Comment 0 for bug 825497

smpahlman (sauli-pahlman) wrote :

eog/librsvg crashes when attempting to call NULL while opening the attached reproducer. Marking initially as vuln since I did not check whether the call address can be changed to something other than just NULL. Backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7d81b70 (LWP 17083)]
0x00000000 in ?? ()
(gdb) bt
#0 0x00000000 in ?? ()
#1 0x002b7d08 in rsvg_filter_primitive_render (ctx=0x8357b28,
    self=<optimized out>) at rsvg-filter.c:85
#2 rsvg_filter_render (self=0x82e57f8, source=0x82ce4f8, context=0x82ddfd0,
    bounds=0x82f9140, channelmap=0x2cf6cb "2103") at rsvg-filter.c:499
#3 0x002ca0e7 in rsvg_cairo_pop_render_stack (ctx=0x82ddfd0)
    at rsvg-cairo-draw.c:970
#4 rsvg_cairo_pop_discrete_layer (ctx=0x82ddfd0) at rsvg-cairo-draw.c:1023
#5 0x002c71cf in rsvg_pop_discrete_layer (ctx=0x82ddfd0) at rsvg-base.c:2049
#6 0x002c3df3 in _rsvg_node_text_type_children (ctx=0x82ddfd0, x=0xb7d80b80,
    y=0xb7d80b88, lastwasspace=0xb7d80b9c, self=<optimized out>)
    at rsvg-text.c:188
#7 0x002c40d9 in _rsvg_node_text_draw (self=0x82ffe50, ctx=0x82ddfd0,
    dominate=0) at rsvg-text.c:254
#8 0x002bdd54 in rsvg_node_draw (self=0x82ffe50, ctx=0x82ddfd0, dominate=0)
    at rsvg-structure.c:69
#9 0x002be1c7 in _rsvg_node_draw_children (self=0x82ff7e8, ctx=0x82ddfd0,
    dominate=0) at rsvg-structure.c:87
#10 0x002bdd54 in rsvg_node_draw (self=0x82ff7e8, ctx=0x82ddfd0, dominate=0)
    at rsvg-structure.c:69
#11 0x002be1c7 in _rsvg_node_draw_children (self=0x82fec40, ctx=0x82ddfd0,
    dominate=0) at rsvg-structure.c:87
#12 0x002bdd54 in rsvg_node_draw (self=0x82fec40, ctx=0x82ddfd0, dominate=0)
    at rsvg-structure.c:69
#13 0x002be0bf in rsvg_node_svg_draw (self=0x82ec768, ctx=0x82ddfd0,
    dominate=0) at rsvg-structure.c:326
#14 0x002bdd54 in rsvg_node_draw (self=0x82ec768, ctx=0x82ddfd0, dominate=0)
    at rsvg-structure.c:69
#15 0x002be1c7 in _rsvg_node_draw_children (self=0x8306a80, ctx=0x82ddfd0,
    dominate=0) at rsvg-structure.c:87
#16 0x002bdd54 in rsvg_node_draw (self=0x8306a80, ctx=0x82ddfd0, dominate=0)
    at rsvg-structure.c:69
#17 0x002be0bf in rsvg_node_svg_draw (self=0x82e8940, ctx=0x82ddfd0,
    dominate=0) at rsvg-structure.c:326
#18 0x002bdd54 in rsvg_node_draw (self=0x82e8940, ctx=0x82ddfd0, dominate=0)
    at rsvg-structure.c:69
#19 0x002cb804 in rsvg_handle_render_cairo_sub (handle=0x80eb738, cr=0xa98520,
    id=0x0) at rsvg-cairo-render.c:234
#20 0x002cbd53 in rsvg_handle_get_pixbuf_sub (handle=0x80eb738, id=0x0)
    at rsvg.c:101
#21 0x002cbe53 in rsvg_handle_get_pixbuf (handle=0x80eb738) at rsvg.c:137
#22 0x08062a91 in eog_image_load ()
#23 0x08066424 in ?? ()
#24 0x080676a4 in eog_job_run ()
#25 0x080650e1 in ?? ()
#26 0x00e39444 in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
#27 0x00ee3d31 in start_thread (arg=0xb7d81b70) at pthread_create.c:304
#28 0x00fc9e3e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
Backtrace stopped: Not enough registers or memory available to unwind further

ProblemType: Crash
DistroRelease: Ubuntu 11.10
Package: eog 3.1.4-0ubuntu2
ProcVersionSignature: Ubuntu 3.0-3.4-generic 3.0.0-rc5
Uname: Linux 3.0-3-generic i686
Architecture: i386
Date: Fri Aug 12 23:53:54 2011
Disassembly: => 0x0: Cannot access memory at address 0x0
ExecutablePath: /usr/bin/eog
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Alpha i386 (20110705.1)
ProcCmdline: eog sample.svg
ProcEnviron:
 SHELL=/bin/bash
 LANG=en_US.UTF-8
SegvAnalysis:
 Segfault happened at: 0x0: Cannot access memory at address 0x0
 PC (0x00000000) not located in a known VMA region (needed executable region)!
 Stack memory exhausted (SP below stack segment)
SegvReason: executing NULL VMA
Signal: 11
SourcePackage: eog
StacktraceTop:
 ?? ()
 rsvg_filter_primitive_render (ctx=0xa03e438, self=<optimized out>) at rsvg-filter.c:85
 rsvg_filter_render (self=0x9fe10f0, source=0x9fb44f8, context=0x9fb7118, bounds=0x9fceba0, channelmap=0x4a56cb "2103") at rsvg-filter.c:499
 rsvg_cairo_pop_render_stack (ctx=0x9fb7118) at rsvg-cairo-draw.c:970
 rsvg_cairo_pop_discrete_layer (ctx=0x9fb7118) at rsvg-cairo-draw.c:1023
Title: eog crashed with SIGSEGV in rsvg_filter_primitive_render()
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
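The backtrace above shows an indirect call through a function pointer that holds NULL inside rsvg_filter_primitive_render(). The following is an added illustration of that bug class and its mitigation, not librsvg code: a hypothetical filter-primitive table whose per-primitive render callback may be unset, with the unguarded dispatch that would jump to address 0 beside a guarded dispatch that reports the missing renderer as an error instead. All type and function names (Primitive, render_fn, render_guarded, render_chain, the feOffset/feBlend/feUnknown entries) are assumptions made for the example.

```c
/* Added example (not librsvg code): a filter-primitive dispatch table with a
 * render callback per primitive, showing an unguarded dispatch that jumps to
 * NULL for a primitive type that never installed a renderer, beside a guarded
 * dispatch that refuses to render it. All names are hypothetical. */
#include <stddef.h>
#include <stdio.h>

typedef struct Primitive Primitive;

/* Hypothetical render callback: returns 0 on success, nonzero on error. */
typedef int (*render_fn)(const Primitive *self, int *ctx);

struct Primitive {
    const char *name;
    render_fn render;   /* may be NULL when a type never installed a renderer */
};

static int render_offset(const Primitive *self, int *ctx) {
    (void)self;
    *ctx += 1;          /* constructed effect: bump the context counter */
    return 0;
}

static int render_blend(const Primitive *self, int *ctx) {
    (void)self;
    *ctx += 10;         /* constructed effect, distinct from render_offset */
    return 0;
}

/* Unguarded dispatch: the pattern behind the backtrace above. If self->render
 * is NULL this is an indirect call to address 0 and the process faults. */
static int render_unguarded(const Primitive *self, int *ctx) {
    return self->render(self, ctx);
}

/* Guarded dispatch: validate the callback before the indirect call and turn a
 * missing renderer into an error the caller can handle. */
static int render_guarded(const Primitive *self, int *ctx) {
    if (self == NULL || self->render == NULL) {
        fprintf(stderr, "filter primitive '%s' has no renderer; skipping\n",
                self ? self->name : "(null)");
        return -1;
    }
    return self->render(self, ctx);
}

/* Render a whole filter chain with the guarded dispatcher. Returns the number
 * of primitives that could not be rendered; ctx accumulates the effects. */
static int render_chain(const Primitive *chain, size_t n, int *ctx) {
    int failures = 0;
    for (size_t i = 0; i < n; i++) {
        if (render_guarded(&chain[i], ctx) != 0)
            failures++;
    }
    return failures;
}

/* Constructed sample chain: the third entry stands in for a primitive type
 * whose renderer was never installed. */
static const Primitive sample_chain[] = {
    { "feOffset",  render_offset },
    { "feBlend",   render_blend },
    { "feUnknown", NULL },
};

int main(void) {
    int ctx = 0;
    size_t n = sizeof(sample_chain) / sizeof(sample_chain[0]);
    int failed = render_chain(sample_chain, n, &ctx);
    /* render_unguarded(&sample_chain[2], &ctx) would fault here. */
    (void)render_unguarded;
    printf("ctx=%d failed=%d\n", ctx, failed);
    return failed ? 1 : 0;
}
```

The guarded path is what a fix for this crash class looks like: the first two primitives still render (ctx becomes 11), the third is reported rather than called, and the chain finishes with one recorded failure instead of SIGSEGV.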