transform matrix with very high numbers crashes inkscape

Bug #827192 reported by Thomas Bartosik
This bug affects 1 person
Affects   Status   Importance  Assigned to  Milestone
Inkscape  Invalid  High        Unassigned

Bug Description

An SVG containing the following transform matrix crashes Inkscape on nearly every interaction (try drag select, for example):
transform="matrix(218412.69,0,0,218412.69,-13173289,-160849960)"

The numbers are extremely high, I know. But this is a line inkscape produced itself. I just clicked too long on the arrow to enlarge the object. As there have been lots of effects on the object, scaling went slowly and I stopped too late. Inkscape crashed eventually as well.

However, I think there should be some kind of bounds-checking before the memcpy() crashes inkscape upon trying to apply the insane transformation matrix!

The attached file is stripped of all the other content, but I think it should still be complete syntax-wise.

Inkscape 0.48 64bit on stable Gentoo.

Thomas Bartosik (j-launchpad-tbart) wrote :
su_v (suv-lp)
tags: added: transformations
removed: large matrix sigsegv transform
Changed in inkscape:
importance: Undecided → High
su_v (suv-lp) wrote :

Crash not reproduced with Inkscape 0.48.1 on Mac OS X 10.5.8 (i386), but Inkscape is unable to display the scaled object (group) on-canvas even when zoomed out to the max (1.0%). Removing the filter effects does prevent the console messages, but the object appears to be simply too large for Inkscape's support of canvas size.

repeated console messages (AFAIU from the filter effects inside the 'matrix'-transformed group(s)):
WARNING **: 203190120 bytes requested for pixel buffer, I won't try to allocate that.

su_v (suv-lp) wrote :

Inkscape 0.48+devel r10558 on Mac OS X 10.5.8 (i386) immediately crashes on opening the file, console message and backtrace indicates due to bug #825767.

su_v (suv-lp) wrote :

Could you provide a backtrace of one of the crashes you see with Inkscape 0.48 (0.48.0 or 0.48.1?) on Gentoo? Or at least any console messages from inkscape when the crash happens?

Thomas Bartosik (j-launchpad-tbart) wrote :

I remember the
WARNING **: 203190120 bytes requested for pixel buffer, I won't try to allocate that.
output, but I think there has not been anything more when inkscape crashed.

I'll try to do a debug build and provide a full bt with gdb. Might take some time however..

nightrow (jb-benoit)
Changed in inkscape:
status: New → Incomplete
jazzynico (jazzynico) wrote :

Almost reproduced on Windows XP, Inkscape trunk revision 12506. The application doesn't really crash, but shows very poor performance and hangs whatever you do.
Removing the transform attribute from the group fixes the issue.

Changed in inkscape:
status: Incomplete → Confirmed
tags: added: performance
jazzynico (jazzynico) wrote :
Diederik van Lierop (mail-diedenrezi) wrote :

It looks like Inkscape gets very busy when the Gaussian filters are applied. When zoomed in, no cairo surface is created for the filter, and indirectly this leads to this warning:

** (inkscape:19204): WARNING **: gaussian_pass_IIR: unsupported image format

There's no surface, and hence Inkscape cannot determine its type. Now when zooming out, then at some point (in my case when going below approx. 6%) a cairo surface will be created of 18416 x 17524 pixels, and from that point onwards the filters will be calculated. This will however take very very long, and Inkscape stops responding, but it doesn't crash!

I don't know yet how this should be fixed..

Attached are two backtraces, showing where Inkscape is spending its time when it becomes unresponsive
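
Added example (not part of the bug thread and not Inkscape's code): one way to do the kind of bounds check the reporter asks for, sizing the pixel surface a transformed object would need and refusing it before anything is allocated. The 128 MiB cap, the `Affine` struct and both function names are assumptions made for this sketch.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>

// Assumed cap for this sketch (128 MiB); not Inkscape's actual limit.
const std::uint64_t kMaxSurfaceBytes = 128ull * 1024 * 1024;

struct Affine { double a, b, c, d, e, f; };  // SVG matrix(a,b,c,d,e,f)

// Parse the comma-separated form "matrix(a,b,c,d,e,f)" seen in the report.
// Returns false for malformed input or non-finite coefficients.
bool parse_matrix(const char *s, Affine &m) {
    char close = 0;
    int n = std::sscanf(s, " matrix(%lf ,%lf ,%lf ,%lf ,%lf ,%lf %c",
                        &m.a, &m.b, &m.c, &m.d, &m.e, &m.f, &close);
    if (n != 7 || close != ')') return false;
    const double v[] = {m.a, m.b, m.c, m.d, m.e, m.f};
    for (double x : v)
        if (!std::isfinite(x)) return false;
    return true;
}

// Computes the bytes for a 4-byte-per-pixel surface covering a w x h
// user-unit box after the transform and zoom. Returns false (refuse) when
// the inputs are invalid or the size exceeds the cap.
bool surface_bytes(const Affine &m, double w, double h, double zoom,
                   std::uint64_t &bytes) {
    if (!(w >= 0 && h >= 0 && zoom > 0)) return false;
    // Axis-aligned extent of the transformed box; translation (e, f) moves
    // the box but does not change its size.
    double dw = std::ceil((std::fabs(m.a) * w + std::fabs(m.c) * h) * zoom);
    double dh = std::ceil((std::fabs(m.b) * w + std::fabs(m.d) * h) * zoom);
    // Compare in floating point first: an overflowed product is +inf or NaN
    // and fails this test, so the integer conversion below cannot wrap.
    if (!(dw * dh * 4.0 <= static_cast<double>(kMaxSurfaceBytes)))
        return false;
    bytes = static_cast<std::uint64_t>(dw) * static_cast<std::uint64_t>(dh) * 4;
    return true;
}

int main() {
    Affine m;
    std::uint64_t bytes = 0;
    // Constructed input: the matrix from the report applied to a 10 x 10 box.
    bool ok = parse_matrix("matrix(218412.69,0,0,218412.69,-13173289,-160849960)", m)
              && surface_bytes(m, 10, 10, 1.0, bytes);
    std::printf("reported matrix: %s\n", ok ? "allocate" : "refuse");
    return 0;
}
```

Under this assumed cap, both the reported matrix and an 18416 x 17524 pixel surface like the one mentioned above are refused up front instead of being handed to the filter renderer.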

su_v (suv-lp)
tags: added: filters-svg
mray (mrayyyy) wrote :

I can open the attached file in 1.0alpha (1:0.92.0+devel+201904052254+98d368e) on Ubuntu.
Closing because can not be reproduced..

Closed by: https://gitlab.com/mray

tags: added: bug-migration
Changed in inkscape:
status: Confirmed → Invalid