Bug 27572 - Bad glyph data fed into Xrender extension can cause a crash of X11 server
Alias: None
Product: xorg
Classification: Unclassified
Component: Server/General
Version: 7.5 (2009.10)
Hardware: x86 (IA32) Linux (All)
Importance: medium normal
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
Keywords: patch
Depends on:
Blocks: xserver-1.9
Reported: 2010-04-10 00:22 UTC by Tel
Modified: 2010-06-11 11:34 UTC

Patch to check NULL pointer and protect from crashing desktop. (522 bytes, patch)
2010-04-10 00:22 UTC, Tel

Description Tel 2010-04-10 00:22:12 UTC
Created attachment 34860
Patch to check NULL pointer and protect from crashing desktop.

Seems to be driver dependent... the (pScreen->CreatePixmap)() function can return a NULL pointer under certain circumstances, generally because the driver finds something wrong with the input values (too large, etc) and the ProcRenderAddGlyphs() function does not check this return pointer. Thus, feeding certain glyph data can crash the X11 server and badly behaved applications are known to feed such data.

Worse yet, the maintainers of the badly behaved application (e.g. wine) will not fix their bugs when they see the X11 server crashes because after all, that must be an xorg problem (see wine bug #19986 to be told, "Still, an X11 crash is not a Wine bug"). Until I can get you guys to fix the crash at your end, the application maintainers will continue to ignore the problem.

You can look at Ubuntu Launchpad bug #408016 which has a demo program that will crash certain versions of Ubuntu when run with Intel 945GM/GMS/GME graphics (a very common chip on low-end laptops). Since the exact data required to get this crash to happen depends on many driver-level details, I can't guarantee a crash on non-Ubuntu systems (and I know it does not crash on Nvidia hardware).

I've attached a patch in the hope that it may be useful. It is a very small patch, easy to check and the only question is whether to return BadAlloc or BadValue but I would say that BadValue is more likely to be a correct cause of the problem (in actual fact, there is no way to be 100% sure why the driver rejected this particular data, it may be a genuine BadAlloc).
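The missing check described in the report above, as a self-contained model added here (not the X server's code and not the attached patch). `model_create_pixmap`, `model_add_glyphs`, `ModelGlyphInfo`, `ModelPixmap` and `MODEL_MAX_DIM` are hypothetical stand-ins; only the error-code values come from X.h.

```c
#include <stdint.h>
#include <stdlib.h>
/* X protocol error codes, with the values X.h gives them. */
enum { Success = 0, BadValue = 2, BadAlloc = 11 };
#define MODEL_MAX_DIM 2048 /* hypothetical driver limit */

typedef struct { uint16_t width, height; } ModelGlyphInfo;
typedef struct { uint16_t width, height; uint8_t *bits; } ModelPixmap;

/* Stand-in for a driver's CreatePixmap hook: returns NULL when it rejects
 * the requested size or cannot allocate. */
static ModelPixmap *model_create_pixmap(uint16_t w, uint16_t h)
{
    if (w == 0 || h == 0 || w > MODEL_MAX_DIM || h > MODEL_MAX_DIM)
        return NULL;
    ModelPixmap *p = malloc(sizeof *p);
    if (!p)
        return NULL;
    p->bits = calloc((size_t)w * h, 1);
    if (!p->bits) {
        free(p);
        return NULL;
    }
    p->width = w;
    p->height = h;
    return p;
}

static void model_destroy_pixmap(ModelPixmap *p)
{
    if (p)
        free(p->bits);
    free(p);
}

/* Batch handler: each hook result is checked before use, and a failure frees
 * the pixmaps already created, so the client gets an error, not a crash. */
static int model_add_glyphs(const ModelGlyphInfo *gi, size_t n, ModelPixmap **out)
{
    for (size_t i = 0; i < n; i++) {
        out[i] = model_create_pixmap(gi[i].width, gi[i].height);
        if (!out[i]) {
            while (i--) {
                model_destroy_pixmap(out[i]);
                out[i] = NULL;
            }
            return BadAlloc; /* the report argues BadValue may fit better */
        }
    }
    return Success;
}
```
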
Comment 1 Julien Cristau 2010-04-10 00:48:20 UTC
On Sat, Apr 10, 2010 at 00:22:12 -0700, bugzilla-daemon@freedesktop.org wrote:

> Patch to check NULL pointer and protect from crashing desktop.
Can you send this patch to xorg-devel@lists.x.org for review?
See http://www.x.org/wiki/Development/Documentation/SubmittingPatches

Comment 2 Tel 2010-04-10 03:03:46 UTC
Patch from git-format-patch sent to devel list.

Patch is against X11R7.5 archive sha1sum:

d31e259b3ab975e2c1baea8f7310b57152ae3c62  xorg-server-1.7.1.tar.bz2
Comment 3 Chris Wilson 2010-05-11 11:57:19 UTC
Reassigning to core as this is not driver specific, and patch is en route.
Comment 4 Alan Coopersmith 2010-06-11 11:34:17 UTC
A modified version of the patch was applied to git master:

so marking this bug as fixed. Thanks for bringing this to our attention.