Re: Crashes with SVG image in mozilla-firefox

2007-03-18 Thread Kurt Miller
On Saturday 17 March 2007 9:41:27 am Eric Faurot wrote:
> On 3/17/07, Matthieu Herrb <[EMAIL PROTECTED]> wrote:
> 
> > Yes, it seems that cairo is feeding an invalid XImage structure to
> > XPutImage.
> 
> Right, I found it (patch attached). I tested it at depth 8, 16 and 24
> with XRender on and off. I think it should go into 4.1

Excellent! Committed, thank you.

-Kurt



Re: Crashes with SVG image in mozilla-firefox

2007-03-17 Thread Eric Faurot

On 3/17/07, Matthieu Herrb <[EMAIL PROTECTED]> wrote:

> Yes, it seems that cairo is feeding an invalid XImage structure to
> XPutImage.

Right, I found it (patch attached). I tested it at depth 8, 16 and 24
with XRender on and off. I think it should go into 4.1

Eric.


cairo.diff
Description: Binary data


Re: Crashes with SVG image in mozilla-firefox

2007-03-17 Thread Matthieu Herrb

Kurt Miller wrote:

> On Thursday 15 March 2007 4:07:48 pm Mikolaj Kucharski wrote:
>
> > Hi,
> >
> > When I open html with embedded SVG image I've got random crashes of
> > Firefox when I click with right button and try to navigate menu or when
> > I open main menu e.g. to check in help->about browser version. An
> > example page is here
> >
> >   http://www.ba.infn.it/~zito/xml/embed.html
> >
>
> Thanks for the report. I reproduced w/the debug version
> and have this backtrace info. Most likely suspect is
> cairo.


Yes, it seems that cairo is feeding an invalid XImage structure to 
XPutImage.

I think there are 2 problems:
- Cairo should not call XPutImage() with invalid data
- XPutImage() should validate its input and return an error instead. 
(You all heard of these vulnerabilities caused by invalid image 
structures, I guess. This is one of them...)


Unfortunately I've not managed to get a crash of firefox with this sample 
image. I will try on other machines, with more standard configurations 
(my desktop machine is an amd64, already running xenocara).


But if in the mean time someone could build his own libX11 with 
debugging symbols (see /usr/XF4/README for instructions) and try to 
print the XImage structure in gdb when it crashes, that would be 
appreciated.

--
Matthieu Herrb
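
An added example, not part of the thread and not the cairo patch or libX11 code: the kind of input check the message above asks for, applied before pixel data is copied. The thread does not say which XImage field was invalid, so this covers the general stride and buffer-size case; `struct img_desc`, its `data_len` field, `img_validate` and `img_check` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical descriptor mirroring a few XImage fields. data_len is an
 * assumption: a real XImage carries no buffer length, so the caller supplies it. */
struct img_desc {
    int width, height;      /* pixels */
    int depth;              /* significant bits per pixel */
    int bits_per_pixel;     /* storage bits per pixel */
    int bitmap_pad;         /* scanline alignment in bits: 8, 16 or 32 */
    int bytes_per_line;     /* stride claimed by the caller */
    const unsigned char *data;
    size_t data_len;        /* bytes really allocated behind data */
};

enum img_err { IMG_OK, IMG_BAD_DIMS, IMG_BAD_FORMAT, IMG_BAD_STRIDE, IMG_SHORT_BUFFER };
/* Reject a descriptor whose stride or buffer cannot hold width x height pixels. */
enum img_err img_validate(const struct img_desc *im)
{
    if (!im || !im->data || im->width <= 0 || im->height <= 0)
        return IMG_BAD_DIMS;
    if (im->bitmap_pad != 8 && im->bitmap_pad != 16 && im->bitmap_pad != 32)
        return IMG_BAD_FORMAT;
    if (im->depth < 1 || im->bits_per_pixel < im->depth || im->bits_per_pixel > 32)
        return IMG_BAD_FORMAT;
    /* 64-bit arithmetic so the products below cannot wrap. */
    uint64_t bits = (uint64_t)im->width * (uint64_t)im->bits_per_pixel;
    uint64_t pad = (uint64_t)im->bitmap_pad;
    uint64_t min_stride = (bits + pad - 1) / pad * (pad / 8);
    if (im->bytes_per_line <= 0 || (uint64_t)im->bytes_per_line < min_stride)
        return IMG_BAD_STRIDE;
    if ((uint64_t)im->bytes_per_line * (uint64_t)im->height > (uint64_t)im->data_len)
        return IMG_SHORT_BUFFER;
    return IMG_OK;
}

/* Wrapper for constructed test cases; the dummy buffer is never read. */
enum img_err img_check(int w, int h, int depth, int bpp, int pad, int stride, size_t len)
{
    static const unsigned char dummy[1] = { 0 };
    struct img_desc im = { w, h, depth, bpp, pad, stride, dummy, len };
    return img_validate(&im);
}

int main(void)
{   /* Constructed case: 87x15 image, 32 bpp, but a one-byte-per-pixel stride. */
    printf("%d\n", img_check(87, 15, 24, 32, 32, 87, 87 * 15));
    return 0;
}
```

A copy routine that trusted `bytes_per_line` and `height` from the rejected descriptors would read past the end of the source buffer, which is the failure shape the `memcpy` frame at the top of the backtrace suggests.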



Re: Crashes with SVG image in mozilla-firefox

2007-03-17 Thread Eric Faurot

On 3/16/07, Eric Faurot <[EMAIL PROTECTED]> wrote:

> I can not reproduce this. It works ok here with the following config:
> $ pkg_info | grep mozilla-firefox
> mozilla-firefox-2.0.0.1p1 redesign of Mozilla's browser component
> $ dmesg | head -n2
> OpenBSD 4.1-beta (GENERIC) #830: Tue Feb 13 09:34:36 MST 2007
>    [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC


Ok I have reproduced it. It is indeed something wrong in cairo.
I'll be working on it.

Eric.



Re: Crashes with SVG image in mozilla-firefox

2007-03-16 Thread Mikolaj Kucharski
On Fri, Mar 16, 2007 at 08:52:47PM +0100, Eric Faurot wrote:
> >Thanks for the report. I reproduced w/the debug version
> >and have this backtrace info. Most likely suspect is
> >cairo.
> 
> I can not reproduce this. It works ok here with the following config:
> $ pkg_info | grep mozilla-firefox
> mozilla-firefox-2.0.0.1p1 redesign of Mozilla's browser component
> $ dmesg | head -n2
> OpenBSD 4.1-beta (GENERIC) #830: Tue Feb 13 09:34:36 MST 2007
>[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC
> 
> I'll update my system and try again this weekend.
> Can you give more info about your X config?

$ file /etc/X11/xorg.conf
/etc/X11/xorg.conf: cannot open (No such file or directory)

-- 
best regards
q#



Re: Crashes with SVG image in mozilla-firefox

2007-03-16 Thread Eric Faurot

On 3/16/07, Kurt Miller <[EMAIL PROTECTED]> wrote:

> On Thursday 15 March 2007 4:07:48 pm Mikolaj Kucharski wrote:
> > Hi,
> >
> > When I open html with embedded SVG image I've got random crashes of
> > Firefox when I click with right button and try to navigate menu or when
> > I open main menu e.g. to check in help->about browser version. An
> > example page is here
> >
> >   http://www.ba.infn.it/~zito/xml/embed.html
> >
>
> Thanks for the report. I reproduced w/the debug version
> and have this backtrace info. Most likely suspect is
> cairo.


I can not reproduce this. It works ok here with the following config:
$ pkg_info | grep mozilla-firefox
mozilla-firefox-2.0.0.1p1 redesign of Mozilla's browser component
$ dmesg | head -n2
OpenBSD 4.1-beta (GENERIC) #830: Tue Feb 13 09:34:36 MST 2007
   [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC

I'll update my system and try again this weekend.
Can you give more info about your X config?

Eric.



Re: Crashes with SVG image in mozilla-firefox

2007-03-15 Thread Kurt Miller
On Thursday 15 March 2007 4:07:48 pm Mikolaj Kucharski wrote:
> Hi,
> 
> When I open html with embedded SVG image I've got random crashes of
> Firefox when I click with right button and try to navigate menu or when
> I open main menu e.g. to check in help->about browser version. An
> example page is here
> 
>   http://www.ba.infn.it/~zito/xml/embed.html
> 

Thanks for the report. I reproduced w/the debug version
and have this backtrace info. Most likely suspect is
cairo.

(gdb) bt
#0  0x06bf63c8 in memcpy () from /usr/lib/libc.so.40.3
#1  0x0051e9cd in NoSwap () from /usr/X11R6/lib/libX11.so.9.0
#2  0x0051f9e7 in SendZImage () from /usr/X11R6/lib/libX11.so.9.0
#3  0x0051ff10 in XPutImage () from /usr/X11R6/lib/libX11.so.9.0
#4  0x05f337c3 in _draw_image_surface (surface=0x84532400, image=0x840cae00, 
dst_x=0, dst_y=0)
at /usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-xlib-surface.c:1215
#5  0x05f33a06 in _cairo_xlib_surface_clone_similar 
(abstract_surface=0x84532600, src=0x840cae00, clone_out=0xcfbd0940)
at /usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-xlib-surface.c:1326
#6  0x05f12fc0 in _cairo_surface_clone_similar (surface=0x84532600, 
src=0x840cae00, clone_out=0xcfbd0940)
at /usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-surface.c:1017
#7  0x05f1990e in _cairo_pattern_acquire_surface_for_surface 
(pattern=0xcfbd07cc, dst=0x84532600, x=0, y=0, width=87, height=15,
out=0xcfbd0940, attr=0xcfbd094c) at 
/usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-pattern.c:1142
#8  0x05f19bc4 in _cairo_pattern_acquire_surface (pattern=0xcfbd07cc, 
dst=0x84532600, x=0, y=0, width=87, height=15,
surface_out=0xcfbd0940, attributes=0xcfbd094c) at 
/usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-pattern.c:1255
#9  0x05f19dfa in _cairo_pattern_acquire_surfaces (src=0xcfbd0bac, 
mask=0xcfbd0a8c, dst=0x84532600, src_x=0, src_y=95, mask_x=0,
mask_y=0, width=87, height=15, src_out=0xcfbd0944, mask_out=0xcfbd0940, 
src_attributes=0xcfbd099c, mask_attributes=0xcfbd094c)
at /usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-pattern.c:1363
#10 0x05f34283 in _cairo_xlib_surface_composite (op=CAIRO_OPERATOR_ADD, 
src_pattern=0xcfbd0bac, mask_pattern=0xcfbd0a8c,
abstract_dst=0x84532600, src_x=0, src_y=95, mask_x=0, mask_y=0, dst_x=0, 
dst_y=0, width=87, height=15)
at /usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-xlib-surface.c:1734
#11 0x05f131af in _cairo_surface_composite (op=CAIRO_OPERATOR_ADD, 
src=0xcfbd0bac, mask=0xcfbd0a8c, dst=0x84532600, src_x=0,
src_y=95, mask_x=0, mask_y=0, dst_x=0, dst_y=0, width=87, height=15)
at /usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-surface.c:1103
#12 0x05f109d8 in _cairo_scaled_font_show_glyphs (scaled_font=0x881a6400, 
op=CAIRO_OPERATOR_ADD, pattern=0xcfbd0bac,
surface=0x84532600, source_x=0, source_y=95, dest_x=0, dest_y=0, width=87, 
height=15, glyphs=0x810a5400, num_glyphs=41)
at /usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-scaled-font.c:997
---Type <return> to continue, or q <return> to quit---
#13 0x05f15c75 in _cairo_surface_old_show_glyphs_draw_func (closure=0xcfbd0dfc, 
op=CAIRO_OPERATOR_ADD, src=0xcfbd0bac,
dst=0x84532600, dst_x=0, dst_y=95, extents=0xcfbd0e1c)
at /usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-surface-fallback.c:890
#14 0x05f14960 in _create_composite_mask_pattern (mask_pattern=0xcfbd0cbc, 
clip=0x84532884,
draw_func=0x5f15a9f <_cairo_surface_old_show_glyphs_draw_func>, 
draw_closure=0xcfbd0dfc, dst=0x81b3ce00, extents=0xcfbd0e1c)
at /usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-surface-fallback.c:127
#15 0x05f14a08 in _clip_and_composite_with_mask (clip=0x84532884, 
op=CAIRO_OPERATOR_OVER, src=0xcfbd0edc,
draw_func=0x5f15a9f <_cairo_surface_old_show_glyphs_draw_func>, 
draw_closure=0xcfbd0dfc, dst=0x81b3ce00, extents=0xcfbd0e1c)
at /usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-surface-fallback.c:165
#16 0x05f14e65 in _clip_and_composite (clip=0x84532884, op=CAIRO_OPERATOR_OVER, 
src=0xcfbd0edc,
draw_func=0x5f15a9f <_cairo_surface_old_show_glyphs_draw_func>, 
draw_closure=0xcfbd0dfc, dst=0x81b3ce00, extents=0xcfbd0e1c)
at /usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-surface-fallback.c:379
#17 0x05f15da0 in _cairo_surface_fallback_show_glyphs (surface=0x81b3ce00, 
op=CAIRO_OPERATOR_OVER, source=0xcfbd0edc,
glyphs=0x810a5400, num_glyphs=41, scaled_font=0x881a6400)
at /usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-surface-fallback.c:941
#18 0x05f14326 in _cairo_surface_show_glyphs (surface=0x81b3ce00, 
op=CAIRO_OPERATOR_OVER, source=0xcfbd0f9c, glyphs=0x810a5400,
num_glyphs=41, scaled_font=0x881a6400) at 
/usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-surface.c:1837
#19 0x05f06caa in _cairo_gstate_show_glyphs (gstate=0x84532800, 
glyphs=0x7d0fb800, num_glyphs=41)
at /usr/obj/ports/cairo-1.2.6/cairo-1.2.6/src/cairo-gstate.c:1449
#20 0x05f0120e in cairo_show_text (cr=0x848fec40, utf8=0xcfbd125c "Mouse over 
the circle to change its size.")
at /usr/ob

Crashes with SVG image in mozilla-firefox

2007-03-15 Thread Mikolaj Kucharski
Hi,

When I open html with embedded SVG image I've got random crashes of
Firefox when I click with right button and try to navigate menu or when
I open main menu e.g. to check in help->about browser version. An
example page is here

http://www.ba.infn.it/~zito/xml/embed.html


$ pkg_info | grep mozilla-firefox 
mozilla-firefox-2.0.0.2p2 redesign of Mozilla's browser component

$ dmesg | head -n2
OpenBSD 4.1-current (GENERIC) #28: Tue Mar 13 19:42:45 MDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

-- 
best regards
q#