Bug 658108

Summary:	Sends out of bounds framebuffer updates after desktop resize
Product:	[Fedora] Fedora	Reporter:	Daniel Berrangé <berrange>
Component:	vino	Assignee:	Søren Sandmann Pedersen <sandmann>
Status:	CLOSED WONTFIX	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	low
Version:	14	CC:	berrange, bnocera, emailjonathananderson-fedora, kem, mclasen, sandmann
Target Milestone:	---
Target Release:	---
Hardware:	x86_64
OS:	Unspecified
Whiteboard:	abrt_hash:437be57ca39c5dbd55914faa772e1581c24fd01c
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:	655630	Environment:
Last Closed:	2012-08-16 20:31:12 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Daniel Berrangé 2010-11-29 11:50:44 UTC

+++ This bug was initially created as a clone of Bug #655630 +++

abrt version: 1.1.13
architecture: x86_64
Attached file: backtrace
cmdline: vinagre
component: vinagre
crash_function: vnc_base_framebuffer_set_pixel_32x32
executable: /usr/bin/vinagre
kernel: 2.6.35.6-48.fc14.x86_64
package: vinagre-2.31.4-1.fc14
rating: 3
reason: Process /usr/bin/vinagre was killed by signal 11 (SIGSEGV)
release: Fedora release 14 (Laughlin)
time: 1290392191
uid: 500

How to reproduce
-----
1.server switched from 1920*1080 to 640*480. scaling was enabled.
2.
3.

--- Additional comment from emailjonathananderson-fedora on 2010-11-21 21:23:12 EST ---

Created attachment 461903 [details]
File: backtrace

--- Additional comment from berrange on 2010-11-22 16:07:03 EST ---

Please try installing this update of GTK-VNC and let me know if it still crashes when the server switches size. This update includes a fix that checks for the server sending out-of-bounds updates, and disconnects from the server cleanly instead of crashing

https://admin.fedoraproject.org/updates/gtk-vnc-0.4.2-1.fc14

What VNC server are you connecting to though ? It could be that your server is buggy in sending VNC resizes.

--- Additional comment from emailjonathananderson-fedora on 2010-11-22 19:26:49 EST ---

It still crashes. Bug number for the submitted backtrace: 656068

the crash didn't happen at the first resolution change. The first
changes just killed the connection. Fifth change killed the client. It seems
that it is sensitive to the changes to lower resolution, not to higher.

Server:
Installed Packages
gtk-vnc.x86_64 0.4.2-1.fc14
vino.x86_64 2.31.91-1.fc14

Client:
Installed Packages
gtk-vnc.x86_64   0.4.2-1.fc14                                      
vinagre.x86_64   2.31.4-1.fc14

--- Additional comment from berrange on 2010-11-23 05:50:08 EST ---

*** Bug 656068 has been marked as a duplicate of this bug. ***

--- Additional comment from berrange on 2010-11-23 05:57:36 EST ---

Can you capture me a trace with 'vinagre --gtk-vnc-debug' from time of initial connection to the VNC server, through the resizes, upto the point it crashes.

Then, do the same running

  'valgrind vinagre'

--- Additional comment from emailjonathananderson-fedora on 2010-11-23 08:53:40 EST ---

Created attachment 462335 [details]
output of 'vinagre --gtk-vnc-debug', vinagre crashed after resolution change

--- Additional comment from emailjonathananderson-fedora on 2010-11-23 09:15:28 EST ---

Created attachment 462340 [details]
output of 'valgrind vinagre'

output of several 'valgrind vinagre'. I was unable to provoke the crash by resolution changes through at lest 50 resolution changes during half an hour, running with valgrind.

--- Additional comment from berrange on 2010-11-29 06:49:56 EST ---

These are the three key log messages at the end

The VNC server does a resize to 800x600 pixels:

  (vinagre:21644): gvnc-DEBUG: vncconnection.c FramebufferUpdate type=-223 area (800x600) at location 0,0

And sends an initial framebuffer update for that new desktop

  (vinagre:21644): gvnc-DEBUG: vncconnection.c FramebufferUpdate type=16 area (800x600) at location 0,0

But then bizarrely sends an update for a region that it way outside the framebuffer at offset 1166

  (vinagre:21644): gvnc-DEBUG: vncconnection.c FramebufferUpdate type=16 area  (19x19) at location 1166,695

So there are 2 bugs here

 1. gtk-vnc is not doing a correct bounds check on framebuffer updates and thus scribbling over random memory when it gets that out of bounds update
 2. vino is sending illegal framebuffer updates for regions outside the current framebuffer

I'm re-assigning this bug to gtk-vnc for resolution of the client side problem, and will clone against vino too.

Comment 1 Fedora End Of Life 2012-08-16 20:31:14 UTC

This message is a notice that Fedora 14 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 14. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained.  At this time, all open bugs with a Fedora 'version'
of '14' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this 
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen 
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we were unable to fix it before Fedora 14 reached end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" (top right of this page) and open it against that 
version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping