Bug 312892 – ENOMEM when loading SVG files containing points far off the screen

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 312892 - ENOMEM when loading SVG files containing points far off the screen


Summary:	ENOMEM when loading SVG files containing points far off the screen


Status:	RESOLVED OBSOLETE

Product:	libart
Classification:	Deprecated
Component:	Other
Version:	unspecified
Hardware:	Other All

Importance:	High critical
Target Milestone:	---
Assigned To:	Nautilus Maintainers
QA Contact:	Nautilus Maintainers

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2005-08-08 14:18 UTC by Ondřej Surý
Modified:	2008-08-17 17:02 UTC

See Also:
GNOME target:	---
GNOME version:	2.11/2.12

Attachments
Full strace (86.03 KB, application/octet-stream) 2005-08-08 14:33 UTC, Ondřej Surý	Details

Description Ondřej Surý 2005-08-08 14:18:08 UTC

Steps to reproduce:
1. Look at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=298225
2. Download attached file
http://bugs.debian.org/cgi-bin/bugreport.cgi/d10.svg.gz?bug=298225&msg=5&att=1
3. Try to display it (f.e. with nautilus or rsvg-view)


Stack trace:
[...]
open("d10.svg", O_RDONLY)               = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=6123, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xb7efe000
read(4, "<?xml version=\"1.0\" encoding=\"UT"..., 8192) = 6123
read(4, "", 4096)                       = 0
close(4)                                = 0
munmap(0xb7efe000, 4096)                = 0
[...pango + font-config stuff stripped out...]
mmap2(NULL, 1635753984, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
= -1 ENOMEM (Cannot allocate memory)
brk(0x69912000)                         = 0x8119000
mmap2(NULL, 1635885056, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
= -1 ENOMEM (Cannot allocate memory)
mmap2(NULL, 2097152, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0)
= 0x5579d000
munmap(0x5579d000, 405504)              = 0
munmap(0x55900000, 643072)              = 0
mprotect(0x55800000, 135168, PROT_READ|PROT_WRITE) = 0
mmap2(NULL, 1635753984, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
= -1 ENOMEM (Cannot allocate memory)
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++


Other information:

Comment 1 Ondřej Surý 2005-08-08 14:33:48 UTC

Created attachment 50393 [details]
Full strace

Comment 2 Ondřej Surý 2005-08-08 14:34:25 UTC

Backtrace from GDB:

Program received signal SIGSEGV, Segmentation fault.

+ Trace 62290

Thread NaN (LWP 22168)

#0 art_svp_seg_compare
from /usr/lib/libart_lgpl_2.so.2
#1 art_svp_intersector
from /usr/lib/libart_lgpl_2.so.2
#2 art_svp_intersect
from /usr/lib/libart_lgpl_2.so.2
#3 rsvg_clip_path_merge
from /usr/lib/librsvg-2.so.2
#4 rsvg_clip_path_merge
from /usr/lib/librsvg-2.so.2
#5 rsvg_render_path
from /usr/lib/librsvg-2.so.2
#6 rsvg_defs_drawable_draw_as_svp
from /usr/lib/librsvg-2.so.2
#7 rsvg_defs_drawable_draw
from /usr/lib/librsvg-2.so.2
#8 rsvg_defs_drawable_draw_as_svp
from /usr/lib/librsvg-2.so.2
#9 rsvg_defs_drawable_draw
from /usr/lib/librsvg-2.so.2
#10 rsvg_defs_drawable_draw_as_svp
from /usr/lib/librsvg-2.so.2
#11 rsvg_defs_drawable_draw
from /usr/lib/librsvg-2.so.2
#12 rsvg_handle_get_pixbuf
from /usr/lib/librsvg-2.so.2
#13 rsvg_pixbuf_from_data_with_size_data
from /usr/lib/librsvg-2.so.2
#14 main

Comment 3 Alessio Spadaro 2005-08-18 14:57:18 UTC

No duplicates found
I was able to reproduce on Gnome jhbuild 2005/08/17 with rsvg-view

The process eat up all memory before crashing in a slightly different way (i
think it doesn't matter as the problem seems the same).

Here's my stack trace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1223920992 (LWP 7820)]
art_vpath_add_point (p_vpath=0xbfffd1fc, pn_points=0x28000000,
pn_points_max=0x1, code=ART_MOVETO_OPEN,
    x=201.66959903935759, y=-144954777.65538234) at art_vpath.c:58
58        (*p_vpath)[i].x = x;
(gdb) thread apply all bt

+ Trace 62525

Thread 1 (Thread -1223920992 (LWP 7820))

#0 art_vpath_add_point
at art_vpath.c line 58
#1 art_vpath_dash
at art_vpath_dash.c line 170
#2 rsvg_render_outline
at rsvg-art-draw.c line 314
#3 rsvg_render_bpath
at rsvg-art-draw.c line 381
#4 rsvg_render_path
at rsvg.c line 1397
#5 rsvg_node_path_draw
at rsvg-shapes.c line 62
#6 rsvg_node_draw
at rsvg-structure.c line 46
#7 _rsvg_node_draw_children
at rsvg-structure.c line 64
#8 rsvg_node_draw
at rsvg-structure.c line 46
#9 _rsvg_node_draw_children
at rsvg-structure.c line 64
#10 rsvg_node_draw
at rsvg-structure.c line 46
#11 rsvg_node_svg_draw
at rsvg-structure.c line 280
#12 rsvg_node_draw
at rsvg-structure.c line 46
#13 rsvg_handle_get_pixbuf
at rsvg.c line 1303
#14 rsvg_pixbuf_from_data_with_size_data
at rsvg-file-util.c line 147
#15 main
at test-display.c line 701

Comment 4 Sven Arvidsson 2007-04-13 14:43:48 UTC

I can't reproduce this with libart 2.3.19, can somebody else confirm?

Comment 5 Olivier Cleynen 2008-08-17 16:34:35 UTC

I can't reproduce it with Nautilus 2.22.3.

Comment 6 Cosimo Cecchi 2008-08-17 17:02:27 UTC

Let's close this as OBSOLETE then.