Kurt Miller wrote:
> On Thursday 15 March 2007 4:07:48 pm Mikolaj Kucharski wrote:
> > Hi,
> > When I open html with embedded SVG image I've got random crashes of
> > Firefox when I click with right button and try to navigate menu or when
> > I open main menu e.g. to check in help->about browser version. An
> > example page is here
> > http://www.ba.infn.it/~zito/xml/embed.html
>
> Thanks for the report. I reproduced w/the debug version
> and have this backtrace info. Most likely suspect is
> cairo.

Yes, it seems that cairo is feeding an invalid XImage structure to
XPutImage.

I think there are 2 problems:
- Cairo should not call XPutImage() with invalid data
- XPutImage() should validate its input and return an error instead.
(You all heard of these vulnerabilities caused by invalid image
structures, I guess. This is one of them...)

Unfortunately I've not managed to get a crash of firefox with this sample
image. I will try on other machines, with more standard configurations
(my desktop machine is an amd64, already running xenocara).

But if in the meantime someone could build his own libX11 with
debugging symbols (see /usr/XF4/README for instructions) and try to
print the XImage structure in gdb when it crashes, that would be
appreciated.
--
Matthieu Herrb
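
The kind of input validation the message asks of XPutImage(), sketched as an added example; it is not code from this thread, from libX11 or from cairo. `struct img_desc` and `img_desc_validate` are hypothetical names, the struct is a constructed mirror of the XImage geometry fields, and `data_len` is an assumption, since a real XImage does not record the size of its data buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Format values match Xlib's XYBitmap, XYPixmap and ZPixmap. */
enum { FMT_XYBITMAP = 0, FMT_XYPIXMAP = 1, FMT_ZPIXMAP = 2 };

struct img_desc {            /* hypothetical mirror of the XImage geometry fields */
    int width, height;
    int format, depth, bits_per_pixel;
    int bitmap_pad;          /* scanline padding in bits: 8, 16 or 32 */
    int bytes_per_line;
    const char *data;
    size_t data_len;         /* assumption: the caller knows the buffer size */
};

/* Returns 0 when the descriptor is self-consistent, otherwise a negative
 * code identifying the first check that failed. */
int img_desc_validate(const struct img_desc *im)
{
    if (im == NULL || im->data == NULL) return -1;
    if (im->width <= 0 || im->height <= 0) return -2;
    if (im->format < FMT_XYBITMAP || im->format > FMT_ZPIXMAP) return -3;
    if (im->bitmap_pad != 8 && im->bitmap_pad != 16 && im->bitmap_pad != 32) return -4;
    if (im->depth < 1 || im->depth > 32) return -5;

    /* XY formats store one bit per pixel per plane. */
    int bpp = (im->format == FMT_ZPIXMAP) ? im->bits_per_pixel : 1;
    if (bpp < 1 || bpp > 32) return -6;
    if (im->format == FMT_ZPIXMAP && im->depth > bpp) return -6;

    /* Minimum padded scanline, in 64-bit math so width * bpp cannot wrap. */
    uint64_t pad = (uint64_t)im->bitmap_pad;
    uint64_t bits = (uint64_t)im->width * (uint64_t)bpp;
    uint64_t min_bpl = ((bits + pad - 1) / pad) * (pad / 8);
    if (im->bytes_per_line <= 0 || (uint64_t)im->bytes_per_line < min_bpl) return -7;

    /* Bytes a reader would touch; an XY pixmap has one plane per depth bit.
     * Dividing data_len by planes avoids overflowing the product. */
    uint64_t planes = (im->format == FMT_XYPIXMAP) ? (uint64_t)im->depth : 1;
    uint64_t rows = (uint64_t)im->bytes_per_line * (uint64_t)im->height;
    if (rows > (uint64_t)im->data_len / planes) return -8;
    return 0;
}

int main(void)
{
    static char buf[32];     /* constructed sample: 4x2 pixels, 32 bpp */
    struct img_desc im = {4, 2, FMT_ZPIXMAP, 24, 32, 32, 16, buf, sizeof buf};
    printf("consistent image: %d\n", img_desc_validate(&im));
    im.height = 3;           /* claims one more row than the buffer holds */
    printf("oversized height: %d\n", img_desc_validate(&im));
    return 0;
}
```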