedesktop.org for review?
Comment 6 Søren Sandmann Pedersen 2013-10-11 16:09:57 UTC
Also, if you have a test that demonstrates the issue, it would be valuable to add to the test suite in the pixman/test directory.
Comment 7 Ritesh Khadgaray 2013-10-15 09:31:08 UTC
Created attachment 87659 [details] [review]
proposed patch with test case

posted for review at http://lists.freedesktop.org/archives/pixman/2013-October/003087.html
Comment 8 Søren Sandmann Pedersen 2013-10-15 21:30:17 UTC
Thanks for the test case, that's much appreciated. Just a few comments:

- We might as well extend the existing trap-crasher test instead of adding a new one that is a near duplicate.

- The test should ideally be added in its own commit before the fix so that it's easy to verify that the fix actually fixes the test case 

- We need all patches to go through the mailing list, including this updated one. I have added you to the mailman whitelist, so it won't get stuck in moderation if you send it.
Comment 9 Ritesh Khadgaray 2013-10-21 13:10:53 UTC
Created attachment 87924 [details] [review]
test case
Comment 10 Ritesh Khadgaray 2013-10-21 13:11:16 UTC
Created attachment 87925 [details] [review]
proposed patch
Comment 11 Maarten Lankhorst 2013-11-18 12:36:07 UTC
Fixed in commit 2f876cf86718d3dd9b3b04ae9552530edafe58a1 in pixman.