-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Apr 10, 2008 at 12:44:49AM +0200, Sylvain HITIER wrote:
> However this looks like a bug against libcairo2...
> I suggest that other "integer-overflow vulnerabilities in malloc() calls" be
> the cause of it.
>
> As you've just NMU'ed a security fix for this lib, I suggest you have a look
> at my bug report: you're surely able to investigate deeper than I did!

I couldn't reproduce this using libcairo2 1.2.4-4.1+etch1 and iceweasel
2.0.0.13-0etch1. The SVG you referenced loads just fine, apart from the
several seconds of CPU it chews up doing the render.

FWIW, the integer overflow fix applied to libcairo took the form of a series
of overflow checks on memory allocations, which in general return a null in
the event of an overflow. The most likely regressions from the fix are
division by zero errors (SIGFPE) or null pointer dereferences (SIGSEGV); both
of these were noted when early versions of the fix were made by Ubuntu (and
fixes for all known regressions are in the Debian release).

The stack trace you gave is consistent with a loss of connection to the X
server, possibly in response to invalid X command protocol interactions.
Whether X pixmap handling interactions can cause such a thing, I don't know
enough about X to say.

Deferring to the iceweasel maintainers for the moment, unless we get some
more data.

- --
Devin  \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH/cDAU5XKDemr/NIRAs3XAKDJyGPZQhSB3C5SqEMeVWU278/WuwCfS/U6
j/RDg2Hj+sJihtyBcM9hheA=
=HONR
-----END PGP SIGNATURE-----
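The message above describes the shape of the libcairo fix (overflow checks on allocation sizes that return NULL instead of an undersized buffer) and the two regression modes such a fix can introduce (SIGSEGV from a caller that never expected NULL, SIGFPE from dividing by a size that is now zero). The following is an added illustration of that pattern and is not cairo's code or part of the original thread; the function names (malloc_ab_unchecked, malloc_ab_checked, make_image, rows_in_buffer) and the 32bpp image layout are my own, chosen only to show the checked and unchecked behaviour side by side.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* True when a * b would wrap around SIZE_MAX. The division form avoids
 * performing the multiplication that could overflow. */
static int mul_overflows(size_t a, size_t b)
{
    return b != 0 && a > SIZE_MAX / b;
}

/* Size the unchecked path actually requests: a * b reduced mod 2^N. */
size_t wrapped_size(size_t a, size_t b)
{
    return a * b;
}

/* The pre-fix pattern: the product silently wraps, so a huge request can
 * come back as a tiny (even zero-length) buffer that later writes overrun. */
void *malloc_ab_unchecked(size_t a, size_t b)
{
    return malloc(a * b);
}

/* The post-fix pattern: refuse the allocation on overflow and return NULL.
 * Every caller must now handle NULL, or the fix trades a heap overflow for
 * a null pointer dereference (SIGSEGV). */
void *malloc_ab_checked(size_t a, size_t b)
{
    if (mul_overflows(a, b))
        return NULL;
    return malloc(a * b);
}

/* A caller that checks the new NULL result. Allocates and clears a
 * width x height image with bytes_per_pixel bytes per pixel; stores the
 * byte count in *out_size. Returns 0 on success, -1 on any overflow. */
int make_image(size_t width, size_t height, size_t bytes_per_pixel,
               size_t *out_size)
{
    size_t stride;
    unsigned char *pixels;

    if (mul_overflows(width, bytes_per_pixel))
        return -1;
    stride = width * bytes_per_pixel;

    pixels = malloc_ab_checked(stride, height);
    if (pixels == NULL)          /* omitting this check is the SIGSEGV regression */
        return -1;

    memset(pixels, 0, stride * height);   /* safe: product already validated */
    *out_size = stride * height;
    free(pixels);
    return 0;
}

/* Rows that fit in buf_size bytes. A stride that has become zero after the
 * checks must be rejected before dividing; dividing by it is the SIGFPE
 * regression the message mentions. Returns 0 on success, -1 on zero stride. */
int rows_in_buffer(size_t buf_size, size_t stride, size_t *rows)
{
    if (stride == 0)
        return -1;
    *rows = buf_size / stride;
    return 0;
}

int main(void)
{
    size_t huge = SIZE_MAX / 2 + 1;   /* huge * 2 wraps to exactly 0 */
    size_t n = 0, r = 0;
    void *p;

    printf("unchecked: %zu x 2 requests %zu bytes\n", huge, wrapped_size(huge, 2));
    p = malloc_ab_checked(huge, 2);
    printf("checked:   %zu x 2 returns %s\n", huge, p ? "a buffer" : "NULL");
    free(p);

    printf("make_image(16,16,4) -> %d (%zu bytes)\n", make_image(16, 16, 4, &n), n);
    printf("make_image(huge,4,4) -> %d\n", make_image(huge, 4, 4, &n));
    printf("rows_in_buffer(1024,0) -> %d\n", rows_in_buffer(1024, 0, &r));
    return 0;
}
```

Compile with `gcc -Wall -O2 example.c`; on a 64-bit host the unchecked path reports a zero-byte request for the wrapped product while the checked path returns NULL for the same arguments. When auditing a backported fix of this kind, the two things to grep for are allocation call sites that do not test for NULL and divisions whose divisor is derived from a size the new checks can force to zero.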