GNOME Bugzilla – Bug 339637
Crash when parsing a .svg
Last modified: 2006-04-25 12:42:37 UTC
When parsing an SVG file produced by Illustrator, librsvg (2.14.3) crashes.

Starting program: /usr/bin/gqview scummvm_icon.svg
[snip]
Program received signal SIGSEGV, Segmentation fault.
0xb7aadfa7 in g_array_new () from /usr/lib/libglib-2.0.so.0
(gdb) bt
+ Trace 67831
$4 = (RsvgNode *) 0x83485b8
(gdb) print *(ctx->priv->currentnode)
$5 = {state = 0x8348610, parent = 0x834d540, type = 0x82ac3d0, children = 0x623b676e, free = 0xb6da8b4d <rsvg_node_image_free>, draw = 0xb6da8bb8 <rsvg_node_image_draw>, set_atts = 0xb6da8d77 <rsvg_node_image_set_atts>}
(gdb) print ctx->priv->currentnode->parent
$6 = (RsvgNode *) 0x834d540
(gdb) print ctx->priv->currentnode->children
$7 = (GPtrArray *) 0x623b676e
(gdb) print *(ctx->priv->currentnode->children)
Cannot access memory at address 0x623b676e

It looks like the "children" pointer was corrupted or wrongly allocated. This could be earlier in librsvg or this could be a libxml issue (using 2.6.23). I'm afraid I don't know enough about libxml and the librsvg internals to go further. The test case follows.
Created attachment 64238: Crash case
The attached file is a PNG, not an SVG, and librsvg fails gracefully on the image:

[dom@fry librsvg]$ file /tmp/s.svg
/tmp/s.svg: PNG image data, 239 x 275, 8-bit/color RGBA, non-interlaced
[dom@fry librsvg]$ /usr/bin/rsvg-view /tmp/s.svg
Error displaying image: Error parsing XML data

Please reopen if you can find the original source SVG. Thanks.
I've just downloaded the SVG file from the attachment on another system, and it's exactly the same:

$ md5sum scummvm_icon.svg
1dd2fb5e5760db3e8b3b115580226395  scummvm_icon.svg
$ file scummvm_icon.svg
scummvm_icon.svg: XML 1.0 document text
$ rsvg-view scummvm_icon.svg
(rsvg-view:4072): GLib-CRITICAL **: g_ptr_array_add: assertion `array' failed
Erreur de segmentation
Valgrind reported a similar error. Thanks. This is committed to the HEAD and gnome-2-14 branches.

==27896== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 62 from 1)
==27896==
==27896== 2 errors in context 1 of 1:
==27896== Conditional jump or move depends on uninitialised value(s)
==27896==    at 0xA85BA2: g_ptr_array_add (in /usr/lib/libglib-2.0.so.0.1100.0)
==27896==    by 0x403B855: rsvg_node_group_pack (rsvg-structure.c:167)
==27896==    by 0x40440CB: rsvg_characters (rsvg-base.c:620)
==27896==    by 0x747DFFA: xmlParseCharData (in /usr/lib/libxml2.so.2.6.23)
==27896==    by 0x7487B8B: xmlParseChunk (in /usr/lib/libxml2.so.2.6.23)
==27896==    by 0x40444EC: rsvg_handle_write_impl (rsvg-base.c:797)
==27896==    by 0x40451C4: rsvg_handle_write (rsvg-base.c:1281)
==27896==    by 0x402A2F9: rsvg_handle_fill_with_data (rsvg-base-file-util.c:39)
==27896==    by 0x402A447: rsvg_handle_new_from_file (rsvg-base-file-util.c:103)
==27896==    by 0x8049B3D: main (rsvg-convert.c:218)
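The Valgrind trace above points at g_ptr_array_add being handed an uninitialised pointer from rsvg_node_group_pack, which matches the garbage "children" value (0x623b676e) in the gdb dump. As an added illustration, and not librsvg's code or the fix that was committed for this bug, the block below shows the defensive shape of that operation in plain C: the node constructor zero-initialises every field and creates the child array up front, and the pack routine returns an error instead of dereferencing an array that was never created. Node, PtrArray, node_new and node_pack are hypothetical names standing in for RsvgNode, GPtrArray and rsvg_node_group_pack.

```c
/* Added illustration of the bug class in this report; not librsvg code.
 * Names (PtrArray, Node, node_new, node_pack) are hypothetical stand-ins. */
#include <stdio.h>
#include <stdlib.h>

/* Minimal stand-in for GPtrArray: a growable array of pointers. */
typedef struct {
    void **pdata;
    size_t len;
    size_t cap;
} PtrArray;

static PtrArray *ptr_array_new(void)
{
    return calloc(1, sizeof(PtrArray));   /* every field starts at zero */
}

/* Like g_ptr_array_add, refuses a NULL array instead of dereferencing it. */
static int ptr_array_add(PtrArray *a, void *p)
{
    if (a == NULL)
        return -1;
    if (a->len == a->cap) {
        size_t ncap = a->cap ? a->cap * 2 : 4;
        void **np = realloc(a->pdata, ncap * sizeof *np);
        if (np == NULL)
            return -1;
        a->pdata = np;
        a->cap = ncap;
    }
    a->pdata[a->len++] = p;
    return 0;
}

static void ptr_array_free(PtrArray *a)
{
    if (a) { free(a->pdata); free(a); }
}

/* Hypothetical node mirroring the fields visible in the gdb dump. */
typedef struct Node {
    struct Node *parent;
    PtrArray *children;   /* the member that was found holding garbage */
    const char *type;
} Node;

/* Hardened constructor: calloc zeroes the struct, and the child array is
 * created here rather than lazily, so no caller can see an unset pointer. */
static Node *node_new(const char *type)
{
    Node *n = calloc(1, sizeof *n);
    if (n == NULL)
        return NULL;
    n->type = type;
    n->children = ptr_array_new();
    if (n->children == NULL) { free(n); return NULL; }
    return n;
}

/* Attach child to parent. Returns 0 on success, -1 if the parent's array is
 * missing (the condition behind the crash) or allocation fails. */
static int node_pack(Node *parent, Node *child)
{
    if (parent == NULL || child == NULL || parent->children == NULL)
        return -1;
    if (ptr_array_add(parent->children, child) != 0)
        return -1;
    child->parent = parent;
    return 0;
}

static size_t node_child_count(const Node *n)
{
    return (n && n->children) ? n->children->len : 0;
}

static void node_free(Node *n)   /* frees the whole subtree */
{
    if (n == NULL) return;
    for (size_t i = 0; i < node_child_count(n); i++)
        node_free(n->children->pdata[i]);
    ptr_array_free(n->children);
    free(n);
}

/* Self-check: returns 1 when packing works and a missing array is rejected. */
static int demo(void)
{
    int ok = 1;
    Node *root = node_new("svg");
    Node *img = node_new("image");
    ok &= node_pack(root, img) == 0;
    ok &= node_child_count(root) == 1 && img->parent == root;

    /* Reproduce the reported state safely: the array pointer is unusable. */
    Node *broken = node_new("g");
    Node *text = node_new("text");
    ptr_array_free(broken->children);
    broken->children = NULL;
    ok &= node_pack(broken, text) == -1;   /* rejected, no dereference */
    ok &= text->parent == NULL;

    node_free(root);      /* also frees img */
    node_free(broken);
    node_free(text);
    return ok;
}

int main(void)
{
    printf("hardened pack behaves as intended: %s\n", demo() ? "yes" : "no");
    return demo() ? 0 : 1;
}
```

Building a test program like this with -fsanitize=address,undefined, or running it under valgrind as the last comment did, is the check that catches the original pattern: an uninitialised struct member is reported at the first conditional that depends on it, long before it reaches a segfault inside the array code.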