gnome-panel crashed with SIGSEGV in g_cclosure_marshal_VOID__BOXED()

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.8) Gecko/2009032712 Ubuntu/8.10 (intrepid) Firefox/3.0.8
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.8) Gecko/2009032712 Ubuntu/8.10 (intrepid) Firefox/3.0.8

Gnome panel disappears when visiting the link below:
http://blog.oup.com/2009/03/science-fiction/

Reproducible: Always

Steps to Reproduce:
1. Visit link: http://blog.oup.com/2009/03/science-fiction/
2. Enjoy the view (no panel, menus, taskbar)
3. Switch to another tab / application if you want your panel/ taskbar back.
Actual Results:
Gnome Panel [menus & taskbar]disappeared.

This could be a security problem. Seems that Firefox allows application to switch to "full-screen" mode from JS, and GNOME menus and taskbars are going "off-screen" in the process.

Created attachment 371385
screenshot.png

Screenshot of my Desktop with no Gnome panels, while visiting http://blog.oup.com/2009/03/science-fiction/

not our bug. http://bugzilla.gnome.org/show_bug.cgi?id=556132

I can reproduce on Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20090406 Minefield/3.6a1pre.

I can't access the gnome bug -- is this some X issue?

(In reply to comment #4)
> I can't access the gnome bug -- is this some X issue?

I'm trying to get CC'd to the bug on bgo to see. Once I get cc'd, I will CC you.

Embargo was requested on the GNOME bug yesterday, so I limited access to it. I debugged it tonight, it's a bug in pango. I plan to push a fix out to the public repository tomorrow. The following is what I wrote in response to the embargo report to me:

Thanks for the mail. Let me note that this issue has already made it to the upstream Pango bugzilla. Pedro forwarded the crash stacktrace from Ubuntu bug tracker before, but today he added a comment pointing out to the test web page. I have limited the bug to GNOME Hackers group for now:

  http://bugzilla.gnome.org/show_bug.cgi?id=556132

Anyway, I debugged the issue. It happens whenever a PangoLayout is used to render text containing the Unicode character U+2028 LINE SEPERATOR, the layout is set to be ellipsized, and has a width narrow enough to ensure line wrapping. It can be reproduced using the command:

$ pango-view --markup --text 'test 
' --width 1 --ellipsize end

The invalid memory access happens in function pango_layout_line_postprocess() whenever both wrapping and ellipsization happen. However, ellipsization normally disables wrappnig. The only exception was when a LINE SEPARATOR character was seen. This particular behavior was introduced in pango version
1.21.4, in git commit 66240b30bc5a2b29b0d5f3bb5396f85ef557b077.

Here is the code involved:

=============================
static void
pango_layout_line_postprocess (PangoLayoutLine *line,
                               ParaBreakState *state,
                               gboolean wrapped)
{
  PangoLayoutRun *last_run = line->runs->data;
  gboolean ellipsized = FALSE;

  /* NB: the runs are in reverse order at this point, since we prepended them to the list
   */

  /* Reverse the runs
   */
  line->runs = g_slist_reverse (line->runs);

  DEBUG ("postprocessing", line, state);

  /* Ellipsize the line if necessary
   */
  if (G_UNLIKELY (state->line_width >= 0 &&
                  should_ellipsize_current_line (line->layout, state)))
    {
      ellipsized = _pango_layout_line_ellipsize (line, state->attrs, state->line_width);
    }

  /* Truncate the logical-final whitespace in the line if we broke the line at it
   */
  if (wrapped)
    zero_line_final_space (line, state, last_run);
=============================

The problem happens when in the _pango_layout_line_ellipsize() call line is modified and now last_run is a dangling pointer. In zero_line_final_space() it is dereferenced and crashes. Apparently at the time of the crash run->glyphs is NULL. There's no immediate reason for this except that the memory is freed using gslice and perhaps immediately allocated in the same call (line_ellipsize()) and trashed.

Anyway, while my analysis is not conclusive, I doubt that this can be exploited easily. I have attached the patch for the invalid access. I have that and other patches to improve the behavior in my local tree. I have not pushed them as per your request. Please let me know when you want to make this public.

Regards,
behdad

I've made the launchpad bugs private for now... Can you CC me (<email address hidden>) on the bgo bug?

The GNOME bug in comment 6 is still hidden so I suppose our version should still be embargoed? Is there a reason we can't just resolve our copy? I don't think keeping this bug open is accomplishing anything.