Bug 27572

Summary: Bad glyph data fed into Xrender extension can cause a crash of X11 server
Product: xorg
Reporter: Tel <lists>
Component: Server/General
Assignee: Xorg Project Team <xorg-team>
Status: RESOLVED FIXED
QA Contact: Xorg Project Team <xorg-team>
Severity: normal
Priority: medium
Keywords: patch
Version: 7.5 (2009.10)
Hardware: x86 (IA32)
OS: Linux (All)
See Also: http://bugs.winehq.org/show_bug.cgi?id=19986
          https://launchpad.net/bugs/408016
Bug Blocks: 27592
Attachments: Patch to check NULL pointer and protect from crashing desktop. (flags: none)

Description Tel 2010-04-10 00:22:12 UTC
Created attachment 34860 [details] [review]
Patch to check NULL pointer and protect from crashing desktop.

Seems to be driver dependent... the (pScreen->CreatePixmap)() function can return NULL pointer under certain circumstances, generally because the driver finds something wrong with the input values (too large, etc) and the ProcRenderAddGlyphs() function does not check this return pointer. Thus, feeding certain glyph data can crash the X11 server and badly behaved applications are known to feed such data.

Worse yet, the maintainers of the badly behaved application (e.g. wine) will not fix their bugs when they see the X11 server crashes because after all, that must be an xorg problem (see wine bug #19986 to be told, "Still, an X11 crash is not a Wine bug"). Until I can get you guys to fix the crash at your end, the application maintainers will continue to ignore the problem.

You can look at Ubuntu Launchpad bug #408016 which has a demo program that will crash certain versions of Ubuntu when run with Intel 945GM/GMS/GME graphics (a very common chip on low-end laptops). Since the exact data required to get this crash to happen depends on many driver-level details, I can't guarantee a crash on non-Ubuntu systems, and I know it does not crash on Nvidia hardware.

I've attached a patch in the hope that it may be useful. It is a very small patch, easy to check, and the only question is whether to return BadAlloc or BadValue, but I would say that BadValue is more likely to be a correct cause of the problem (in actual fact, there is no way to be 100% sure why the driver rejected this particular data; it may be a genuine BadAlloc).
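The failure mode described above, as an added illustration rather than the reporter's patch or the X server's code: a simplified model of a driver CreatePixmap hook that returns NULL for glyph dimensions it rejects, beside an AddGlyphs-style loop that checks that result, unwinds the pixmaps it already created for the request, and returns an X error code instead of dereferencing NULL. The error-code values, the size limit and the Pixmap/GlyphInfo types are constructed stand-ins, not definitions from Xproto.h or the server.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Stand-ins mirroring X protocol error codes; not the real Xproto.h. */
enum { Success = 0, BadValue = 2, BadAlloc = 11 };

/* Constructed limit: this "driver" refuses pixmaps larger than this. */
#define MAX_PIXMAP_DIM 4096

typedef struct { uint16_t width, height; uint8_t *bits; } Pixmap;
typedef struct { uint16_t width, height; } GlyphInfo;

/* Model of (pScreen->CreatePixmap)(): returns NULL when the driver rejects
 * the request (dimensions too large) or the allocation itself fails. */
static Pixmap *create_pixmap(uint16_t width, uint16_t height)
{
    if (width == 0 || height == 0 ||
        width > MAX_PIXMAP_DIM || height > MAX_PIXMAP_DIM)
        return NULL;
    Pixmap *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    p->bits = calloc((size_t)width * height, 1);
    if (!p->bits) { free(p); return NULL; }
    p->width = width; p->height = height;
    return p;
}

static void destroy_pixmap(Pixmap *p)
{
    if (p) { free(p->bits); free(p); }
}

/* Hardened AddGlyphs-style loop. The unchecked pattern was
 *     pPixmap = create_pixmap(w, h); ...write into pPixmap->bits...
 * which dereferences NULL when the driver rejects a glyph's size.
 * Here a NULL result aborts the request, frees the pixmaps already made
 * for this request (no leak on the error path), and reports an error. */
static int add_glyphs(const GlyphInfo *glyphs, size_t nglyphs, Pixmap **out)
{
    for (size_t i = 0; i < nglyphs; i++) {
        out[i] = create_pixmap(glyphs[i].width, glyphs[i].height);
        if (out[i] == NULL) {
            for (size_t j = 0; j < i; j++) { destroy_pixmap(out[j]); out[j] = NULL; }
            return BadAlloc;  /* BadAlloc vs BadValue is left open in the report */
        }
        /* Placeholder for copying the client's glyph bits into the pixmap. */
        memset(out[i]->bits, 0xff, (size_t)out[i]->width * out[i]->height);
    }
    return Success;
}
```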
Comment 1 Julien Cristau 2010-04-10 00:48:20 UTC
On Sat, Apr 10, 2010 at 00:22:12 -0700, bugzilla-daemon@freedesktop.org wrote:

> Patch to check NULL pointer and protect from crashing desktop.
> 
Can you send this patch to xorg-devel@lists.x.org for review?
See http://www.x.org/wiki/Development/Documentation/SubmittingPatches

Thanks!
Comment 2 Tel 2010-04-10 03:03:46 UTC
Patch from git-format-patch sent to devel list.

Patch is against X11R7.5 archive sha1sum:

d31e259b3ab975e2c1baea8f7310b57152ae3c62  xorg-server-1.7.1.tar.bz2
Comment 3 Chris Wilson 2010-05-11 11:57:19 UTC
Reassigning to core as this is not driver specific, and patch is en route.
Comment 4 Alan Coopersmith 2010-06-11 11:34:17 UTC
A modified version of the patch was applied to git master:
http://cgit.freedesktop.org/xorg/xserver/commit/?id=87ea5760f86eb60840e6e2c10012915952df5377

so marking this bug as fixed. Thanks for bringing this to our attention.
