LibreOffice spreadsheet causes full Xorg crash with Anti-Aliasing enabled

Reported by Bryan Quigley on 2013-07-04
This bug affects 8 people
Affects                    Status         Importance   Assigned to          Milestone
Pixman (upstream)          Fix Released   Low
libreoffice (Ubuntu)       Invalid        High         Unassigned
pixman (Ubuntu)            Fix Released   Medium       Maarten Lankhorst
  Precise                  Fix Released   Medium       Jamie Strandboge
  Quantal                  Fix Released   Medium       Jamie Strandboge
  Raring                   Fix Released   Medium       Jamie Strandboge
  Saucy                    Fix Released   Medium       Jamie Strandboge
xorg-server (Ubuntu)       Fix Released   High         Unassigned
  Precise                  Confirmed      Undecided    Unassigned
  Quantal                  Confirmed      Undecided    Unassigned
  Raring                   Won't Fix      Undecided    Unassigned
  Saucy                    Fix Released   Undecided    Unassigned

Bug Description

[Impact]

 * Opening spreadsheets in LibreOffice crashes X.

[Test Case]

 * Open the attached document ( plantage-mai-only-empty.ods )

[Regression Potential]

 * n/a

[Other Info]

 * Patch is backport from upstream - http://cgit.freedesktop.org/pixman/commit/?id=5e14da97f16e421d084a9e735be21b1025150f0c .
 * Alternate test case, http://cgit.freedesktop.org/pixman/commit/?id=2f876cf86718d3dd9b3b04ae9552530edafe58a1

Bryan Quigley (bryanquigley) wrote :

StacktraceTop:
 pixman_region32_fini (region=region@entry=0x7f73ec53af98) at ../../pixman/pixman-region.c:416
 _pixman_image_fini (image=image@entry=0x7f73ec53af90) at ../../pixman/pixman-image.c:146
 pixman_image_unref (image=image@entry=0x7f73ec53af90) at ../../pixman/pixman-image.c:211
 free_pixman_pict (pict=pict@entry=0x7f73ec393410, image=image@entry=0x7f73ec53af90) at ../../fb/fbpict.c:346
 fbRasterizeTrapezoid (pPicture=0x7f73ec393410, trap=0x7f73ec2b0920, x_off=-145, y_off=0) at ../../fb/fbtrap.c:63

Changed in xorg-server (Ubuntu):
importance: Undecided → Medium
tags: removed: need-amd64-retrace
Bryan Quigley (bryanquigley) wrote :

FYI: I reported this crashdump from my 12.04 install (even though it was generated on 13.10).

summary: - Excel spreadsheet causes full Xorg crash with Anti-Aliasing enabled
+ LibreOffice spreadsheet causes full Xorg crash with Anti-Aliasing enabled
description: updated
information type: Private → Public
Bryan Quigley (bryanquigley) wrote :

This is the file (with confidential data removed) that will crash both LibreOffice and Xorg.

description: updated
description: updated
tags: added: i286 raring
tags: added: i386
removed: i286
Changed in xorg-server (Ubuntu):
status: New → Confirmed
tags: added: precise

Created attachment 83211
test document

Opening the attached file with LibreOffice with anti-aliasing enabled will crash the Intel Xorg driver (see the Launchpad bug for details). While a crashing driver is not our bug, it might still be worth a look to see if we are asking anything illegal from X or if we can work around the driver bug easily.

Observable with LO 3.5 through 4.1 -> confirming.

Feel free to close as NOTOURBUG, if we do not want to make such workarounds.

Changed in df-libreoffice:
importance: Unknown → Low
status: Unknown → Confirmed

Also adding pixman itself -- it's where the crash happens, and it can be an internal bug just as well as API abuse by Xorg.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libreoffice (Ubuntu):
status: New → Confirmed
Changed in pixman (Ubuntu):
status: New → Confirmed
information type: Public → Public Security
Timo Aaltonen (tjaalton) on 2013-09-26
Changed in xorg-server (Ubuntu):
importance: Medium → High
status: Confirmed → Triaged

Created attachment 86883
proposed patch

Program received signal SIGSEGV, Segmentation fault.
0x00000033834488f6 in rasterize_edges_8 (image=<optimized out>,
    image=<optimized out>, image=<optimized out>, b=<optimized out>,
    t=<optimized out>, r=<optimized out>, l=<optimized out>)
    at pixman-edge.c:210
210 WRITE (image, ap + lxi,
(gdb) bt
#0 0x00007f895bdd38f6 in rasterize_edges_8 (image=<optimized out>, image=<optimized out>, image=<optimized out>, b=<optimized out>,
    t=<optimized out>, r=<optimized out>, l=<optimized out>) at pixman-edge.c:210
#1 pixman_rasterize_edges_no_accessors (b=<optimized out>, t=<optimized out>, r=<optimized out>, l=<optimized out>, image=<optimized out>)
    at pixman-edge.c:359
#2 pixman_rasterize_edges (image=0xffffffff, image@entry=0x1cc9bc0, l=0x7fff8dcfd410, r=0x7fff8dcfd440, t=1055852681, b=2147481463)
    at pixman-edge.c:382
#3 0x00007f895bdf109e in pixman_rasterize_trapezoid (image=image@entry=0x1cc9bc0, trap=trap@entry=0x1bf02a8, x_off=129, y_off=0)
    at pixman-trap.c:386
#4 0x00007f895aff6623 in uxa_trapezoids (op=<optimized out>, src=0x1cd7b10, dst=0x1cd5950, maskFormat=0x16a6eb8, xSrc=<optimized out>,
    ySrc=<optimized out>, ntrap=<optimized out>, traps=0x1bf02a8) at uxa-render.c:1816
#5 0x00000000005251bf in ProcRenderTrapezoids (client=0x1be9030) at render.c:759
#6 0x000000000043a137 in Dispatch () at dispatch.c:432
#7 0x00000000004286ca in main (argc=12, argv=0x7fff8dcfd788, envp=<optimized out>) at main.c:298
(gdb) fram 3
#3 0x00007f895bdf109e in pixman_rasterize_trapezoid (image=image@entry=0x1cc9bc0, trap=trap@entry=0x1bf02a8, x_off=129, y_off=0)
    at pixman-trap.c:386
386 pixman_rasterize_edges (image, &l, &r, t, b);
(gdb) list 359
354 pixman_fixed_t y_off_fixed;
355 pixman_edge_t l, r;
356 pixman_fixed_t t, b;
357
358 return_if_fail (image->type == BITS);
359
360 _pixman_image_validate (image);
361
362 if (!pixman_trapezoid_valid (trap))
363 return;
...
380 if (b >= t)
381 {
382 /* initialize edge walkers */
383 pixman_line_fixed_edge_init (&l, bpp, t, &trap->left, x_off, y_off);
384 pixman_line_fixed_edge_init (&r, bpp, t, &trap->right, x_off, y_off);
385
386 pixman_rasterize_edges (image, &l, &r, t, b);
387 }
388 }

(gdb) p *trap
$8 = {top = 32768, bottom = -2147483648, left = {p1 = {x = -8454144, y = 32768}, p2 = {x = -8454144, y = -2147483648}}, right = {p1 = {x = -8388608, y = 32768}, p2 = {x = -8388608, y = -2147483648}}}

from pixman.h

1029 /* whether 't' is a well defined not obviously empty trapezoid */
1030 #define pixman_trapezoid_valid(t) \
1031 ((t)->left.p1.y != (t)->left.p2.y && \
1032 (t)->right.p1.y != (t)->right.p2.y && \
1033 (int) ((t)->bottom - (t)->top) > 0) <--- haw haw
1034

An underflow. The proposed patch checks if bottom > 0 (assuming top/bottom are non-negative integers).

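The arithmetic behind the crash, as an added example that is not code from pixman, xorg-server or any of the patches attached to this bug. It declares local copies of the pixman types (the real ones live in pixman.h), feeds the exact trapezoid printed by "p *trap" above through the pre-fix check and through the direct comparison that the security changelogs on this bug describe ("verify (t)->bottom > (t)->top"), and also runs a constructed, well-formed trapezoid through both. One assumption is labelled in the code: the original macro subtracts two int32 values and overflows, which is undefined behaviour in C, so the example does that subtraction in uint32_t to model the wrap-around the compiled code actually produced.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Local copies of the pixman types involved; pixman_fixed_t is a 16.16
 * fixed-point number held in a signed 32-bit int, as in pixman.h. */
typedef int32_t pixman_fixed_t;
typedef struct { pixman_fixed_t x, y; } pixman_point_fixed_t;
typedef struct { pixman_point_fixed_t p1, p2; } pixman_line_fixed_t;
typedef struct {
    pixman_fixed_t top, bottom;
    pixman_line_fixed_t left, right;
} pixman_trapezoid_t;

/* The pre-fix height test "(int)(bottom - top) > 0". The real macro does
 * this subtraction on int32 values and overflows (undefined behaviour);
 * here it is done in uint32_t (assumption: two's-complement wrap-around),
 * which reproduces the large positive value the compiled code produced. */
static int32_t wrapped_height(const pixman_trapezoid_t *t)
{
    return (int32_t)((uint32_t)t->bottom - (uint32_t)t->top);
}

static bool trapezoid_valid_original(const pixman_trapezoid_t *t)
{
    return t->left.p1.y != t->left.p2.y &&
           t->right.p1.y != t->right.p2.y &&
           wrapped_height(t) > 0;
}

/* The shape of the fix that shipped: compare bottom and top directly.
 * A comparison cannot overflow, so INT32_MIN can never look "tall". */
static bool trapezoid_valid_fixed(const pixman_trapezoid_t *t)
{
    return t->left.p1.y != t->left.p2.y &&
           t->right.p1.y != t->right.p2.y &&
           t->bottom > t->top;
}

/* The trapezoid printed by "p *trap" in the gdb session above. */
static pixman_trapezoid_t crasher_trap(void)
{
    pixman_trapezoid_t t = {
        .top = 32768, .bottom = INT32_MIN,
        .left  = { { -8454144, 32768 }, { -8454144, INT32_MIN } },
        .right = { { -8388608, 32768 }, { -8388608, INT32_MIN } },
    };
    return t;
}

/* A constructed, well-formed trapezoid (one pixel tall in 16.16 fixed
 * point) to show that both checks agree on ordinary input. */
static pixman_trapezoid_t sane_trap(void)
{
    pixman_trapezoid_t t = {
        .top = 0, .bottom = 65536,
        .left  = { { 0, 0 }, { 0, 65536 } },
        .right = { { 65536, 0 }, { 65536, 65536 } },
    };
    return t;
}

/* Named wrappers so each verdict can be checked individually. */
static int32_t crasher_wrapped_height(void) { pixman_trapezoid_t t = crasher_trap(); return wrapped_height(&t); }
static bool crasher_passes_original(void)   { pixman_trapezoid_t t = crasher_trap(); return trapezoid_valid_original(&t); }
static bool crasher_passes_fixed(void)      { pixman_trapezoid_t t = crasher_trap(); return trapezoid_valid_fixed(&t); }
static bool sane_passes_original(void)      { pixman_trapezoid_t t = sane_trap();    return trapezoid_valid_original(&t); }
static bool sane_passes_fixed(void)         { pixman_trapezoid_t t = sane_trap();    return trapezoid_valid_fixed(&t); }

int main(void)
{
    printf("crasher: bottom - top wraps to %d; original check: %s; fixed check: %s\n",
           crasher_wrapped_height(),
           crasher_passes_original() ? "valid" : "invalid",
           crasher_passes_fixed() ? "valid" : "invalid");
    printf("sane:    original check: %s; fixed check: %s\n",
           sane_passes_original() ? "valid" : "invalid",
           sane_passes_fixed() ? "valid" : "invalid");
    return 0;
}
```

The original check accepts the crashing trapezoid because INT32_MIN - 32768 wraps to 2147450880, so the rasterizer is handed a "valid" shape whose edges run from y = 32768 down to INT32_MIN and walks off the image. The fixed check rejects it and still accepts the ordinary trapezoid, which is the property the pixman test case added on this bug exercises.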
Maarten Lankhorst (mlankhorst) wrote :
Changed in xorg-server (Ubuntu):
assignee: nobody → Maarten Lankhorst (mlankhorst)

Created attachment 87290
proposed patch

Thanks for the patch. Do you mind sending it to <email address hidden> for review?

Also, if you have a test that demonstrates the issue, it would be valuable to add to the test suite in the pixman/test directory.

Created attachment 87659
proposed patch with test case

posted for review at http://lists.freedesktop.org/archives/pixman/2013-October/003087.html

Thanks for the test case, that's much appreciated. Just a few comments:

- We might as well extend the existing trap-crasher test instead of adding a new one that is a near duplicate.

- The test should ideally be added in its own commit before the fix so that it's easy to verify that the fix actually fixes the test case

- We need all patches to go through the mailing list, including this updated one. I have added you to the mailman whitelist, so it won't get stuck in moderation if you send it.

Norbert (nrbrtx) wrote :

Reproduced this bug on Ubuntu 13.10 final i386, under Unity session, with Nvidia proprietary driver (304.88-0ubuntu8).

Ritesh Khadgaray (khadgaray) wrote :

Hi @Norbert

  Is this with the patch ?

Norbert (nrbrtx) wrote :

Hello, Ritesh!

No, it is without patch. All packages installed from binary form (Ubuntu 13.10 i686 repos).

Created attachment 87924
test case

Created attachment 87925
proposed patch

Changed in pixman (Ubuntu):
status: Confirmed → Triaged
Changed in libreoffice (Ubuntu):
status: Confirmed → Triaged
Changed in pixman (Ubuntu):
importance: Undecided → High
Changed in libreoffice (Ubuntu):
importance: Undecided → High

The attachment "proposed patch for saucy" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xorg-server - 2:1.14.3-3ubuntu3

---------------
xorg-server (2:1.14.3-3ubuntu3) trusty; urgency=low

  * pixman-validate.patch: Do not render invalid trapezoids. (LP: #1197921)
 -- Maarten Lankhorst <email address hidden> Wed, 23 Oct 2013 12:11:27 +0200

Changed in xorg-server (Ubuntu):
status: Triaged → Fix Released

Since the affected package is "xorg-server (Ubuntu)", it isn't "libreoffice (Ubuntu)" or "pixman (Ubuntu)".

Changed in xorg-server (Ubuntu):
assignee: Maarten Lankhorst (mlankhorst) → nobody
Changed in pixman (Ubuntu):
status: Triaged → Invalid
Changed in libreoffice (Ubuntu):
status: Triaged → Invalid
affects: df-libreoffice → pixman
Maarten Lankhorst (mlankhorst) wrote :

No, it really is a bug in pixman too. I just fixed the same comparison that happens in xorg-server, but pixman is still affected.

Changed in pixman (Ubuntu):
status: Invalid → Confirmed
Changed in pixman (Ubuntu):
status: Confirmed → Triaged
Sebastien Bacher (seb128) wrote :

Maarten, could you review/sponsor the libpixman patch there?

Changed in pixman (Ubuntu):
assignee: nobody → Maarten Lankhorst (mlankhorst)
Norbert (nrbrtx) wrote :

Ubuntu Precise 12.04.3 (amd64) with libreoffice-calc 1:3.5.7-0ubuntu4 is affected too. Xorg crashed.

Fixed in commit 2f876cf86718d3dd9b3b04ae9552530edafe58a1 in pixman.

Maarten Lankhorst (mlankhorst) wrote :

Fix released in debian, will be synced to trusty automatically. Please propose a fix for saucy, I want to backport saucy's version to raring, quantal and precise later on. :)

Changed in pixman (Ubuntu):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pixman - 0.30.2-2

---------------
pixman (0.30.2-2) sid; urgency=low

  * Cherry-pick upstream bugfixes for fixing a crash when rendering
    invalid trapezoids. (LP: #1197921)

 -- Maarten Lankhorst <email address hidden> Mon, 18 Nov 2013 15:08:56 +0100

Changed in pixman (Ubuntu):
status: Fix Committed → Fix Released
Changed in pixman:
status: Confirmed → Fix Released
Ritesh Khadgaray (khadgaray) wrote :
description: updated
no longer affects: libreoffice (Ubuntu Precise)
no longer affects: libreoffice (Ubuntu Quantal)
no longer affects: libreoffice (Ubuntu Raring)
no longer affects: libreoffice (Ubuntu Saucy)
Jamie Strandboge (jdstrand) wrote :

Ritesh, thanks for your patches! A couple of notes:
- these are security patches, so you should use <release>-security instead of <release>-proposed
- I'm not sure if launchpad would autoclose a bug with 'lp: #1197921' in the changelog, but that is non-conventional. You should use 'LP: #1197921' instead
- there is no patch attribution or origin in DEP-3 comments in the patch in debian/patches
- because it is a security update, it should follow the changelog format as described in https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging. This doesn't yet have a CVE assignment, so use CVE-YYYY-NNNN as a placeholder
- there is an extra line of whitespace in debian/changelog
- the patch is missing the test case. Looks like the patch is 5e14da97f16e421d084a9e735be21b1025150f0c and the test case 2f876cf86718d3dd9b3b04ae9552530edafe58a1

NAK in its current form, but I'll fix it up and push it out as a security update.

Jamie Strandboge (jdstrand) wrote :

Ritesh: one more thing, you add a quilt patch but the series file was not updated.

Jamie Strandboge (jdstrand) wrote :

Ritesh: oops, sorry, you did update the series file correctly (I was comparing it to the Debian update which didn't use the quilt patch system and got confused).

Changed in pixman (Ubuntu Precise):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in pixman (Ubuntu Quantal):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in pixman (Ubuntu Raring):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in pixman (Ubuntu Saucy):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand) wrote :

FYI, the freedesktop.org bug is for pixman, not xorg. The xorg-server patch is in patchwork:
http://patchwork.freedesktop.org/patch/14769/

but has not received comment from xorg yet. The CVE request CC'd xorg_security, but the message is in moderation.

Changed in pixman (Ubuntu Precise):
importance: Medium → Low
Changed in pixman (Ubuntu Quantal):
importance: Medium → Low
Changed in pixman (Ubuntu Raring):
importance: Medium → Low
Changed in pixman (Ubuntu Saucy):
importance: Medium → Low
Changed in pixman (Ubuntu):
importance: High → Low
Changed in pixman (Ubuntu Precise):
status: In Progress → Fix Committed
Changed in pixman (Ubuntu Quantal):
status: In Progress → Fix Committed
Changed in pixman (Ubuntu Raring):
status: In Progress → Fix Committed
Changed in pixman (Ubuntu Saucy):
status: In Progress → Fix Committed
Changed in pixman (Ubuntu Precise):
importance: Low → Medium
Changed in pixman (Ubuntu Quantal):
importance: Low → Medium
Changed in pixman (Ubuntu Raring):
importance: Low → Medium
Changed in pixman (Ubuntu Saucy):
importance: Low → Medium
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pixman - 0.30.2-1ubuntu0.1

---------------
pixman (0.30.2-1ubuntu0.1) saucy-security; urgency=low

  * SECURITY UPDATE: Fix underflow when bottom is close to MIN_INT
    - debian/patches/security-lp1197921.patch: verify (t)->bottom > (t)->top)
    - LP: #1197921
    - CVE-YYYY-NNNN
 -- Jamie Strandboge <email address hidden> Tue, 03 Dec 2013 12:07:19 -0600

Changed in pixman (Ubuntu Saucy):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pixman - 0.28.2-0ubuntu1.1

---------------
pixman (0.28.2-0ubuntu1.1) raring-security; urgency=low

  * SECURITY UPDATE: Fix underflow when bottom is close to MIN_INT
    - debian/patches/security-lp1197921.patch: verify (t)->bottom > (t)->top)
    - LP: #1197921
    - CVE-YYYY-NNNN
 -- Jamie Strandboge <email address hidden> Tue, 03 Dec 2013 12:09:34 -0600

Changed in pixman (Ubuntu Raring):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pixman - 0.26.0-3ubuntu0.1

---------------
pixman (0.26.0-3ubuntu0.1) quantal-security; urgency=low

  * SECURITY UPDATE: Fix underflow when bottom is close to MIN_INT
    - debian/patches/security-lp1197921.patch: verify (t)->bottom > (t)->top)
    - LP: #1197921
    - CVE-YYYY-NNNN
 -- Jamie Strandboge <email address hidden> Tue, 03 Dec 2013 12:11:32 -0600

Changed in pixman (Ubuntu Quantal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pixman - 0.24.4-1ubuntu0.1

---------------
pixman (0.24.4-1ubuntu0.1) precise-security; urgency=low

  * SECURITY UPDATE: Fix underflow when bottom is close to MIN_INT
    - debian/patches/security-lp1197921.patch: verify (t)->bottom > (t)->top)
    - LP: #1197921
    - CVE-YYYY-NNNN
 -- Jamie Strandboge <email address hidden> Tue, 03 Dec 2013 12:16:20 -0600

Changed in pixman (Ubuntu Precise):
status: Fix Committed → Fix Released
Changed in pixman (Ubuntu):
importance: Low → Medium
Norbert (nrbrtx) wrote :

Thank you, package 0.24.4-1ubuntu0.1 fixes this bug in Precise.

Jamie Strandboge (jdstrand) wrote :

From oss-security:
Please use CVE-2013-6424 for the issue in xorg-server

Please use CVE-2013-6425 for the issue in pixman.

Hello Bryan, or anyone else affected,

Accepted xorg-server into saucy-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/xorg-server/2:1.14.5-1ubuntu2~saucy1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in xorg-server (Ubuntu Saucy):
status: New → Fix Committed
tags: added: verification-needed
Timo Aaltonen (tjaalton) wrote :

Bryan, verifying this upload is needed to unblock further updates for 12.04.4.. so please give the new version a go.

Bryan Quigley (bryanquigley) wrote :

@Timo
Downgraded pixman for the test (so it would actually crash)
Upgraded only xserver-common and xserver-xorg-core
It still crashes Xorg if we don't have the pixman fix..

This is trivially reproducible in a VM (I'm using vagrant/virtualbox).

tags: added: verification-failed
removed: verification-needed
Maarten Lankhorst (mlankhorst) wrote :

This appears to be incorrect. I just tried reproducing it. Upgrading xserver-xorg-core and restarting Xorg fixes it, did you restart Xorg?

tags: added: verification-needed
removed: verification-failed
Bryan Quigley (bryanquigley) wrote :

@Maarten
Did you downgrade libpixman? Were you able to reproduce the crash first?
I rebooted the VM between tests.

Maarten Lankhorst (mlankhorst) wrote :

Yes I was able to reproduce the crashing bug. Anyway because this issue was already fixed in libpixman I don't think it's really important to worry about it too much.

Norbert (nrbrtx) wrote :

Ubuntu 14.04 is not affected.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xorg-server - 2:1.14.5-1ubuntu2~saucy1

---------------
xorg-server (2:1.14.5-1ubuntu2~saucy1) saucy-proposed; urgency=low

  * Copy package back to saucy-proposed from trusty.
    - There's a MRE for xorg-server.
    - Fixes mesa >= 10 support on saucy.
    - Fix a timer bug in the sync code. (LP: #1238410)
  * Changes in packaging:
    - Fix gpu screen output hotplugging. (LP: #1259561)
    - Do not render invalid trapezoids. (LP: #1197921) (CVE-2013-6424)
    - Fix for CVE-2013-1056.
 -- Maarten Lankhorst <email address hidden> Mon, 16 Dec 2013 13:27:58 +0100

Changed in xorg-server (Ubuntu Saucy):
status: Fix Committed → Fix Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in xorg-server (Ubuntu Precise):
status: New → Confirmed
Changed in xorg-server (Ubuntu Quantal):
status: New → Confirmed
Changed in xorg-server (Ubuntu Raring):
status: New → Confirmed
Simon Tremblay (tremblaysimon) wrote :

Do you know why the package libpixman 0.30.2-2 is only available in Trusty? (comment #35)

Is there an easy way to get that package for Saucy?

I've got that crash even if I'm updated to latest package for xorg-server 2:1.14.5-1ubuntu2 and libpixman 0.30.2-1 (note that is -1 not -2).

Changed in xorg-server (Ubuntu Raring):
status: Confirmed → Won't Fix