
registry team mailing list archive

[Bug 280484] Re: gnome-panel crashed with SIGSEGV in g_cclosure_marshal_VOID__BOXED()


Launchpad has imported 9 comments from the remote bug at
https://bugzilla.mozilla.org/show_bug.cgi?id=487170.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2009-04-07T05:01:29+00:00 Ciprian Enache wrote:

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.8) Gecko/2009032712 Ubuntu/8.10 (intrepid) Firefox/3.0.8
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.8) Gecko/2009032712 Ubuntu/8.10 (intrepid) Firefox/3.0.8

Gnome panel disappears when visiting the link below:
http://blog.oup.com/2009/03/science-fiction/


Reproducible: Always

Steps to Reproduce:
1. Visit link: http://blog.oup.com/2009/03/science-fiction/
2. Enjoy the view (no panel, menus, taskbar)
3. Switch to another tab / application if you want your panel/ taskbar back.
Actual Results:  
Gnome Panel [menus & taskbar] disappeared.


This could be a security problem. Seems that Firefox allows application to switch to "full-screen" mode from JS, and GNOME menus and taskbars are going "off-screen" in the process.

Reply at: https://bugs.launchpad.net/firefox/+bug/280484/comments/6

------------------------------------------------------------------------
On 2009-04-07T05:06:19+00:00 Ciprian Enache wrote:

Created attachment 371385
screenshot.png

Screenshot of my Desktop with no Gnome panels, while visiting
http://blog.oup.com/2009/03/science-fiction/

Reply at: https://bugs.launchpad.net/firefox/+bug/280484/comments/7

------------------------------------------------------------------------
On 2009-04-07T05:38:52+00:00 Timeless-bemail wrote:

not our bug. http://bugzilla.gnome.org/show_bug.cgi?id=556132

Reply at: https://bugs.launchpad.net/firefox/+bug/280484/comments/8

------------------------------------------------------------------------
On 2009-04-07T05:49:58+00:00 Reed Loden wrote:

I can reproduce on Mozilla/5.0 (X11; U; Linux i686; en-US;
rv:1.9.2a1pre) Gecko/20090406 Minefield/3.6a1pre.

Reply at: https://bugs.launchpad.net/firefox/+bug/280484/comments/9

------------------------------------------------------------------------
On 2009-04-07T06:01:30+00:00 Vladimir Vukicevic wrote:

I can't access the gnome bug -- is this some X issue?

Reply at: https://bugs.launchpad.net/firefox/+bug/280484/comments/10

------------------------------------------------------------------------
On 2009-04-07T06:16:58+00:00 Reed Loden wrote:

(In reply to comment #4)
> I can't access the gnome bug -- is this some X issue?

I'm trying to get CC'd to the bug on bgo to see. Once I get cc'd, I will
CC you.

Reply at: https://bugs.launchpad.net/firefox/+bug/280484/comments/11

------------------------------------------------------------------------
On 2009-04-07T06:31:34+00:00 Mozilla-behdad wrote:

Embargo was requested on the GNOME bug yesterday, so I limited access to
it.  I debugged it tonight, it's a bug in pango.  I plan to push a fix
out to the public repository tomorrow.  The following is what I wrote in
response to the embargo report to me:

Thanks for the mail.  Let me note that this issue has already made it to
the upstream Pango bugzilla.  Pedro forwarded the crash stacktrace from
Ubuntu bug tracker before, but today he added a comment pointing out to
the test web page.  I have limited the bug to GNOME Hackers group for
now:

  http://bugzilla.gnome.org/show_bug.cgi?id=556132

Anyway, I debugged the issue.  It happens whenever a PangoLayout is used
to render text containing the Unicode character U+2028 LINE SEPARATOR,
the layout is set to be ellipsized, and has a width narrow enough to
ensure line wrapping.  It can be reproduced using the command:

$ pango-view --markup --text 'test ' --width 1 --ellipsize end

The invalid memory access happens in function pango_layout_line_postprocess() whenever both wrapping and ellipsization happen.  However, ellipsization normally disables wrapping.  The only exception was when a LINE SEPARATOR character was seen.  This particular behavior was introduced in pango version 1.21.4, in git commit 66240b30bc5a2b29b0d5f3bb5396f85ef557b077.

Here is the code involved:

=============================
static void
pango_layout_line_postprocess (PangoLayoutLine *line,
                               ParaBreakState  *state,
                               gboolean         wrapped)
{
  /* last_run is cached here, before any run can be freed */
  PangoLayoutRun *last_run = line->runs->data;
  gboolean ellipsized = FALSE;

  /* NB: the runs are in reverse order at this point, since we prepended them to the list
   */

  /* Reverse the runs
   */
  line->runs = g_slist_reverse (line->runs);

  DEBUG ("postprocessing", line, state);

  /* Ellipsize the line if necessary
   */
  if (G_UNLIKELY (state->line_width >= 0 &&
                  should_ellipsize_current_line (line->layout, state)))
    {
      /* may free the run that last_run points to */
      ellipsized = _pango_layout_line_ellipsize (line, state->attrs, state->line_width);
    }

  /* Truncate the logical-final whitespace in the line if we broke the line at it
   */
  if (wrapped)
    zero_line_final_space (line, state, last_run);   /* dereferences last_run */
=============================

The problem happens when in the _pango_layout_line_ellipsize() call line
is modified and now last_run is a dangling pointer.  In
zero_line_final_space() it is dereferenced and crashes.  Apparently at
the time of the crash run->glyphs is NULL.  There's no immediate reason
for this except that the memory is freed using gslice and perhaps
immediately allocated in the same call (line_ellipsize()) and trashed.

Anyway, while my analysis is not conclusive, I doubt that this can be
exploited easily.  I have attached the patch for the invalid access.  I
have that and other patches to improve the behavior in my local tree.  I
have not pushed them as per your request.  Please let me know when you
want to make this public.

Regards,
behdad

Reply at: https://bugs.launchpad.net/firefox/+bug/280484/comments/12
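The ordering problem described in the comment above, reduced to a stand-alone C model. This is an added example, not Pango's code: the Run and Line structs, line_ellipsize(), zero_final_space() and the quarantine allocator are constructed stand-ins for PangoLayoutRun, _pango_layout_line_ellipsize(), zero_line_final_space() and gslice. Releasing a run poisons it and parks it in a quarantine instead of calling free(), so the stale dereference is observable as a return code rather than undefined behaviour; that is the kind of signal a debug allocator or AddressSanitizer gives, whereas the real gslice recycling is why the report saw run->glyphs == NULL "by accident". postprocess_buggy() keeps the order from the report (cache last_run, reverse, ellipsize, use last_run); postprocess_fixed() shows one hardened ordering, assumed here rather than taken from the upstream patch: consume the cached pointer before any call that can free runs.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for PangoLayoutRun / PangoLayoutLine. */
typedef struct Run {
  int        *glyphs;    /* glyph widths; NULL once the run has been released */
  int         n_glyphs;
  struct Run *next;
} Run;

typedef struct Line {
  Run *runs;             /* singly linked list, like Pango's GSList of runs */
} Line;

/* Quarantine instead of free(): poison the run so a stale use is detectable. */
#define QUARANTINE_MAX 16
static Run *quarantine[QUARANTINE_MAX];
static int  n_quarantined = 0;

static void run_release(Run *r)
{
  free(r->glyphs);
  r->glyphs = NULL;      /* poison: mirrors the NULL glyphs seen in the crash */
  r->n_glyphs = -1;
  r->next = NULL;
  if (n_quarantined < QUARANTINE_MAX) quarantine[n_quarantined++] = r;
  else free(r);
}

static void quarantine_flush(void)
{
  for (int i = 0; i < n_quarantined; i++) free(quarantine[i]);
  n_quarantined = 0;
}

static Run *run_new(int n_glyphs)
{
  Run *r = calloc(1, sizeof *r);
  r->glyphs = calloc((size_t)n_glyphs, sizeof *r->glyphs);
  r->n_glyphs = n_glyphs;
  for (int i = 0; i < n_glyphs; i++) r->glyphs[i] = 10;  /* constructed widths */
  return r;
}

/* Build runs by prepending, as the report says Pango does, so the list head
 * is the logically last run of the line. */
static Line line_new(int n_runs)
{
  Line line = { NULL };
  for (int i = 0; i < n_runs; i++) {
    Run *r = run_new(3);
    r->next = line.runs;
    line.runs = r;
  }
  return line;
}

static Run *list_reverse(Run *head)
{
  Run *prev = NULL;
  while (head) { Run *next = head->next; head->next = prev; prev = head; head = next; }
  return prev;
}

/* Stand-in for _pango_layout_line_ellipsize(): releases every run and installs
 * a single ellipsis run. Returns 1 if the line was modified. */
static int line_ellipsize(Line *line)
{
  Run *r = line->runs;
  if (!r) return 0;
  while (r) { Run *next = r->next; run_release(r); r = next; }
  line->runs = run_new(1);
  return 1;
}

/* Stand-in for zero_line_final_space(): zero the width of the run's last glyph.
 * Returns 0 on success, -1 if handed a run that was already released. */
static int zero_final_space(Run *last_run)
{
  if (last_run->glyphs == NULL) return -1;   /* in real Pango: the SIGSEGV */
  last_run->glyphs[last_run->n_glyphs - 1] = 0;
  return 0;
}

/* Order from the report: cache, reverse, ellipsize (frees), then dereference. */
static int postprocess_buggy(Line *line, int wrapped, int ellipsize)
{
  Run *last_run = line->runs;
  int rc = 0;
  line->runs = list_reverse(line->runs);
  if (ellipsize) line_ellipsize(line);        /* last_run now dangles */
  if (wrapped) rc = zero_final_space(last_run);
  return rc;
}

/* Hardened order (assumed, not the upstream fix): use the pointer first. */
static int postprocess_fixed(Line *line, int wrapped, int ellipsize)
{
  int rc = 0;
  if (wrapped) rc = zero_final_space(line->runs);  /* head == last logical run */
  line->runs = list_reverse(line->runs);
  if (ellipsize) line_ellipsize(line);
  return rc;
}

static void line_free(Line *line)
{
  Run *r = line->runs;
  while (r) { Run *next = r->next; run_release(r); r = next; }
  line->runs = NULL;
  quarantine_flush();
}

/* LINE SEPARATOR case (wrapped && ellipsized): 1 if only the buggy order faults. */
int demo(void)
{
  Line a = line_new(2);
  int buggy = postprocess_buggy(&a, 1, 1);
  line_free(&a);
  Line b = line_new(2);
  int fixed = postprocess_fixed(&b, 1, 1);
  line_free(&b);
  return buggy == -1 && fixed == 0;
}

int main(void)
{
  printf("buggy order faults, fixed order does not: %s\n", demo() ? "yes" : "no");
  return demo() ? 0 : 1;
}
```

The same model also shows why the crash needed both conditions: with ellipsize enabled and wrapped == 0 the cached pointer is never used, and with wrapped == 1 and no ellipsization nothing is freed, so only the combination the LINE SEPARATOR path produced reaches the stale dereference.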

------------------------------------------------------------------------
On 2009-04-07T06:49:14+00:00 Reed Loden wrote:

I've made the launchpad bugs private for now... Can you CC me
(reed@xxxxxxxxxxxxx) on the bgo bug?

Reply at: https://bugs.launchpad.net/firefox/+bug/280484/comments/13

------------------------------------------------------------------------
On 2009-09-13T20:20:55+00:00 Dveditz wrote:

The GNOME bug in comment 6 is still hidden so I suppose our version
should still be embargoed? Is there a reason we can't just resolve our
copy? I don't think keeping this bug open is accomplishing anything.

Reply at: https://bugs.launchpad.net/firefox/+bug/280484/comments/18


** Changed in: firefox
   Importance: Unknown => High

-- 
gnome-panel crashed with SIGSEGV in g_cclosure_marshal_VOID__BOXED()
https://bugs.launchpad.net/bugs/280484
You received this bug notification because you are a member of Registry
Administrators, which is the registrant for Pango.