Crashes with SVG image in mozilla-firefox


Crashes with SVG image in mozilla-firefox

Mikolaj Kucharski-2
Hi,

When I open an HTML page with an embedded SVG image I get random crashes of
Firefox when I click with the right button and try to navigate the menu, or when
I open the main menu, e.g. to check the browser version in help->about. An
example page is here

        http://www.ba.infn.it/~zito/xml/embed.html


$ pkg_info | grep mozilla-firefox
mozilla-firefox-2.0.0.2p2 redesign of Mozilla's browser component

$ dmesg | head -n2
OpenBSD 4.1-current (GENERIC) #28: Tue Mar 13 19:42:45 MDT 2007
    [hidden email]:/usr/src/sys/arch/i386/compile/GENERIC

--
best regards
q#


Re: Crashes with SVG image in mozilla-firefox

Kurt Miller-4
On Thursday 15 March 2007 4:07:48 pm Mikolaj Kucharski wrote:
> Hi,
>
> When I open an HTML page with an embedded SVG image I get random crashes of
> Firefox when I click with the right button and try to navigate the menu, or when
> I open the main menu, e.g. to check the browser version in help->about. An
> example page is here
>
> http://www.ba.infn.it/~zito/xml/embed.html
>

Thanks for the report. I reproduced w/the debug version
and have this backtrace info. Most likely suspect is
cairo.

(gdb) bt
#0  0x06bf63c8 in memcpy () from /usr/lib/libc.so.40.3
#1  0x0051e9cd in NoSwap () from /usr/X11R6/lib/libX11.so.9.0
#2  0x0051f9e7 in SendZImage () from /usr/X11R6/lib/libX11.so.9.0
#3  0x0051ff10 in XPutImage () from /usr/X11R6/lib/libX11.so.9.0
#4  0x05f337c3 in _draw_image_surface (surface=0x84532400, image=0x840cae00, dst_x=0, dst_y=0)
    at /usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-xlib-surface.c:1215
#5  0x05f33a06 in _cairo_xlib_surface_clone_similar (abstract_surface=0x84532600, src=0x840cae00, clone_out=0xcfbd0940)
    at /usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-xlib-surface.c:1326
#6  0x05f12fc0 in _cairo_surface_clone_similar (surface=0x84532600, src=0x840cae00, clone_out=0xcfbd0940)
    at /usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-surface.c:1017
#7  0x05f1990e in _cairo_pattern_acquire_surface_for_surface (pattern=0xcfbd07cc, dst=0x84532600, x=0, y=0, width=87, height=15,
    out=0xcfbd0940, attr=0xcfbd094c) at /usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-pattern.c:1142
#8  0x05f19bc4 in _cairo_pattern_acquire_surface (pattern=0xcfbd07cc, dst=0x84532600, x=0, y=0, width=87, height=15,
    surface_out=0xcfbd0940, attributes=0xcfbd094c) at /usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-pattern.c:1255
#9  0x05f19dfa in _cairo_pattern_acquire_surfaces (src=0xcfbd0bac, mask=0xcfbd0a8c, dst=0x84532600, src_x=0, src_y=95, mask_x=0,
    mask_y=0, width=87, height=15, src_out=0xcfbd0944, mask_out=0xcfbd0940, src_attributes=0xcfbd099c, mask_attributes=0xcfbd094c)
    at /usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-pattern.c:1363
#10 0x05f34283 in _cairo_xlib_surface_composite (op=CAIRO_OPERATOR_ADD, src_pattern=0xcfbd0bac, mask_pattern=0xcfbd0a8c,
    abstract_dst=0x84532600, src_x=0, src_y=95, mask_x=0, mask_y=0, dst_x=0, dst_y=0, width=87, height=15)
    at /usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-xlib-surface.c:1734
#11 0x05f131af in _cairo_surface_composite (op=CAIRO_OPERATOR_ADD, src=0xcfbd0bac, mask=0xcfbd0a8c, dst=0x84532600, src_x=0,
    src_y=95, mask_x=0, mask_y=0, dst_x=0, dst_y=0, width=87, height=15)
    at /usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-surface.c:1103
#12 0x05f109d8 in _cairo_scaled_font_show_glyphs (scaled_font=0x881a6400, op=CAIRO_OPERATOR_ADD, pattern=0xcfbd0bac,
    surface=0x84532600, source_x=0, source_y=95, dest_x=0, dest_y=0, width=87, height=15, glyphs=0x810a5400, num_glyphs=41)
    at /usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-scaled-font.c:997
---Type <return> to continue, or q <return> to quit---
#13 0x05f15c75 in _cairo_surface_old_show_glyphs_draw_func (closure=0xcfbd0dfc, op=CAIRO_OPERATOR_ADD, src=0xcfbd0bac,
    dst=0x84532600, dst_x=0, dst_y=95, extents=0xcfbd0e1c)
    at /usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-surface-fallback.c:890
#14 0x05f14960 in _create_composite_mask_pattern (mask_pattern=0xcfbd0cbc, clip=0x84532884,
    draw_func=0x5f15a9f <_cairo_surface_old_show_glyphs_draw_func>, draw_closure=0xcfbd0dfc, dst=0x81b3ce00, extents=0xcfbd0e1c)
    at /usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-surface-fallback.c:127
#15 0x05f14a08 in _clip_and_composite_with_mask (clip=0x84532884, op=CAIRO_OPERATOR_OVER, src=0xcfbd0edc,
    draw_func=0x5f15a9f <_cairo_surface_old_show_glyphs_draw_func>, draw_closure=0xcfbd0dfc, dst=0x81b3ce00, extents=0xcfbd0e1c)
    at /usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-surface-fallback.c:165
#16 0x05f14e65 in _clip_and_composite (clip=0x84532884, op=CAIRO_OPERATOR_OVER, src=0xcfbd0edc,
    draw_func=0x5f15a9f <_cairo_surface_old_show_glyphs_draw_func>, draw_closure=0xcfbd0dfc, dst=0x81b3ce00, extents=0xcfbd0e1c)
    at /usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-surface-fallback.c:379
#17 0x05f15da0 in _cairo_surface_fallback_show_glyphs (surface=0x81b3ce00, op=CAIRO_OPERATOR_OVER, source=0xcfbd0edc,
    glyphs=0x810a5400, num_glyphs=41, scaled_font=0x881a6400)
    at /usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-surface-fallback.c:941
#18 0x05f14326 in _cairo_surface_show_glyphs (surface=0x81b3ce00, op=CAIRO_OPERATOR_OVER, source=0xcfbd0f9c, glyphs=0x810a5400,
    num_glyphs=41, scaled_font=0x881a6400) at /usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-surface.c:1837
#19 0x05f06caa in _cairo_gstate_show_glyphs (gstate=0x84532800, glyphs=0x7d0fb800, num_glyphs=41)
    at /usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-gstate.c:1449
#20 0x05f0120e in cairo_show_text (cr=0x848fec40, utf8=0xcfbd125c "Mouse over the circle to change its size.")
    at /usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo.c:2523
#21 0x080329a3 in ?? () from /usr/local/mozilla-firefox/components/libgklayout.so.19.0
....


Re: Crashes with SVG image in mozilla-firefox

Eric Faurot
On 3/16/07, Kurt Miller <[hidden email]> wrote:

> On Thursday 15 March 2007 4:07:48 pm Mikolaj Kucharski wrote:
> > Hi,
> >
> > When I open an HTML page with an embedded SVG image I get random crashes of
> > Firefox when I click with the right button and try to navigate the menu, or when
> > I open the main menu, e.g. to check the browser version in help->about. An
> > example page is here
> >
> >       http://www.ba.infn.it/~zito/xml/embed.html
> >
>
> Thanks for the report. I reproduced w/the debug version
> and have this backtrace info. Most likely suspect is
> cairo.

I cannot reproduce this. It works OK here with the following config:
$ pkg_info | grep mozilla-firefox
mozilla-firefox-2.0.0.1p1 redesign of Mozilla's browser component
$ dmesg | head -n2
OpenBSD 4.1-beta (GENERIC) #830: Tue Feb 13 09:34:36 MST 2007
    [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC

I'll update my system and try again this weekend.
Can you give more info about your X config?

Eric.


Re: Crashes with SVG image in mozilla-firefox

Mikolaj Kucharski-2
On Fri, Mar 16, 2007 at 08:52:47PM +0100, Eric Faurot wrote:

> >Thanks for the report. I reproduced w/the debug version
> >and have this backtrace info. Most likely suspect is
> >cairo.
>
> I cannot reproduce this. It works OK here with the following config:
> $ pkg_info | grep mozilla-firefox
> mozilla-firefox-2.0.0.1p1 redesign of Mozilla's browser component
> $ dmesg | head -n2
> OpenBSD 4.1-beta (GENERIC) #830: Tue Feb 13 09:34:36 MST 2007
>    [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC
>
> I'll update my system and try again this weekend.
> Can you give more info about your X config?

$ file /etc/X11/xorg.conf
/etc/X11/xorg.conf: cannot open (No such file or directory)

--
best regards
q#


Re: Crashes with SVG image in mozilla-firefox

Eric Faurot
On 3/16/07, Eric Faurot <[hidden email]> wrote:

> I cannot reproduce this. It works OK here with the following config:
> $ pkg_info | grep mozilla-firefox
> mozilla-firefox-2.0.0.1p1 redesign of Mozilla's browser component
> $ dmesg | head -n2
> OpenBSD 4.1-beta (GENERIC) #830: Tue Feb 13 09:34:36 MST 2007
>     [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC

OK, I have reproduced it. It is indeed something wrong in cairo.
I'll be working on it.

Eric.


Re: Crashes with SVG image in mozilla-firefox

Matthieu Herrb
Kurt Miller wrote:

> On Thursday 15 March 2007 4:07:48 pm Mikolaj Kucharski wrote:
>> Hi,
>>
>> When I open an HTML page with an embedded SVG image I get random crashes of
>> Firefox when I click with the right button and try to navigate the menu, or when
>> I open the main menu, e.g. to check the browser version in help->about. An
>> example page is here
>>
>> http://www.ba.infn.it/~zito/xml/embed.html
>>
>
> Thanks for the report. I reproduced w/the debug version
> and have this backtrace info. Most likely suspect is
> cairo.

Yes, it seems that cairo is feeding an invalid XImage structure to
XPutImage.
I think there are 2 problems:
- Cairo should not call XPutImage() with invalid data
- XPutImage() should validate its input and return an error instead.
(You all heard of these vulnerabilities caused by invalid image
structures, I guess. This is one of them...)

Unfortunately I've not managed to get a crash of firefox with this sample
image. I will try on other machines, with more standard configurations
(my desktop machine is an amd64, already running xenocara).

But if in the meantime someone could build his own libX11 with
debugging symbols (see /usr/XF4/README for instructions) and try to
print the XImage structure in gdb when it crashes, that would be
appreciated.
--
Matthieu Herrb
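
As an added defensive example (not code from this thread, from cairo or from Xlib): the kind of consistency check Matthieu says XPutImage() should perform before copying pixel data, written over a stand-in struct that mirrors the relevant XImage field names so it builds without X11 headers; the dimensions in the sample helper are constructed values.

```c
#include <stddef.h>
#include <stdint.h>
/* Stand-in carrying the XImage fields that matter for a bounds check; field
 * names mirror Xlib's XImage, but this struct is constructed for the example. */
struct ximage_hdr {
    int width, height, xoffset;   /* pixel size; pixels skipped at scanline start */
    int format;                   /* only ZPixmap is handled here */
    const char *data;             /* pixel buffer */
    int bitmap_pad;               /* scanline padding in bits: 8, 16 or 32 */
    int depth, bits_per_pixel;    /* significant bits vs. storage bits per pixel */
    int bytes_per_line;           /* stride between scanlines */
};
#define ZPIXMAP 2                 /* value of Xlib's ZPixmap constant */
enum ximage_err { XIMG_OK = 0, XIMG_BAD_DIM, XIMG_BAD_FORMAT, XIMG_BAD_BPP,
                  XIMG_BAD_PAD, XIMG_BAD_STRIDE, XIMG_BAD_DATA };

/* The check the thread says XPutImage() should make before copying: every
 * scanline must fit in bytes_per_line and height scanlines must fit in the
 * buffer, or the memcpy in the backtrace walks off the end of the image data. */
enum ximage_err ximage_validate(const struct ximage_hdr *img, size_t data_len)
{
    int bpp = img->bits_per_pixel, pad = img->bitmap_pad;
    uint64_t bits, min_stride;
    if (img->width <= 0 || img->height <= 0 || img->xoffset < 0)
        return XIMG_BAD_DIM;
    if (img->format != ZPIXMAP)
        return XIMG_BAD_FORMAT;
    if (!(bpp == 1 || bpp == 4 || bpp == 8 || bpp == 16 || bpp == 24 || bpp == 32) ||
        img->depth <= 0 || img->depth > bpp)
        return XIMG_BAD_BPP;
    if (pad != 8 && pad != 16 && pad != 32)
        return XIMG_BAD_PAD;
    /* minimum stride: (xoffset + width) pixels rounded up to the pad boundary */
    bits = ((uint64_t)img->xoffset + (uint64_t)img->width) * (uint64_t)bpp;
    min_stride = ((bits + pad - 1) / pad) * (uint64_t)(pad / 8);
    if (img->bytes_per_line <= 0 || (uint64_t)img->bytes_per_line < min_stride)
        return XIMG_BAD_STRIDE;
    if (img->data == NULL || (uint64_t)img->bytes_per_line * (uint64_t)img->height > data_len)
        return XIMG_BAD_DATA;
    return XIMG_OK;
}

/* Builds a depth-24, 32-bpp ZPixmap header over a constructed zeroed buffer
 * and validates it; the values are sample inputs, not from the thread. */
enum ximage_err ximage_check_sample(int width, int height, int bytes_per_line, size_t data_len)
{
    static const char sample_data[4096];
    struct ximage_hdr img = { width, height, 0, ZPIXMAP, sample_data, 32, 24, 32, bytes_per_line };
    return ximage_validate(&img, data_len > sizeof sample_data ? sizeof sample_data : data_len);
}
```

A header that passes this check still needs the caller to have sized the buffer honestly; the check only stops a stride or height that is inconsistent with the declared buffer length.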


Re: Crashes with SVG image in mozilla-firefox

Eric Faurot
On 3/17/07, Matthieu Herrb <[hidden email]> wrote:

> Yes, it seems that cairo is feeding an invalid XImage structure to
> XPutImage.

Right, I found it (patch attached). I tested it at depth 8, 16 and 24
with XRender on and off. I think it should go into 4.1.

Eric.

Attachment: cairo.diff (1K)

Re: Crashes with SVG image in mozilla-firefox

Kurt Miller-3
On Saturday 17 March 2007 9:41:27 am Eric Faurot wrote:
> On 3/17/07, Matthieu Herrb <[hidden email]> wrote:
>
> > Yes, it seems that cairo is feeding an invalid XImage structure to
> > XPutImage.
>
> Right, I found it (patch attached). I tested it at depth 8, 16 and 24
> with XRender on and off. I think it should go into 4.1.

Excellent! Committed, thank you.

-Kurt