LibreOffice spreadsheet causes full Xorg crash with Anti-Aliasing enabled

StacktraceTop:
 pixman_region32_fini (region=region@entry=0x7f73ec53af98) at ../../pixman/pixman-region.c:416
 _pixman_image_fini (image=image@entry=0x7f73ec53af90) at ../../pixman/pixman-image.c:146
 pixman_image_unref (image=image@entry=0x7f73ec53af90) at ../../pixman/pixman-image.c:211
 free_pixman_pict (pict=pict@entry=0x7f73ec393410, image=image@entry=0x7f73ec53af90) at ../../fb/fbpict.c:346
 fbRasterizeTrapezoid (pPicture=0x7f73ec393410, trap=0x7f73ec2b0920, x_off=-145, y_off=0) at ../../fb/fbtrap.c:63

FYI: I reported this crashdump from my 12.04 install (even though it was generated on 13.10).

This is the file (with confidential data removed) that will crash both LibreOffice and Xorg.

Confirmed via https://bugs.launchpad.net/ubuntu/+source/xorg-server/+bug/1205187 .

Also adding pixman itself -- its were the crash happens and it can be an internal bug just as well as API abuse by Xorg.

Status changed to 'Confirmed' because the bug affects multiple users.

Patch sent upstream for review.. http://lists.x.org/archives/xorg-devel/2013-October/037996.html

Reproduced this bug on Ubuntu 13.10 final i386, under Unity session, with Nvidia proprietary driver (304.88-0ubuntu8).

Hi @Norbert

  Is this with the patch ?

Hello, Ritesh!

No, it is without patch. All packages installed from binary form (Ubuntu 13.10 i686 repos).

The attachment "proposed patch for saucy" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

This bug was fixed in the package xorg-server - 2:1.14.3-3ubuntu3

---------------
xorg-server (2:1.14.3-3ubuntu3) trusty; urgency=low

  * pixman-validate.patch: Do not render invalid trapezoids. (LP: #1197921)
 -- Maarten Lankhorst <email address hidden> Wed, 23 Oct 2013 12:11:27 +0200

Since the affected package is "xorg-server (Ubuntu)", it isn't "libreoffice (Ubuntu)" or "pixman (Ubuntu)".

No, it really is a bug in pixman too. I just fixed the same comparison that happens in xorg-server, but pixman is still affected.

Maarten, could you review/sponsor the libpixman patch there?

Ubuntu Precise 12.04.3 (amd64) with libreoffice-calc 1:3.5.7-0ubuntu4 is affected too. Xorg crashed.

Fix released in debian, will be synced to trusty automatically. Please propose a fix for saucy, I want to backport saucy's version to raring, quantal and precise later on. :)

This bug was fixed in the package pixman - 0.30.2-2

---------------
pixman (0.30.2-2) sid; urgency=low

  * Cherry-pick upstream bigfixes for fixing a crash when rendering
    invalid trapezoids. (LP: #1197921)

 -- Maarten Lankhorst <email address hidden> Mon, 18 Nov 2013 15:08:56 +0100

Ritesh, thanks for your patches! A couple of notes:
- these are security patches, so you should use <release>-security instead of <release>-proposed
- I'm not sure if launchpad would autoclose a bug with 'lp: #1197921' in the changelog, but that is non-conventional. You should use 'LP: #1197921' instead
- there is no patch attribution or origin in DEP-3 comments in the patch in debian/patches
- because it is a security update, it should follow the changelog format as described in https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging. This doesn't yet have a CVE assignment, so use CVE-YYYY-NNNN as a placeholder
- there is an extra line of whitespace in debian/changelog
- the patch is missing the test case. Looks like the patch is 5e14da97f16e421d084a9e735be21b1025150f0c and the test case 2f876cf86718d3dd9b3b04ae9552530edafe58a1

NAK in its current form, but I'll fix it up and push it out as a security update.

Ritesh: one more thing, you add a quilt patch but the series file was not updated.

CVE request: http://www.openwall.com/lists/oss-security/2013/12/03/8

Ritesh: oops, sorry, you did update the series file correctly (I was comparing it to the Debian update which didn't use the quilt patch system and got confused).

FYI, the freedesktop.org bug is for pixman, not xorg. The xorg-server patch is in patchwork:
http://patchwork.freedesktop.org/patch/14769/

but has not received comment from xorg yet. The CVE request CC'd xorg_security, but the message is in moderation.

This bug was fixed in the package pixman - 0.30.2-1ubuntu0.1

---------------
pixman (0.30.2-1ubuntu0.1) saucy-security; urgency=low

  * SECURITY UPDATE: Fix underflow when bottom is close to MIN_INT
    - debian/patches/security-lp1197921.patch: verify (t)->bottom > (t)->top)
    - LP: #1197921
    - CVE-YYYY-NNNN
 -- Jamie Strandboge <email address hidden> Tue, 03 Dec 2013 12:07:19 -0600

This bug was fixed in the package pixman - 0.28.2-0ubuntu1.1

---------------
pixman (0.28.2-0ubuntu1.1) raring-security; urgency=low

  * SECURITY UPDATE: Fix underflow when bottom is close to MIN_INT
    - debian/patches/security-lp1197921.patch: verify (t)->bottom > (t)->top)
    - LP: #1197921
    - CVE-YYYY-NNNN
 -- Jamie Strandboge <email address hidden> Tue, 03 Dec 2013 12:09:34 -0600

This bug was fixed in the package pixman - 0.26.0-3ubuntu0.1

---------------
pixman (0.26.0-3ubuntu0.1) quantal-security; urgency=low

  * SECURITY UPDATE: Fix underflow when bottom is close to MIN_INT
    - debian/patches/security-lp1197921.patch: verify (t)->bottom > (t)->top)
    - LP: #1197921
    - CVE-YYYY-NNNN
 -- Jamie Strandboge <email address hidden> Tue, 03 Dec 2013 12:11:32 -0600

This bug was fixed in the package pixman - 0.24.4-1ubuntu0.1

---------------
pixman (0.24.4-1ubuntu0.1) precise-security; urgency=low

  * SECURITY UPDATE: Fix underflow when bottom is close to MIN_INT
    - debian/patches/security-lp1197921.patch: verify (t)->bottom > (t)->top)
    - LP: #1197921
    - CVE-YYYY-NNNN
 -- Jamie Strandboge <email address hidden> Tue, 03 Dec 2013 12:16:20 -0600

Thank you, package 0.24.4-1ubuntu0.1 fixes this bug in Precise.

From oss-security:
Please use CVE-2013-6424 for the issue in xorg-server

Please use CVE-2013-6425 for the issue in pixman.

Hello Bryan, or anyone else affected,

Accepted xorg-server into saucy-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/xorg-server/2:1.14.5-1ubuntu2~saucy1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Bryan, verifying this upload is needed to unblock further updates for 12.04.4.. so please give the new version a go.

@Timo
Downgraded pixman for the test (so it would actually crash)
Upgraded only xserver-common and xserver-xorg-core
It still crashes Xorg if we don't have the pixman fix..

This is trivially reproducible in a VM (I'm using vagrant/virtualbox).

This appears to be incorrect. I just tried reproducing it. Upgrading xserver-xorg-core and restarting Xorg fixes it, did you restart Xorg?

@Maarten
Did you downgrade libpixman? Were you able to reproduce the crash first?
I rebooted the VM between tests.

Yes I was able to reproduce the crashing bug. Anyway because this issue was already fixed in libpixman I don't think it's really important to worry about it too much.

Ubuntu 14.04 is not affected.

This bug was fixed in the package xorg-server - 2:1.14.5-1ubuntu2~saucy1

---------------
xorg-server (2:1.14.5-1ubuntu2~saucy1) saucy-proposed; urgency=low

  * Copy package back to saucy-proposed from trusty.
    - There's a MRE for xorg-server.
    - Fixes mesa >= 10 support on saucy.
    - Fix a timer bug in the sync code. (LP: #1238410)
  * Changes in packaging:
    - Fix gpu screen output hotplugging. (LP: #1259561)
    - Do not render invalid trapezoids. (LP: #1197921) (CVE-2013-6424)
    - Fix for CVE-2013-1056.
 -- Maarten Lankhorst <email address hidden> Mon, 16 Dec 2013 13:27:58 +0100

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Status changed to 'Confirmed' because the bug affects multiple users.

Do you know why the package libpixman 0.30.2-2 is only available in Trusty? (comment #35)

Is there an easy way to get that package for Saucy?

I've got that crash even if I'm updated to latest package for xorg-server 2:1.14.5-1ubuntu2 and libpixman 0.30.2-1 (note that is -1 not -2).

@Norbert:
I can reproduce the crash using 14.04.

This bug was fixed in the package xorg-server - 2:1.11.4-0ubuntu10.17

---------------
xorg-server (2:1.11.4-0ubuntu10.17) precise-security; urgency=medium

  * SECURITY UPDATE: information leak and denial of service in
    XkbSetGeometry
    - debian/patches/CVE-2015-0255.patch: properly check lengths in
      xkb/xkb.c.
    - CVE-2015-0255
  * SECURITY UPDATE: denial of service via invalid trapezoid (LP: #1197921)
    - debian/patches/CVE-2013-6424.patch: don't render invalid trapezoids
      in exa/exa_render.c, fix underflow in render/picture.h.
    - CVE-2013-6424
  * debian/patches/CVE-2014-8xxx/0038-CVE-2014-8092-*: fix regression in
    previous security update by allowing zero-height PutImage requests in
    dix/dispatch.c.
 -- Marc Deslauriers <email address hidden> Thu, 12 Feb 2015 08:57:17 -0500