Ubuntu

gnome-panel crashed with SIGSEGV in g_cclosure_marshal_VOID__BOXED()

Reported by aleneguou on 2008-10-09
280
This bug affects 4 people
Affects Status Importance Assigned to Milestone
Mozilla Firefox
Invalid
High
Pango
New
Unknown
pango1.0 (Ubuntu)
Medium
Ubuntu Desktop Bugs
Intrepid
Medium
Unassigned

Bug Description

Binary package hint: gnome-panel

Not sure why this happened

ProblemType: Crash
Architecture: i386
DistroRelease: Ubuntu 8.10
ExecutablePath: /usr/bin/gnome-panel
Package: gnome-panel 1:2.24.0-0ubuntu1
ProcAttrCurrent: unconfined
ProcCmdline: gnome-panel
ProcEnviron:
 LANGUAGE=en_US:en
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/games
 LANG=en_US
 SHELL=/bin/bash
Signal: 11
SourcePackage: gnome-panel
StacktraceTop:
 ?? () from /usr/lib/libpango-1.0.so.0
 ?? () from /usr/lib/libpango-1.0.so.0
 ?? () from /usr/lib/libgtk-x11-2.0.so.0
 g_cclosure_marshal_VOID__BOXED ()
 ?? () from /usr/lib/libgobject-2.0.so.0
Title: gnome-panel crashed with SIGSEGV in g_cclosure_marshal_VOID__BOXED()
Uname: Linux 2.6.27-6-generic i686
UserGroups: adm admin audio cdrom dialout dip fax floppy fuse lpadmin plugdev powerdev sambashare saned scanner tape video

aleneguou (alexandergould) wrote :

StacktraceTop:pango_layout_check_lines (layout=0x8c5cc10)
pango_layout_get_extents_internal (layout=0x8c5cc10, ink_rect=0x0, logical_rect=0xbf8c4e8c,
gtk_label_size_request (widget=0x8f1b298, requisition=0x8f1b2b4)
IA__g_cclosure_marshal_VOID__BOXED (closure=0x88a2b70, return_value=0x0, n_param_values=2,
g_type_class_meta_marshal (closure=0x88a2b70, return_value=0x0, n_param_values=2,

Changed in gnome-panel:
importance: Undecided → Medium
Pedro Villavicencio (pedro) wrote :

looks like a pango crash, re assigning, thanks for reporting.

Pedro Villavicencio (pedro) wrote :

Thanks for your bug report. This bug has been reported to the developers of the software. You can track it and make comments here: http://bugzilla.gnome.org/show_bug.cgi?id=556132

Changed in pango1.0:
assignee: nobody → desktop-bugs
status: New → Triaged
Changed in pango:
status: Unknown → New

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.8) Gecko/2009032712 Ubuntu/8.10 (intrepid) Firefox/3.0.8
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.8) Gecko/2009032712 Ubuntu/8.10 (intrepid) Firefox/3.0.8

Gnome panel disappears when visiting the link below:
http://blog.oup.com/2009/03/science-fiction/

Reproducible: Always

Steps to Reproduce:
1. Visit link: http://blog.oup.com/2009/03/science-fiction/
2. Enjoy the view (no panel, menus, taskbar)
3. Switch to another tab / application if you want your panel/ taskbar back.
Actual Results:
Gnome Panel [menus & taskbar]disappeared.

This could be a security problem. Seems that Firefox allows application to switch to "full-screen" mode from JS, and GNOME menus and taskbars are going "off-screen" in the process.

Created attachment 371385
screenshot.png

Screenshot of my Desktop with no Gnome panels, while visiting http://blog.oup.com/2009/03/science-fiction/

Reed Loden (reed) on 2009-04-07
visibility: public → private

I can reproduce on Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20090406 Minefield/3.6a1pre.

I can't access the gnome bug -- is this some X issue?

(In reply to comment #4)
> I can't access the gnome bug -- is this some X issue?

I'm trying to get CC'd to the bug on bgo to see. Once I get cc'd, I will CC you.

Embargo was requested on the GNOME bug yesterday, so I limited access to it. I debugged it tonight, it's a bug in pango. I plan to push a fix out to the public repository tomorrow. The following is what I wrote in response to the embargo report to me:

Thanks for the mail. Let me note that this issue has already made it to the upstream Pango bugzilla. Pedro forwarded the crash stacktrace from Ubuntu bug tracker before, but today he added a comment pointing out to the test web page. I have limited the bug to GNOME Hackers group for now:

  http://bugzilla.gnome.org/show_bug.cgi?id=556132

Anyway, I debugged the issue. It happens whenever a PangoLayout is used to render text containing the Unicode character U+2028 LINE SEPERATOR, the layout is set to be ellipsized, and has a width narrow enough to ensure line wrapping. It can be reproduced using the command:

$ pango-view --markup --text 'test 
' --width 1 --ellipsize end

The invalid memory access happens in function pango_layout_line_postprocess() whenever both wrapping and ellipsization happen. However, ellipsization normally disables wrappnig. The only exception was when a LINE SEPARATOR character was seen. This particular behavior was introduced in pango version
1.21.4, in git commit 66240b30bc5a2b29b0d5f3bb5396f85ef557b077.

Here is the code involved:

=============================
static void
pango_layout_line_postprocess (PangoLayoutLine *line,
                               ParaBreakState *state,
                               gboolean wrapped)
{
  PangoLayoutRun *last_run = line->runs->data;
  gboolean ellipsized = FALSE;

  /* NB: the runs are in reverse order at this point, since we prepended them to the list
   */

  /* Reverse the runs
   */
  line->runs = g_slist_reverse (line->runs);

  DEBUG ("postprocessing", line, state);

  /* Ellipsize the line if necessary
   */
  if (G_UNLIKELY (state->line_width >= 0 &&
                  should_ellipsize_current_line (line->layout, state)))
    {
      ellipsized = _pango_layout_line_ellipsize (line, state->attrs, state->line_width);
    }

  /* Truncate the logical-final whitespace in the line if we broke the line at it
   */
  if (wrapped)
    zero_line_final_space (line, state, last_run);
=============================

The problem happens when in the _pango_layout_line_ellipsize() call line is modified and now last_run is a dangling pointer. In zero_line_final_space() it is dereferenced and crashes. Apparently at the time of the crash run->glyphs is NULL. There's no immediate reason for this except that the memory is freed using gslice and perhaps immediately allocated in the same call (line_ellipsize()) and trashed.

Anyway, while my analysis is not conclusive, I doubt that this can be exploited easily. I have attached the patch for the invalid access. I have that and other patches to improve the behavior in my local tree. I have not pushed them as per your request. Please let me know when you want to make this public.

Regards,
behdad

I've made the launchpad bugs private for now... Can you CC me (<email address hidden>) on the bgo bug?

visibility: private → public
Pedro Villavicencio (pedro) wrote :
Changed in pango1.0 (Ubuntu):
milestone: none → ubuntu-9.04
Julian Lam (julian-lam) on 2009-04-07
Changed in pango1.0 (Ubuntu):
status: Triaged → Fix Committed
Sebastien Bacher (seb128) wrote :

pango1.0 (1.24.0-3) unstable; urgency=low

  * debian/patches/14_gnome-panel-crash.patch:
    + Fix a crash in gnome-panel that happend because of invalid
      memory accesses in pango. Patch from upstream GIT.

Changed in pango1.0 (Ubuntu):
status: Fix Committed → Fix Released
Changed in pango1.0 (Ubuntu Intrepid):
assignee: nobody → Ubuntu Desktop Bugs (desktop-bugs)
importance: Undecided → Medium
status: New → Confirmed
assignee: Ubuntu Desktop Bugs (desktop-bugs) → nobody
status: Confirmed → New
importance: Medium → Undecided
assignee: nobody → Ubuntu Desktop Bugs (desktop-bugs)
importance: Undecided → Medium
status: New → Confirmed

The GNOME bug in comment 6 is still hidden so I suppose our version should still be embargoed? Is there a reason we can't just resolve our copy? I don't think keeping this bug open is accomplishing anything.

Alex Valavanis (valavanisalex) wrote :

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the report. The bug has been fixed in newer releases of Ubuntu.

Changed in pango1.0 (Ubuntu Intrepid):
assignee: Ubuntu Desktop Bugs (desktop-bugs) → nobody
status: Confirmed → Invalid
Changed in firefox:
status: Unknown → Invalid
Changed in firefox:
importance: Unknown → High
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.