>Number: 42281
>Category: xsrc
>Synopsis: X-server crash when using ms-ttf package
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: xsrc-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Nov 07 20:45:00 +0000 2009
>Originator: Uwe Krüger
>Release: 5-STABLE snapshot 20091102 (after xorg 1.6 pullup)
>Organization:
>Environment:
NetBSD shuttle 5.0_STABLE NetBSD 5.0_STABLE (GENERIC) #0: Mon Nov 2 16:10:10 UTC 2009
builds@...:/home/builds/ab/netbsd-5/amd64/200911020000Z-obj/home/builds/ab/netbsd-5/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
The X-Server crashes when trying to access Microsoft core fonts using "xfontsel".
Using gdb the crash can be isolated in the function pixman_region_intersect():
# gdb /usr/X11R7/bin/Xorg Xorg.core
...
(gdb) bt
#0 0x00007f7ffc2dc26a in _lwp_kill () from /usr/lib/libc.so.12
#1 0x00007f7ffc2dbb42 in abort () from /usr/lib/libc.so.12
#2 0x00007f7ffc29d440 in __assert13 () from /usr/lib/libc.so.12
#3 0x00007f7ffda42fa7 in pixman_region_intersect ()
from /usr/X11R7/lib/libpixman-1.so.1
#4 0x000000000050f4f7 in DamageRegionProcessPending ()
#5 0x000000000050f69a in DamageRegionAppend ()
#6 0x0000000000512886 in DamageSetup ()
#7 0x0000000000512c62 in DamageSetup ()
#8 0x000000000051315e in DamageSetup ()
#9 0x000000000044991f in doPolyText ()
#10 0x0000000000449dc4 in PolyText ()
#11 0x000000000044dd84 in ProcPolyText ()
#12 0x0000000000450076 in Dispatch ()
#13 0x000000000043afe5 in main ()
>How-To-Repeat:
- Install a recent netbsd-5 snapshot
- install the package fonts/ms-ttf and follow the instructions,
in particular add 'FontPath "/usr/pkg/lib/X11/fonts/TTF/"' to
your xorg.conf
- restart the X-server
- run "xfontsel &"
- select fndry->microsoft
- the X-server crashes
(the crash only occurs when using the "native" X-server and not with the "modular-xorg-server" package)
>Fix:
based of the version 0.16 of pixman (which is used by the modular-xorg-server-package) I've created the following patch that solves the problem:
--- /usr/xsrc/external/mit/pixman/dist/pixman/pixman-region.c.orig 2009-09-19 13:23:38.000000000 +0200
+++ /usr/xsrc/external/mit/pixman/dist/pixman/pixman-region.c 2009-11-07 21:17:39.000000000 +0100
@@ -63,7 +63,10 @@
#define PIXREGION_TOP(reg) PIXREGION_BOX (reg, (reg)->data->numRects)
#define PIXREGION_END(reg) PIXREGION_BOX (reg, (reg)->data->numRects - 1)
-#define GOOD(reg) assert (PREFIX (_selfcheck) (reg))
+#define GOOD_RECT(rect) ((rect)->x1 < (rect)->x2 && (rect)->y1 < (rect)->y2)
+#define BAD_RECT(rect) ((rect)->x1 > (rect)->x2 || (rect)->y1 > (rect)->y2)
+
+#define GOOD(reg)
static const box_type_t PREFIX (_empty_box_) = { 0, 0, 0, 0 };
static const region_data_type_t PREFIX (_empty_data_) = { 0, 0 };
@@ -344,12 +347,23 @@
region->extents.x2 = x + width;
region->extents.y2 = y + height;
+ if (!GOOD_RECT (®ion->extents))
+ {
+ PREFIX (_init) (region);
+ return;
+ }
+
region->data = NULL;
}
PIXMAN_EXPORT void
PREFIX (_init_with_extents) (region_type_t *region, box_type_t *extents)
{
+ if (!GOOD_RECT (extents))
+ {
+ PREFIX (_init) (region);
+ return;
+ }
region->extents = *extents;
region->data = NULL;
@@ -1292,14 +1306,16 @@
{
region_type_t region;
- if (!width || !height)
- return PREFIX (_copy) (dest, source);
-
region.extents.x1 = x;
region.extents.y1 = y;
region.extents.x2 = x + width;
region.extents.y2 = y + height;
+ if (!GOOD_RECT (®ion.extents))
+ {
+ return PREFIX (_copy) (dest, source);
+ }
+
region.data = NULL;
return PREFIX (_union) (dest, source, ®ion);
@@ -2236,8 +2252,7 @@
{
GOOD (region);
- assert (box->x1 <= box->x2);
- assert (box->y1 <= box->y2);
+ assert (GOOD_RECT (box));
region->extents = *box;
