[Bug 36855] New: SIGSEGV when opening email - Address out of bounds in RADEONUploadToScreenCS

bugzilla-daemon at freedesktop.org
Wed May 4 14:10:33 PDT 2011


https://bugs.freedesktop.org/show_bug.cgi?id=36855

           Summary: SIGSEGV when opening email - Address out of bounds in
                    RADEONUploadToScreenCS
           Product: xorg
           Version: 7.6
          Platform: x86 (IA32)
        OS/Version: Linux (All)
            Status: NEW
          Severity: major
          Priority: high
         Component: Driver/Radeon
        AssignedTo: xorg-driver-ati at lists.x.org
        ReportedBy: bryce at canonical.com
         QAContact: xorg-team at lists.x.org


Forwarding this bug from Ubuntu reporter Laurent Marchal:
http://bugs.launchpad.net/ubuntu/+source/xserver-xorg-video-ati/+bug/766440

[Problem]
Invalid address causes segfault in RADEONCopySwap() called from
RADEONUploadToScreenCS().  Reproducible crash opening an email attachment that
is a large image.  Only occurs when compositing is enabled.

[Original Description]
When I open an image with a big picture as an attachment, Xorg segfaults and
restarts EVERY time I open the same email.

Program received signal SIGSEGV, Segmentation fault.
0x0003000e in ?? ()
(gdb) backtrace full
#5  0x080b201e in FatalError (f=0x81e9e74 "%s: VT_WAITACTIVE failed: %s\n") at
../../os/log.c:569
        args = 0xbf889464 "\341\236\036\b\335\025i\267\005"
        beenhere = 1
#6  0x08172326 in switch_to (vt=7, from=0x81e9ee1 "xf86CloseConsole") at
../../../../../hw/xfree86/os-support/linux/lnx_init.c:70
No locals.
#7  0x08172b3f in xf86CloseConsole () at
../../../../../hw/xfree86/os-support/linux/lnx_init.c:296
        vts = {v_active = 8, v_signal = 27476, v_state = 383}
        VT = {mode = 0 '\000', waitv = 0 '\000', relsig = 10, acqsig = 10,
frsig = 0}
#8  0x080b6155 in ddxSigGiveUp (signo=7) at
../../../../hw/xfree86/common/xf86Init.c:915
        i = <value optimized out>
#9  0x080b6236 in SigAbortDDX (signo=7) at
../../../../hw/xfree86/common/xf86Init.c:988
        i = <value optimized out>
#10 0x080b1ea8 in SigAbortServer (signo=7) at ../../os/log.c:412
No locals.
#11 0x080b2941 in FatalSignal (signo=7) at ../../os/log.c:541
        beenhere = 1
#12 0x080a7b61 in OsSigHandler (signo=7, sip=0xbf8895cc, unused=0xbf88964c) at
../../os/osinit.c:154
No locals.
#13 <signal handler called>
No symbol table info available.
#14 __memcpy_ssse3 () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3.S:195
No locals.
#15 0xb7316853 in RADEONCopySwap (dst=0xaefd6000 <Address 0xaefd6000 out of
bounds>, 
    src=0xb67d8020 "\031\036\034\377\032\037\035\377\033 \037\377\033
\037\377\033 \037\377\033 \037\377\033 \036\377\033
\036\377\034\"\035\377\030\036\031\377\034\"\035\377\032\037\035\377\024\031\027\377\031\035\036\377\034
!\377\032\033\037\377\033\035\036\377\035\034\036\377\035\035\035\377\035\035\035\377
\036\035\377\036\034\033\377\034\035\031\377\037
\034\377\034\"\035\377\034\"\035\377\034!\037\377\032\037\035\377\031\036\035\377\031\036\035\377\034\036\036\377\036
 \377\035\" \377\036#!\377\034! \377\035\"!\377\032\037
\377\030\035\036\377\033! \377\034\"!\377\033\"\037\377\037&#\377\036%
\377\027\036\031\377\026\034\027\377\032
\033\377\032\037\035\377\030\033\031\377\037\037\037\377!\037\037\377"...,
size=12288, swap=0) at /usr/include/bits/string3.h:52
No locals.
#16 0xb73979f1 in RADEONUploadToScreenCS (pDst=0x89e2998, x=0, y=0, w=3072,
h=21, src=<value optimized out>, src_pitch=12288) at
../../src/radeon_exa_funcs.c:543
        pScreen = <value optimized out>
        pScrn = 0x84d77b8
        info = 0x84cc5d0
        driver_priv = 0x8a3c150
        scratch = <value optimized out>
        copy_dst = 0x8a188c8
        dst = <value optimized out>
        size = <value optimized out>
        datatype = 0
        dst_domain = 4
        dst_pitch_offset = <value optimized out>
        bpp = 144583064
        scratch_pitch = 12288
        copy_pitch = 12288
        ret = <value optimized out>
        flush = <value optimized out>
        r = 1
        i = <value optimized out>
        tiling_flags = 0
        pitch = 0
        __func__ = "RADEONUploadToScreenCS"


DistroRelease: Ubuntu 11.04
Package: xorg 1:7.6+4ubuntu3
ProcVersionSignature: Ubuntu 2.6.38-8.42-generic-pae 2.6.38.2
Uname: Linux 2.6.38-8-generic-pae i686
Architecture: i386
CompizPlugins:
[core,bailer,detection,composite,opengl,decor,mousepoll,vpswitch,regex,animation,snap,expo,move,compiztoolbox,place,grid,imgpng,gnomecompat,wall,ezoom,workarounds,staticswitcher,resize,fade,unitymtgrabhandles,scale,session,unityshell]
CompositorRunning: None
DRM.card0.LVDS.1:
status: connected
enabled: enabled
dpms: On
modes: 1440x900 1280x854 1280x800 1280x720 1152x768 1024x768 800x600 848x480
720x480 640x480
edid-base64:
AP///////wAGr0cRAAAAAAEQAQOAHhN4Cof1lFdPjCcnUFQAAAABAQEBAQEBAQEBAQEBAQEBHCqgElKEDDBAIDMAL70QAAAYAAAADwAAAAAAAAAAAAAAAAAgAAAA/gBBVU8KICAgICAgICAgAAAA/gBCMTQxUFcwMSBWMSAKANE=
DRM.card0.VGA.1:
status: disconnected
enabled: disabled
dpms: Off
modes:
edid-base64:
Date: Tue Apr 19 14:24:17 2011
DistUpgraded: Log time: 2011-04-18 08:53:20.924956
DistroCodename: natty
DistroVariant: ubuntu
DkmsStatus: virtualbox-ose, 4.0.4, 2.6.38-8-generic-pae, i686: installed
GraphicsCard:
ATI Technologies Inc M64-S [Mobility Radeon X2300] [1002:7188] (prog-if 00 [VGA
controller])
Subsystem: Hewlett-Packard Company 6910p [103c:30c1]
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Beta i386 (20100318)
MachineType: Hewlett-Packard HP Compaq 6910p
PccardctlStatus:
Socket 0:
no card
Socket 1:
3.3V 16-bit PC Card
Subdevice 0 (function 0) bound to driver "pata_pcmcia"
ProcEnviron:
LANGUAGE=en_US:en
PATH=(custom, user)
LANG=en_US.UTF-8
SHELL=/bin/zsh
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-2.6.38-8-generic-pae
root=UUID=ab190d60-22a0-4e2c-8662-496481d3fce8 ro vt.handoff=7
Renderer: Unknown
SourcePackage: xorg
UpgradeStatus: Upgraded to natty on 2011-04-18 (1 days ago)
version.compiz: compiz 1:0.9.4+bzr20110415-0ubuntu2
version.libdrm2: libdrm2 2.4.23-1ubuntu6
version.libgl1-mesa-dri: libgl1-mesa-dri 7.10.2-0ubuntu2
version.libgl1-mesa-dri-experimental: libgl1-mesa-dri-experimental N/A
version.libgl1-mesa-glx: libgl1-mesa-glx 7.10.2-0ubuntu2
version.xserver-xorg: xserver-xorg 1:7.6+4ubuntu3
version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:6.14.0-0ubuntu4
version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.14.0-4ubuntu7
version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau
1:0.0.16+git20110107+b795ca6e-0ubuntu7
