Bug 43244 – italc 3.0 segfault in CopyRectangle()

Bug 43244 - italc 3.0 segfault in CopyRectangle()


Summary:	italc 3.0 segfault in CopyRectangle()

Status:	CLOSED FIXED

Product:	UCS@school
Classification:	Unclassified
Component:	iTALC
Version:	UCS@school 4.1 R2
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS@school 4.1 R2 v10
Assigned To:	Florian Best
QA Contact:	Sönke Schwardt-Krummrich

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2016-12-22 15:23 CET by Florian Best
Modified:	2017-03-21 12:35 CET (History)
CC List:	2 users (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	7: Crash: Bug causes crash or data loss
Who will be affected by this bug?:	2: Will only affect a few installed domains
How will those affected feel about the bug?:	3: A User would likely not purchase the product
User Pain:	0.240
Enterprise Customer affected?:
School Customer affected?:	Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:	2016112421000151
Bug group (optional):	External feedback
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Florian Best

2016-12-22 15:23:21 CET

Core was generated by `/usr/bin/python2.7 /usr/sbin/univention-management-console-module -m computerro'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007fa674b76f6b in raise () from /lib/x86_64-linux-gnu/libpthread.so.0
#0  0x00007fa674b76f6b in raise () from /lib/x86_64-linux-gnu/libpthread.so.0
#1  <signal handler called>
#2  0x00007fa67405e577 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3  0x00007fa64ea1d017 in CopyRectangle (client=0x2e31470, buffer=0x2e56ce8 "#w", x=<optimized out>, y=16384, w=276163808, h=1946543431) at /var/build/temp/tmp.4cEG8hN4Vz/pbuilder/italc-2.0.25/ica/x11/libvncclient/rfbproto.c:177
#4  0x00007fa64e9eecba in DecompressJpegRect32 (client=0x2e31470, x=0, y=895, w=1920, h=<optimized out>) at /var/build/temp/tmp.4cEG8hN4Vz/pbuilder/italc-2.0.25/ica/x11/libvncclient/tight.c:578
#5  0x00007fa64e9ef7e8 in HandleTight32 (client=0x2e31470, rx=0, ry=895, rw=1920, rh=34) at /var/build/temp/tmp.4cEG8hN4Vz/pbuilder/italc-2.0.25/ica/x11/libvncclient/tight.c:124
#6  0x00007fa64ea25c62 in HandleCoRRE32 (rh=<optimized out>, rw=<optimized out>, ry=59792, rx=59776, client=0x2e31470) at /var/build/temp/tmp.4cEG8hN4Vz/pbuilder/italc-2.0.25/ica/x11/libvncclient/corre.c:56
#7  HandleRFBServerMessage (client=0x2e31470) at /var/build/temp/tmp.4cEG8hN4Vz/pbuilder/italc-2.0.25/ica/x11/libvncclient/rfbproto.c:2056
#8  0x00007fa64ea043e6 in ItalcVncConnection::doConnection (this=0x7fa64821e930) at /var/build/temp/tmp.4cEG8hN4Vz/pbuilder/italc-2.0.25/lib/src/ItalcVncConnection.cpp:634
#9  0x00007fa64ea04628 in ItalcVncConnection::run (this=0x7fa64821e930) at /var/build/temp/tmp.4cEG8hN4Vz/pbuilder/italc-2.0.25/lib/src/ItalcVncConnection.cpp:517
#10 0x00007fa6718dfd0b in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#11 0x00007fa674b6eb50 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#12 0x00007fa67401830d in clone () from /lib/x86_64-linux-gnu/libc.so.6
#13 0x0000000000000000 in ?? ()

upload_Nf0ISd.gz in Ticket #2016112421000151 contains the coredump "core-univention-mana-25617-1482313053".

Comment 1 Florian Best

2016-12-22 15:56:56 CET

Core was generated by `/usr/bin/python2.7 /usr/sbin/univention-management-console-module -m computerro'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007fa674b76f6b in raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
42      ../nptl/sysdeps/unix/sysv/linux/pt-raise.c: Datei oder Verzeichnis nicht gefunden.
#0  0x00007fa674b76f6b in raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#1  <signal handler called>
#2  __memcpy_ssse3 () at ../sysdeps/x86_64/multiarch/memcpy-ssse3.S:1090
#3  0x00007fa64ea1d017 in CopyRectangle (client=0x2e31470, buffer=0x2e56ce8 "#w", x=<optimized out>, y=16384, w=276163808, h=1946543431) at /var/build/temp/tmp.4cEG8hN4Vz/pbuilder/italc-2.0.25/ica/x11/libvncclient/rfbproto.c:177
#4  0x00007fa64e9eecba in DecompressJpegRect32 (client=0x2e31470, x=0, y=895, w=1920, h=<optimized out>) at /var/build/temp/tmp.4cEG8hN4Vz/pbuilder/italc-2.0.25/ica/x11/libvncclient/tight.c:578
#5  0x00007fa64e9ef7e8 in HandleTight32 (client=0x2e31470, rx=0, ry=895, rw=1920, rh=34) at /var/build/temp/tmp.4cEG8hN4Vz/pbuilder/italc-2.0.25/ica/x11/libvncclient/tight.c:124
#6  0x00007fa64ea25c62 in HandleCoRRE32 (rh=<optimized out>, rw=<optimized out>, ry=59792, rx=59776, client=0x2e31470) at /var/build/temp/tmp.4cEG8hN4Vz/pbuilder/italc-2.0.25/ica/x11/libvncclient/corre.c:56
#7  HandleRFBServerMessage (client=0x2e31470) at /var/build/temp/tmp.4cEG8hN4Vz/pbuilder/italc-2.0.25/ica/x11/libvncclient/rfbproto.c:2056
#8  0x00007fa64ea043e6 in ItalcVncConnection::doConnection (this=0x7fa64821e930) at /var/build/temp/tmp.4cEG8hN4Vz/pbuilder/italc-2.0.25/lib/src/ItalcVncConnection.cpp:634
#9  0x00007fa64ea04628 in ItalcVncConnection::run (this=0x7fa64821e930) at /var/build/temp/tmp.4cEG8hN4Vz/pbuilder/italc-2.0.25/lib/src/ItalcVncConnection.cpp:517
#10 0x00007fa6718dfd0b in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#11 0x00007fa674b6eb50 in start_thread (arg=<optimized out>) at pthread_create.c:304
#12 0x00007fa67401830d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#13 0x0000000000000000 in ?? ()

Comment 2 Florian Best

2017-01-02 13:29:37 CET

It looks like the following commit will fix it:
https://github.com/LibVNC/libvncserver/commit/5418e8007c248bf9668d22a8c1fa9528149b69f2

This commit has been backported into the italc2 branch.
https://github.com/iTALC/italc/issues/74
https://github.com/LibVNC/libvncserver/issues/147

italc (2:2.0.25-17):
r75547 | Bug #43244: prevent segfault in libvncserver CopyRectangle()

italc.yaml:
r75548 | YAML Bug #43244

Comment 3 Sönke Schwardt-Krummrich

2017-03-17 14:52:47 CET

OK: code change
OK: functional test
OK: advisory

Comment 4 Sönke Schwardt-Krummrich

2017-03-21 12:35:57 CET

UCS@school 4.1 R2 v10 has been released.

http://docs.software-univention.de/changelog-ucsschool-4.1R2v10-de.html

If this error occurs again, please clone this bug.