
Bug#418016: Recent security update of libx11-6 (1.0.3-7) made opera segfault

On Fri, Apr 06, 2007 at 12:07:36PM +0200, Brice Goglin wrote:

> Yes, it has already been reported on the Debian/Gentoo/Opera/Xorg BTS. But I
> don't think anybody posted an interesting backtrace yet, so it's kind of
> hard to know what's going on.

FWIW, this is the bit of the patch to XCreateImage which causes the problem:

+      } else if (image_bytes_per_line < min_bytes_per_line) {
+          return 0;
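Review bot: the bare `return 0` gives a caller nothing but a NULL to distinguish this new argument-validation failure from any other failure, and the discussion below shows at least one caller (Opera) that dereferences the result without checking it; the XCreateImage documentation should state that a NULL return now also means the supplied bytes_per_line is smaller than the minimum for the given width at the visual's bits_per_pixel, and a one-line comment on the condition noting that min_bytes_per_line is derived from bits_per_pixel (32 on the reporter's depth-24 display), not from depth, would help anyone reading this check later.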

Seems pretty clear to me that Opera has *a* bug, since the failure here is
caused by XCreateImage returning a null image due to bad arguments, and
Opera failing to check the return value before dereferencing it.

FWIW, if I change this 'return 0' to a 'sleep(20)' and attach to the
process, I get the following backtrace:

#0  0xf752f03b in nanosleep () from /lib/tls/libc.so.6
#1  0xf752ee8e in sleep () from /lib/tls/libc.so.6
#2  0xf76764ae in XCreateImage () from /usr/lib/libX11.so.6
#3  0x0865efee in ?? ()
#4  0x08a2f380 in ?? ()
#5  0x08a33f70 in ?? ()
#6  0x00000018 in ?? ()
#7  0x00000002 in ?? ()
#8  0x00000000 in ?? ()

could be useful to Opera if someone wants to pass this along.  This is with
opera_9.10-20061214.6-shared-qt_en_i386.deb for Debian testing.

FWIW, the problematic invocation has an 'image_bytes_per_line' value of '3'
and a 'width' value of '1', but the bits-per-pixel for the display is 32
(i.e., 4 bytes), so the check fails.  I guess Opera is wrongly assuming that
a bitdepth of 24 gives a bpp of 24, not 32?

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
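The arithmetic behind that check, as an added example that is not part of this email or of libX11: it models the stride minimum with an assumed libX11-style rounding rule (bits rounded up to a multiple of bitmap_pad, then converted to bytes), assumes a bitmap_pad of 32, and shows why a bytes_per_line of 3 for width 1 fails on a 32 bpp visual while it would pass if depth 24 were byte-packed.

```c
#include <stdio.h>

/* Assumed model of the library's rounding: round a bit count up to a
 * multiple of the pad and convert the result to bytes. Hypothetical
 * helper, not libX11's own code. */
static unsigned round_up_bits_to_bytes(unsigned nbits, unsigned pad_bits)
{
    return ((nbits + pad_bits - 1) / pad_bits) * (pad_bits / 8);
}

/* Smallest bytes_per_line the patched check accepts for one scanline. */
unsigned min_bytes_per_line(unsigned width, unsigned bits_per_pixel,
                            unsigned bitmap_pad)
{
    return round_up_bits_to_bytes(width * bits_per_pixel, bitmap_pad);
}

/* Returns 1 if a caller-supplied bytes_per_line passes the new check and
 * 0 where the patched XCreateImage would return NULL. A value of 0 asks
 * the library to compute the stride itself, so it is always accepted. */
int bytes_per_line_ok(unsigned bytes_per_line, unsigned width,
                      unsigned bits_per_pixel, unsigned bitmap_pad)
{
    if (bytes_per_line == 0)
        return 1;
    return bytes_per_line >= min_bytes_per_line(width, bits_per_pixel,
                                                bitmap_pad);
}

int main(void)
{
    /* Values from the report: width 1, bytes_per_line 3, 32 bits per
     * pixel for the depth-24 visual. bitmap_pad of 32 is assumed. */
    unsigned w = 1, bpl = 3, bpp = 32, pad = 32;

    printf("need %u bytes/line, caller passed %u -> %s\n",
           min_bytes_per_line(w, bpp, pad), bpl,
           bytes_per_line_ok(bpl, w, bpp, pad) ? "accepted"
                                               : "NULL from XCreateImage");
    /* The guess in the report: treating depth 24 as a byte-packed 24 bpp
     * yields exactly the 3 bytes the caller supplied. */
    printf("stride if depth 24 were taken as byte-packed bpp: %u\n",
           min_bytes_per_line(w, 24, 8));
    return 0;
}
```

A client that computes its stride from the visual's bits_per_pixel rather than its depth, and treats a NULL XImage as an error, avoids both the rejection and the crash.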
