Activity log for bug #825497

Date Who What changed Old value New value Message
2011-08-12 20:58:24 smpahlman bug added bug
2011-08-12 20:58:24 smpahlman attachment added Reproducer https://bugs.launchpad.net/bugs/825497/+attachment/2272879/+files/sample.svg.gz
2011-08-12 20:59:11 smpahlman bug added subscriber Tomas Hoger
2011-08-24 16:56:09 Apport retracing service bug added subscriber Crash bug triagers for Ubuntu packages
2011-08-24 16:56:11 Apport retracing service attachment added Stacktrace.txt https://bugs.launchpad.net/bugs/825497/+attachment/2308760/+files/Stacktrace.txt
2011-08-24 16:56:12 Apport retracing service attachment added ThreadStacktrace.txt https://bugs.launchpad.net/bugs/825497/+attachment/2308761/+files/ThreadStacktrace.txt
2011-08-24 16:56:14 Apport retracing service attachment removed CoreDump.gz https://bugs.launchpad.net/bugs/825497/+attachment/2272880/+files/CoreDump.gz
2011-08-24 16:56:14 Apport retracing service librsvg (Ubuntu): importance Undecided Medium
2011-08-24 16:56:16 Apport retracing service tags apport-crash i386 need-i386-retrace oneiric apport-crash i386 oneiric
2011-08-26 19:54:30 Jamie Strandboge librsvg (Ubuntu): assignee Kees Cook (kees)
2011-08-27 03:11:17 Kees Cook cve linked 2011-3146
2011-09-01 21:36:51 Kees Cook bug watch added https://bugzilla.gnome.org/show_bug.cgi?id=658014
2011-09-01 21:36:51 Kees Cook bug task added librsvg
2011-09-01 22:04:14 Kees Cook attachment added Store-node-type-separately-in-RsvgNode.patch https://bugs.launchpad.net/librsvg/+bug/825497/+attachment/2341421/+files/Store-node-type-separately-in-RsvgNode.patch
2011-09-02 18:38:40 Jamie Strandboge librsvg (Ubuntu): status New Triaged
2011-09-09 23:53:34 Bug Watch Updater librsvg: status Unknown Fix Released
2011-09-09 23:53:34 Bug Watch Updater librsvg: importance Unknown Critical
2011-09-10 00:08:15 Ubuntu Foundations Team Bug Bot tags apport-crash i386 oneiric apport-crash i386 oneiric patch
2011-09-12 22:35:58 Kees Cook visibility private public
2011-09-12 22:36:05 Kees Cook librsvg (Ubuntu): assignee Kees Cook (kees)
2011-09-13 21:50:45 Kees Cook librsvg (Ubuntu): status Triaged Fix Released
2011-10-05 11:55:48 joopbraak description

Old value:

    eg/librsvg crashes when attempting to call NULL while opening the attached reproducer. Marking initially as vuln since i did not check whether the call address can be changed to something else than just NULL.

    Backtrace:
    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0xb7d81b70 (LWP 17083)]
    0x00000000 in ?? ()
    (gdb) bt
    #0 0x00000000 in ?? ()
    #1 0x002b7d08 in rsvg_filter_primitive_render (ctx=0x8357b28, self=<optimized out>) at rsvg-filter.c:85
    #2 rsvg_filter_render (self=0x82e57f8, source=0x82ce4f8, context=0x82ddfd0, bounds=0x82f9140, channelmap=0x2cf6cb "2103") at rsvg-filter.c:499
    #3 0x002ca0e7 in rsvg_cairo_pop_render_stack (ctx=0x82ddfd0) at rsvg-cairo-draw.c:970
    #4 rsvg_cairo_pop_discrete_layer (ctx=0x82ddfd0) at rsvg-cairo-draw.c:1023
    #5 0x002c71cf in rsvg_pop_discrete_layer (ctx=0x82ddfd0) at rsvg-base.c:2049
    #6 0x002c3df3 in _rsvg_node_text_type_children (ctx=0x82ddfd0, x=0xb7d80b80, y=0xb7d80b88, lastwasspace=0xb7d80b9c, self=<optimized out>) at rsvg-text.c:188
    #7 0x002c40d9 in _rsvg_node_text_draw (self=0x82ffe50, ctx=0x82ddfd0, dominate=0) at rsvg-text.c:254
    #8 0x002bdd54 in rsvg_node_draw (self=0x82ffe50, ctx=0x82ddfd0, dominate=0) at rsvg-structure.c:69
    #9 0x002be1c7 in _rsvg_node_draw_children (self=0x82ff7e8, ctx=0x82ddfd0, dominate=0) at rsvg-structure.c:87
    #10 0x002bdd54 in rsvg_node_draw (self=0x82ff7e8, ctx=0x82ddfd0, dominate=0) at rsvg-structure.c:69
    #11 0x002be1c7 in _rsvg_node_draw_children (self=0x82fec40, ctx=0x82ddfd0, dominate=0) at rsvg-structure.c:87
    #12 0x002bdd54 in rsvg_node_draw (self=0x82fec40, ctx=0x82ddfd0, dominate=0)
    ---Type <return> to continue, or q <return> to quit---
        at rsvg-structure.c:69
    #13 0x002be0bf in rsvg_node_svg_draw (self=0x82ec768, ctx=0x82ddfd0, dominate=0) at rsvg-structure.c:326
    #14 0x002bdd54 in rsvg_node_draw (self=0x82ec768, ctx=0x82ddfd0, dominate=0) at rsvg-structure.c:69
    #15 0x002be1c7 in _rsvg_node_draw_children (self=0x8306a80, ctx=0x82ddfd0, dominate=0) at rsvg-structure.c:87
    #16 0x002bdd54 in rsvg_node_draw (self=0x8306a80, ctx=0x82ddfd0, dominate=0) at rsvg-structure.c:69
    #17 0x002be0bf in rsvg_node_svg_draw (self=0x82e8940, ctx=0x82ddfd0, dominate=0) at rsvg-structure.c:326
    #18 0x002bdd54 in rsvg_node_draw (self=0x82e8940, ctx=0x82ddfd0, dominate=0) at rsvg-structure.c:69
    #19 0x002cb804 in rsvg_handle_render_cairo_sub (handle=0x80eb738, cr=0xa98520, id=0x0) at rsvg-cairo-render.c:234
    #20 0x002cbd53 in rsvg_handle_get_pixbuf_sub (handle=0x80eb738, id=0x0) at rsvg.c:101
    #21 0x002cbe53 in rsvg_handle_get_pixbuf (handle=0x80eb738) at rsvg.c:137
    #22 0x08062a91 in eog_image_load ()
    #23 0x08066424 in ?? ()
    #24 0x080676a4 in eog_job_run ()
    #25 0x080650e1 in ?? ()
    #26 0x00e39444 in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
    ---Type <return> to continue, or q <return> to quit---
    #27 0x00ee3d31 in start_thread (arg=0xb7d81b70) at pthread_create.c:304
    #28 0x00fc9e3e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
    Backtrace stopped: Not enough registers or memory available to unwind further

    ProblemType: Crash
    DistroRelease: Ubuntu 11.10
    Package: eog 3.1.4-0ubuntu2
    ProcVersionSignature: Ubuntu 3.0-3.4-generic 3.0.0-rc5
    Uname: Linux 3.0-3-generic i686
    Architecture: i386
    Date: Fri Aug 12 23:53:54 2011
    Disassembly: => 0x0: Cannot access memory at address 0x0
    ExecutablePath: /usr/bin/eog
    InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Alpha i386 (20110705.1)
    ProcCmdline: eog sample.svg
    ProcEnviron:
     SHELL=/bin/bash
     LANG=en_US.UTF-8
    SegvAnalysis:
     Segfault happened at: 0x0: Cannot access memory at address 0x0
     PC (0x00000000) not located in a known VMA region (needed executable region)!
     Stack memory exhausted (SP below stack segment)
    SegvReason: executing NULL VMA
    Signal: 11
    SourcePackage: eog
    StacktraceTop:
     ?? ()
     rsvg_filter_primitive_render (ctx=0xa03e438, self=<optimized out>) at rsvg-filter.c:85
     rsvg_filter_render (self=0x9fe10f0, source=0x9fb44f8, context=0x9fb7118, bounds=0x9fceba0, channelmap=0x4a56cb "2103") at rsvg-filter.c:499
     rsvg_cairo_pop_render_stack (ctx=0x9fb7118) at rsvg-cairo-draw.c:970
     rsvg_cairo_pop_discrete_layer (ctx=0x9fb7118) at rsvg-cairo-draw.c:1023
    Title: eog crashed with SIGSEGV in rsvg_filter_primitive_render()
    UpgradeStatus: No upgrade log present (probably fresh install)
    UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare

New value:

    eog/librsvg crashes when attempting to call NULL while opening the attached reproducer. Marking initially as vuln since i did not check whether the call address can be changed to something else than just NULL.

    Backtrace:
    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0xb7d81b70 (LWP 17083)]
    0x00000000 in ?? ()
    (gdb) bt
    #0 0x00000000 in ?? ()
    #1 0x002b7d08 in rsvg_filter_primitive_render (ctx=0x8357b28, self=<optimized out>) at rsvg-filter.c:85
    #2 rsvg_filter_render (self=0x82e57f8, source=0x82ce4f8, context=0x82ddfd0, bounds=0x82f9140, channelmap=0x2cf6cb "2103") at rsvg-filter.c:499
    #3 0x002ca0e7 in rsvg_cairo_pop_render_stack (ctx=0x82ddfd0) at rsvg-cairo-draw.c:970
    #4 rsvg_cairo_pop_discrete_layer (ctx=0x82ddfd0) at rsvg-cairo-draw.c:1023
    #5 0x002c71cf in rsvg_pop_discrete_layer (ctx=0x82ddfd0) at rsvg-base.c:2049
    #6 0x002c3df3 in _rsvg_node_text_type_children (ctx=0x82ddfd0, x=0xb7d80b80, y=0xb7d80b88, lastwasspace=0xb7d80b9c, self=<optimized out>) at rsvg-text.c:188
    #7 0x002c40d9 in _rsvg_node_text_draw (self=0x82ffe50, ctx=0x82ddfd0, dominate=0) at rsvg-text.c:254
    #8 0x002bdd54 in rsvg_node_draw (self=0x82ffe50, ctx=0x82ddfd0, dominate=0) at rsvg-structure.c:69
    #9 0x002be1c7 in _rsvg_node_draw_children (self=0x82ff7e8, ctx=0x82ddfd0, dominate=0) at rsvg-structure.c:87
    #10 0x002bdd54 in rsvg_node_draw (self=0x82ff7e8, ctx=0x82ddfd0, dominate=0) at rsvg-structure.c:69
    #11 0x002be1c7 in _rsvg_node_draw_children (self=0x82fec40, ctx=0x82ddfd0, dominate=0) at rsvg-structure.c:87
    #12 0x002bdd54 in rsvg_node_draw (self=0x82fec40, ctx=0x82ddfd0, dominate=0)
    ---Type <return> to continue, or q <return> to quit---
        at rsvg-structure.c:69
    #13 0x002be0bf in rsvg_node_svg_draw (self=0x82ec768, ctx=0x82ddfd0, dominate=0) at rsvg-structure.c:326
    #14 0x002bdd54 in rsvg_node_draw (self=0x82ec768, ctx=0x82ddfd0, dominate=0) at rsvg-structure.c:69
    #15 0x002be1c7 in _rsvg_node_draw_children (self=0x8306a80, ctx=0x82ddfd0, dominate=0) at rsvg-structure.c:87
    #16 0x002bdd54 in rsvg_node_draw (self=0x8306a80, ctx=0x82ddfd0, dominate=0) at rsvg-structure.c:69
    #17 0x002be0bf in rsvg_node_svg_draw (self=0x82e8940, ctx=0x82ddfd0, dominate=0) at rsvg-structure.c:326
    #18 0x002bdd54 in rsvg_node_draw (self=0x82e8940, ctx=0x82ddfd0, dominate=0) at rsvg-structure.c:69
    #19 0x002cb804 in rsvg_handle_render_cairo_sub (handle=0x80eb738, cr=0xa98520, id=0x0) at rsvg-cairo-render.c:234
    #20 0x002cbd53 in rsvg_handle_get_pixbuf_sub (handle=0x80eb738, id=0x0) at rsvg.c:101
    #21 0x002cbe53 in rsvg_handle_get_pixbuf (handle=0x80eb738) at rsvg.c:137
    #22 0x08062a91 in eog_image_load ()
    #23 0x08066424 in ?? ()
    #24 0x080676a4 in eog_job_run ()
    #25 0x080650e1 in ?? ()
    #26 0x00e39444 in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
    ---Type <return> to continue, or q <return> to quit---
    #27 0x00ee3d31 in start_thread (arg=0xb7d81b70) at pthread_create.c:304
    #28 0x00fc9e3e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
    Backtrace stopped: Not enough registers or memory available to unwind further

    ProblemType: Crash
    DistroRelease: Ubuntu 11.10
    Package: eog 3.1.4-0ubuntu2
    ProcVersionSignature: Ubuntu 3.0-3.4-generic 3.0.0-rc5
    Uname: Linux 3.0-3-generic i686
    Architecture: i386
    Date: Fri Aug 12 23:53:54 2011
    Disassembly: => 0x0: Cannot access memory at address 0x0
    ExecutablePath: /usr/bin/eog
    InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Alpha i386 (20110705.1)
    ProcCmdline: eog sample.svg
    ProcEnviron:
     SHELL=/bin/bash
     LANG=en_US.UTF-8
    SegvAnalysis:
     Segfault happened at: 0x0: Cannot access memory at address 0x0
     PC (0x00000000) not located in a known VMA region (needed executable region)!
     Stack memory exhausted (SP below stack segment)
    SegvReason: executing NULL VMA
    Signal: 11
    SourcePackage: eog
    StacktraceTop:
     ?? ()
     rsvg_filter_primitive_render (ctx=0xa03e438, self=<optimized out>) at rsvg-filter.c:85
     rsvg_filter_render (self=0x9fe10f0, source=0x9fb44f8, context=0x9fb7118, bounds=0x9fceba0, channelmap=0x4a56cb "2103") at rsvg-filter.c:499
     rsvg_cairo_pop_render_stack (ctx=0x9fb7118) at rsvg-cairo-draw.c:970
     rsvg_cairo_pop_discrete_layer (ctx=0x9fb7118) at rsvg-cairo-draw.c:1023
    Title: eog crashed with SIGSEGV in rsvg_filter_primitive_render()
    UpgradeStatus: No upgrade log present (probably fresh install)
    UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare