Bug#838486: inkscape: Segmentation fault in 0-48.5 src/display/nr-arena-image.cpp
On Mon 07/Nov/2016 18:16:00 +0100 Mattia Rizzolo wrote:
> control: tag -1 upstream - patch
>
> On Wed, Sep 21, 2016 at 09:26:10PM +0200, Alessandro Vesely wrote:
>> I'll try and reapply the latter patch tomorrow, and see how it goes.
>
> How did that go?

I sent a patch to Pixman's fast-path a month ago, and then a couple of messages to their mailing list, but didn't hear any more since the last I wrote. See (older to newer):

https://bugs.freedesktop.org/show_bug.cgi?id=97938
https://lists.freedesktop.org/archives/pixman/2016-October/004647.html
https://lists.freedesktop.org/archives/pixman/2016-October/004648.html
https://lists.freedesktop.org/archives/pixman/2016-October/004653.html

Note that what I sent are just some probationary patches looking for a resolution.

> Also, would you mind checking this upstream with 0.92 and possibly forward port your patch to that too (and send the bug/MR upstream)? I plan to put the pre-releases of 0.92 in experimental at one point if you prefer to wait for that (i.e. if you don't play nice with bzr).

IIRC, the only other rowstride-overflow bug was in cairo:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838648

Thus, the burden lies rather with the accompanying libraries than inkscape sources proper.

Ale

___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
Bug#838486: inkscape: Segmentation fault in 0-48.5 src/display/nr-arena-image.cpp
control: tag -1 upstream - patch

On Wed, Sep 21, 2016 at 09:26:10PM +0200, Alessandro Vesely wrote:
> I'll try and reapply the latter patch tomorrow, and see how it goes.

How did that go?

Also, would you mind checking this upstream with 0.92 and possibly forward port your patch to that too (and send the bug/MR upstream)? I plan to put the pre-releases of 0.92 in experimental at one point if you prefer to wait for that (i.e. if you don't play nice with bzr).

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540
more about me:  https://mapreri.org
Launchpad user: https://launchpad.net/~mapreri
Debian QA page: https://qa.debian.org/developer.php?login=mattia
Processed: Re: Bug#838486: inkscape: Segmentation fault in 0-48.5 src/display/nr-arena-image.cpp
Processing control commands:

> tag -1 upstream - patch
Bug #838486 [inkscape] inkscape: Segmentation fault in 0-48.5 src/display/nr-arena-image.cpp
Added tag(s) upstream.
Bug #838486 [inkscape] inkscape: Segmentation fault in 0-48.5 src/display/nr-arena-image.cpp
Removed tag(s) patch.

-- 
838486: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838486
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#838486: inkscape: Segmentation fault in 0-48.5 src/display/nr-arena-image.cpp
Hi Mattia,

On Wed 21/Sep/2016 16:54:02 +0200 Mattia Rizzolo wrote:
> On Wed, Sep 21, 2016 at 02:13:24PM +0200, Alessandro Vesely wrote:
>> $ gdb -q --args /usr/bin/inkscape test-pdf.svg
>> Reading symbols from /usr/bin/inkscape...done.
>> (gdb) run
>> Starting program: /usr/bin/inkscape test-pdf.svg
>> [Thread debugging using libthread_db enabled]
>> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
>> [New Thread 0x7fffe66dd700 (LWP 14025)]
>> [New Thread 0x7fff5442f700 (LWP 14030)]
>> [New Thread 0x7fff53bce700 (LWP 14033)]
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> nr_arena_image_pick (item=0x29f5e00, p=..., delta=) at display/nr-arena-image.cpp:318
>> 318 return (pix_ptr[3] > 0) ? item : NULL;
>
> nasty crash.
>
> Now, that's the stable release, though. And most of the development efforts are concentrated in unstable. Can you please check whether the crash happens with 0.91? You can just use what you find in jessie-backports for that.

I got a crash at a different point:

$ gdb -q --args /usr/bin/inkscape test-pdf.svg
Reading symbols from /usr/bin/inkscape...done.
(gdb) run
Starting program: /usr/bin/inkscape test-pdf.svg
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffe3026700 (LWP 21884)]
[New Thread 0x7fff4c92b700 (LWP 21885)]
[New Thread 0x7fff47f9f700 (LWP 21886)]

Program received signal SIGSEGV, Segmentation fault.
bits_image_fetch_separable_convolution_affine (repeat_mode=PIXMAN_REPEAT_NONE, format=PIXMAN_a8r8g8b8, convert_pixel=, mask=0x0, buffer=0x7fff4090, width=, line=, offset=, image=0x61e82e80) at ../../pixman/pixman-fast-path.c:2813
2813 ../../pixman/pixman-fast-path.c: No such file or directory.
(gdb)

This looks similar to an older bug I reported in July:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832579

I'll try and reapply the latter patch tomorrow, and see how it goes.
Ale
Bug#838486: inkscape: Segmentation fault in 0-48.5 src/display/nr-arena-image.cpp
Hi Alessandro,

On Wed, Sep 21, 2016 at 02:13:24PM +0200, Alessandro Vesely wrote:
> $ gdb -q --args /usr/bin/inkscape test-pdf.svg
> Reading symbols from /usr/bin/inkscape...done.
> (gdb) run
> Starting program: /usr/bin/inkscape test-pdf.svg
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> [New Thread 0x7fffe66dd700 (LWP 14025)]
> [New Thread 0x7fff5442f700 (LWP 14030)]
> [New Thread 0x7fff53bce700 (LWP 14033)]
>
> Program received signal SIGSEGV, Segmentation fault.
> nr_arena_image_pick (item=0x29f5e00, p=..., delta=) at display/nr-arena-image.cpp:318
> 318 return (pix_ptr[3] > 0) ? item : NULL;

nasty crash.

Now, that's the stable release, though. And most of the development efforts are concentrated in unstable. Can you please check whether the crash happens with 0.91? You can just use what you find in jessie-backports for that.

> --- a/src/display/nr-arena-image.cpp > +++ b/src/display/nr-arena-image.cpp
> @@ -303,17 +303,17 @@ > } else { > > unsigned char *const pixels = image->px; > -int const width = image->pxw; > -int const height = image->pxh; > -int const rowstride = image->pxrs; > +unsigned int const width = (unsigned int)(image->pxw); > +unsigned int const height = (unsigned int)(image->pxh); > +unsigned int const rowstride = (unsigned int)(image->pxrs); > Geom::Point tp = p * image->grid2px; > -int const ix = (int)(tp[Geom::X]); > -int const iy = (int)(tp[Geom::Y]); > +unsigned int const ix = (unsigned int)(tp[Geom::X]); > +unsigned int const iy = (unsigned int)(tp[Geom::Y]); > > -if ((ix < 0) || (iy < 0) || (ix >= width) || (iy >= height)) > +if ((ix >= width) || (iy >= height)) > return NULL; > > -unsigned char *pix_ptr = pixels + iy * rowstride + ix * 4; > +unsigned char *pix_ptr = pixels + iy * rowstride + ix * 4U; > // is the alpha not transparent? > return (pix_ptr[3] > 0) ? item : NULL; also this patch even if sensible doesn't apply in 0.91 where that file doesn't even exist anymore... -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. more about me: https://mapreri.org : :' : Launchpad user: https://launchpad.net/~mapreri `. `'` Debian QA page: https://qa.debian.org/developer.php?login=mattia `- signature.asc Description: PGP signature ___ pkg-multimedia-maintainers mailing list pkg-multimedia-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
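Review bot: the `+unsigned int const ix = (unsigned int)(tp[Geom::X]);` and matching `iy` lines convert a double straight to unsigned int; for a negative `tp` coordinate (exactly the case the removed `(ix < 0) || (iy < 0)` test used to catch) that conversion is undefined behaviour in C++, so the wrap to a huge value that makes `(ix >= width)` reject the point is not guaranteed. Keep the double-to-int conversion and go through unsigned afterwards, e.g. `int const ixs = (int)(tp[Geom::X]);` followed by `unsigned int const ix = (unsigned int)ixs;`, which is well defined and still folds the negative test into the single range check. The offset line `+unsigned char *pix_ptr = pixels + iy * rowstride + ix * 4U;` now does the arithmetic in 32-bit unsigned instead of int, which fixes the sign-extension seen in the reporter's gdb session (`$7` is 4 GiB below `$2`), but it still wraps silently once `iy * rowstride` passes 4 GiB; this allocation is already 0x85082ff0 bytes, so computing the offset in `size_t` would remove that remaining limit.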
Bug#838486: inkscape: Segmentation fault in 0-48.5 src/display/nr-arena-image.cpp
Package: inkscape
Version: 0.48.5-3
Severity: normal
Tags: patch

Dear Maintainer,

$ gdb -q --args /usr/bin/inkscape test-pdf.svg
Reading symbols from /usr/bin/inkscape...done.
(gdb) run
Starting program: /usr/bin/inkscape test-pdf.svg
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffe66dd700 (LWP 14025)]
[New Thread 0x7fff5442f700 (LWP 14030)]
[New Thread 0x7fff53bce700 (LWP 14033)]

Program received signal SIGSEGV, Segmentation fault.
nr_arena_image_pick (item=0x29f5e00, p=..., delta=) at display/nr-arena-image.cpp:318
318 return (pix_ptr[3] > 0) ? item : NULL;
(gdb) p pix_ptr[3]
Cannot access memory at address 0x7ffedc831b83
(gdb) p /x pixels
$1 = 0x7fff5af7d010
(gdb) p /x pixels + iy * image->pxrs + ix * 4
$2 = 0x7fffdc831b80
(gdb) p /x malloc_usable_size(pixels)
[Thread 0x7fff53bce700 (LWP 14033) exited]
$3 = 0x85082ff0
(gdb) p /x pixels + malloc_usable_size(pixels)
$4 = 0x7ffee000
(gdb) p /x pixels + (unsigned)malloc_usable_size(pixels)
$5 = 0x7fffe000
(gdb) p /x pixels + (unsigned)(iy * image->pxrs + ix * 4)
$6 = 0x7fffdc831b80
(gdb) p /x pix_ptr
$7 = 0x7ffedc831b80
(gdb) whatis image->pxrs
type = unsigned int
(gdb) q
A debugging session is active.

	Inferior 1 [process 14021] will be killed.

Quit anyway? (y or n) y
ale@pcale:~/g/nano2016$

-- System Information:
Debian Release: 8.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages inkscape depends on:
ii  gconf-service          3.2.6-3
ii  libaspell15            0.60.7~20110707-1.3
ii  libatk1.0-0            2.14.0-1
ii  libatkmm-1.6-1         2.22.7-2.1
ii  libc6                  2.19-18+deb8u6
ii  libcairo2              1.14.0-2.1+deb8u1
ii  libcairomm-1.0-1       1.10.0-1.1
ii  libfontconfig1         2.11.0-6.3+deb8u1
ii  libfreetype6           2.5.2-3+deb8u1
ii  libgc1c2               1:7.2d-6.4
ii  libgcc1                1:4.9.2-10
ii  libgconf-2-4           3.2.6-3
ii  libgdk-pixbuf2.0-0     2.31.1-2+deb8u5
ii  libglib2.0-0           2.42.1-1+b1
ii  libglibmm-2.4-1c2a     2.42.0-1
ii  libgnomevfs2-0         1:2.24.4-6+b1
ii  libgomp1               4.9.2-10
ii  libgsl0ldbl            1.16+dfsg-2
ii  libgtk2.0-0            2.24.25-3+deb8u1
ii  libgtkmm-2.4-1c2a      1:2.24.4-1.1
ii  libgtkspell0           2.0.16-1.1
ii  liblcms2-2             2.6-3+b3
ii  libmagick++-6.q16-5    8:6.8.9.9-5+deb8u4
ii  libmagickcore-6.q16-2  8:6.8.9.9-5+deb8u4
ii  libmagickwand-6.q16-2  8:6.8.9.9-5+deb8u4
ii  libpango-1.0-0         1.36.8-3
ii  libpangocairo-1.0-0    1.36.8-3
ii  libpangoft2-1.0-0      1.36.8-3
ii  libpangomm-1.4-1       2.34.0-1.1
ii  libpng12-0             1.2.50-2+deb8u2
ii  libpoppler-glib8       0.26.5-2+deb8u1
ii  libpoppler46           0.26.5-2+deb8u1
ii  libpopt0               1.16-10
ii  librevenge-0.0-0       0.0.1-3
ii  libsigc++-2.0-0c2a     2.4.0-1
ii  libstdc++6             4.9.2-10
ii  libwpg-0.3-3           0.3.0-3
ii  libx11-6               2:1.6.2-3
ii  libxml2                2.9.1+dfsg1-5+deb8u3
ii  libxslt1.1             1.1.28-2+deb8u1
pn  python:any
ii  zlib1g                 1:1.2.8.dfsg-2+b1

Versions of packages inkscape recommends:
ii  aspell                             0.60.7~20110707-1.3
ii  imagemagick                        8:6.8.9.9-5+deb8u4
ii  libgnomevfs2-extra                 1:2.24.4-6+b1
ii  libimage-magick-perl [perlmagick]  8:6.8.9.9-5+deb8u4
ii  libwmf-bin                         0.2.8.4-10.3+deb8u1
ii  perlmagick                         8:6.8.9.9-5+deb8u4
ii  pstoedit                           3.62-2+b1
ii  python-lxml                        3.4.0-1
ii  python-numpy                       1:1.8.2-2
ii  transfig                           1:3.2.5.e-4

Versions of
packages inkscape suggests: ii dia 0.97.3-1 ii dia-gnome0.97.3-1 ii libsvg-perl 2.59-1 ii libxml-xql-perl 0.68-6 ii python-uniconvertor 1.1.4-1+b2 ii ruby 1:2.1.5+deb8u2 ii ruby1.8 [ruby] 1.8.7.358-7.1+deb7u3 -- no debconf information --- a/src/display/nr-arena-image.cpp +++ b/src/display/nr-arena-image.cpp @@ -303,17 +303,17 @@ } else { unsigned char *const pixels = image->px; -int const width = image->pxw; -int const height = image->pxh; -int const rowstride = image->pxrs; +unsigned int const width = (unsigned int)(image->pxw); +unsigned int const height = (unsigned int)(image->pxh); +unsigned int const rowstride = (unsigned int)(image->pxrs); Geom::Point tp = p * image->grid2px; -int const ix = (int)(tp[Geom::X]); -int const iy = (int)(tp[Geom::Y]); +unsigned int const ix = (unsigned in
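To make the numbers in the reporter's gdb session concrete, here is a small C program added to this page; it is not part of the bug report, of the patch, or of Inkscape's sources. It reconstructs the pointer arithmetic of `nr_arena_image_pick` with a constructed image geometry (32768 x 17000 pixels, rowstride 131072, pick at ix = 21212, iy = 16581, all my own choices) that puts the picked pixel 0x818b4b70 bytes past `pixels`, which is the distance between `$1` and `$2` in the session; the base address and `malloc_usable_size` are the values gdb printed. `pixel_addr_0_48_5` models the int arithmetic of 0.48.5, whose overflow sign-extends to the 0x7ffe... address of `$7`; `pixel_addr_patched` models the unsigned arithmetic of the submitted patch; `safe_pixel_offset` is a bounds check done in `size_t` with the range test applied to the doubles before truncation. All three function names and the constants are hypothetical and assume nothing about Inkscape internals beyond what the report shows.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed geometry (my own choice, not from the report): a 32768 x 17000
 * BGRA image with rowstride = 4 * width.  Picking (ix = 21212, iy = 16581)
 * gives a byte offset of 16581 * 131072 + 21212 * 4 = 0x818b4b70, the gap
 * between `$1` and `$2` in the gdb session.  Base address and usable size
 * are the ones gdb printed. */
enum { IMG_WIDTH = 32768, IMG_HEIGHT = 17000, IMG_ROWSTRIDE = IMG_WIDTH * 4 };
#define PIXELS_BASE   ((uintptr_t)0x7fff5af7d010ULL)
#define PIXELS_USABLE ((size_t)0x85082ff0ULL)

/* Pre-patch arithmetic: `iy * rowstride + ix * 4` with int operands.  The
 * true value 0x818b4b70 exceeds INT_MAX, so the expression overflows (UB);
 * what gdb showed is a two's-complement wrap to a negative int that is then
 * sign-extended to 64 bits and added to the pointer.  Modelled here with
 * explicit 32-bit unsigned wrapping so this demo itself has no UB. */
static uintptr_t pixel_addr_0_48_5(uintptr_t base, int ix, int iy, int rowstride)
{
    uint32_t wrapped = (uint32_t)iy * (uint32_t)rowstride + (uint32_t)ix * 4u;
    int32_t as_int = (int32_t)wrapped;            /* 0x818b4b70 -> -2121643152 */
    return (uintptr_t)((intptr_t)base + as_int);  /* lands 4 GiB below the pixel */
}

/* Patched arithmetic: unsigned 32-bit operands, so this offset stays positive
 * and the address is right.  It would still wrap once iy * rowstride passes
 * 4 GiB, which is why size_t is preferable below. */
static uintptr_t pixel_addr_patched(uintptr_t base, unsigned ix, unsigned iy, unsigned rowstride)
{
    return base + (iy * rowstride + ix * 4u);
}

/* Bounds-checked pick.  The range test runs on the doubles: converting a
 * negative or out-of-range double to an unsigned type is UB, and NaN fails
 * every comparison so it is rejected rather than cast.  `x > -1.0` keeps the
 * original behaviour of truncating -0.5 to column 0.  Returns 1 and stores
 * the byte offset of the pixel, or 0 if the point is outside the image or
 * the 4-byte pixel would not fit in the buffer. */
static int safe_pixel_offset(double x, double y, unsigned width, unsigned height,
                             size_t rowstride, size_t nbytes, size_t *off_out)
{
    if (!(x > -1.0 && x < (double)width) || !(y > -1.0 && y < (double)height))
        return 0;
    size_t ix = (size_t)x;  /* integral part is >= 0 here, so well defined */
    size_t iy = (size_t)y;
    size_t off = iy * rowstride + ix * 4;   /* size_t: no 32-bit wrap on amd64 */
    if (nbytes < 4 || off > nbytes - 4)
        return 0;
    *off_out = off;
    return 1;
}

int main(void)
{
    size_t off = 0;
    printf("0.48.5 : %#lx (gdb $7)\n", (unsigned long)pixel_addr_0_48_5(PIXELS_BASE, 21212, 16581, IMG_ROWSTRIDE));
    printf("patched: %#lx (gdb $2)\n", (unsigned long)pixel_addr_patched(PIXELS_BASE, 21212, 16581, IMG_ROWSTRIDE));
    if (safe_pixel_offset(21212.0, 16581.0, IMG_WIDTH, IMG_HEIGHT, IMG_ROWSTRIDE, PIXELS_USABLE, &off))
        printf("offset : %#zx within %#zx usable bytes\n", off, PIXELS_USABLE);
    return 0;
}
```

Run as-is it prints the 0x7ffe... address from `$7` for the 0.48.5 arithmetic and the 0x7fff... address from `$2` for the patched form, which is the whole bug: the image here is about 2.2 GB, larger than INT_MAX, so any int-typed offset into it overflows. The size_t version is the shape a practitioner would want in the real picker, since it also stays correct for buffers past 4 GiB and refuses NaN and negative coordinates without relying on an undefined cast.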