Segfault on small sample input

Bug #1399711 reported by Dennis Felsing
Affects: Inkscape
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

When opening this file with inkscape I get a segfault. Discovered with AFL: http://lcamtuf.coredump.cx/afl/

inkscape is run with: inkscape --without-gui -e - id:000000,sig:11,src:000012,op:havoc,rep:32

I'm not sure if this is security relevant. Relevant output in GDB:

/media/fuzz/inkscape-output/crashes/id:000000,sig:11,src:000012,op:havoc,rep:32:1: parser error : Document is empty

^
/media/fuzz/inkscape-output/crashes/id:000000,sig:11,src:000012,op:havoc,rep:32:1: parser error : Start tag expected, '<' not found

^

Program received signal SIGSEGV, Segmentation fault.
0x00007fffef9496b4 in free () from /lib64/libc.so.6
(gdb) bt
#0 0x00007fffef9496b4 in free () from /lib64/libc.so.6
#1 0x0000000001899a4d in ~GzipInputStream (this=0x27da060, __in_chrg=<optimized out>) at io/gzipstream.cpp:59
#2 Inkscape::IO::GzipInputStream::~GzipInputStream (this=0x27da060, __in_chrg=<optimized out>)
    at io/gzipstream.cpp:66
#3 0x0000000000fa2d46 in close (this=0x7fffffffd590) at xml/repr-io.cpp:297
#4 XmlSource::closeCb (context=0x7fffffffd590) at xml/repr-io.cpp:241
#5 0x00007ffff44b363b in xmlFreeParserInputBuffer () from /usr/lib64/libxml2.so.2
#6 0x00007ffff44873d6 in xmlFreeInputStream () from /usr/lib64/libxml2.so.2
#7 0x00007ffff4487f40 in xmlFreeParserCtxt () from /usr/lib64/libxml2.so.2
#8 0x00007ffff449dbb1 in xmlDoRead () from /usr/lib64/libxml2.so.2
#9 0x0000000000fa4613 in XmlSource::readXml (this=this@entry=0x7fffffffd590) at xml/repr-io.cpp:222
#10 0x0000000000fa6b2b in sp_repr_read_file (
    filename=0x27d9450 "/media/fuzz/inkscape-output/crashes/id:000000,sig:11,src:000012,op:havoc,rep:32",
    default_ns=0x21175dd "http://www.w3.org/2000/svg") at xml/repr-io.cpp:355
#11 0x00000000004ad9b2 in sp_document_new (
    uri=0x27d9450 "/media/fuzz/inkscape-output/crashes/id:000000,sig:11,src:000012,op:havoc,rep:32", keepalive=1,
    make_new=<optimized out>) at document.cpp:452
#12 0x0000000000a4500d in Inkscape::Extension::open (key=<optimized out>,
    filename=0x27d9450 "/media/fuzz/inkscape-output/crashes/id:000000,sig:11,src:000012,op:havoc,rep:32")
    at extension/system.cpp:132
#13 0x000000000049207e in sp_process_file_list (fl=0x276ad50) at main.cpp:1001
#14 0x0000000000495552 in sp_main_console (argc=5, argv=0x7fffffffd9b8) at main.cpp:1171
#15 0x000000000046090f in main (argc=5, argv=0x7fffffffd9b8) at main.cpp:717
#16 0x00007fffef8eddc5 in __libc_start_main () from /lib64/libc.so.6
#17 0x000000000048aad9 in _start ()

Dennis Felsing (denni0) wrote :
su_v (suv-lp)
tags: added: cli crash
Martin Owens (doctormo) wrote :

Closing because it now doesn't crash in master (or in 0.92 actually).

Closed by: https://gitlab.com/doctormo

tags: added: bug-migration
Changed in inkscape:
status: New → Fix Released
Martin Owens (doctormo)
information type: Private Security → Public