LibreOffice spreadsheet causes full Xorg crash with Anti-Aliasing enabled
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Pixman | Fix Released | Low | | |
libreoffice (Ubuntu) | | High | Unassigned | |
pixman (Ubuntu) | | Medium | Maarten Lankhorst | |
Precise | | Medium | Jamie Strandboge | |
Quantal | | Medium | Jamie Strandboge | |
Raring | | Medium | Jamie Strandboge | |
Saucy | | Medium | Jamie Strandboge | |
xorg-server (Ubuntu) | | High | Unassigned | |
Precise | | Undecided | Unassigned | |
Quantal | | Undecided | Unassigned | |
Raring | | Undecided | Unassigned | |
Saucy | | Undecided | Unassigned | |
Bug Description
[Impact]
* Opening spreadsheets in libreoffice crashes X.
[Test Case]
* Open the attached document ( plantage-
[Regression Potential]
* n/a
[Other Info]
* Patch is backport from upstream - http://
* Alternate test case, http://
Bryan Quigley (bryanquigley) wrote : | #1 |
Apport retracing service (apport) wrote : | #2 |
Changed in xorg-server (Ubuntu): | |
importance: | Undecided → Medium |
tags: | removed: need-amd64-retrace |
Bryan Quigley (bryanquigley) wrote : | #5 |
FYI: I reported this crashdump from my 12.04 install (even though it was generated on 13.10).
summary: |
- Excel spreadsheet causes full Xorg crash with Anti-Aliasing enabled + LibreOffice spreadsheet causes full Xorg crash with Anti-Aliasing + enabled |
description: | updated |
information type: | Private → Public |
Bryan Quigley (bryanquigley) wrote : | #6 |
This is the file (with confidential data removed) that will crash both LibreOffice and Xorg.
description: | updated |
Christopher M. Peñalver (penalvch) wrote : | #7 |
description: | updated |
tags: | added: i286 raring |
tags: |
added: i386 removed: i286 |
Changed in xorg-server (Ubuntu): | |
status: | New → Confirmed |
tags: | added: precise |
Created attachment 83211
test document
Opening the attached file with LibreOffice with enabled anti-aliasing will crash the Intel Xorg driver (see launchpad bug for details). While a crashing driver is not our bug, it might still be worth a look to see if we are asking anything illegal from X or if we can work around the driver bug easily.
Observable with LO 3.5 through 4.1 -> confirming.
Feel free to close as NOTOURBUG if we do not want to make such workarounds.
Changed in df-libreoffice: | |
importance: | Unknown → Low |
status: | Unknown → Confirmed |
Also adding pixman itself -- it's where the crash happens and it can be an internal bug just as well as API abuse by Xorg.
Launchpad Janitor (janitor) wrote : | #11 |
Status changed to 'Confirmed' because the bug affects multiple users.
Changed in libreoffice (Ubuntu): | |
status: | New → Confirmed |
Changed in pixman (Ubuntu): | |
status: | New → Confirmed |
information type: | Public → Public Security |
Changed in xorg-server (Ubuntu): | |
importance: | Medium → High |
status: | Confirmed → Triaged |
Created attachment 86883
proposed patch
Program received signal SIGSEGV, Segmentation fault.
0x00000033834488f6 in rasterize_edges_8 (image=<optimized out>,
image=
t=<optimized out>, r=<optimized out>, l=<optimized out>)
at pixman-edge.c:210
210 WRITE (image, ap + lxi,
(gdb) bt
#0 0x00007f895bdd38f6 in rasterize_edges_8 (image=<optimized out>, image=<optimized out>, image=<optimized out>, b=<optimized out>,
t=<optimized out>, r=<optimized out>, l=<optimized out>) at pixman-edge.c:210
#1 pixman_
at pixman-edge.c:359
#2 pixman_
at pixman-edge.c:382
#3 0x00007f895bdf109e in pixman_
at pixman-trap.c:386
#4 0x00007f895aff6623 in uxa_trapezoids (op=<optimized out>, src=0x1cd7b10, dst=0x1cd5950, maskFormat=
ySrc=<optimized out>, ntrap=<optimized out>, traps=0x1bf02a8) at uxa-render.c:1816
#5 0x00000000005251bf in ProcRenderTrape
#6 0x000000000043a137 in Dispatch () at dispatch.c:432
#7 0x00000000004286ca in main (argc=12, argv=0x7fff8dcf
(gdb) fram 3
#3 0x00007f895bdf109e in pixman_
at pixman-trap.c:386
386 pixman_
(gdb) list 359
354 pixman_fixed_t y_off_fixed;
355 pixman_edge_t l, r;
356 pixman_fixed_t t, b;
357
358 return_if_fail (image->type == BITS);
359
360 _pixman_
361
362 if (!pixman_
363 return;
...
380 if (b >= t)
381 {
382 /* initialize edge walkers */
383 pixman_
384 pixman_
385
386 pixman_
387 }
388 }
(gdb) p *trap
$8 = {top = 32768, bottom = -2147483648, left = {p1 = {x = -8454144, y = 32768}, p2 = {x = -8454144, y = -2147483648}}, right = {p1 = {
x = -8388608, y = 32768}, p2 = {x = -8388608, y = -2147483648}}}
from pixman.h
1029 /* whether 't' is a well defined not obviously empty trapezoid */
1030 #define pixman_
1031 ((t)->left.p1.y != (t)->left.p2.y && \
1032 (t)->right.p1.y != (t)->right.p2.y && \
1033 (int) ((t)->bottom - (t)->top) > 0) <--- haw haw
1034
An underflow. The proposed patch checks if bottom > 0 (assuming top/bottom are non-negative integers).
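Added example, not part of the original report and not pixman's own code: it feeds the trapezoid printed by gdb above through a subtraction-based validity check shaped like the quoted macro, and through a direct comparison as one overflow-free alternative (not necessarily the patch attached to this bug). The type and function names are this example's own, and the second trapezoid is a constructed sample.

```c
#include <stdint.h>
#include <stdio.h>

/* Types modelled on the `p *trap` output above; all names are this example's own. */
typedef int32_t fixed_t;                       /* 16.16 fixed point */
typedef struct { fixed_t x, y; } point_t;
typedef struct { point_t p1, p2; } line_t;
typedef struct { fixed_t top, bottom; line_t left, right; } trap_t;

/* bottom - top with two's-complement wraparound, done in unsigned arithmetic
 * because overflowing a signed subtraction is undefined behaviour in C. */
int32_t wrapped_height(trap_t t)
{
    return (int32_t)((uint32_t)t.bottom - (uint32_t)t.top);
}

/* Shape of the check quoted from pixman.h: validity depends on a difference. */
int valid_by_subtraction(trap_t t)
{
    return t.left.p1.y != t.left.p2.y &&
           t.right.p1.y != t.right.p2.y &&
           wrapped_height(t) > 0;
}

/* Overflow-free alternative: compare the two values directly. */
int valid_by_comparison(trap_t t)
{
    return t.left.p1.y != t.left.p2.y &&
           t.right.p1.y != t.right.p2.y &&
           t.bottom > t.top;
}

/* The trapezoid printed in the gdb session (bottom == INT32_MIN). */
trap_t crash_trap(void)
{
    trap_t t = { 32768, INT32_MIN, {{-8454144, 32768}, {-8454144, INT32_MIN}},
                 {{-8388608, 32768}, {-8388608, INT32_MIN}} };
    return t;
}

/* Constructed well-formed trapezoid: y runs from 0.0 to 1.0 in 16.16. */
trap_t sane_trap(void)
{
    trap_t t = { 0, 65536, {{0, 0}, {0, 65536}},
                 {{65536, 0}, {65536, 65536}} };
    return t;
}

int main(void)
{
    trap_t c = crash_trap(), s = sane_trap();
    printf("crash: height=%d subtract=%d compare=%d\n", (int)wrapped_height(c),
           valid_by_subtraction(c), valid_by_comparison(c));
    printf("sane:  height=%d subtract=%d compare=%d\n", (int)wrapped_height(s),
           valid_by_subtraction(s), valid_by_comparison(s));
    return 0;
}
```

For the gdb trapezoid the wrapped difference is a large positive number, so the subtraction-based check accepts a trapezoid whose bottom lies far above its top, while the direct comparison rejects it.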
Maarten Lankhorst (mlankhorst) wrote : | #13 |
Patch sent upstream for review.. http://
Changed in xorg-server (Ubuntu): | |
assignee: | nobody → Maarten Lankhorst (mlankhorst) |
Created attachment 87290
proposed patch
Additionally, been pushed for xserver
http://
Thanks for the patch. Do you mind sending it to <email address hidden> for review?
Also, if you have a test that demonstrates the issue, it would be valuable to add to the test suite in the pixman/test directory.
Created attachment 87659
proposed patch with test case
posted for review at http://
Thanks for the test case, that's much appreciated. Just a few comments:
- We might as well extend the existing trap-crasher test instead of adding a new one that is a near duplicate.
- The test should ideally be added in its own commit before the fix so that it's easy to verify that the fix actually fixes the test case
- We need all patches to go through the mailing list, including this updated one. I have added you to the mailman whitelist, so it won't get stuck in moderation if you send it.
Norbert (nrbrtx) wrote : | #21 |
Reproduced this bug on Ubuntu 13.10 final i386, under Unity session, with Nvidia proprietary driver (304.88-0ubuntu8).
Ritesh Khadgaray (khadgaray) wrote : | #22 |
Hi @Norbert
Is this with the patch ?
Norbert (nrbrtx) wrote : | #23 |
Hello, Ritesh!
No, it is without patch. All packages installed from binary form (Ubuntu 13.10 i686 repos).
Created attachment 87924
test case
Created attachment 87925
proposed patch
Changed in pixman (Ubuntu): | |
status: | Confirmed → Triaged |
Changed in libreoffice (Ubuntu): | |
status: | Confirmed → Triaged |
Changed in pixman (Ubuntu): | |
importance: | Undecided → High |
Changed in libreoffice (Ubuntu): | |
importance: | Undecided → High |
The attachment "proposed patch for saucy" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]
tags: | added: patch |
Launchpad Janitor (janitor) wrote : | #26 |
This bug was fixed in the package xorg-server - 2:1.14.3-3ubuntu3
---------------
xorg-server (2:1.14.3-3ubuntu3) trusty; urgency=low
* pixman-
-- Maarten Lankhorst <email address hidden> Wed, 23 Oct 2013 12:11:27 +0200
Changed in xorg-server (Ubuntu): | |
status: | Triaged → Fix Released |
Since the affected package is "xorg-server (Ubuntu)", it isn't "libreoffice (Ubuntu)" or "pixman (Ubuntu)".
Changed in xorg-server (Ubuntu): | |
assignee: | Maarten Lankhorst (mlankhorst) → nobody |
Changed in pixman (Ubuntu): | |
status: | Triaged → Invalid |
Changed in libreoffice (Ubuntu): | |
status: | Triaged → Invalid |
affects: | df-libreoffice → pixman |
Maarten Lankhorst (mlankhorst) wrote : | #28 |
No, it really is a bug in pixman too. I just fixed the same comparison that happens in xorg-server, but pixman is still affected.
Changed in pixman (Ubuntu): | |
status: | Invalid → Confirmed |
Changed in pixman (Ubuntu): | |
status: | Confirmed → Triaged |
Sebastien Bacher (seb128) wrote : | #31 |
Maarten, could you review/sponsor the libpixman patch there?
Changed in pixman (Ubuntu): | |
assignee: | nobody → Maarten Lankhorst (mlankhorst) |
Norbert (nrbrtx) wrote : | #32 |
Ubuntu Precise 12.04.3 (amd64) with libreoffice-calc 1:3.5.7-0ubuntu4 is affected too. Xorg crashed.
|
#36 |
Fixed in commit 2f876cf86718d3d
Maarten Lankhorst (mlankhorst) wrote : | #34 |
Fix released in debian, will be synced to trusty automatically. Please propose a fix for saucy, I want to backport saucy's version to raring, quantal and precise later on. :)
Changed in pixman (Ubuntu): | |
status: | Triaged → Fix Committed |
Launchpad Janitor (janitor) wrote : | #35 |
This bug was fixed in the package pixman - 0.30.2-2
---------------
pixman (0.30.2-2) sid; urgency=low
* Cherry-pick upstream bigfixes for fixing a crash when rendering
invalid trapezoids. (LP: #1197921)
-- Maarten Lankhorst <email address hidden> Mon, 18 Nov 2013 15:08:56 +0100
Changed in pixman (Ubuntu): | |
status: | Fix Committed → Fix Released |
Changed in pixman: | |
status: | Confirmed → Fix Released |
Ritesh Khadgaray (khadgaray) wrote : | #37 |
Ritesh Khadgaray (khadgaray) wrote : | #38 |
Ritesh Khadgaray (khadgaray) wrote : | #39 |
no longer affects: | libreoffice (Ubuntu Precise) |
no longer affects: | libreoffice (Ubuntu Quantal) |
no longer affects: | libreoffice (Ubuntu Raring) |
no longer affects: | libreoffice (Ubuntu Saucy) |
Jamie Strandboge (jdstrand) wrote : | #41 |
Ritesh, thanks for your patches! A couple of notes:
- these are security patches, so you should use <release>-security instead of <release>-proposed
- I'm not sure if launchpad would autoclose a bug with 'lp: #1197921' in the changelog, but that is non-conventional. You should use 'LP: #1197921' instead
- there is no patch attribution or origin in DEP-3 comments in the patch in debian/patches
- because it is a security update, it should follow the changelog format as described in https:/
- there is an extra line of whitespace in debian/changelog
- the patch is missing the test case. Looks like the patch is 5e14da97f16e421
NAK in its current form, but I'll fix it up and push it out as a security update.
Jamie Strandboge (jdstrand) wrote : | #42 |
Ritesh: one more thing, you add a quilt patch but the series file was not updated.
Jamie Strandboge (jdstrand) wrote : | #43 |
Jamie Strandboge (jdstrand) wrote : | #44 |
Ritesh: oops, sorry, you did update the series file correctly (I was comparing it to the Debian update which didn't use the quilt patch system and got confused).
Changed in pixman (Ubuntu Precise): | |
status: | New → In Progress |
importance: | Undecided → Medium |
assignee: | nobody → Jamie Strandboge (jdstrand) |
Changed in pixman (Ubuntu Quantal): | |
status: | New → In Progress |
importance: | Undecided → Medium |
assignee: | nobody → Jamie Strandboge (jdstrand) |
Changed in pixman (Ubuntu Raring): | |
status: | New → In Progress |
importance: | Undecided → Medium |
assignee: | nobody → Jamie Strandboge (jdstrand) |
Changed in pixman (Ubuntu Saucy): | |
status: | New → In Progress |
importance: | Undecided → Medium |
assignee: | nobody → Jamie Strandboge (jdstrand) |
Jamie Strandboge (jdstrand) wrote : | #45 |
FYI, the freedesktop.org bug is for pixman, not xorg. The xorg-server patch is in patchwork:
http://
but has not received comment from xorg yet. The CVE request CC'd xorg_security, but the message is in moderation.
Changed in pixman (Ubuntu Precise): | |
importance: | Medium → Low |
Changed in pixman (Ubuntu Quantal): | |
importance: | Medium → Low |
Changed in pixman (Ubuntu Raring): | |
importance: | Medium → Low |
Changed in pixman (Ubuntu Saucy): | |
importance: | Medium → Low |
Changed in pixman (Ubuntu): | |
importance: | High → Low |
Changed in pixman (Ubuntu Precise): | |
status: | In Progress → Fix Committed |
Changed in pixman (Ubuntu Quantal): | |
status: | In Progress → Fix Committed |
Changed in pixman (Ubuntu Raring): | |
status: | In Progress → Fix Committed |
Changed in pixman (Ubuntu Saucy): | |
status: | In Progress → Fix Committed |
Changed in pixman (Ubuntu Precise): | |
importance: | Low → Medium |
Changed in pixman (Ubuntu Quantal): | |
importance: | Low → Medium |
Changed in pixman (Ubuntu Raring): | |
importance: | Low → Medium |
Changed in pixman (Ubuntu Saucy): | |
importance: | Low → Medium |
Launchpad Janitor (janitor) wrote : | #46 |
This bug was fixed in the package pixman - 0.30.2-1ubuntu0.1
---------------
pixman (0.30.2-1ubuntu0.1) saucy-security; urgency=low
* SECURITY UPDATE: Fix underflow when bottom is close to MIN_INT
- debian/
- LP: #1197921
- CVE-YYYY-NNNN
-- Jamie Strandboge <email address hidden> Tue, 03 Dec 2013 12:07:19 -0600
Changed in pixman (Ubuntu Saucy): | |
status: | Fix Committed → Fix Released |
Launchpad Janitor (janitor) wrote : | #47 |
This bug was fixed in the package pixman - 0.28.2-0ubuntu1.1
---------------
pixman (0.28.2-0ubuntu1.1) raring-security; urgency=low
* SECURITY UPDATE: Fix underflow when bottom is close to MIN_INT
- debian/
- LP: #1197921
- CVE-YYYY-NNNN
-- Jamie Strandboge <email address hidden> Tue, 03 Dec 2013 12:09:34 -0600
Changed in pixman (Ubuntu Raring): | |
status: | Fix Committed → Fix Released |
Launchpad Janitor (janitor) wrote : | #48 |
This bug was fixed in the package pixman - 0.26.0-3ubuntu0.1
---------------
pixman (0.26.0-3ubuntu0.1) quantal-security; urgency=low
* SECURITY UPDATE: Fix underflow when bottom is close to MIN_INT
- debian/
- LP: #1197921
- CVE-YYYY-NNNN
-- Jamie Strandboge <email address hidden> Tue, 03 Dec 2013 12:11:32 -0600
Changed in pixman (Ubuntu Quantal): | |
status: | Fix Committed → Fix Released |
Launchpad Janitor (janitor) wrote : | #49 |
This bug was fixed in the package pixman - 0.24.4-1ubuntu0.1
---------------
pixman (0.24.4-1ubuntu0.1) precise-security; urgency=low
* SECURITY UPDATE: Fix underflow when bottom is close to MIN_INT
- debian/
- LP: #1197921
- CVE-YYYY-NNNN
-- Jamie Strandboge <email address hidden> Tue, 03 Dec 2013 12:16:20 -0600
Changed in pixman (Ubuntu Precise): | |
status: | Fix Committed → Fix Released |
Changed in pixman (Ubuntu): | |
importance: | Low → Medium |
Norbert (nrbrtx) wrote : | #50 |
Thank you, package 0.24.4-1ubuntu0.1 fixes this bug in Precise.
Jamie Strandboge (jdstrand) wrote : | #51 |
From oss-security:
Please use CVE-2013-6424 for the issue in xorg-server
Please use CVE-2013-6425 for the issue in pixman.
Hello Bryan, or anyone else affected,
Accepted xorg-server into saucy-proposed. The package will build now and be available at http://
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-
Further information regarding the verification process can be found at https:/
Changed in xorg-server (Ubuntu Saucy): | |
status: | New → Fix Committed |
tags: | added: verification-needed |
Timo Aaltonen (tjaalton) wrote : | #53 |
Bryan, verifying this upload is needed to unblock further updates for 12.04.4.. so please give the new version a go.
Bryan Quigley (bryanquigley) wrote : | #54 |
@Timo
Downgraded pixman for the test (so it would actually crash)
Upgraded only xserver-common and xserver-xorg-core
It still crashes Xorg if we don't have the pixman fix..
This is trivially reproducible in a VM (I'm using vagrant/
tags: |
added: verification-failed removed: verification-needed |
Maarten Lankhorst (mlankhorst) wrote : | #55 |
This appears to be incorrect. I just tried reproducing it. Upgrading xserver-xorg-core and restarting Xorg fixes it, did you restart Xorg?
tags: |
added: verification-needed removed: verification-failed |
Bryan Quigley (bryanquigley) wrote : | #56 |
@Maarten
Did you downgrade libpixman? Were you able to reproduce the crash first?
I rebooted the VM between tests.
Maarten Lankhorst (mlankhorst) wrote : | #57 |
Yes I was able to reproduce the crashing bug. Anyway because this issue was already fixed in libpixman I don't think it's really important to worry about it too much.
Norbert (nrbrtx) wrote : | #58 |
Ubuntu 14.04 is not affected.
tags: |
added: verification-done removed: verification-needed |
Launchpad Janitor (janitor) wrote : | #59 |
This bug was fixed in the package xorg-server - 2:1.14.
---------------
xorg-server (2:1.14.
* Copy package back to saucy-proposed from trusty.
- There's a MRE for xorg-server.
- Fixes mesa >= 10 support on saucy.
- Fix a timer bug in the sync code. (LP: #1238410)
* Changes in packaging:
- Fix gpu screen output hotplugging. (LP: #1259561)
- Do not render invalid trapezoids. (LP: #1197921) (CVE-2013-6424)
- Fix for CVE-2013-1056.
-- Maarten Lankhorst <email address hidden> Mon, 16 Dec 2013 13:27:58 +0100
Changed in xorg-server (Ubuntu Saucy): | |
status: | Fix Committed → Fix Released |
The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
Launchpad Janitor (janitor) wrote : | #61 |
Status changed to 'Confirmed' because the bug affects multiple users.
Changed in xorg-server (Ubuntu Precise): | |
status: | New → Confirmed |
Changed in xorg-server (Ubuntu Quantal): | |
status: | New → Confirmed |
Changed in xorg-server (Ubuntu Raring): | |
status: | New → Confirmed |
Simon Tremblay (tremblaysimon) wrote : | #64 |
Do you know why the package libpixman 0.30.2-2 is only available in Trusty? (comment #35)
Is there an easy way to get that package for Saucy?
I've got that crash even if I'm updated to latest package for xorg-server 2:1.14.5-1ubuntu2 and libpixman 0.30.2-1 (note that is -1 not -2).
Changed in xorg-server (Ubuntu Raring): | |
status: | Confirmed → Won't Fix |
wizzor (visa-parviainen) wrote : | #65 |
@Norbert:
I can reproduce the crash using 14.04.
Changed in xorg-server (Ubuntu Quantal): | |
status: | Confirmed → Invalid |
Launchpad Janitor (janitor) wrote : | #66 |
This bug was fixed in the package xorg-server - 2:1.11.
---------------
xorg-server (2:1.11.
* SECURITY UPDATE: information leak and denial of service in
XkbSetGeometry
- debian/
xkb/xkb.c.
- CVE-2015-0255
* SECURITY UPDATE: denial of service via invalid trapezoid (LP: #1197921)
- debian/
in exa/exa_render.c, fix underflow in render/picture.h.
- CVE-2013-6424
* debian/
previous security update by allowing zero-height PutImage requests in
dix/dispatch.c.
-- Marc Deslauriers <email address hidden> Thu, 12 Feb 2015 08:57:17 -0500
Changed in xorg-server (Ubuntu Precise): | |
status: | Confirmed → Fix Released |
StacktraceTop:
pixman_region32_fini (region=region@entry=0x7f73ec53af98) at ../../pixman/pixman-region.c:416
_pixman_image_fini (image=image@entry=0x7f73ec53af90) at ../../pixman/pixman-image.c:146
pixman_image_unref (image=image@entry=0x7f73ec53af90) at ../../pixman/pixman-image.c:211
free_pixman_pict (pict=pict@entry=0x7f73ec393410, image=image@entry=0x7f73ec53af90) at ../../fb/fbpict.c:346
fbRasterizeTrapezoid (pPicture=0x7f73ec393410, trap=0x7f73ec2b0920, x_off=-145, y_off=0) at ../../fb/fbtrap.c:63