Bug 655606 - Crash when using uninitialized KernelMatrix struct
Status: RESOLVED DUPLICATE of bug 624835
Product: librsvg
Classification: Core
Component: general
Version: 2.32.x
OS: Other Linux
Importance: Normal critical
Target Milestone: ---
Assigned To: librsvg maintainers
Depends on:
Blocks:
Reported: 2011-07-29 20:50 UTC by Nicolas Gregoire
Modified: 2011-11-07 22:10 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Attachment 192889: Crash on invalid read of uninitialized KernelMatrix (237 bytes, image/svg+xml), 2011-07-29 20:50 UTC, Nicolas Gregoire

Description Nicolas Gregoire 2011-07-29 20:50:22 UTC
Created attachment 192889
Crash on invalid read of uninitialized KernelMatrix

Overview : when an SVG file contains a filter using feConvolveMatrix, rsvg-filter.c

Steps to Reproduce : $> rsvg-convert uninitialized_KernelMatrix_crash.svg

Actual Results: when the attached SVG is opened by a librsvg-enabled application (rsvg-convert, geeqie, eog, ...), the application will crash because some uninitialized values are used

Expected Results : no crash

Build Date & Platform : version 2.34.0 compiled from source, with symbols. Tested under Linux

Additional Information :
(gdb) r uninitialized_KernelMatrix_crash.svg
Starting program: /usr/local/bin/rsvg-convert uninitialized_KernelMatrix_crash.svg
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x001413eb in rsvg_filter_primitive_convolve_matrix_set_atts (self=0x805d810, ctx=0x8058800, atts=0x80523b0) at rsvg-filter.c:1211
1211	                filter->divisor += filter->KernelMatrix[j + i * filter->orderx];
(gdb) bt
#0  rsvg_filter_primitive_convolve_matrix_set_atts at rsvg-filter.c:1211
#1  rsvg_node_set_atts at rsvg-base.c:2043
#2  rsvg_standard_element_start at rsvg-base.c:271
#3  rsvg_start_element at rsvg-base.c:666
#4  xmlParseStartTag from /usr/lib/libxml2.so.2
#5  ?? from /usr/lib/libxml2.so.2
#6  xmlParseChunk from /usr/lib/libxml2.so.2
#7  rsvg_handle_write_impl at rsvg-base.c:1164
#8  rsvg_handle_write at rsvg-base.c:1737
#9  rsvg_handle_fill_with_data at rsvg-base-file-util.c:38
#10 rsvg_handle_new_from_file at rsvg-base-file-util.c:100
#11 main at rsvg-convert.c:232

Comment 1 Nicolas Gregoire 2011-07-29 21:05:20 UTC
Oops, I submitted the form too early ...

Additional info : function rsvg_filter_primitive_convolve_matrix_set_atts in rsvg-convert.c will use an uninitialized filter->KernelMatrix if "kernelMatrix" is not defined in the SVG file. My PoC will crash on line 1211 when trying to access the content of the structure. It's possible to crash on free() too.
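The failure mode described in Comment 1, as an added example that is not part of the bug report and is not librsvg's code: a simplified C model of feConvolveMatrix attribute handling in which the filter struct is zeroed before any attribute is parsed, the kernelMatrix pointer is checked before the divisor loop dereferences it, and the parsed list length is checked against orderx*ordery. The type and function names (ConvolveFilter, parse_convolve_atts, parse_number_list, free_convolve, convolve_status, convolve_divisor) and the attribute inputs in main() are assumptions made for illustration; the inputs are constructed to cover a valid 3x3 kernel, the reporter's case of an element with no kernelMatrix attribute, and a kernel of the wrong length.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not librsvg code: a minimal model of the feConvolveMatrix
 * attribute-parsing pattern in this report. All names are assumed. */
typedef struct {
    double *KernelMatrix;   /* values from the kernelMatrix attribute */
    size_t  listlen;        /* how many values were actually parsed */
    int     orderx, ordery; /* from the order attribute, default 3x3 */
    double  divisor;        /* 0 means "not given, derive it from the kernel" */
} ConvolveFilter;

/* Parse a whitespace- or comma-separated list of numbers into a malloc'd array. */
static double *parse_number_list(const char *s, size_t *n)
{
    size_t cap = 8, count = 0;
    double *out = malloc(cap * sizeof *out);
    if (!out) return NULL;
    for (;;) {
        while (*s == ' ' || *s == ',' || *s == '\t' || *s == '\n') s++;
        char *end;
        double v = strtod(s, &end);
        if (end == s) break;                 /* no more numbers */
        if (count == cap) {
            double *tmp = realloc(out, (cap *= 2) * sizeof *out);
            if (!tmp) { free(out); return NULL; }
            out = tmp;
        }
        out[count++] = v;
        s = end;
    }
    *n = count;
    return out;
}

/* Safe to call on a parsed or zeroed struct: free(NULL) is a no-op and the
 * pointer is reset, so a second free cannot hit a stale value. */
void free_convolve(ConvolveFilter *f)
{
    free(f->KernelMatrix);
    f->KernelMatrix = NULL;
    f->listlen = 0;
}

/* Hardened set_atts: start from a known state, and never touch KernelMatrix
 * until it is known to exist and to hold orderx*ordery values. Returns 0 on
 * success and -1 on a malformed element, which the caller should reject. */
int parse_convolve_atts(ConvolveFilter *f, const char *order,
                        const char *kernelMatrix, const char *divisor)
{
    memset(f, 0, sizeof *f);      /* KernelMatrix = NULL, listlen = 0, divisor = 0 */
    f->orderx = f->ordery = 3;    /* SVG default when order is absent */

    if (order) {
        size_t n;
        double *o = parse_number_list(order, &n);
        if (!o) return -1;
        if (n >= 1) f->orderx = f->ordery = (int)o[0];
        if (n >= 2) f->ordery = (int)o[1];
        free(o);
    }
    if (kernelMatrix)
        f->KernelMatrix = parse_number_list(kernelMatrix, &f->listlen);
    if (divisor)
        f->divisor = strtod(divisor, NULL);

    /* The checks the reported crash path lacks: an absent kernelMatrix leaves
     * the pointer NULL rather than uninitialised, and a size mismatch is
     * rejected before the indexing loop below can read past the list. */
    if (!f->KernelMatrix || f->orderx <= 0 || f->ordery <= 0 ||
        f->listlen != (size_t)f->orderx * (size_t)f->ordery) {
        free_convolve(f);
        return -1;
    }
    if (f->divisor == 0.0) {
        for (int i = 0; i < f->ordery; i++)
            for (int j = 0; j < f->orderx; j++)
                f->divisor += f->KernelMatrix[j + i * f->orderx];
        if (f->divisor == 0.0)
            f->divisor = 1.0;     /* SVG: a kernel summing to zero uses divisor 1 */
    }
    return 0;
}

/* Wrappers that parse one element's attributes and report the outcome. */
int convolve_status(const char *order, const char *km, const char *div)
{
    ConvolveFilter f;
    int rc = parse_convolve_atts(&f, order, km, div);
    free_convolve(&f);
    return rc;
}

/* Returns the effective divisor, or 0.0 when the element was rejected. */
double convolve_divisor(const char *order, const char *km, const char *div)
{
    ConvolveFilter f;
    double d = parse_convolve_atts(&f, order, km, div) == 0 ? f.divisor : 0.0;
    free_convolve(&f);
    return d;
}

int main(void)
{
    /* Constructed inputs: a valid 3x3 kernel, the report's case of an element
     * with no kernelMatrix attribute, and a kernel of the wrong length. */
    printf("valid 3x3: status %d, divisor %g\n",
           convolve_status("3", "0 1 0 1 1 1 0 1 0", NULL),
           convolve_divisor("3", "0 1 0 1 1 1 0 1 0", NULL));
    printf("missing kernelMatrix: status %d\n", convolve_status("3", NULL, NULL));
    printf("wrong length: status %d\n", convolve_status("3", "1 2 3", NULL));
    return 0;
}
```

The two properties that matter for this report are that the struct is put into a known state before any attribute is read, and that the missing-attribute case is an explicit rejection rather than a read of whatever the allocator left in the block; the length check is the companion bug a reviewer would ask about, since a kernelMatrix shorter than orderx*ordery turns the same loop into an out-of-bounds read.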
Comment 2 Christian Persch 2011-11-07 22:10:55 UTC
Same as bug 624835 which has a patch.

*** This bug has been marked as a duplicate of bug 624835 ***