[Bug 339637] New: Crash when parsing a .svg

librsvg (bugzilla.gnome.org) bugzilla-daemon at bugzilla.gnome.org
Mon Apr 24 21:00:16 UTC 2006


Do not reply to this via email (we are currently unable to handle email
responses and they get discarded).  You can add comments to this bug at
http://bugzilla.gnome.org/show_bug.cgi?id=339637
 librsvg | general | Ver: 2.14.x

           Summary: Crash when parsing a .svg
           Product: librsvg
           Version: 2.14.x
          Platform: Other
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: Normal
         Component: general
        AssignedTo: librsvg-maint at gnome.bugs
        ReportedBy: joss at debian.org
         QAContact: librsvg-maint at gnome.bugs
                CC: pkg-gnome-maintainers at lists.alioth.debian.org
     GNOME version: 2.13/2.14
   GNOME milestone: Unspecified


When parsing an SVG file produced by Illustrator, librsvg (2.14.3) crashes.

Starting program: /usr/bin/gqview scummvm_icon.svg
[snip]
Program received signal SIGSEGV, Segmentation fault.
0xb7aadfa7 in g_array_new () from /usr/lib/libglib-2.0.so.0
(gdb) bt
#0  0xb7aadfa7 in g_array_new () from /usr/lib/libglib-2.0.so.0
#1  0xb7aae534 in g_ptr_array_add () from /usr/lib/libglib-2.0.so.0
#2  0xb6dbfcb5 in rsvg_node_group_pack (self=0x83485b8, child=0x834d960)
    at rsvg-structure.c:167
#3  0xb6dc9f9b in rsvg_characters (data=0x82859b0,
    ch=0x83518e6 "\n\t</image>\n</g>\n<path
d=\"M233.421875,171.4472656c-0.4414063-3.0947266-1.1308594-6.1865234-2.0683594-9.1689453\n\tc-1.7060547-5.421875-4.09375-10.652832-7.0449219-15.512207c-1.8759766-3.0849609-3.8046875"...,
len=2)
    at rsvg-base.c:620
#4  0xb6c4cd72 in xmlParseCharData () from /usr/lib/libxml2.so.2
#5  0xb6c598e0 in xmlParseChunk () from /usr/lib/libxml2.so.2
#6  0xb6dca3e6 in rsvg_handle_write_impl (handle=0x82859b0,
    buf=0xbf8a5894
"cR+Gdwns\njoBIN1HDeSwBCi4FwKApAWfpGfBJFXjLIDSNQq8v8N4lajBlTXPjINIDKAAGzS9SjavppJrvcplF\nCmH0VPYoiAAUAIMWdC3HNdHl0gcTSgBS9n0EYFBFrnEunbyABMAg7oOpgQYhhBBCCCGEEEIIIYQQ\nQgghhBBCCCGEEEIIIYQQQgghhBBCCCGEEEIII"...,
    count=512, error=0x0) at rsvg-base.c:797
#7  0xb6dcb161 in rsvg_handle_write (handle=0x82859b0,
    buf=0xbf8a5894
"cR+Gdwns\njoBIN1HDeSwBCi4FwKApAWfpGfBJFXjLIDSNQq8v8N4lajBlTXPjINIDKAAGzS9SjavppJrvcplF\nCmH0VPYoiAAUAIMWdC3HNdHl0gcTSgBS9n0EYFBFrnEunbyABMAg7oOpgQYhhBBCCCGEEEIIIYQQ\nQgghhBBCCCGEEEIIIYQQQgghhBBCCCGEEEIII"...,
    count=512, error=0x0) at rsvg-base.c:1280
#8  0xb74c9b44 in ?? () from /usr/lib/gtk-2.0/2.4.0/loaders/svg_loader.so
#9  0x082859b0 in ?? ()
[etc.]

I tried to look a bit into it:
(gdb) up
#1  0xb7aae534 in g_ptr_array_add () from /usr/lib/libglib-2.0.so.0
(gdb) up
#2  0xb6dbfcb5 in rsvg_node_group_pack (self=0x83485b8, child=0x834d960)
    at rsvg-structure.c:167
167             g_ptr_array_add(self->children, child);
(gdb) print child
$1 = (RsvgNode *) 0x834d960
(gdb) print self
$2 = (RsvgNode *) 0x83485b8
(gdb) print self->children
$3 = (GPtrArray *) 0x623b676e
(gdb) print self->children->len
Cannot access memory at address 0x623b6772
(gdb) print *(self->children)
Cannot access memory at address 0x623b676e
(gdb) up
#3  0xb6dc9f9b in rsvg_characters (data=0x82859b0,
    ch=0x83518e6 "\n\t</image>\n</g>\n<path
d=\"M233.421875,171.4472656c-0.4414063-3.0947266-1.1308594-6.1865234-2.0683594-9.1689453\n\tc-1.7060547-5.421875-4.09375-10.652832-7.0449219-15.512207c-1.8759766-3.0849609-3.8046875"...,
len=2)
    at rsvg-base.c:620
620                     rsvg_node_group_pack(ctx->priv->currentnode, (RsvgNode *)self);
(gdb) print ctx->priv->currentnode
$4 = (RsvgNode *) 0x83485b8
(gdb) print *(ctx->priv->currentnode)
$5 = {state = 0x8348610, parent = 0x834d540, type = 0x82ac3d0,
  children = 0x623b676e, free = 0xb6da8b4d <rsvg_node_image_free>,
  draw = 0xb6da8bb8 <rsvg_node_image_draw>,
  set_atts = 0xb6da8d77 <rsvg_node_image_set_atts>}
(gdb) print ctx->priv->currentnode->parent
$6 = (RsvgNode *) 0x834d540
(gdb) print ctx->priv->currentnode->children
$7 = (GPtrArray *) 0x623b676e
(gdb) print *(ctx->priv->currentnode->children)
Cannot access memory at address 0x623b676e

It looks like the "children" pointer was corrupted or wrongly allocated. This
could be earlier in librsvg or this could be a libxml issue (using 2.6.23). I'm
afraid I don't know enough about libxml and the librsvg internals to go
further.

The test case follows.


-- 
Configure bugmail: http://bugzilla.gnome.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
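
Added example (not part of the original report, and not librsvg code): a small Python triage helper that reinterprets the pointer values gdb printed above as in-memory bytes, assuming a 32-bit little-endian target as the addresses in the backtrace suggest. A pointer whose bytes are all printable ASCII is a common sign that the field was overwritten by text data; it does not by itself show where the overwrite happened. The function names are hypothetical and the sample input is constructed from lines of the session above.

```python
import re

# Constructed sample: value-history lines copied from the gdb session above.
GDB_LINES = """\
$1 = (RsvgNode *) 0x834d960
$2 = (RsvgNode *) 0x83485b8
$3 = (GPtrArray *) 0x623b676e
$6 = (RsvgNode *) 0x834d540
"""

# Matches gdb value-history lines of the form: $N = (type *) 0xADDR
PTR_RE = re.compile(r"^\$(\d+) = \(([^)]+)\) (0x[0-9a-fA-F]+)$", re.M)


def pointer_bytes(value, width=4):
    """Return the bytes a pointer occupies in memory on a little-endian target."""
    return value.to_bytes(width, "little")


def looks_like_text(raw):
    """True when every byte is printable ASCII or common whitespace."""
    return all(0x20 <= b <= 0x7E or b in b"\t\n\r" for b in raw)


def triage(gdb_output, width=4):
    """Map each gdb history entry to (type, value, decoded text or None)."""
    findings = {}
    for num, ctype, hexval in PTR_RE.findall(gdb_output):
        value = int(hexval, 16)
        raw = pointer_bytes(value, width)
        text = raw.decode("ascii") if looks_like_text(raw) else None
        findings[f"${num}"] = (ctype, value, text)
    return findings


if __name__ == "__main__":
    for name, (ctype, value, text) in triage(GDB_LINES).items():
        if text is not None:
            verdict = f"bytes spell {text!r}; consistent with an overwrite by string data"
        else:
            verdict = "bytes are not ASCII text"
        print(f"{name} ({ctype}) {value:#010x}: {verdict}")
```

Of the four pointers, only the unreadable "children" value decodes entirely to printable characters; the other three contain non-ASCII bytes and sit close together in the same address range.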


