Bug 655630 - Broken bounds checking on framebuffer updates
Summary: Broken bounds checking on framebuffer updates
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: gtk-vnc
Version: 14
Hardware: x86_64
OS: Unspecified
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Berrangé
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:437be57ca39c5dbd55914faa772...
Duplicates: 656068
Depends On:
Blocks:
Reported: 2010-11-22 02:23 UTC by Jonathan
Modified: 2010-12-02 19:08 UTC
CC List: 3 users

Fixed In Version: gtk-vnc-0.4.2-3.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 658108
Environment:
Last Closed: 2010-12-02 19:08:41 UTC
Type: ---


Attachments
File: backtrace (14.47 KB, text/plain), 2010-11-22 02:23 UTC, Jonathan
output of 'vinagre --gtk-vnc-debug', vinagre crashed after resolution change (204.21 KB, text/plain), 2010-11-23 13:53 UTC, Jonathan
output of 'valgrind vinagre' (19.19 KB, text/plain), 2010-11-23 14:15 UTC, Jonathan

Description Jonathan 2010-11-22 02:23:09 UTC
abrt version: 1.1.13
architecture: x86_64
Attached file: backtrace
cmdline: vinagre
component: vinagre
crash_function: vnc_base_framebuffer_set_pixel_32x32
executable: /usr/bin/vinagre
kernel: 2.6.35.6-48.fc14.x86_64
package: vinagre-2.31.4-1.fc14
rating: 3
reason: Process /usr/bin/vinagre was killed by signal 11 (SIGSEGV)
release: Fedora release 14 (Laughlin)
time: 1290392191
uid: 500

How to reproduce
-----
1. server switched from 1920*1080 to 640*480. scaling was enabled.

Comment 1 Jonathan 2010-11-22 02:23:12 UTC
Created attachment 461903 [details]
File: backtrace

Comment 2 Daniel Berrangé 2010-11-22 21:07:03 UTC
Please try installing this update of GTK-VNC and let me know if it still crashes when the server switches size. This update includes a fix that checks for the server sending out-of-bounds updates, and disconnects from the server cleanly instead of crashing.

https://admin.fedoraproject.org/updates/gtk-vnc-0.4.2-1.fc14

What VNC server are you connecting to though? It could be that your server is buggy in sending VNC resizes.

Comment 3 Jonathan 2010-11-23 00:26:49 UTC
It still crashes. Bug number for the submitted backtrace: 656068

The crash didn't happen at the first resolution change. The first changes just killed the connection. Fifth change killed the client. It seems that it is sensitive to the changes to lower resolution, not to higher.

Server:
Installed Packages
gtk-vnc.x86_64 0.4.2-1.fc14
vino.x86_64 2.31.91-1.fc14

Client:
Installed Packages
gtk-vnc.x86_64   0.4.2-1.fc14
vinagre.x86_64   2.31.4-1.fc14

Comment 4 Daniel Berrangé 2010-11-23 10:50:08 UTC
*** Bug 656068 has been marked as a duplicate of this bug. ***

Comment 5 Daniel Berrangé 2010-11-23 10:57:36 UTC
Can you capture me a trace with 'vinagre --gtk-vnc-debug' from time of initial connection to the VNC server, through the resizes, up to the point it crashes?

Then, do the same running

  'valgrind vinagre'

Comment 6 Jonathan 2010-11-23 13:53:40 UTC
Created attachment 462335 [details]
output of 'vinagre --gtk-vnc-debug', vinagre crashed after resolution change

Comment 7 Jonathan 2010-11-23 14:15:28 UTC
Created attachment 462340 [details]
output of 'valgrind vinagre'

Output of several 'valgrind vinagre'. I was unable to provoke the crash by resolution changes through at least 50 resolution changes during half an hour, running with valgrind.

Comment 8 Daniel Berrangé 2010-11-29 11:49:56 UTC
These are the three key log messages at the end.

The VNC server does a resize to 800x600 pixels:

  (vinagre:21644): gvnc-DEBUG: vncconnection.c FramebufferUpdate type=-223 area (800x600) at location 0,0

And sends an initial framebuffer update for that new desktop:

  (vinagre:21644): gvnc-DEBUG: vncconnection.c FramebufferUpdate type=16 area (800x600) at location 0,0

But then bizarrely sends an update for a region that is way outside the framebuffer at offset 1166:

  (vinagre:21644): gvnc-DEBUG: vncconnection.c FramebufferUpdate type=16 area  (19x19) at location 1166,695

So there are 2 bugs here:

 1. gtk-vnc is not doing a correct bounds check on framebuffer updates and thus scribbling over random memory when it gets that out of bounds update
 2. vino is sending illegal framebuffer updates for regions outside the current framebuffer

I'm re-assigning this bug to gtk-vnc for resolution of the client side problem, and will clone against vino too.
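
The client-side check that comment 8 calls for, as an added C example that is not gtk-vnc's own code: `update_rect_in_bounds` and `apply_update` are hypothetical names, the framebuffer is a constructed 800x600 buffer matching the logged desktop size, and the subtraction form of the check also rejects oversized rectangles that would wrap unsigned arithmetic, a case the log itself does not show.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bounds check for an RFB FramebufferUpdate rectangle (not
 * gtk-vnc code). Testing "w > width - x" instead of "x + w > width" means
 * a huge w or x cannot wrap the unsigned sum and slip past the check. */
static bool
update_rect_in_bounds(uint32_t fb_width, uint32_t fb_height,
                      uint32_t x, uint32_t y, uint32_t w, uint32_t h)
{
    /* The origin must lie inside the framebuffer, or the subtractions
     * below would underflow. */
    if (x >= fb_width || y >= fb_height)
        return false;
    /* The rectangle must fit in the room left to the right and bottom edges. */
    return w <= fb_width - x && h <= fb_height - y;
}

enum update_result { UPDATE_APPLIED = 0, UPDATE_REJECTED = 1 };

/* Apply one update to a constructed 32-bit-per-pixel framebuffer, filling
 * the rectangle with a constant instead of decoding real pixel data. The
 * check runs before any pixel is touched, so an out-of-bounds rectangle
 * leaves the buffer untouched and the caller can drop the connection. */
static enum update_result
apply_update(uint32_t *fb, uint32_t fb_width, uint32_t fb_height,
             uint32_t x, uint32_t y, uint32_t w, uint32_t h, uint32_t value)
{
    if (!update_rect_in_bounds(fb_width, fb_height, x, y, w, h))
        return UPDATE_REJECTED;
    for (uint32_t row = y; row < y + h; row++)
        for (uint32_t col = x; col < x + w; col++)
            fb[(size_t)row * fb_width + col] = value;
    return UPDATE_APPLIED;
}

int main(void)
{
    /* The sizes from the debug log in comment 8: an 800x600 desktop, then a
     * 19x19 update at 1166,695 (constructed buffer, no real pixel data). */
    static uint32_t fb[800 * 600];
    const char *names[] = { "applied", "rejected" };
    printf("800x600 at 0,0:    %s\n",
           names[apply_update(fb, 800, 600, 0, 0, 800, 600, 0xff)]);
    printf("19x19 at 1166,695: %s\n",
           names[apply_update(fb, 800, 600, 1166, 695, 19, 19, 0xff)]);
    return 0;
}
```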

Comment 9 Fedora Update System 2010-11-29 14:15:21 UTC
gtk-vnc-0.4.2-2.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/gtk-vnc-0.4.2-2.fc14

Comment 10 Fedora Update System 2010-11-29 21:27:54 UTC
gtk-vnc-0.4.2-3.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update gtk-vnc'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/gtk-vnc-0.4.2-3.fc14

Comment 11 Jonathan 2010-11-29 22:04:34 UTC
Sorry for using this as a chat board...
I tried installing this update from the updates-testing repo and I am used to doing this. I notice from Bodhi that it should be there; however, I am not able to find the package. Yum only lists gtk-vnc 0.4.2-1 even with option --enablerepo=updates-testing. I vaguely remember that there should be some way to ensure that yum reads a fresh mirror of the repo?

Comment 12 Fedora Update System 2010-12-02 19:08:20 UTC
gtk-vnc-0.4.2-3.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
