GNOME Bugzilla – Bug 761296
ssconvert: font for sheet object widgets
Last modified: 2016-01-30 17:58:41 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2. This is not a fuzzed sample.

Test case: http://jutaky.com/fuzzing/gnumeric_case_002-2pdf.gnumeric

$ ssconvert gnumeric_case_002-2pdf.gnumeric /tmp/out.pdf
==17688==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x7f8e147a410f bp 0x000000000001 sp 0x7ffc4c739af0 T0)
    #0 0x7f8e147a410e (/usr/lib/libgtk-3.so.0+0x2a110e)
    #1 0x7f8e147b7125 (/usr/lib/libgtk-3.so.0+0x2b4125)
    #2 0x7f8e1267bcb8 in g_type_create_instance gnumeric/glib/gobject/gtype.c:1875
    #3 0x7f8e1265d94a in g_object_new_internal gnumeric/glib/gobject/gobject.c:1781
    #4 0x7f8e1265f160 in g_object_newv gnumeric/glib/gobject/gobject.c:1928
    #5 0x7f8e1265fa4b in g_object_new gnumeric/glib/gobject/gobject.c:1621
    #6 0x7f8e17919c66 in get_font gnumeric/gnumeric/src/sheet-object-widget.c:599:27
    #7 0x7f8e17919c66 in draw_cairo_text gnumeric/gnumeric/src/sheet-object-widget.c:665
    #8 0x7f8e17925fca in sheet_widget_checkbox_draw_cairo gnumeric/gnumeric/src/sheet-object-widget.c:2719:2
    #9 0x7f8e178e2950 in sheet_object_draw_cairo gnumeric/gnumeric/src/sheet-object.c:837:3
    #10 0x7f8e17a49398 in gnm_print_sheet_objects gnumeric/gnumeric/src/print.c:259:3
    #11 0x7f8e17a51c42 in print_page_cells gnumeric/gnumeric/src/print.c:277:2
    #12 0x7f8e17a51c42 in print_page gnumeric/gnumeric/src/print.c:666
    #13 0x7f8e17a51c42 in gnm_draw_page_cb gnumeric/gnumeric/src/print.c:1446
    #14 0x7f8e12658734 in g_closure_invoke gnumeric/glib/gobject/gclosure.c:804
    #15 0x7f8e1266a9f0 in signal_emit_unlocked_R gnumeric/glib/gobject/gsignal.c:3629
    #16 0x7f8e126738de in g_signal_emit_valist gnumeric/glib/gobject/gsignal.c:3385
    #17 0x7f8e12673c01 in g_signal_emit gnumeric/glib/gobject/gsignal.c:3441
    #18 0x7f8e147685de (/usr/lib/libgtk-3.so.0+0x2655de)
    #19 0x7f8e14768c32 (/usr/lib/libgtk-3.so.0+0x265c32)
    #20 0x7f8e1425b5c7 (/usr/lib/libgdk-3.so.0+0x255c7)
    #21 0x7f8e1214fd89 in g_main_dispatch gnumeric/glib/glib/gmain.c:3154
    #22 0x7f8e1214fd89 in g_main_context_dispatch gnumeric/glib/glib/gmain.c:3769
    #23 0x7f8e12150107 in g_main_context_iterate.isra.29 gnumeric/glib/glib/gmain.c:3840
    #24 0x7f8e12150421 in g_main_loop_run gnumeric/glib/glib/gmain.c:4034
    #25 0x7f8e14767d62 (/usr/lib/libgtk-3.so.0+0x264d62)
    #26 0x7f8e14768e61 in gtk_print_operation_run (/usr/lib/libgtk-3.so.0+0x265e61)
    #27 0x7f8e17a4a3e7 in gnm_print_sheet gnumeric/gnumeric/src/print.c:1882:8
    #28 0x7f8e1781808b in pdf_write_workbook gnumeric/gnumeric/src/print-info.c:851:2
    #29 0x7f8e1781808b in pdf_export gnumeric/gnumeric/src/print-info.c:876
    #30 0x7f8e16da92ce in go_file_saver_save_real gnumeric/goffice/goffice/app/file.c:577:2
    #31 0x7f8e16da5512 in go_file_saver_save gnumeric/goffice/goffice/app/file.c:848:2
    #32 0x7f8e179a993d in wbv_save_to_output gnumeric/gnumeric/src/workbook-view.c:1059:2
    #33 0x7f8e179a9bb5 in wb_view_save_to_uri gnumeric/gnumeric/src/workbook-view.c:1093:3
    #34 0x7f8e179aa184 in wb_view_save_as gnumeric/gnumeric/src/workbook-view.c:1129:2
    #35 0x4df9f8 in convert gnumeric/gnumeric/src/ssconvert.c:845:9
    #36 0x4dc714 in main gnumeric/gnumeric/src/ssconvert.c:918:19
    #37 0x7f8e1174860f in __libc_start_main (/usr/lib/libc.so.6+0x2060f)
    #38 0x41a6a8 in _start (apps/bin/ssconvert+0x41a6a8)

-- Juha Kylmänen
No crash for me, but valgrind is unhappy. Could you please add ../tools/gnmvalgrind to the command line and attach a log for that?

==19505== Invalid read of size 4
==19505==    at 0x80CAA90: ??? (in /usr/lib64/libcairo.so.2.11200.16)
==19505==    by 0x80CBFF3: ??? (in /usr/lib64/libcairo.so.2.11200.16)
==19505==    by 0x80CC493: ??? (in /usr/lib64/libcairo.so.2.11200.16)
==19505==    by 0x8113E14: ??? (in /usr/lib64/libcairo.so.2.11200.16)
==19505==    by 0x80C967F: ??? (in /usr/lib64/libcairo.so.2.11200.16)
==19505==    by 0x811164F: ??? (in /usr/lib64/libcairo.so.2.11200.16)
==19505==    by 0x80AE0F5: ??? (in /usr/lib64/libcairo.so.2.11200.16)
==19505==    by 0x80AEC6A: cairo_surface_finish (in /usr/lib64/libcairo.so.2.11200.16)
==19505==    by 0x8085763: ??? (in /usr/lib64/libcairo.so.2.11200.16)
==19505==    by 0x80AE0F5: ??? (in /usr/lib64/libcairo.so.2.11200.16)
==19505==    by 0x80AEC6A: cairo_surface_finish (in /usr/lib64/libcairo.so.2.11200.16)
==19505==    by 0x6FE6328: ??? (in /usr/lib64/libgtk-3.so.0.1000.9)
==19505==    by 0x6FE88CA: ??? (in /usr/lib64/libgtk-3.so.0.1000.9)
==19505==    by 0x7529EE7: ??? (in /usr/lib64/libgdk-3.so.0.1000.9)
==19505==    by 0x8B85315: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3800.2)
==19505==    by 0x8B85667: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
==19505==    by 0x8B85A69: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3800.2)
==19505==    by 0x6FE7A3E: ??? (in /usr/lib64/libgtk-3.so.0.1000.9)
==19505==    by 0x6FE8B63: gtk_print_operation_run (in /usr/lib64/libgtk-3.so.0.1000.9)
==19505==    by 0x4FC8E03: gnm_print_sheet (print.c:1882)
==19505==    by 0x4F36FC3: pdf_export (print-info.c:851)
==19505==    by 0x4F9D15C: wbv_save_to_output (workbook-view.c:1059)
==19505==    by 0x4F9D266: wb_view_save_to_uri (workbook-view.c:1093)
==19505==    by 0x4F9D470: wb_view_save_as (workbook-view.c:1129)
==19505==    by 0x404809: convert (ssconvert.c:845)
==19505==    by 0x403B36: main (ssconvert.c:917)
==19505==  Address 0x14ec5da4 is 4 bytes inside a block of size 6 alloc'd
==19505==    at 0x4C277AB: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==19505==    by 0x80CAB51: ??? (in /usr/lib64/libcairo.so.2.11200.16)
==19505==    by 0x80CBFF3: ??? (in /usr/lib64/libcairo.so.2.11200.16)
==19505==    by 0x80CC493: ??? (in /usr/lib64/libcairo.so.2.11200.16)
==19505==    by 0x8113E14: ??? (in /usr/lib64/libcairo.so.2.11200.16)
==19505==    by 0x80C967F: ??? (in /usr/lib64/libcairo.so.2.11200.16)
==19505==    by 0x811164F: ??? (in /usr/lib64/libcairo.so.2.11200.16)
==19505==    by 0x80AE0F5: ??? (in /usr/lib64/libcairo.so.2.11200.16)
==19505==    by 0x80AEC6A: cairo_surface_finish (in /usr/lib64/libcairo.so.2.11200.16)
==19505==    by 0x8085763: ??? (in /usr/lib64/libcairo.so.2.11200.16)
==19505==    by 0x80AE0F5: ??? (in /usr/lib64/libcairo.so.2.11200.16)
==19505==    by 0x80AEC6A: cairo_surface_finish (in /usr/lib64/libcairo.so.2.11200.16)
==19505==    by 0x6FE6328: ??? (in /usr/lib64/libgtk-3.so.0.1000.9)
==19505==    by 0x6FE88CA: ??? (in /usr/lib64/libgtk-3.so.0.1000.9)
==19505==    by 0x7529EE7: ??? (in /usr/lib64/libgdk-3.so.0.1000.9)
==19505==    by 0x8B85315: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3800.2)
==19505==    by 0x8B85667: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
==19505==    by 0x8B85A69: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3800.2)
==19505==    by 0x6FE7A3E: ??? (in /usr/lib64/libgtk-3.so.0.1000.9)
==19505==    by 0x6FE8B63: gtk_print_operation_run (in /usr/lib64/libgtk-3.so.0.1000.9)
==19505==    by 0x4FC8E03: gnm_print_sheet (print.c:1882)
==19505==    by 0x4F36FC3: pdf_export (print-info.c:851)
==19505==    by 0x4F9D15C: wbv_save_to_output (workbook-view.c:1059)
==19505==    by 0x4F9D266: wb_view_save_to_uri (workbook-view.c:1093)
==19505==    by 0x4F9D470: wb_view_save_as (workbook-view.c:1129)
==19505==    by 0x404809: convert (ssconvert.c:845)
==19505==    by 0x403B36: main (ssconvert.c:917)
$ ../tools/gnmvalgrind ./ssconvert /tmp/gnumeric_case_002-2pdf.gnumeric /tmp/.pdf
Setting G_SLICE=always-malloc
Setting GNM_DEBUG=valgrind-bitfield-workarounds
Executing ../libtool --mode=execute valgrind --num-callers=40 --suppressions=../test/common.supp --suppressions=../test/gui.supp ./ssconvert /tmp/gnumeric_case_002-2pdf.gnumeric /tmp/.pdf
==32039== Memcheck, a memory error detector
==32039== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==32039== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==32039== Command: /home/jutaky/fuzzing/gnumeric/gnumeric/src/.libs/lt-ssconvert /tmp/gnumeric_case_002-2pdf.gnumeric /tmp/.pdf
==32039==
GLib-GIO-Message: Using the 'memory' GSettings backend. Your settings will not be saved or shared with other applications.

(/home/jutaky/fuzzing/gnumeric/gnumeric/src/.libs/lt-ssconvert:32039): Gtk-CRITICAL **: gtk_settings_get_for_screen: assertion 'GDK_IS_SCREEN (screen)' failed
==32039== Invalid read of size 8
==32039==    at 0x740410F: ??? (in /usr/lib/libgtk-3.so.0.1800.6)
==32039==    by 0x7417125: ??? (in /usr/lib/libgtk-3.so.0.1800.6)
==32039==    by 0x9723CC8: g_type_create_instance (gtype.c:1875)
==32039==    by 0x970595A: g_object_new_internal (gobject.c:1781)
==32039==    by 0x9707170: g_object_newv (gobject.c:1928)
==32039==    by 0x9707A5B: g_object_new (gobject.c:1621)
==32039==    by 0x50618BE: get_font (sheet-object-widget.c:599)
==32039==    by 0x50618BE: draw_cairo_text (sheet-object-widget.c:665)
==32039==    by 0x5069CA5: sheet_widget_checkbox_draw_cairo (sheet-object-widget.c:2719)
==32039==    by 0x503D595: sheet_object_draw_cairo (sheet-object.c:837)
==32039==    by 0x5121644: gnm_print_sheet_objects (print.c:259)
==32039==    by 0x512683D: print_page_cells (print.c:277)
==32039==    by 0x512683D: print_page (print.c:666)
==32039==    by 0x512683D: gnm_draw_page_cb (print.c:1446)
==32039==    by 0x9700744: g_closure_invoke (gclosure.c:804)
==32039==    by 0x9712A00: signal_emit_unlocked_R (gsignal.c:3629)
==32039==    by 0x971B8EE: g_signal_emit_valist (gsignal.c:3385)
==32039==    by 0x971BC11: g_signal_emit (gsignal.c:3441)
==32039==    by 0x73C85DE: ??? (in /usr/lib/libgtk-3.so.0.1800.6)
==32039==    by 0x73C8C32: ??? (in /usr/lib/libgtk-3.so.0.1800.6)
==32039==    by 0x7AAB5C7: ??? (in /usr/lib/libgdk-3.so.0.1800.6)
==32039==    by 0x9B95CB9: g_main_dispatch (gmain.c:3154)
==32039==    by 0x9B95CB9: g_main_context_dispatch (gmain.c:3769)
==32039==    by 0x9B96037: g_main_context_iterate.isra.29 (gmain.c:3840)
==32039==    by 0x9B96351: g_main_loop_run (gmain.c:4034)
==32039==    by 0x73C7D62: ??? (in /usr/lib/libgtk-3.so.0.1800.6)
==32039==    by 0x73C8E61: gtk_print_operation_run (in /usr/lib/libgtk-3.so.0.1800.6)
==32039==    by 0x5121EFB: gnm_print_sheet (print.c:1882)
==32039==    by 0x4FC857F: pdf_write_workbook (print-info.c:851)
==32039==    by 0x4FC857F: pdf_export (print-info.c:876)
==32039==    by 0x55E944B: go_file_saver_save_real (file.c:577)
==32039==    by 0x55E6673: go_file_saver_save (file.c:848)
==32039==    by 0x50B6382: wbv_save_to_output (workbook-view.c:1059)
==32039==    by 0x50B653A: wb_view_save_to_uri (workbook-view.c:1093)
==32039==    by 0x50B6995: wb_view_save_as (workbook-view.c:1129)
==32039==    by 0x406959: convert (ssconvert.c:845)
==32039==    by 0x4041F1: main (ssconvert.c:918)
==32039==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==32039==
==32039==
==32039== Process terminating with default action of signal 11 (SIGSEGV)
==32039==  Access not within mapped region at address 0x18
==32039==    at 0x740410F: ??? (in /usr/lib/libgtk-3.so.0.1800.6)
==32039==    by 0x7417125: ??? (in /usr/lib/libgtk-3.so.0.1800.6)
==32039==    by 0x9723CC8: g_type_create_instance (gtype.c:1875)
==32039==    by 0x970595A: g_object_new_internal (gobject.c:1781)
==32039==    by 0x9707170: g_object_newv (gobject.c:1928)
==32039==    by 0x9707A5B: g_object_new (gobject.c:1621)
==32039==    by 0x50618BE: get_font (sheet-object-widget.c:599)
==32039==    by 0x50618BE: draw_cairo_text (sheet-object-widget.c:665)
==32039==    by 0x5069CA5: sheet_widget_checkbox_draw_cairo (sheet-object-widget.c:2719)
==32039==    by 0x503D595: sheet_object_draw_cairo (sheet-object.c:837)
==32039==    by 0x5121644: gnm_print_sheet_objects (print.c:259)
==32039==    by 0x512683D: print_page_cells (print.c:277)
==32039==    by 0x512683D: print_page (print.c:666)
==32039==    by 0x512683D: gnm_draw_page_cb (print.c:1446)
==32039==    by 0x9700744: g_closure_invoke (gclosure.c:804)
==32039==    by 0x9712A00: signal_emit_unlocked_R (gsignal.c:3629)
==32039==    by 0x971B8EE: g_signal_emit_valist (gsignal.c:3385)
==32039==    by 0x971BC11: g_signal_emit (gsignal.c:3441)
==32039==    by 0x73C85DE: ??? (in /usr/lib/libgtk-3.so.0.1800.6)
==32039==    by 0x73C8C32: ??? (in /usr/lib/libgtk-3.so.0.1800.6)
==32039==    by 0x7AAB5C7: ??? (in /usr/lib/libgdk-3.so.0.1800.6)
==32039==    by 0x9B95CB9: g_main_dispatch (gmain.c:3154)
==32039==    by 0x9B95CB9: g_main_context_dispatch (gmain.c:3769)
==32039==    by 0x9B96037: g_main_context_iterate.isra.29 (gmain.c:3840)
==32039==    by 0x9B96351: g_main_loop_run (gmain.c:4034)
==32039==    by 0x73C7D62: ??? (in /usr/lib/libgtk-3.so.0.1800.6)
==32039==    by 0x73C8E61: gtk_print_operation_run (in /usr/lib/libgtk-3.so.0.1800.6)
==32039==    by 0x5121EFB: gnm_print_sheet (print.c:1882)
==32039==    by 0x4FC857F: pdf_write_workbook (print-info.c:851)
==32039==    by 0x4FC857F: pdf_export (print-info.c:876)
==32039==    by 0x55E944B: go_file_saver_save_real (file.c:577)
==32039==    by 0x55E6673: go_file_saver_save (file.c:848)
==32039==    by 0x50B6382: wbv_save_to_output (workbook-view.c:1059)
==32039==    by 0x50B653A: wb_view_save_to_uri (workbook-view.c:1093)
==32039==    by 0x50B6995: wb_view_save_as (workbook-view.c:1129)
==32039==    by 0x406959: convert (ssconvert.c:845)
==32039==    by 0x4041F1: main (ssconvert.c:918)
==32039==  If you believe this happened as a result of a stack
==32039==  overflow in your program's main thread (unlikely but
==32039==  possible), you can try to increase the size of the
==32039==  main thread stack using the --main-stacksize= flag.
==32039==  The main thread stack size used in this run was 67108864.
==32039==
==32039== HEAP SUMMARY:
==32039==     in use at exit: 1,430,824 bytes in 17,232 blocks
==32039==   total heap usage: 153,679 allocs, 136,447 frees, 856,757,058 bytes allocated
==32039==
==32039== LEAK SUMMARY:
==32039==    definitely lost: 0 bytes in 0 blocks
==32039==    indirectly lost: 13,470 bytes in 498 blocks
==32039==      possibly lost: 279,703 bytes in 2 blocks
==32039==    still reachable: 830,153 bytes in 11,394 blocks
==32039==                       of which reachable via heuristic:
==32039==                         length64           : 3,664 bytes in 67 blocks
==32039==                         newarray           : 1,968 bytes in 43 blocks
==32039==         suppressed: 268,642 bytes in 5,006 blocks
==32039== Rerun with --leak-check=full to see details of leaked memory
==32039==
==32039== For counts of detected and suppressed errors, rerun with: -v
==32039== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault

Gtk+ 3.18.6
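The reports in this bug show two different memory errors that a fuzzing or crash-triage workflow has to tell apart: the maintainer's memcheck run flags a read 4 bytes into a 6-byte heap block inside cairo 1.12, while the reporter's ASan and memcheck runs both fault on address 0x18, which is a struct field read through a NULL pointer (GTK+ 3.18 failed the GDK_IS_SCREEN assertion just before). The script below is an added example, not part of this bug report or of the gnumeric tree: it parses condensed ASan and memcheck excerpts constructed from the traces above, classifies the fault from the address line (near-NULL dereference, heap over-read, or wild pointer), and picks out the first frame under a caller-supplied source path so that reports can be bucketed by where they enter the project's own code. The excerpts, the function names, and the one-page `NEAR_NULL_LIMIT` heuristic are assumptions of the example.

```python
"""Triage helper for AddressSanitizer / Valgrind memcheck reports.
Added example for this bug page, not part of gnumeric or its tools; the
report excerpts are constructed, condensed copies of the traces in the bug."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

NEAR_NULL_LIMIT = 0x1000   # assumed: addresses below one page are NULL + field offset

ASAN_HEADER = re.compile(r"AddressSanitizer: (?P<sig>\w+) on unknown address 0x(?P<addr>[0-9a-f]+)")
ASAN_FRAME = re.compile(r"^\s*#\d+\s+0x[0-9a-fA-F]+\s+(?:in\s+(?P<func>\S+)\s+)?(?P<loc>\S+)")
VG_KIND = re.compile(r"^==\d+==\s+(?P<kind>Invalid (?:read|write)) of size (?P<size>\d+)")
VG_FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (?P<func>\S+) \((?P<loc>[^)]*)\)")
VG_ADDR = re.compile(r"Address 0x(?P<addr>[0-9a-f]+) is "
                     r"(?:(?P<off>\d+) bytes inside a block of size (?P<blk>\d+)|not stack'd)")


@dataclass
class Frame:
    func: Optional[str]   # None or "???" when the library carries no symbols
    location: str         # "file.c:123", or the shared object the PC fell in


@dataclass
class Triage:
    tool: str
    kind: str = ""
    address: Optional[int] = None
    frames: List[Frame] = field(default_factory=list)
    verdict: str = "unclassified"

    def first_frame_under(self, path_fragment: str) -> Optional[Frame]:
        # Only frames resolved to file:line count; "" matches the first such frame.
        return next((f for f in self.frames
                     if ":" in f.location and path_fragment in f.location), None)


def classify(address, access_size=None, heap=None) -> str:
    """Verdict from the report's address line; heap is (offset, block_size)."""
    if heap is not None:
        off, blk = heap
        if access_size is not None and off + access_size > blk:
            return f"heap over-read: {off + access_size - blk} byte(s) past the end of a {blk}-byte block"
        return "access inside a live heap block"
    if address is None:
        return "unclassified"
    if address < NEAR_NULL_LIMIT:
        return f"near-NULL dereference: offset 0x{address:x} from a NULL pointer"
    return "wild or unmapped pointer dereference"


def parse_asan(text: str) -> Triage:
    t = Triage(tool="asan")
    for line in text.splitlines():
        if (m := ASAN_HEADER.search(line)):
            t.kind, t.address = m.group("sig").lower(), int(m.group("addr"), 16)
        elif (m := ASAN_FRAME.match(line)):
            t.frames.append(Frame(m.group("func"), m.group("loc")))
    t.verdict = classify(t.address)
    return t


def parse_valgrind(text: str) -> Triage:
    t = Triage(tool="valgrind")
    size, heap, secondary = None, None, False
    for line in text.splitlines():
        if (m := VG_KIND.match(line)):
            t.kind, size = m.group("kind").lower(), int(m.group("size"))
        elif (m := VG_ADDR.search(line)):
            t.address = int(m.group("addr"), 16)
            if m.group("off"):
                heap = (int(m.group("off")), int(m.group("blk")))
            secondary = True   # later frames are the malloc site or the SIGSEGV repeat
        elif (m := VG_FRAME.match(line)) and not secondary:
            t.frames.append(Frame(m.group("func"), m.group("loc")))
    t.verdict = classify(t.address, size, heap)
    return t


def summarize(t: Triage, project_path: str) -> str:
    """One-line summary of the form a dedup script or tracker comment wants."""
    own = t.first_frame_under(project_path) or t.first_frame_under("")
    where = f"{own.func} ({own.location})" if own else "no symbolized frame"
    return f"[{t.tool}] {t.kind}: {t.verdict}; first own frame: {where}"


# Constructed excerpts of the three reports quoted in this bug (frames trimmed).
ASAN_REPORT = """\
==17688==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x7f8e147a410f bp 0x000000000001 sp 0x7ffc4c739af0 T0)
    #0 0x7f8e147a410e (/usr/lib/libgtk-3.so.0+0x2a110e)
    #2 0x7f8e1267bcb8 in g_type_create_instance gnumeric/glib/gobject/gtype.c:1875
    #6 0x7f8e17919c66 in get_font gnumeric/gnumeric/src/sheet-object-widget.c:599:27
"""
VALGRIND_HEAP_REPORT = """\
==19505== Invalid read of size 4
==19505==    at 0x80CAA90: ??? (in /usr/lib64/libcairo.so.2.11200.16)
==19505==    by 0x80AEC6A: cairo_surface_finish (in /usr/lib64/libcairo.so.2.11200.16)
==19505==    by 0x4FC8E03: gnm_print_sheet (print.c:1882)
==19505==  Address 0x14ec5da4 is 4 bytes inside a block of size 6 alloc'd
==19505==    at 0x4C277AB: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
"""
VALGRIND_NULL_REPORT = """\
==32039== Invalid read of size 8
==32039==    at 0x740410F: ??? (in /usr/lib/libgtk-3.so.0.1800.6)
==32039==    by 0x9723CC8: g_type_create_instance (gtype.c:1875)
==32039==    by 0x50618BE: get_font (sheet-object-widget.c:599)
==32039==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
"""

if __name__ == "__main__":
    print(summarize(parse_asan(ASAN_REPORT), "gnumeric/gnumeric/src/"))
    print(summarize(parse_valgrind(VALGRIND_HEAP_REPORT), "print.c"))
    print(summarize(parse_valgrind(VALGRIND_NULL_REPORT), "sheet-object-widget.c"))
```

The heap verdict follows memcheck's own arithmetic: a 4-byte read starting 4 bytes into a 6-byte block runs 2 bytes past the end, which is a different bug (and a different library) from the 0x18 fault, so the two would land in separate buckets even though both surface under gnm_print_sheet. Passing a path fragment such as gnumeric/gnumeric/src/ skips the glib and GTK+ frames and reports get_font at sheet-object-widget.c:599, which is where comment 3's "GTK+ API/ABI break" diagnosis points.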
GTK+ API/ABI break. Again. It doesn't look like we'll be able to use gtk_style_context_new.
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.