Bug 441995 - crash in cairo_surface_set_device_offset () from /usr/lib/libcairo.so.2
Status: RESOLVED FIXED
Whiteboard: [sg:critical?] null-pointer access only?
Keywords: fixed1.9.0.2, testcase
Product: Core
Classification: Components
Component: Graphics
Version: unspecified
Platform: x86 Linux
Importance: -- critical
Target Milestone: mozilla1.9.1a1
Assigned To: Mats Palmgren [:mats]
QA Contact: thebes
Depends on: 448617

Reported: 2008-06-26 03:05 PDT by David Maciejak
Modified: 2008-11-16 02:54 PST (History)
samuel.sidler+old: wanted1.9.0.x+
asac: wanted1.8.0.x-
matspal: in‑testsuite?
Attachments
poc (135.99 KB, text/html)
2008-06-26 03:07 PDT, David Maciejak
bsterne's backtrace (2.24 KB, text/plain)
2008-06-26 15:18 PDT, Brandon Sterne (:bsterne)
Patch rev. 1 (1.26 KB, patch)
2008-06-27 15:02 PDT, Mats Palmgren [:mats]
roc: review+
roc: superreview+
samuel.sidler+old: approval1.9.0.2+

Description David Maciejak 2008-06-26 03:05:52 PDT
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008061015 Firefox/3.0
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008061015 Firefox/3.0

Crash when trying to display an overlong alert messagebox after a refresh.

Reproducible: Always

Steps to Reproduce:
1. Open the file, the alert box is displayed
2. Hit the escape button to close the box
3. Hit F5 to refresh the page

Actual Results:  
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7cdb6c0 (LWP 1444)]
0xb6d892cb in cairo_surface_set_device_offset () from /usr/lib/libcairo.so.2

Expected Results:  
not crashed

Seems to be something like Bug 439343, I will enclose the poc in the report.
Don't really know the impact of that, if it can be worse than a crash.

#0  0xb6d4c2cb in cairo_surface_set_device_offset () from /usr/lib/libcairo.so.2
#1  0xb78db907 in gfxASurface::SetDeviceOffset () from /usr/lib/xulrunner-1.9/libxul.so
#2  0xb77e2652 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#3  0xb77e4f20 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#4  0xb68148d4 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#5  0xb6bfb759 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#6  0xb6c0fd1d in ?? () from /usr/lib/libgobject-2.0.so.0
#7  0xb6c1164e in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#8  0xb6c11c59 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#9  0xb6933667 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#10 0xb680edf6 in gtk_main_do_event () from /usr/lib/libgtk-x11-2.0.so.0
#11 0xb6657f33 in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#12 0xb66585c8 in gdk_window_process_all_updates () from /usr/lib/libgdk-x11-2.0.so.0
#13 0xb66585eb in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#14 0xb663e81b in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#15 0xb6b76081 in ?? () from /usr/lib/libglib-2.0.so.0
#16 0xb6b77bf8 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#17 0xb6b7ae5e in ?? () from /usr/lib/libglib-2.0.so.0
#18 0xb6b7b3ac in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#19 0xb77e701c in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#20 0xb77fbdc4 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#21 0xb77fc20f in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#22 0xb78ab43a in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#23 0xb787aa83 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#24 0xb76767fd in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#25 0xb76735fd in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#26 0xb7652f3f in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#27 0xb7653225 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#28 0xb765479d in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#29 0xb7654e97 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#30 0xb764e217 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#31 0xb74b6792 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#32 0xb78b7781 in NS_InvokeByIndex_P () from /usr/lib/xulrunner-1.9/libxul.so
#33 0xb710b2bb in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#34 0xb711106d in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#35 0xb7be8176 in js_Invoke () from /usr/lib/xulrunner-1.9/libmozjs.so
#36 0xb7bdb0ef in ?? () from /usr/lib/xulrunner-1.9/libmozjs.so
#37 0xb7be7a31 in ?? () from /usr/lib/xulrunner-1.9/libmozjs.so
#38 0xb7bb3546 in JS_EvaluateUCScriptForPrincipals () from /usr/lib/xulrunner-1.9/libmozjs.so
#39 0xb74a230c in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#40 0xb73aaddf in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#41 0xb73ab663 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#42 0xb73ac58c in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#43 0xb73aa2a2 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#44 0xb7408da3 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#45 0xb7408420 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#46 0xb741c76c in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#47 0xb741dc6b in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#48 0xb741e6d8 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#49 0xb71e00b2 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#50 0xb71e2f63 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#51 0xb71e3ba2 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#52 0xb71e0cf5 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#53 0xb71e9eb8 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#54 0xb71eb51a in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#55 0xb71e9d66 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#56 0xb7633fb5 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#57 0xb7122951 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#58 0xb71285de in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#59 0xb7128711 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#60 0xb7896977 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#61 0xb78ab496 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#62 0xb787aa83 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#63 0xb77fbefe in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#64 0xb768b946 in ?? () from /usr/lib/xulrunner-1.9/libxul.so
#65 0xb70e0688 in XRE_main () from /usr/lib/xulrunner-1.9/libxul.so
#66 0x08049033 in ?? ()
#67 0xb7cb6450 in __libc_start_main () from /lib/tls/i686/cmov/libc.so.6
#68 0x08048cc1 in ?? ()
Comment 1 David Maciejak 2008-06-26 03:07:56 PDT
Created attachment 326874 [details]
poc

Please take care, it's an extract from a malicious sample.
Comment 2 Brandon Sterne (:bsterne) 2008-06-26 15:17:45 PDT
I can confirm that this crashes Firefox 3, though my stack looks a bit different from David's.  I'll attach mine momentarily.
Comment 3 Brandon Sterne (:bsterne) 2008-06-26 15:18:45 PDT
Created attachment 327023 [details]
bsterne's backtrace
Comment 4 Mats Palmgren [:mats] 2008-06-27 14:56:07 PDT
It's a null-pointer access for me (on x86_64 Linux):

*INT__moz_cairo_surface_set_device_offset (surface=0x0, x_offset=0, y_offset=0) at gfx/cairo/cairo/src/cairo-surface.c:821
821         assert (! surface->is_snapshot);
(gdb) p surface
$1 = (cairo_surface_t *) 0x0
Comment 5 Mats Palmgren [:mats] 2008-06-27 15:02:38 PDT
Created attachment 327184 [details] [review]
Patch rev. 1

I wasn't able to make a crashtest that doesn't require user action --
script execution stops while the alert is posted.  Let me know if
you have ideas to make it work.  Firefox 3.0 on Windows XP and MacOSX
10.5.3 does not crash for me, so I think this is GTK-only.
Comment 6 David Maciejak 2008-06-28 01:18:44 PDT
I was not able to reproduce it on Windows XP SP3 either, nor on the latest Firefox 2.x version.
Comment 7 Robert O'Callahan (:roc) (Mozilla Corporation) 2008-06-28 01:49:41 PDT
Why does the crash happen? We successfully created the pixmap so why can't cairo create a surface object wrapped around it?
Comment 8 Mats Palmgren [:mats] 2008-06-28 02:45:53 PDT
CheckSurfaceSize() does its job:
http://hg.mozilla.org/mozilla-central/index.cgi/file/378495e669f9/gfx/thebes/src/gfxXlibSurface.cpp#l67
Limit is 65535, size.width is 76261.

BTW, with the patch in bug 409006 we wouldn't have allowed this
crazy window size in the first place ;-)
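A constructed C model of the failure mode comment 8 describes, added here and not Mozilla's or cairo's code: the size check rejects a pixmap wider than 65535 (the limit named above; the width 76261 is the value from this bug), the surface wrapper therefore returns NULL, and a caller that hands that NULL straight to the device-offset setter dereferences it. The guarded caller returns failure instead. All type and function names are hypothetical.

```c
#include <stddef.h>
#include <stdlib.h>

/* The 65535 limit from comment 8: X11 pixmap dimensions are 16-bit on the wire. */
#define XLIB_MAX_SURFACE_DIM 65535

/* Hypothetical stand-in for a cairo surface; only the fields this demo needs. */
typedef struct {
    int width, height;
    double x_offset, y_offset;
} surface_t;

/* Plays the role of CheckSurfaceSize(): reject sizes the X protocol cannot carry. */
int surface_size_ok(int width, int height) {
    return width > 0 && height > 0 &&
           width <= XLIB_MAX_SURFACE_DIM && height <= XLIB_MAX_SURFACE_DIM;
}

/* Wrapper that creates the surface, or returns NULL when the size is rejected. */
surface_t *surface_create(int width, int height) {
    if (!surface_size_ok(width, height))
        return NULL;                       /* this is the path the 76261-wide alert hits */
    surface_t *s = calloc(1, sizeof *s);
    if (s) {
        s->width = width;
        s->height = height;
    }
    return s;
}

/* Models cairo_surface_set_device_offset(): it dereferences the surface unconditionally,
 * so a NULL argument faults here, matching the reported SIGSEGV. */
void surface_set_device_offset(surface_t *s, double x, double y) {
    s->x_offset = x;
    s->y_offset = y;
}

/* Guarded caller: checks the wrapper's result before touching the surface.
 * Returns 1 and stores the surface on success, 0 with *out == NULL on failure. */
int paint_window(int width, int height, surface_t **out) {
    surface_t *s = surface_create(width, height);
    if (s == NULL) {
        *out = NULL;
        return 0;                          /* caller must bail out rather than paint */
    }
    surface_set_device_offset(s, 0, 0);    /* safe: s is known to be non-NULL */
    *out = s;
    return 1;
}
```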
Comment 9 Mats Palmgren [:mats] 2008-06-28 17:00:08 PDT
http://hg.mozilla.org/mozilla-central/index.cgi/rev/c5dc9d84d476

-> FIXED
Comment 10 David Maciejak 2008-07-02 23:01:01 PDT
Hi,

Do you intend to put out a security advisory (MFSA) for this case?

Thx, david
Comment 11 Samuel Sidler (old account; do not CC) 2008-07-20 11:44:18 PDT
Can we get some tests for this patch before approving for 1.9.0.2?
Comment 12 Samuel Sidler (old account; do not CC) 2008-07-21 00:12:53 PDT
(In reply to comment #11)
> Can we get some tests for this patch before approving for 1.9.0.2?

(And yes, I saw that making a testcase without user intervention isn't possible right now, but I want to confirm that there's no way to get a test before we take it in 1.9.0...)
Comment 13 Mats Palmgren [:mats] 2008-07-23 03:37:33 PDT
I don't know how to automate tests involving alert()'s.  I have a few
other crash (or XError) bugs that also need tests (e.g. bug 409006).
Comment 14 Samuel Sidler (old account; do not CC) 2008-07-29 17:03:58 PDT
Comment on attachment 327184 [details] [review]
Patch rev. 1

Alright, but it makes me sad. :( Is there a bug on file for making this testable?

Approved for 1.9.0.2. Please land in CVS. a=ss
Comment 15 Mats Palmgren [:mats] 2008-07-30 19:21:35 PDT
Filed bug 448617 for a test mechanism for tests involving alert windows.

Landed in CVS trunk:
mozilla/widget/src/gtk2/nsWindow.cpp 	1.274
Comment 16 Marc Bejarano 2008-11-16 02:54:24 PST
for future reference, this is CVE-2008-4064