Bug 67484 - Corrupted CustomShape crashes Xorg
Summary: Corrupted CustomShape crashes Xorg
Status: RESOLVED FIXED
Alias: None
Product: pixman
Classification: Unclassified
Component: pixman (show other bugs)
Version: git master
Hardware: Other All
: medium minor
Assignee: Søren Sandmann Pedersen
QA Contact: Søren Sandmann Pedersen
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-07-29 15:09 UTC by Björn Michaelsen
Modified: 2013-11-18 12:36 UTC (History)
1 user (show)

See Also:
i915 platform:
i915 features:


Attachments
test document (9.09 KB, application/vnd.oasis.opendocument.spreadsheet)
2013-07-29 15:09 UTC, Björn Michaelsen
Details
proposed patch (441 bytes, patch)
2013-09-30 23:32 UTC, Ritesh Khadgaray
Details | Splinter Review
proposed patch (661 bytes, patch)
2013-10-08 14:25 UTC, Ritesh Khadgaray
Details | Splinter Review
proposed patch with test case (1.86 KB, patch)
2013-10-15 09:31 UTC, Ritesh Khadgaray
Details | Splinter Review
test case (606 bytes, patch)
2013-10-21 13:10 UTC, Ritesh Khadgaray
Details | Splinter Review
proposed patch (709 bytes, patch)
2013-10-21 13:11 UTC, Ritesh Khadgaray
Details | Splinter Review

Note You need to log in before you can comment on or make changes to this bug.
Description Björn Michaelsen 2013-07-29 15:09:30 UTC
Created attachment 83211 [details]
test document

Opening the attached file with LibreOffice with enabled anti-aliasing will crash the Intel Xorg driver (see launchpad bug for details). While a crashing driver is not our bug, it might still be worth a look to see if we are asking anything illegal from X or if we can workaround the driver bug easily.
Comment 1 Björn Michaelsen 2013-07-29 15:12:01 UTC
Observable with LO 3.5 trough 4.1 -> confirming.

Feel free to close as NOTOURBUG, if we do not want to make such workarounds.
Comment 2 Ritesh Khadgaray 2013-09-30 23:32:12 UTC
Created attachment 86883 [details] [review]
proposed patch



Program received signal SIGSEGV, Segmentation fault.
0x00000033834488f6 in rasterize_edges_8 (image=<optimized out>,
    image=<optimized out>, image=<optimized out>, b=<optimized out>,
    t=<optimized out>, r=<optimized out>, l=<optimized out>)
    at pixman-edge.c:210
210 WRITE (image, ap + lxi,
(gdb) bt
#0 0x00007f895bdd38f6 in rasterize_edges_8 (image=<optimized out>, image=<optimized out>, image=<optimized out>, b=<optimized out>,
    t=<optimized out>, r=<optimized out>, l=<optimized out>) at pixman-edge.c:210
#1 pixman_rasterize_edges_no_accessors (b=<optimized out>, t=<optimized out>, r=<optimized out>, l=<optimized out>, image=<optimized out>)
    at pixman-edge.c:359
#2 pixman_rasterize_edges (image=0xffffffff, image@entry=0x1cc9bc0, l=0x7fff8dcfd410, r=0x7fff8dcfd440, t=1055852681, b=2147481463)
    at pixman-edge.c:382
#3 0x00007f895bdf109e in pixman_rasterize_trapezoid (image=image@entry=0x1cc9bc0, trap=trap@entry=0x1bf02a8, x_off=129, y_off=0)
    at pixman-trap.c:386
#4 0x00007f895aff6623 in uxa_trapezoids (op=<optimized out>, src=0x1cd7b10, dst=0x1cd5950, maskFormat=0x16a6eb8, xSrc=<optimized out>,
    ySrc=<optimized out>, ntrap=<optimized out>, traps=0x1bf02a8) at uxa-render.c:1816
#5 0x00000000005251bf in ProcRenderTrapezoids (client=0x1be9030) at render.c:759
#6 0x000000000043a137 in Dispatch () at dispatch.c:432
#7 0x00000000004286ca in main (argc=12, argv=0x7fff8dcfd788, envp=<optimized out>) at main.c:298
(gdb) fram 3
#3 0x00007f895bdf109e in pixman_rasterize_trapezoid (image=image@entry=0x1cc9bc0, trap=trap@entry=0x1bf02a8, x_off=129, y_off=0)
    at pixman-trap.c:386
386 pixman_rasterize_edges (image, &l, &r, t, b);
(gdb) list 359
354 pixman_fixed_t y_off_fixed;
355 pixman_edge_t l, r;
356 pixman_fixed_t t, b;
357
358 return_if_fail (image->type == BITS);
359
360 _pixman_image_validate (image);
361
362 if (!pixman_trapezoid_valid (trap))
363 return;
...
380 if (b >= t)
381 {
382 /* initialize edge walkers */
383 pixman_line_fixed_edge_init (&l, bpp, t, &trap->left, x_off, y_off);
384 pixman_line_fixed_edge_init (&r, bpp, t, &trap->right, x_off, y_off);
385
386 pixman_rasterize_edges (image, &l, &r, t, b);
387 }
388 }

(gdb) p *trap
$8 = {top = 32768, bottom = -2147483648, left = {p1 = {x = -8454144, y = 32768}, p2 = {x = -8454144, y = -2147483648}}, right = {p1 = {
      x = -8388608, y = 32768}, p2 = {x = -8388608, y = -2147483648}}}

from pixman.h

1029 /* whether 't' is a well defined not obviously empty trapezoid */
1030 #define pixman_trapezoid_valid(t) \
1031 ((t)->left.p1.y != (t)->left.p2.y && \
1032 (t)->right.p1.y != (t)->right.p2.y && \
1033 (int) ((t)->bottom - (t)->top) > 0) <--- haw haw
1034

An underflow . The proposed patch checks if bottom > 0 (assuming top/bottom are non-negative integer )
Comment 3 Ritesh Khadgaray 2013-10-08 14:25:03 UTC
Created attachment 87290 [details] [review]
proposed patch
Comment 4 Ritesh Khadgaray 2013-10-08 14:29:13 UTC
Additionally, been pushed for xserver 
http://lists.x.org/archives/xorg-devel/2013-October/037996.html
Comment 5 Søren Sandmann Pedersen 2013-10-11 16:06:06 UTC
Thanks for the patch. Do you mind sending it to pixman@lists.freedesktop.org for review?
Comment 6 Søren Sandmann Pedersen 2013-10-11 16:09:57 UTC
Also, if you have a test that demonstrates the issue, it would be valuable to add to the test suite in the pixman/test directory.
Comment 7 Ritesh Khadgaray 2013-10-15 09:31:08 UTC
Created attachment 87659 [details] [review]
proposed patch with test case

posted for review at http://lists.freedesktop.org/archives/pixman/2013-October/003087.html
Comment 8 Søren Sandmann Pedersen 2013-10-15 21:30:17 UTC
Thanks for the test case, that's much appreciated. Just a few comments:

- We might as well extend the existing trap-crasher test instead of adding a new one that is a near duplicate.

- The test should ideally be added in its own commit before the fix so that it's easy to verify that the fix actually fixes the test case 

- We need all patches to go through the mailing list, including this updated one. I have added you to the mailman whitelist, so it won't get stuck in moderation if you send it.
Comment 9 Ritesh Khadgaray 2013-10-21 13:10:53 UTC
Created attachment 87924 [details] [review]
test case
Comment 10 Ritesh Khadgaray 2013-10-21 13:11:16 UTC
Created attachment 87925 [details] [review]
proposed patch
Comment 11 Maarten Lankhorst 2013-11-18 12:36:07 UTC
Fixed in commit 2f876cf86718d3dd9b3b04ae9552530edafe58a1 in pixman.


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.