SRU: Cairo crashes when loading some svg or pdf files

Bug #1074667 reported by Matthieu Baerts
Affects          Status        Importance  Assigned to  Milestone
libcairo         Fix Released  Medium
cairo (Ubuntu)   Fix Released  High        Unassigned
Quantal          Fix Released  High        Unassigned

Bug Description

[ Impact ]

Some apps (which use Cairo) crash when loading some svg[1] or pdf[2] files.

[ Test case ]

 * Open this file with Evince: http://kernsec.org/files/LinuxSecuritySummit2012_rpm.pdf
 * Open the svg file[1] with this little program, compiled with:
  $ gcc -ggdb test.c -o test `pkg-config --libs --cflags gtk+-3.0`
Then launch it from the same directory as the 'geany.svg' file[1]:

===========

#include <stdio.h>
#include <gtk/gtk.h>

int main (int argc, char **argv)
{
 gtk_init (&argc, &argv);
 /* Loading the attached geany.svg scaled to 64x64 is enough to hit the crash inside Cairo */
 GdkPixbuf *pixbuf = gdk_pixbuf_new_from_file_at_size ("geany.svg", 64, 64, NULL);
 if (pixbuf)
  g_object_unref (pixbuf);
 return 0;
}

===========

[ Regression Potential ]

 * The new proposed version contains a patch from Git upstream repository. It is also available in the 1.12.4 version. According to Cairo devs, it should have any regression:
  - http://cgit.freedesktop.org/cairo/commit/?id=797441093a8346003552e0cf89aef2a644ff53ab
  - https://bugs.freedesktop.org/show_bug.cgi?id=54822
  - https://bugs.freedesktop.org/show_bug.cgi?id=56698 (a duplicated bug)

[ Other Info ]

 * This BZR branch should fix this bug: lp:~matttbe/ubuntu/quantal/cairo/lp1074667
 * You can easily test the new version by using these packages on Quantal: https://launchpad.net/~matttbe/+archive/experimental-debian-build/+sourcepub/2781148/+listing-archive-extra
 * Or on Ubuntu Raring: https://launchpad.net/~matttbe/+archive/ppa/+sourcepub/2767939/+listing-archive-extra

[ Original bug report ]

Hello,

Cairo (libcairo2 1.12.2-2ubuntu1) crashes when loading some svg[1] or pdf[2] files.
This bug has already been reported to Cairo devs:
  * https://bugs.freedesktop.org/show_bug.cgi?id=54822
  * https://bugs.freedesktop.org/show_bug.cgi?id=56698 (a duplicated bug)

And it's already fixed in the bug-fix version 1.12.4 thanks to this commit by Chris Wilson:
  * http://cgit.freedesktop.org/cairo/commit/?id=797441093a8346003552e0cf89aef2a644ff53ab

How to reproduce this crash:
 1] Open this file with Evince: http://kernsec.org/files/LinuxSecuritySummit2012_rpm.pdf

 2] Open the svg file[1] with this little program, compiled with:
  $ gcc -ggdb test.c -o test `pkg-config --libs --cflags gtk+-3.0`
Then launch it from the same directory as the 'geany.svg' file[1]:

===========

#include <stdio.h>
#include <gtk/gtk.h>

int main (int argc, char **argv)
{
 gtk_init (&argc, &argv);
 /* Loading the attached geany.svg scaled to 64x64 is enough to hit the crash inside Cairo */
 GdkPixbuf *pixbuf = gdk_pixbuf_new_from_file_at_size ("geany.svg", 64, 64, NULL);
 if (pixbuf)
  g_object_unref (pixbuf);
 return 0;
}

===========

A bzr branch will be linked to this bug report: lp:~matttbe/ubuntu/raring/cairo/1074667
This new version should fix this bug.

How to easily test the new version:
 You can use the new version of this package available in my ppa:matttbe/ppa
 https://launchpad.net/~matttbe/+archive/ppa/+sourcepub/2767939/+listing-archive-extra

Is it possible to upload this new package to Raring repos?
And is it also possible to backport this change to Quantal-update repos?

Thank you for your help! :)

[1] The svg file joined to this bug report: https://bugs.launchpad.net/ubuntu/+source/cairo/+bug/1074667/+attachment/3422628/+files/geany.svg
[2] http://kernsec.org/files/LinuxSecuritySummit2012_rpm.pdf

Riccardo Magliocchetti (riccardo) wrote :

This file [1] makes evince crash in cairo. Debian sid with cairo 1.12.2-2 and evince 3.4.0-3.

[1] http://kernsec.org/files/LinuxSecuritySummit2012_rpm.pdf

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xef6ffb70 (LWP 10039)]
full_row (mask=4294967295, coverages=0xf5ffcbac, active=0xf5ffcb3c)
    at /build/buildd-cairo_1.12.2-2-i386-1cmzkR/cairo-1.12.2/src/cairo-tor-scan-converter.c:1358
1358 /build/buildd-cairo_1.12.2-2-i386-1cmzkR/cairo-1.12.2/src/cairo-tor-scan-converter.c: File o directory non esistente.
(gdb) bt full
#0 full_row (mask=4294967295, coverages=0xf5ffcbac, active=0xf5ffcb3c)
    at /build/buildd-cairo_1.12.2-2-i386-1cmzkR/cairo-1.12.2/src/cairo-tor-scan-converter.c:1358
        right = 0x0
        winding = 36752
        left = 0xf5ffcad4
#1 glitter_scan_converter_render (renderer=0xef6fd1ac, antialias=1,
    winding_mask=4294967295, converter=0xf5ffc394)
    at /build/buildd-cairo_1.12.2-2-i386-1cmzkR/cairo-1.12.2/src/cairo-tor-scan-converter.c:1713
        do_full_row = 1
        j = 4
        ymax_i = <optimized out>
        xmin_i = 81
        active = 0xf5ffcb3c
        ymin_i = <optimized out>
        h = <optimized out>
        polygon = 0xf5ffc394
        buckets = {0x0 <repeats 15 times>}
        i = <optimized out>
        xmax_i = 97
        coverages = 0xf5ffcbac
#2 _cairo_tor_scan_converter_generate (converter=0xf5ffc388,
    renderer=0xef6fd1ac)
    at /build/buildd-cairo_1.12.2-2-i386-1cmzkR/cairo-1.12.2/src/cairo-tor-scan-converter.c:1809
        self = 0xef6fd1ac
        status = <optimized out>
#3 0xf7722a15 in composite_polygon (extents=extents@entry=0xef6fe210,
    polygon=polygon@entry=0xef6fde08,
    fill_rule=fill_rule@entry=CAIRO_FILL_RULE_WINDING,
    antialias=antialias@entry=CAIRO_ANTIALIAS_DEFAULT,
    compositor=<error reading variable: Unhandled dwarf expression opcode 0xfa>, compositor=<error reading variable: Unhandled dwarf expression opcode 0xfa>)
    at /build/buildd-cairo_1.12.2-2-i386-1cmzkR/cairo-1.12.2/src/cairo-spans-compositor.c:716
        renderer = {base = {status = 3221996115, destroy = 0x3eb82b6a,
            render_rows = 0xf76ed850 <_inplace_spans>, finish = 0},


Psychon-d (psychon-d) wrote :

The file loads fine here. I have to zoom out to make it crash. The crash is a NULL pointer dereference in dec(); the struct edge *e argument is NULL.

git bisect unhelpfully points at the new compositor architecture (Why does that commit remove asserts from the scan converter?):

git bisect start
# good: [0540bf384aed344899417d3b0313bd6704679c1c] ps: improve formatting of fallback image comment
git bisect good 0540bf384aed344899417d3b0313bd6704679c1c
# bad: [65a954d5bab9ab6fed15bd98b7018aca2fc50107] test-surfaces: compilation fixes
git bisect bad 65a954d5bab9ab6fed15bd98b7018aca2fc50107
# skip: [af9fbd176b145f042408ef5391eef2a51d7531f8] Introduce a new compositor architecture
git bisect skip af9fbd176b145f042408ef5391eef2a51d7531f8

_cairo_debug_print_polygon() against the polygon that causes this produces something which doesn't look correct in show-polygon, which means the error might be elsewhere.

Psychon-d (psychon-d) wrote :

Created attachment 67144
The result of _cairo_debug_print_polygon().

Chris Wilson (ickle) wrote :

Because the asserts were a crutch and implied the code was buggy. :-p

Chris Wilson (ickle) wrote :

commit 797441093a8346003552e0cf89aef2a644ff53ab
Author: Chris Wilson <email address hidden>
Date: Thu Sep 27 15:21:42 2012 +0100

    tor: Fudge the edge if it is projected into a point

    If we generate an edge (through polygon-intersect) where its end-points
    lie outside the line definition then it is possible for that line to be
    degenerate under sample grid projection. Apply a fudge factor to prevent
    explosions as otherwise we reject an edge whose height is not strictly
    0.

    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=54822
    Signed-off-by: Chris Wilson <email address hidden>
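
The failure mode and the fudge described in the commit message, as an added illustrative model that is not cairo's code and not the actual patch: edges are projected from 24.8 fixed point onto GRID_Y sample rows, a short but real edge can collapse to a point and be rejected, and a row-filling pass that pairs edges by winding then runs off the end of the active list (the `right = 0x0` in the backtrace above). All names, the GRID_Y value and the projection formula are assumptions made for this demo.

```c
#include <stddef.h>

/* Illustrative model, not cairo's code: y is 24.8 fixed point and a pixel row
 * has GRID_Y sample rows (constant and projection formula are assumed here). */
#define GRID_Y 15

struct edge {
    int top, bottom;    /* fixed-point y range, top < bottom */
    int x, dir;         /* x in the current row, winding direction (+1/-1) */
    struct edge *next;  /* next edge in the row's active list, sorted by x */
};

/* Sample rows covered after projection: an edge with height > 0 in fixed
 * point can still collapse to 0 rows, i.e. be projected into a point. */
int projected_rows(const struct edge *e)
{
    return ((e->bottom * GRID_Y) >> 8) - ((e->top * GRID_Y) >> 8);
}

/* Without the fudge a degenerate projection is rejected although the edge is
 * real; its partners still enter the row and the winding never balances. */
int accept_edge(const struct edge *e, int fudge)
{
    if (e->top >= e->bottom)
        return 0;                 /* genuinely empty, always rejected */
    if (projected_rows(e) == 0)
        return fudge ? 1 : 0;     /* fudge: keep it as a one-row edge */
    return 1;
}

/* Pair the active list into spans (left edge where winding becomes nonzero,
 * right edge where it returns to zero). Returns the span count, or -1 when
 * the list ends with winding still nonzero, where an unchecked loop would
 * dereference a NULL right edge. */
int full_row(struct edge *active, int spans[][2], int max_spans)
{
    int n = 0;
    while (active != NULL) {
        struct edge *left = active, *right = active->next;
        int winding = left->dir;
        for (;; right = right->next) {
            if (right == NULL)
                return -1;        /* unbalanced row: report, do not crash */
            if ((winding += right->dir) == 0)
                break;
        }
        if (n < max_spans) { spans[n][0] = left->x; spans[n][1] = right->x; }
        n++;
        active = right->next;
    }
    return n;
}
```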

Chris Wilson (ickle) wrote :

*** Bug 56698 has been marked as a duplicate of this bug. ***

Matthieu Baerts (matttbe) wrote :
description: updated
description: updated
Changed in libcairo:
importance: Unknown → Medium
status: Unknown → Fix Released
Changed in cairo (Ubuntu):
importance: Undecided → High
status: New → Fix Committed
Matthieu Baerts (matttbe) wrote : Re: Cairo crashes when loading some svg or pdf files

@Sebastien: Before deleting my merge request: can I introduce a SRU in order to upload this patch to Ubuntu Quantal? Or will the new version (1.12.8) be uploaded to Quantal in a few days?

description: updated
summary: - Cairo crashes when loading some svg or pdf files
+ SRU: Cairo crashes when loading some svg or pdf files
Changed in cairo (Ubuntu Quantal):
importance: Undecided → High
status: New → Triaged
Martin Pitt (pitti) wrote :

This patch is in 1.12.8, thus fixed in raring.

Changed in cairo (Ubuntu):
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

I uploaded the Quantal SRU from Matt's branch, thanks! Unsubscribing sponsors, subscribing SRU team for review.

Changed in cairo (Ubuntu Quantal):
status: Triaged → In Progress
Matthieu Baerts (matttbe) wrote :

@pitti: Thank you for your help :)

Brian Murray (brian-murray) wrote : Please test proposed package

Hello Matthieu, or anyone else affected,

Accepted cairo into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/cairo/1.12.2-1ubuntu2.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in cairo (Ubuntu Quantal):
status: In Progress → Fix Committed
tags: added: verification-needed
tags: added: verification-done
removed: verification-needed
Colin Watson (cjwatson) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cairo - 1.12.2-1ubuntu2.2

---------------
cairo (1.12.2-1ubuntu2.2) quantal-proposed; urgency=low

  * debian/patches/git-crash_in_tor-fudge_the_edge.patch: Fix crashes when
    loading some svg or pdf files (LP: #1074667).
 -- Matthieu Baerts (matttbe) <email address hidden> Sat, 10 Nov 2012 15:21:25 +0100

Changed in cairo (Ubuntu Quantal):
status: Fix Committed → Fix Released