LibreOffice spreadsheet causes full Xorg crash with Anti-Aliasing enabled
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Pixman |
Fix Released
|
Low
|
|||
| libreoffice (Ubuntu) |
High
|
Unassigned | |||
| pixman (Ubuntu) |
Medium
|
Maarten Lankhorst | |||
| Precise |
Medium
|
Jamie Strandboge | |||
| Quantal |
Medium
|
Jamie Strandboge | |||
| Raring |
Medium
|
Jamie Strandboge | |||
| Saucy |
Medium
|
Jamie Strandboge | |||
| xorg-server (Ubuntu) |
High
|
Unassigned | |||
| Precise |
Undecided
|
Unassigned | |||
| Quantal |
Undecided
|
Unassigned | |||
| Raring |
Undecided
|
Unassigned | |||
| Saucy |
Undecided
|
Unassigned | |||
Bug Description
[Impact]
* Opening spreadsheets in libreoffice crashes X .
[Test Case]
* Open the attached document ( plantage-
[Regression Potential]
* n/a
[Other Info]
* Patch is backport from upstream - http://
* Alternate test case, http://
| Bryan Quigley (bryanquigley) wrote : | #1 |
| Apport retracing service (apport) wrote : | #2 |
| Bryan Quigley (bryanquigley) wrote : | #5 |
FYI: I reported this crashdump from my 12.04 install (even though it was generated on 13.10).
| information type: | Private → Public |
| Bryan Quigley (bryanquigley) wrote : | #6 |
This is the file (with confidential data removed) that will crash both LibreOffice and Xorg.
| description: | updated |
| Christopher M. Penalver (penalvch) wrote : | #7 |
Created attachment 83211
test document
Opening the attached file with LibreOffice with enabled anti-aliasing will crash the Intel Xorg driver (see launchpad bug for details). While a crashing driver is not our bug, it might still be worth a look to see if we are asking anything illegal from X or if we can workaround the driver bug easily.
Observable with LO 3.5 trough 4.1 -> confirming.
Feel free to close as NOTOURBUG, if we do not want to make such workarounds.
| Changed in df-libreoffice: | |
| importance: | Unknown → Low |
| status: | Unknown → Confirmed |
Also adding pixman itself -- its were the crash happens and it can be an internal bug just as well as API abuse by Xorg.
| Launchpad Janitor (janitor) wrote : | #11 |
Status changed to 'Confirmed' because the bug affects multiple users.
| information type: | Public → Public Security |
| Changed in xorg-server (Ubuntu): | |
| importance: | Medium → High |
| status: | Confirmed → Triaged |
Created attachment 86883
proposed patch
Program received signal SIGSEGV, Segmentation fault.
0x00000033834488f6 in rasterize_edges_8 (image=<optimized out>,
image=
t=<optimized out>, r=<optimized out>, l=<optimized out>)
at pixman-edge.c:210
210 WRITE (image, ap + lxi,
(gdb) bt
#0 0x00007f895bdd38f6 in rasterize_edges_8 (image=<optimized out>, image=<optimized out>, image=<optimized out>, b=<optimized out>,
t=<optimized out>, r=<optimized out>, l=<optimized out>) at pixman-edge.c:210
#1 pixman_
at pixman-edge.c:359
#2 pixman_
at pixman-edge.c:382
#3 0x00007f895bdf109e in pixman_
at pixman-trap.c:386
#4 0x00007f895aff6623 in uxa_trapezoids (op=<optimized out>, src=0x1cd7b10, dst=0x1cd5950, maskFormat=
ySrc=<optimized out>, ntrap=<optimized out>, traps=0x1bf02a8) at uxa-render.c:1816
#5 0x00000000005251bf in ProcRenderTrape
#6 0x000000000043a137 in Dispatch () at dispatch.c:432
#7 0x00000000004286ca in main (argc=12, argv=0x7fff8dcf
(gdb) fram 3
#3 0x00007f895bdf109e in pixman_
at pixman-trap.c:386
386 pixman_
(gdb) list 359
354 pixman_fixed_t y_off_fixed;
355 pixman_edge_t l, r;
356 pixman_fixed_t t, b;
357
358 return_if_fail (image->type == BITS);
359
360 _pixman_
361
362 if (!pixman_
363 return;
...
380 if (b >= t)
381 {
382 /* initialize edge walkers */
383 pixman_
384 pixman_
385
386 pixman_
387 }
388 }
(gdb) p *trap
$8 = {top = 32768, bottom = -2147483648, left = {p1 = {x = -8454144, y = 32768}, p2 = {x = -8454144, y = -2147483648}}, right = {p1 = {
x = -8388608, y = 32768}, p2 = {x = -8388608, y = -2147483648}}}
from pixman.h
1029 /* whether 't' is a well defined not obviously empty trapezoid */
1030 #define pixman_
1031 ((t)->left.p1.y != (t)->left.p2.y && \
1032 (t)->right.p1.y != (t)->right.p2.y && \
1033 (int) ((t)->bottom - (t)->top) > 0) <--- haw haw
1034
An underflow . The proposed patch checks if bottom > 0 (assuming top/bottom are non-negative integer )
| Maarten Lankhorst (mlankhorst) wrote : | #13 |
Patch sent upstream for review.. http://
Created attachment 87290
proposed patch
Additionally, been pushed for xserver
http://
Thanks for the patch. Do you mind sending it to <email address hidden> for review?
Also, if you have a test that demonstrates the issue, it would be valuable to add to the test suite in the pixman/test directory.
Created attachment 87659
proposed patch with test case
posted for review at http://
Thanks for the test case, that's much appreciated. Just a few comments:
- We might as well extend the existing trap-crasher test instead of adding a new one that is a near duplicate.
- The test should ideally be added in its own commit before the fix so that it's easy to verify that the fix actually fixes the test case
- We need all patches to go through the mailing list, including this updated one. I have added you to the mailman whitelist, so it won't get stuck in moderation if you send it.
| Norbert (nrbrtx) wrote : | #21 |
Reproduced this bug on Ubuntu 13.10 final i386, under Unity session, with Nvidia proprietary driver (304.88-0ubuntu8).
| Ritesh Khadgaray (khadgaray) wrote : | #22 |
Hi @Norbert
Is this with the patch ?
| Norbert (nrbrtx) wrote : | #23 |
Hello, Ritesh!
No, it is without patch. All packages installed from binary form (Ubuntu 13.10 i686 repos).
Created attachment 87924
test case
Created attachment 87925
proposed patch
| Changed in pixman (Ubuntu): | |
| status: | Confirmed → Triaged |
| Changed in libreoffice (Ubuntu): | |
| status: | Confirmed → Triaged |
| Changed in pixman (Ubuntu): | |
| importance: | Undecided → High |
| Changed in libreoffice (Ubuntu): | |
| importance: | Undecided → High |
The attachment "proposed patch for saucy" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]
| Launchpad Janitor (janitor) wrote : | #26 |
This bug was fixed in the package xorg-server - 2:1.14.3-3ubuntu3
---------------
xorg-server (2:1.14.3-3ubuntu3) trusty; urgency=low
* pixman-
-- Maarten Lankhorst <email address hidden> Wed, 23 Oct 2013 12:11:27 +0200
Since the affected package is "xorg-server (Ubuntu)", it isn't "libreoffice (Ubuntu)" or "pixman (Ubuntu)".
| affects: | df-libreoffice → pixman |
| Maarten Lankhorst (mlankhorst) wrote : | #28 |
No, it really is a bug in pixman too. I just fixed the same comparison that happens in xorg-server, but pixman is still affected.
| Changed in pixman (Ubuntu): | |
| status: | Confirmed → Triaged |
| Sebastien Bacher (seb128) wrote : | #31 |
Maarten, could you review/sponsor the libpixman patch there?
| Norbert (nrbrtx) wrote : | #32 |
Ubuntu Precise 12.04.3 (amd64) with libreoffice-calc 1:3.5.7-0ubuntu4 is affected too. Xorg crashed.
|
|
#36 |
Fixed in commit 2f876cf86718d3d
| Maarten Lankhorst (mlankhorst) wrote : | #34 |
Fix released in debian, will be synced to trusty automatically. Please propose a fix for saucy, I want to backport saucy's version to raring, quantal and precise later on. :)
| Launchpad Janitor (janitor) wrote : | #35 |
This bug was fixed in the package pixman - 0.30.2-2
---------------
pixman (0.30.2-2) sid; urgency=low
* Cherry-pick upstream bigfixes for fixing a crash when rendering
invalid trapezoids. (LP: #1197921)
-- Maarten Lankhorst <email address hidden> Mon, 18 Nov 2013 15:08:56 +0100
| Changed in pixman: | |
| status: | Confirmed → Fix Released |
| Ritesh Khadgaray (khadgaray) wrote : | #37 |
| Ritesh Khadgaray (khadgaray) wrote : | #38 |
| Ritesh Khadgaray (khadgaray) wrote : | #39 |
| Ritesh Khadgaray (khadgaray) wrote : | #40 |
| no longer affects: | libreoffice (Ubuntu Precise) |
| no longer affects: | libreoffice (Ubuntu Quantal) |
| no longer affects: | libreoffice (Ubuntu Raring) |
| no longer affects: | libreoffice (Ubuntu Saucy) |
| Jamie Strandboge (jdstrand) wrote : | #41 |
Ritesh, thanks for your patches! A couple of notes:
- these are security patches, so you should use <release>-security instead of <release>-proposed
- I'm not sure if launchpad would autoclose a bug with 'lp: #1197921' in the changelog, but that is non-conventional. You should use 'LP: #1197921' instead
- there is no patch attribution or origin in DEP-3 comments in the patch in debian/patches
- because it is a security update, it should follow the changelog format as described in https:/
- there is an extra line of whitespace in debian/changelog
- the patch is missing the test case. Looks like the patch is 5e14da97f16e421
NAK in its current form, but I'll fix it up and push it out as a security update.
| Jamie Strandboge (jdstrand) wrote : | #42 |
Ritesh: one more thing, you add a quilt patch but the series file was not updated.
| Jamie Strandboge (jdstrand) wrote : | #43 |
| Jamie Strandboge (jdstrand) wrote : | #44 |
Ritesh: oops, sorry, you did update the series file correctly (I was comparing it to the Debian update which didn't use the quilt patch system and got confused).
| Changed in pixman (Ubuntu Precise): | |
| status: | New → In Progress |
| importance: | Undecided → Medium |
| assignee: | nobody → Jamie Strandboge (jdstrand) |
| Changed in pixman (Ubuntu Quantal): | |
| status: | New → In Progress |
| importance: | Undecided → Medium |
| assignee: | nobody → Jamie Strandboge (jdstrand) |
| Changed in pixman (Ubuntu Raring): | |
| status: | New → In Progress |
| importance: | Undecided → Medium |
| assignee: | nobody → Jamie Strandboge (jdstrand) |
| Changed in pixman (Ubuntu Saucy): | |
| status: | New → In Progress |
| importance: | Undecided → Medium |
| assignee: | nobody → Jamie Strandboge (jdstrand) |
| Jamie Strandboge (jdstrand) wrote : | #45 |
FYI, the freedesktop.org bug is for pixman, not xorg. The xorg-server patch is in patchwork:
http://
but has not received comment from xorg yet. The CVE request CC'd xorg_security, but the message is in moderation.
| Changed in pixman (Ubuntu Precise): | |
| status: | In Progress → Fix Committed |
| Changed in pixman (Ubuntu Quantal): | |
| status: | In Progress → Fix Committed |
| Changed in pixman (Ubuntu Raring): | |
| status: | In Progress → Fix Committed |
| Changed in pixman (Ubuntu Saucy): | |
| status: | In Progress → Fix Committed |
| Changed in pixman (Ubuntu Precise): | |
| importance: | Low → Medium |
| Changed in pixman (Ubuntu Quantal): | |
| importance: | Low → Medium |
| Changed in pixman (Ubuntu Raring): | |
| importance: | Low → Medium |
| Changed in pixman (Ubuntu Saucy): | |
| importance: | Low → Medium |
| Launchpad Janitor (janitor) wrote : | #46 |
This bug was fixed in the package pixman - 0.30.2-1ubuntu0.1
---------------
pixman (0.30.2-1ubuntu0.1) saucy-security; urgency=low
* SECURITY UPDATE: Fix underflow when bottom is close to MIN_INT
- debian/
- LP: #1197921
- CVE-YYYY-NNNN
-- Jamie Strandboge <email address hidden> Tue, 03 Dec 2013 12:07:19 -0600
| Launchpad Janitor (janitor) wrote : | #47 |
This bug was fixed in the package pixman - 0.28.2-0ubuntu1.1
---------------
pixman (0.28.2-0ubuntu1.1) raring-security; urgency=low
* SECURITY UPDATE: Fix underflow when bottom is close to MIN_INT
- debian/
- LP: #1197921
- CVE-YYYY-NNNN
-- Jamie Strandboge <email address hidden> Tue, 03 Dec 2013 12:09:34 -0600
| Launchpad Janitor (janitor) wrote : | #48 |
This bug was fixed in the package pixman - 0.26.0-3ubuntu0.1
---------------
pixman (0.26.0-3ubuntu0.1) quantal-security; urgency=low
* SECURITY UPDATE: Fix underflow when bottom is close to MIN_INT
- debian/
- LP: #1197921
- CVE-YYYY-NNNN
-- Jamie Strandboge <email address hidden> Tue, 03 Dec 2013 12:11:32 -0600
| Launchpad Janitor (janitor) wrote : | #49 |
This bug was fixed in the package pixman - 0.24.4-1ubuntu0.1
---------------
pixman (0.24.4-1ubuntu0.1) precise-security; urgency=low
* SECURITY UPDATE: Fix underflow when bottom is close to MIN_INT
- debian/
- LP: #1197921
- CVE-YYYY-NNNN
-- Jamie Strandboge <email address hidden> Tue, 03 Dec 2013 12:16:20 -0600
| Changed in pixman (Ubuntu): | |
| importance: | Low → Medium |
| Norbert (nrbrtx) wrote : | #50 |
Thank you, package 0.24.4-1ubuntu0.1 fixes this bug in Precise.
| Jamie Strandboge (jdstrand) wrote : | #51 |
From oss-security:
Please use CVE-2013-6424 for the issue in xorg-server
Please use CVE-2013-6425 for the issue in pixman.
Hello Bryan, or anyone else affected,
Accepted xorg-server into saucy-proposed. The package will build now and be available at http://
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-
Further information regarding the verification process can be found at https:/
| Timo Aaltonen (tjaalton) wrote : | #53 |
Bryan, verifying this upload is needed to unblock further updates for 12.04.4.. so please give the new version a go.
| Bryan Quigley (bryanquigley) wrote : | #54 |
@Timo
Downgraded pixman for the test (so it would actually crash)
Upgraded only xserver-common and xserver-xorg-core
It still crashes Xorg if we don't have the pixman fix..
This is trivially reproducible in a VM (I'm using vagrant/
| Maarten Lankhorst (mlankhorst) wrote : | #55 |
This appears to be incorrect. I just tried reproducing it. Upgrading xserver-xorg-core and restarting Xorg fixes it, did you restart Xorg?
| Bryan Quigley (bryanquigley) wrote : | #56 |
@Maarten
Did you downgrade libpixman? Were you able to reproduce the crash first?
I rebooted the VM between tests.
| Maarten Lankhorst (mlankhorst) wrote : | #57 |
Yes I was able to reproduce the crashing bug. Anyway because this issue was already fixed in libpixman I don't think it's really important to worry about it too much.
| Norbert (nrbrtx) wrote : | #58 |
Ubuntu 14.04 is not affected.
| tags: |
added: verification-done removed: verification-needed |
| Launchpad Janitor (janitor) wrote : | #59 |
This bug was fixed in the package xorg-server - 2:1.14.
---------------
xorg-server (2:1.14.
* Copy package back to saucy-proposed from trusty.
- There's a MRE for xorg-server.
- Fixes mesa >= 10 support on saucy.
- Fix a timer bug in the sync code. (LP: #1238410)
* Changes in packaging:
- Fix gpu screen output hotplugging. (LP: #1259561)
- Do not render invalid trapezoids. (LP: #1197921) (CVE-2013-6424)
- Fix for CVE-2013-1056.
-- Maarten Lankhorst <email address hidden> Mon, 16 Dec 2013 13:27:58 +0100
The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.
| Launchpad Janitor (janitor) wrote : | #61 |
Status changed to 'Confirmed' because the bug affects multiple users.
| Simon Tremblay (tremblaysimon) wrote : | #64 |
Do you know why the package libpixman 0.30.2-2 is only available in Trusty? (comment #35)
Is there an easy way to get that package for Saucy?
I've got that crash even if I'm updated to latest package for xorg-server 2:1.14.5-1ubuntu2 and libpixman 0.30.2-1 (note that is -1 not -2).
StacktraceTop:
pixman_
_pixman_image_fini (image=
pixman_image_unref (image=
free_pixman_pict (pict=pict@
fbRasterizeTra