Issue 51709

Starred by 2 users

Issue metadata

Status: Fixed
Closed: Aug 2010
OS: All
Pri: 2
Type: Bug-Security
M-6


Fatal assertion failure when getting gdk custom cursor on safari books

Reported by magnusmo...@gmail.com, Aug 10 2010

Issue description

Chrome Version (from the about:version page): 6.0.491.0 (55592)
Is this the most recent version: YES
OS + version: Ubuntu 10.04
CPU architecture (32-bit / 64-bit): 64 bit
Window manager: Compiz
URLs (if relevant): my.safaribooks.com
Behavior in Linux Firefox: OK
Behavior in Windows Chrome (if you have access to it): --

What steps will reproduce the problem?
1. login to my.safaribooks
2. click on link to a book
3. move the mouse around

What is the expected result?
I am able to move the mouse around and continue to use chrome

What happens instead?
fatal assertion failure and xmessage popping up with backtrace

Please provide any additional information below. Attach a screenshot
and backtrace if possible.

[25422:25422:4343527807:FATAL:chrome/app/chrome_dll_main.cc(250)] Gdk: gdk_cursor_new_from_pixbuf: assertion `0 <= x && x < gdk_pixbuf_get_width (pixbuf)' failed
Backtrace:
	StackTrace::StackTrace() [0x1ab3576]
	logging::LogMessage::~LogMessage() [0x1aca849]
	(anonymous namespace)::GLibLogHandler() [0xf7a3de]
	0x7fd7656e9fb9
	0x7fd7656ea3d3
	0x7fd7674cd98a
	WebCursor::GetCustomCursor() [0x24c1253]
	RenderWidgetHostViewGtk::ShowCurrentCursor() [0x1316e82]
	RenderWidgetHostViewGtk::UpdateCursor() [0x1315d2c]
	RenderWidgetHost::OnMsgSetCursor() [0x130f9d7]
	DispatchToMethod<>() [0x1312588]
	IPC::MessageWithTuple<>::Dispatch<>() [0x13115c3]
	RenderWidgetHost::OnMessageReceived() [0x130c695]
	RenderViewHost::OnMessageReceived() [0x12fe66d]
	BrowserRenderProcessHost::OnMessageReceived() [0x168f224]
	IPC::ChannelProxy::Context::OnDispatchMessage() [0x23ed26c]
	DispatchToMethod<>() [0x23efd96]
	RunnableMethod<>::Run() [0x23efad4]
	MessageLoop::RunTask() [0x1acd225]
	MessageLoop::DeferOrRunPendingTask() [0x1acd308]
	MessageLoop::DoWork() [0x1acd8fc]
	base::MessagePumpForUI::HandleDispatch() [0x1b2d0f1]
	(anonymous namespace)::WorkSourceDispatch() [0x1b2c5d3]
	0x7fd7656df8c2
	0x7fd7656e3748
	0x7fd7656e38fc
	base::MessagePumpForUI::RunWithDispatcher() [0x1b2cda6]
	base::MessagePumpForUI::Run() [0x1b2d53c]
	MessageLoop::RunInternal() [0x1acc9f0]
	MessageLoop::RunHandler() [0x1acc89c]
	MessageLoopForUI::Run() [0x1acdf70]
	(anonymous namespace)::RunUIMessageLoop() [0x102f36d]
	BrowserMain() [0x10312df]
	ChromeMain [0xf7bfdd]
	main [0xf7ced0]
	0x7fd7620b2c4d
	0xf7a089


I have a feeling it might be something to do with redrawing the mouse after mousing over something.


 

Comment 1 by est...@chromium.org, Aug 10 2010

Status: Started
Here's a repro case. The problem is the hotspot should be clamped to the cursor size, but isn't currently.
Attachment: cursor.html (144 bytes)

Comment 2 by est...@chromium.org, Aug 10 2010

Labels: -OS-Linux OS-All
(and the cursor I used)

behavior on various browsers for an out-of-bounds hotspot:

windows chrome - honor it
linux chrome - crash
windows safari - ignore the cursor completely
firefox - clamp

It seems like clamping is the best idea for chrome on all platforms, mainly to match firefox.
Attachment: bar.png (168 bytes)
Labels: -Area-Undefined Area-UI Security Restrict-View-SecurityTeam SecSeverity-Low Mstone-5
Crash on Linux will at least be SecSeverity low. We were aware of an issue regarding cursor drawing outside bounds, but didn't know it could crash on Linux. If it is exploitable, need to raise severity. @scarybeasts, @cdn - mind taking a look?

@cdn, @cevans - it only crashed Debug with the assert hit, but only shows an error and no crash on release. @estade mentioned it to me; it is good to see if it has any security impact.

As of my most recent build (6.0.492.0 (55729)), the repro case no longer crashes Chrome, but the cursor is blue rather than red.

Comment 6 by est...@chromium.org, Aug 11 2010

Status: Fixed
Yea, that seems to be a separate bug. Filed issue 51816 for that.

Comment 7 by bugdro...@gmail.com, Aug 12 2010

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=55669 

------------------------------------------------------------------------
r55669 | estade@chromium.org | 2010-08-10 21:17:09 -0700 (Tue, 10 Aug 2010) | 14 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/glue/webcursor.cc?r1=55669&r2=55668
   M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/glue/webcursor.h?r1=55669&r2=55668
   M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/glue/webcursor_unittest.cc?r1=55669&r2=55668

Clamp the hotspot on custom cursors to the custom cursor image's dimensions.

Current behavior:
windows chrome - respect the crazy hotspot
linux chrome - crash
mac chrome - fall back to normal cursor
firefox - clamp the hotspot to the custom cursor image bounds.

So this unifies the behavior of all 3 chrome platforms and matches firefox.

BUG= 51709 
TEST=see bug for reduction

Review URL: http://codereview.chromium.org/3168003
------------------------------------------------------------------------
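The clamp that r55669 describes, written out as an added example. This is not code from the bug, its attachments, or Chromium's webcursor.cc: it is a minimal model of a custom cursor (image size plus hotspot), the precondition that GDK's gdk_cursor_new_from_pixbuf() asserts in the backtrace above, and a ClampHotspot that brings an out-of-bounds hotspot into the image bounds the way the commit message says Firefox does. The struct, the function names and the empty-image guard are assumptions for illustration.

```cpp
#include <algorithm>
#include <cstdio>

// Added example, not Chromium code: a minimal model of a custom cursor as the
// renderer reports it to the browser process (image size plus hotspot).
struct CustomCursor {
    int width;      // custom image width in pixels
    int height;     // custom image height in pixels
    int hotspot_x;  // hotspot from the page's CSS `cursor: url(...) x y` declaration
    int hotspot_y;
};

// The precondition GDK checks in gdk_cursor_new_from_pixbuf(), as quoted in the
// backtrace: 0 <= x && x < width (and the same for y against height).
// Returns true when handing this cursor to GDK would not trip that assertion.
bool GdkHotspotPreconditionHolds(const CustomCursor& c) {
    return c.hotspot_x >= 0 && c.hotspot_x < c.width &&
           c.hotspot_y >= 0 && c.hotspot_y < c.height;
}

// Clamp the hotspot into [0, width-1] x [0, height-1], which is what r55669
// describes. The upper bound is width-1, not width, because GDK's check is a
// strict `<`. A 0x0 image has no valid pixel at all, so the hotspot is reset to
// (0,0); the caller must still refuse to build a GDK cursor from an empty image
// (that guard is an assumption here, not something the bug states).
CustomCursor ClampHotspot(CustomCursor c) {
    if (c.width <= 0 || c.height <= 0) {
        c.hotspot_x = 0;
        c.hotspot_y = 0;
        return c;
    }
    c.hotspot_x = std::max(0, std::min(c.hotspot_x, c.width - 1));
    c.hotspot_y = std::max(0, std::min(c.hotspot_y, c.height - 1));
    return c;
}

int main() {
    // Constructed input: a 4x4 image with a hotspot the page placed far outside it.
    CustomCursor hostile = {4, 4, 100, -7};
    std::printf("before clamp: (%d,%d) precondition=%d\n",
                hostile.hotspot_x, hostile.hotspot_y,
                GdkHotspotPreconditionHolds(hostile));
    CustomCursor safe = ClampHotspot(hostile);
    std::printf("after clamp:  (%d,%d) precondition=%d\n",
                safe.hotspot_x, safe.hotspot_y,
                GdkHotspotPreconditionHolds(safe));
    return 0;
}
```

The point of keeping the precondition check separate from the clamp is that it is the browser-process side that talks to GDK: a renderer can send any hotspot it likes over IPC (RenderWidgetHost::OnMsgSetCursor in the backtrace), so the value must be sanitized on the receiving side before reaching a toolkit call that treats out-of-range input as a programming error.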

Comment 8 by est...@chromium.org, Aug 31 2010

Labels: -Mstone-5 Mstone-6
Status: WillMerge
We might want to merge this to the M6 branch. Seems like a simple change.

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=58016

------------------------------------------------------------------------
r58016 | thestig@chromium.org | 2010-08-31 10:41:49 -0700 (Tue, 31 Aug 2010) | 17 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/472/src/webkit/glue/webcursor.cc?r1=58016&r2=58015
   M http://src.chromium.org/viewvc/chrome/branches/472/src/webkit/glue/webcursor.h?r1=58016&r2=58015
   M http://src.chromium.org/viewvc/chrome/branches/472/src/webkit/glue/webcursor_unittest.cc?r1=58016&r2=58015

Merge 55669 - Clamp the hotspot on custom cursors to the custom cursor image's dimensions.

Current behavior:
windows chrome - respect the crazy hotspot
linux chrome - crash
mac chrome - fall back to normal cursor
firefox - clamp the hotspot to the custom cursor image bounds.

So this unifies the behavior of all 3 chrome platforms and matches firefox.

BUG= 51709 
TEST=see bug for reduction

Review URL: http://codereview.chromium.org/3168003

TBR=estade@chromium.org
Review URL: http://codereview.chromium.org/3244006
------------------------------------------------------------------------

Status: FixUnreleased
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -Restrict-View-SecurityNotify
Status: Fixed
Labels: Type-Security
Labels: SecImpacts-Stable
Batch update.

Comment 17 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 18 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Area-UI -SecSeverity-Low -Mstone-6 -Type-Security -SecImpacts-Stable Security-Severity-Low Security-Impact-Stable M-6 Cr-UI Type-Bug-Security

Comment 19 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 20 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-Low Security_Severity-Low

Comment 21 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 22 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 23 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic

Comment 25 by sheriffbot@chromium.org, Jul 29

Labels: Pri-2
