Bug 361267 - SVGs with duplicate IDs cause Nautilus/eog to crash
Status: RESOLVED FIXED
Product: librsvg
Classification: Core
Component: general
Version: 2.16.x
Hardware/OS: Other Linux
Importance: Normal normal
Assigned To: librsvg maintainers
Reported: 2006-10-10 21:04 UTC by Daniel Holbach
Modified: 2006-11-03 06:07 UTC
GNOME target: ---
GNOME version: 2.15/2.16

Description Daniel Holbach 2006-10-10 21:04:32 UTC
Forwarded from: https://launchpad.net/distros/ubuntu/+source/librsvg2/+bug/35434

Attempting to render an SVG which attempts to <use> a duplicate ID causes the application to crash (Nautilus, eog, whatever). The following code, for example, triggers the bug:

<svg>
        <defs>
                <polygon id="buggy" />
        </defs>

        <g id="buggy">
                <use xlink:href="#buggy" />
        </g>
</svg>

That code is bad and wrong, but shouldn't cause a segfault in the calling application! It took quite some time to work out that it was in fact that problem causing Nautilus to be unable to start (I had an offending SVG on my desktop).

Should be pretty easy to fix, I think.

Note: the original reporter indicated the bug was in package 'librsvg2'; however, that package was not published in Ubuntu.


An offending file: http://librarian.launchpad.net/4730014/test.svg

Backtrace:

#0 ____strtod_l_internal from /lib/libc.so.6
#1 IA__g_ascii_strtod at /usr/include/stdlib.h line 330
#2 _rsvg_css_parse_length at rsvg-css.c line 103
#3 rsvg_state_init at rsvg-styles.c line 64
#4 rsvg_state_push at rsvg-styles.c line 1452
#5 rsvg_node_use_draw at rsvg-structure.c line 199
#6 rsvg_node_draw at rsvg-structure.c line 54
#7 _rsvg_node_draw_children at rsvg-structure.c line 73
#8 rsvg_node_draw at rsvg-structure.c line 54
#9 rsvg_node_use_draw at rsvg-structure.c line 200
#10 rsvg_node_draw at rsvg-structure.c line 54
#11 _rsvg_node_draw_children at rsvg-structure.c line 73
#12 rsvg_node_draw at rsvg-structure.c line 54
#13 rsvg_node_use_draw at rsvg-structure.c line 200
#14 rsvg_node_draw at rsvg-structure.c line 54
#15 _rsvg_node_draw_children at rsvg-structure.c line 73
#16 rsvg_node_draw at rsvg-structure.c line 54
...

The backtrace goes on and on for pages like that :-)
Comment 1 Dominic Lachowicz 2006-10-10 21:07:52 UTC
Right, as it would try to render the <g> that included the <use>, which referenced the same <g>... recursively until some resource gave.

We might be able to track recursive draws, and thus draw nothing.

Decreasing severity, as this can't happen on valid XML documents.
Comment 2 Dominic Lachowicz 2006-11-03 01:51:38 UTC
Fixed. Should be in 2.16.1
Comment 3 Daniel Holbach 2006-11-03 06:07:04 UTC
Super! Thanks for your work! :-)
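
The recursive-draw tracking proposed in Comment 1, sketched as an added example (not librsvg's code and not its actual fix). The node model, the `drawing` flag and the "later definition wins" ID lookup are assumptions made for illustration; the sample tree is constructed to mirror the SVG in the report.

```c
#include <stddef.h>
#include <string.h>
/* Hypothetical, simplified node model; not librsvg's real structures. */
enum kind { GROUP, DEFS, SHAPE, USE };
struct node {
    enum kind kind;
    const char *id, *href;   /* id may be NULL; href is a USE target without '#' */
    struct node *child[2];
    size_t nchild;
    int drawing;             /* nonzero while this node is on the draw stack */
};

/* Assumption: with duplicate ids, the definition later in the document wins. */
static struct node *lookup(struct node *n, const char *id) {
    struct node *hit = (n->id && strcmp(n->id, id) == 0) ? n : NULL;
    for (size_t i = 0; i < n->nchild; i++) {
        struct node *c = lookup(n->child[i], id);
        if (c) hit = c;
    }
    return hit;
}

/* Returns the number of shapes drawn; *cycles counts refused re-entries. */
static int draw(struct node *root, struct node *n, int *cycles) {
    int drawn = 0;
    if (n->kind == DEFS) return 0;               /* defs are only drawn via <use> */
    if (n->drawing) { (*cycles)++; return 0; }   /* recursive draw: draw nothing */
    n->drawing = 1;
    if (n->kind == SHAPE) drawn = 1;
    else if (n->kind == USE) {
        struct node *t = lookup(root, n->href);
        if (t) drawn = draw(root, t, cycles);
    } else for (size_t i = 0; i < n->nchild; i++) drawn += draw(root, n->child[i], cycles);
    n->drawing = 0;                              /* leaving: node may be drawn again */
    return drawn;
}

/* Constructed input mirroring the report; g_id "buggy" creates the duplicate id. */
static int render_sample(const char *g_id, int *cycles) {
    struct node poly = { SHAPE, "buggy", NULL, {0}, 0, 0 };
    struct node defs = { DEFS, NULL, NULL, { &poly }, 1, 0 };
    struct node use  = { USE, NULL, "buggy", {0}, 0, 0 };
    struct node g    = { GROUP, g_id, NULL, { &use }, 1, 0 };
    struct node svg  = { GROUP, NULL, NULL, { &defs, &g }, 2, 0 };
    *cycles = 0;
    return draw(&svg, &svg, cycles);
}

int main(void) { int cycles; return render_sample("buggy", &cycles); }
```

Clearing the flag on the way out matters: a node referenced by several sibling `<use>` elements is still drawn each time, and only re-entry while it is already being drawn is refused.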