Bug#418016: Recent security update of libx11-6 (1.0.3-7) made opera segfault
On Fri, Apr 06, 2007 at 12:07:36PM +0200, Brice Goglin wrote:
> Yes, it has already been reported on the Debian/Gentoo/Opera/Xorg BTS. But I
> don't think anybody posted an interesting backtrace yet, so it's kind of
> hard to know what's going on.
FWIW, this is the bit of the patch to XCreateImage which causes the problem:
+ } else if (image_bytes_per_line < min_bytes_per_line) {
+ return 0;
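Review bot: this branch turns an input that was previously accepted into a silent NULL return, so callers that passed an undersized image_bytes_per_line (as the Opera report here shows) now crash on dereference rather than being told why; suggest documenting the new failure condition alongside the other bad-argument cases in the XCreateImage manual page and in the changelog so downstream packagers can spot it.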
Seems pretty clear to me that Opera has *a* bug, since the failure here is
caused by XCreateImage returning a null image due to bad arguments, and
Opera failing to check the return value before dereferencing it.
FWIW, if I change this 'return 0' to a 'sleep(20)' and attach to the
process, I get the following backtrace:
#0 0xf752f03b in nanosleep () from /lib/tls/libc.so.6
#1 0xf752ee8e in sleep () from /lib/tls/libc.so.6
#2 0xf76764ae in XCreateImage () from /usr/lib/libX11.so.6
#3 0x0865efee in ?? ()
#4 0x08a2f380 in ?? ()
#5 0x08a33f70 in ?? ()
#6 0x00000018 in ?? ()
#7 0x00000002 in ?? ()
#8 0x00000000 in ?? ()
could be useful to Opera if someone wants to pass this along. This is with
opera_9.10-20061214.6-shared-qt_en_i386.deb for Debian testing.
FWIW, the problematic invocation has an 'image_bytes_per_line' value of '3'
and a 'width' value of '1', but the bits-per-pixel for the display is 32
(i.e., 4 bytes), so the check fails. I guess Opera is wrongly assuming that
a bitdepth of 24 gives a bpp of 24, not 32?
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
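The stride check and the depth-versus-bits-per-pixel mismatch described in this mail, as an added worked example (not Xlib's or Opera's code): the rounding rule is modelled on Xlib's row-padding behaviour and the pixmap-format table is a constructed stand-in for what a server reports via XListPixmapFormats, both assumptions here.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the XPixmapFormatValues list a server reports:
 * a visual depth of 24 is stored as 32 bits per pixel (assumption). */
struct pixfmt { int depth; int bits_per_pixel; int scanline_pad; };
static const struct pixfmt formats[] = {
    { 1, 1, 32 }, { 8, 8, 32 }, { 16, 16, 32 }, { 24, 32, 32 },
};

/* Look up the real bits-per-pixel for a depth; 0 if the depth is unknown. */
static int bits_per_pixel_for_depth(int depth)
{
    for (size_t i = 0; i < sizeof formats / sizeof formats[0]; i++)
        if (formats[i].depth == depth)
            return formats[i].bits_per_pixel;
    return 0;
}

/* Smallest row stride: width*bpp bits rounded up to bitmap_pad, in bytes. */
static int min_bytes_per_line(int width, int bits_per_pixel, int bitmap_pad)
{
    int bits = width * bits_per_pixel;
    return ((bits + bitmap_pad - 1) / bitmap_pad) * (bitmap_pad / 8);
}

/* Mirrors the patched argument check: a caller-supplied stride smaller than
 * one padded row is rejected (0, i.e. the NULL-image case); 0 as input means
 * "let the library compute it". Returns the stride to use, or 0 on rejection. */
static int validate_bytes_per_line(int width, int bits_per_pixel,
                                   int bitmap_pad, int bytes_per_line)
{
    int min = min_bytes_per_line(width, bits_per_pixel, bitmap_pad);
    if (bytes_per_line == 0)
        return min;
    return bytes_per_line < min ? 0 : bytes_per_line;
}

int main(void)
{
    /* The failing call from the mail: width 1, depth 24 assumed to be 24 bpp,
     * so the caller hands in a stride of 3 bytes; the display is 32 bpp. */
    int bpp = bits_per_pixel_for_depth(24);
    printf("assumed stride 3 -> %d (0 = rejected, caller must check NULL)\n",
           validate_bytes_per_line(1, bpp, 32, 3));
    /* Correct caller: derive the stride from the reported bpp, or pass 0. */
    printf("derived stride -> %d\n", validate_bytes_per_line(1, bpp, 32, 0));
    return 0;
}
```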