Issue 51709: Fatal assertion failure when getting gdk custom cursor on safari books
Reported by magnusmo...@gmail.com, Aug 10, 2010
Chrome Version (from the about:version page): 6.0.491.0 (55592)
Is this the most recent version: YES
OS + version: Ubuntu 10.04
CPU architecture (32-bit / 64-bit): 64 bit
Window manager: Compiz
URLs (if relevant): my.safaribooks.com
Behavior in Linux Firefox: OK
Behavior in Windows Chrome (if you have access to it): --

What steps will reproduce the problem?
1. login to my.safaribooks
2. click on link to a book
3. move the mouse around

What is the expected result?
I am able to move the mouse around and continue to use chrome

What happens instead?
fatal assertion failure and xmessage popping up with backtrace

Please provide any additional information below. Attach a screenshot
and backtrace if possible.

[25422:25422:4343527807:FATAL:chrome/app/chrome_dll_main.cc(250)] Gdk: gdk_cursor_new_from_pixbuf: assertion `0 <= x && x < gdk_pixbuf_get_width (pixbuf)' failed
Backtrace:
	StackTrace::StackTrace() [0x1ab3576]
	logging::LogMessage::~LogMessage() [0x1aca849]
	(anonymous namespace)::GLibLogHandler() [0xf7a3de]
	0x7fd7656e9fb9
	0x7fd7656ea3d3
	0x7fd7674cd98a
	WebCursor::GetCustomCursor() [0x24c1253]
	RenderWidgetHostViewGtk::ShowCurrentCursor() [0x1316e82]
	RenderWidgetHostViewGtk::UpdateCursor() [0x1315d2c]
	RenderWidgetHost::OnMsgSetCursor() [0x130f9d7]
	DispatchToMethod<>() [0x1312588]
	IPC::MessageWithTuple<>::Dispatch<>() [0x13115c3]
	RenderWidgetHost::OnMessageReceived() [0x130c695]
	RenderViewHost::OnMessageReceived() [0x12fe66d]
	BrowserRenderProcessHost::OnMessageReceived() [0x168f224]
	IPC::ChannelProxy::Context::OnDispatchMessage() [0x23ed26c]
	DispatchToMethod<>() [0x23efd96]
	RunnableMethod<>::Run() [0x23efad4]
	MessageLoop::RunTask() [0x1acd225]
	MessageLoop::DeferOrRunPendingTask() [0x1acd308]
	MessageLoop::DoWork() [0x1acd8fc]
	base::MessagePumpForUI::HandleDispatch() [0x1b2d0f1]
	(anonymous namespace)::WorkSourceDispatch() [0x1b2c5d3]
	0x7fd7656df8c2
	0x7fd7656e3748
	0x7fd7656e38fc
	base::MessagePumpForUI::RunWithDispatcher() [0x1b2cda6]
	base::MessagePumpForUI::Run() [0x1b2d53c]
	MessageLoop::RunInternal() [0x1acc9f0]
	MessageLoop::RunHandler() [0x1acc89c]
	MessageLoopForUI::Run() [0x1acdf70]
	(anonymous namespace)::RunUIMessageLoop() [0x102f36d]
	BrowserMain() [0x10312df]
	ChromeMain [0xf7bfdd]
	main [0xf7ced0]
	0x7fd7620b2c4d
	0xf7a089


I have a feeling it might be something to do with redrawing the mouse after mousing over something


Comment 1 by est...@chromium.org, Aug 10, 2010
here's a repro case. Problem is the hotspot should be clamped to the cursor size, but isn't currently.
Attachment: cursor.html (144 bytes)
Status: Started
Owner: est...@chromium.org
Comment 2 by est...@chromium.org, Aug 10, 2010
(and the cursor I used)

behavior on various browsers for an out-of-bounds hotspot:

windows chrome - honor it
linux chrome - crash
windows safari - ignore the cursor completely
firefox - clamp

It seems like clamping is the best idea for chrome on all platforms, mainly to match firefox.
Attachment: bar.png (168 bytes)
Labels: -OS-Linux OS-All
Comment 3 by infe...@chromium.org, Aug 10, 2010
Crash on linux will at least be secseverity low. we were aware of an issue regarding cursor drawing outside bounds, but didn't know it could crash on linux. If it is exploitable, need to raise severity. @scarybeasts, @cdn - mind taking a look.
Cc: c...@chromium.org cev...@chromium.org
Labels: -Area-Undefined Area-UI Security Restrict-View-SecurityTeam SecSeverity-Low Mstone-5
Comment 4 by infe...@chromium.org, Aug 10, 2010
@cdn, @cevans - it only crashed Debug with assert hit, but only shows error and no crash on release. @estade mentioned it to me, it is good to see if it has any security impact.
Comment 5 by magnusmo...@gmail.com, Aug 11, 2010
As of my most recent build (6.0.492.0 (55729)), the repro case no longer crashes chrome, but the cursor is blue rather than red
Comment 6 by est...@chromium.org, Aug 11, 2010
yea, that seems to be a separate bug. Filed issue 51816 for that
Status: Fixed
Comment 7 by bugdroid1@gmail.com, Aug 11, 2010
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=55669 

------------------------------------------------------------------------
r55669 | estade@chromium.org | 2010-08-10 21:17:09 -0700 (Tue, 10 Aug 2010) | 14 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/glue/webcursor.cc?r1=55669&r2=55668
   M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/glue/webcursor.h?r1=55669&r2=55668
   M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/glue/webcursor_unittest.cc?r1=55669&r2=55668

Clamp the hotspot on custom cursors to the custom cursor image's dimensions.

Current behavior:
windows chrome - respect the crazy hotspot
linux chrome - crash
mac chrome - fall back to normal cursor
firefox - clamp the hotspot to the custom cursor image bounds.

So this unifies the behavior of all 3 chrome platforms and matches firefox.

BUG=51709
TEST=see bug for reduction

Review URL: http://codereview.chromium.org/3168003
------------------------------------------------------------------------

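The clamp that comment 1 calls for and r55669 implements, shown as an added C++ example (this is not Chromium's webcursor.cc; the struct, enum and function names are hypothetical stand-ins). The security-relevant point is that the hotspot arrives over IPC from the renderer, which is the untrusted side, and the browser process was passing it to gdk_cursor_new_from_pixbuf unchecked. The "before" path reproduces the GDK precondition from the assertion text in the report; the "after" path clamps with min/max only, so even INT_MIN or INT_MAX from a hostile renderer cannot overflow, and an empty image falls back to the default cursor because no hotspot can satisfy the precondition there:

```cpp
#include <algorithm>
#include <climits>

// Hypothetical stand-in for the values carried by the SetCursor IPC
// (added example, not Chromium's WebCursor/WebCursorInfo).
struct CursorInfo {
  int width;      // custom image width in pixels
  int height;     // custom image height in pixels
  int hotspot_x;  // hotspot as sent by the renderer: untrusted
  int hotspot_y;
};

enum CursorOutcome {
  kCustomCursor,     // a custom cursor was built from the image
  kDefaultCursor,    // image unusable (empty), fell back to the default cursor
  kToolkitAssertion  // the toolkit's precondition would have fired
};

// The precondition GDK checks in gdk_cursor_new_from_pixbuf, taken from the
// assertion text in the report: 0 <= x < width (and likewise for y).
bool ToolkitAcceptsHotspot(int x, int y, int width, int height) {
  return x >= 0 && x < width && y >= 0 && y < height;
}

// Before the fix: hand the renderer's hotspot straight to the toolkit.
// On a Debug build this is the FATAL assertion in the report.
CursorOutcome ShowCursorUnclamped(const CursorInfo& info) {
  if (info.width <= 0 || info.height <= 0)
    return kDefaultCursor;
  if (!ToolkitAcceptsHotspot(info.hotspot_x, info.hotspot_y,
                             info.width, info.height))
    return kToolkitAssertion;
  return kCustomCursor;
}

// After the fix: clamp the hotspot into [0, width-1] x [0, height-1].
// Returns false when the image is empty, since no hotspot is valid then.
bool ClampHotspot(const CursorInfo& info, int* x, int* y) {
  if (info.width <= 0 || info.height <= 0)
    return false;
  *x = std::min(std::max(info.hotspot_x, 0), info.width - 1);
  *y = std::min(std::max(info.hotspot_y, 0), info.height - 1);
  return true;
}

CursorOutcome ShowCursorClamped(const CursorInfo& info) {
  int x = 0, y = 0;
  if (!ClampHotspot(info, &x, &y))
    return kDefaultCursor;
  return ToolkitAcceptsHotspot(x, y, info.width, info.height)
             ? kCustomCursor
             : kToolkitAssertion;
}
```

The clamp deliberately runs in the browser process, on the receiving side of the IPC, rather than trusting the renderer to have sanitised the CSS hotspot: the renderer is the compromised party in Chromium's threat model, so any check done there can be bypassed.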
Comment 8 by est...@chromium.org, Aug 30, 2010
(No comment was entered for this change.)
Cc: thes...@chromium.org
Comment 9 by scarybea...@gmail.com, Aug 30, 2010
We might want to merge this to the M6 branch. Seems like a simple change.
Status: WillMerge
Labels: -Mstone-5 Mstone-6
Comment 10 by bugdroid1@gmail.com, Aug 31, 2010
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=58016 

------------------------------------------------------------------------
r58016 | thestig@chromium.org | 2010-08-31 10:41:49 -0700 (Tue, 31 Aug 2010) | 17 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/472/src/webkit/glue/webcursor.cc?r1=58016&r2=58015
   M http://src.chromium.org/viewvc/chrome/branches/472/src/webkit/glue/webcursor.h?r1=58016&r2=58015
   M http://src.chromium.org/viewvc/chrome/branches/472/src/webkit/glue/webcursor_unittest.cc?r1=58016&r2=58015

Merge 55669 - Clamp the hotspot on custom cursors to the custom cursor image's dimensions.

Current behavior:
windows chrome - respect the crazy hotspot
linux chrome - crash
mac chrome - fall back to normal cursor
firefox - clamp the hotspot to the custom cursor image bounds.

So this unifies the behavior of all 3 chrome platforms and matches firefox.

BUG=51709
TEST=see bug for reduction

Review URL: http://codereview.chromium.org/3168003

TBR=estade@chromium.org
Review URL: http://codereview.chromium.org/3244006
------------------------------------------------------------------------

Comment 11 by scarybea...@gmail.com, Sep 7, 2010
(No comment was entered for this change.)
Status: FixUnreleased
Comment 12 by infe...@chromium.org, Sep 8, 2010
(No comment was entered for this change.)
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Comment 13 by jsc...@chromium.org, Sep 15, 2010
(No comment was entered for this change.)
Cc: dglaz...@chromium.org
Comment 14 by scarybea...@gmail.com, Sep 18, 2010
(No comment was entered for this change.)
Status: Fixed
Labels: -Restrict-View-SecurityNotify
Comment 15 by jsc...@chromium.org, Mar 21, 2011
(No comment was entered for this change.)
Labels: Type-Security
Comment 16 by jsc...@chromium.org, Oct 4, 2011
Batch update.
Labels: SecImpacts-Stable