GNOME Bugzilla – Bug 626802
NULL-ptr crash in g_str_equal in rsvg-styles.c
Last modified: 2011-09-07 09:05:46 UTC
In several places, the code uses g_str_equal instead of g_strcmp0, which would be NULL-ptr safe.

Test file to reproduce:
https://bugzilla.redhat.com/attachment.cgi?id=382575
http://www.clipart.clipartist.net/openclipart/openclipart-0.19/mikemagee/mikemagee_askwhy09_02_20_01.svg

Bug reports:
https://bugzilla.redhat.com/553069
https://bugzilla.redhat.com/603183
Trace 223219 (stack trace): Thread 1 (Thread 5596)
Anyone interested in either fixing this or in replying to my comment?
It's true, g_strncmp0 is NULL safe, and g_str_equal is not. The real question is, should the NULL get there in the first place...
Created attachment 181278 [details]
compressed example file that crashes librsvg2

This file is gzipped, because it crashes Firefox when trying to attach it uncompressed. ;)

It crashes because it specifies a stop-color property with an empty value:
<stop offset='0%' style='stop-color:; stop-opacity:1'/>
http://www.w3.org/TR/SVG11/pservers.html#StopColorProperty
Created attachment 181279 [details]
fixed example

This is the example file with a complete stop-color property. It does not crash Firefox, Nautilus, Geeqie, and many other apps that use librsvg.
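The two points raised above (comment 0: g_str_equal is not NULL-safe while g_strcmp0 is; the attachment comment: an empty stop-color value is what produces the NULL) can be seen together in a small stand-alone C program. This is an added illustration, not code from librsvg or GLib: strcmp0_like re-implements the documented g_strcmp0 ordering (NULL before any string, NULL equals NULL), str_equal_unsafe mirrors the g_str_equal pattern of dereferencing both arguments, and style_lookup is a deliberately minimal style-attribute scanner (an assumption, not librsvg's parser) that returns NULL for an empty value exactly like the crashing <stop> element. The sample style strings are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Re-implementation of g_strcmp0 semantics (not GLib's code): NULL sorts
 * before any string and two NULLs compare equal, so either side may be NULL. */
int strcmp0_like(const char *a, const char *b)
{
    if (a == NULL) return (b == NULL) ? 0 : -1;
    if (b == NULL) return 1;
    return strcmp(a, b);
}

/* Same shape as the g_str_equal pattern from the bug report: both pointers are
 * dereferenced unconditionally, so a NULL argument segfaults. Kept only as the
 * "before" form; never call it with a value that may be NULL. */
int str_equal_unsafe(const char *a, const char *b)
{
    return strcmp(a, b) == 0;
}

/* The NULL-safe replacement proposed in comment 0. */
int str_equal_safe(const char *a, const char *b)
{
    return strcmp0_like(a, b) == 0;
}

/* Minimal scanner for a style attribute such as "stop-color:; stop-opacity:1"
 * (an assumption for this example, not librsvg's parser). Returns a malloc'd
 * copy of prop's value, or NULL when the property is missing or its value is
 * empty, which is how an empty stop-color turns into a NULL pointer. */
char *style_lookup(const char *style, const char *prop)
{
    size_t plen = strlen(prop);
    const char *p = style;

    while (*p) {
        while (*p == ' ' || *p == ';') p++;          /* skip separators */
        const char *name = p;
        while (*p && *p != ':' && *p != ';') p++;
        size_t nlen = (size_t)(p - name);
        while (nlen > 0 && name[nlen - 1] == ' ') nlen--;

        const char *val = NULL;
        size_t vlen = 0;
        if (*p == ':') {
            p++;
            while (*p == ' ') p++;
            val = p;
            while (*p && *p != ';') p++;
            vlen = (size_t)(p - val);
            while (vlen > 0 && val[vlen - 1] == ' ') vlen--;
        }

        if (nlen == plen && strncmp(name, prop, plen) == 0) {
            if (vlen == 0) return NULL;             /* "stop-color:;" lands here */
            char *out = malloc(vlen + 1);
            if (out == NULL) return NULL;
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return out;
        }
    }
    return NULL;
}

/* Classify stop-color before any colour parsing: 1 = "inherit" keyword,
 * 0 = some other value, -1 = no usable value. The comparison goes through the
 * NULL-safe helper, so the empty-value case is handled instead of crashing. */
int classify_stop_color(const char *style)
{
    char *v = style_lookup(style, "stop-color");
    int r;
    if (v == NULL)                       r = -1;
    else if (str_equal_safe(v, "inherit")) r = 1;
    else                                 r = 0;
    free(v);
    return r;
}

int main(void)
{
    /* Constructed inputs: the crashing attachment's style and the fixed one. */
    const char *broken = "stop-color:; stop-opacity:1";
    const char *fixed  = "stop-color:#ff0000; stop-opacity:1";
    printf("broken style -> %d\n", classify_stop_color(broken));
    printf("fixed style  -> %d\n", classify_stop_color(fixed));
    return 0;
}
```

Replacing the str_equal_safe call in classify_stop_color with str_equal_unsafe reproduces the failure mode from the report on the first input: the scanner hands back NULL and strcmp dereferences it. Whether the right fix is the safe comparison or rejecting the empty value earlier is the question the second comment raises; the helper above does both, returning -1 for the empty case and never passing NULL to strcmp.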
No crash using the first URL from comment 0, nor from both attachments here. (The second URL from comment 0 is 404.) Also, no valgrind errors. Using librsvg 2.34.1.