Bug 626802 - NULL-ptr crash in g_str_equal in rsvg-styles.c
Status: RESOLVED OBSOLETE
Product: librsvg
Classification: Core
Component: general
Version: 2.31.x
OS: Other Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: librsvg maintainers
QA Contact: librsvg maintainers
Depends on:
Blocks:
Reported: 2010-08-13 09:51 UTC by Michael Schwendt
Modified: 2011-09-07 09:05 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
compressed example file that crashes librsvg2 (2.07 KB, application/x-gzip)
2011-02-18 21:10 UTC, Michael Schwendt
fixed example (4.30 KB, image/svg+xml)
2011-02-18 21:12 UTC, Michael Schwendt

Description Michael Schwendt 2010-08-13 09:51:06 UTC
In several places, the code uses g_str_equal instead of g_strcmp0, which would be NULL-ptr safe.

Test file to reproduce:
https://bugzilla.redhat.com/attachment.cgi?id=382575
http://www.clipart.clipartist.net/openclipart/openclipart-0.19/mikemagee/mikemagee_askwhy09_02_20_01.svg

Bug reports:
https://bugzilla.redhat.com/553069
https://bugzilla.redhat.com/603183

Thread 1 (Thread 5596)

  • #0 __strcmp_ssse3
    at ../sysdeps/x86_64/strcmp.S line 106
  • #1 IA__g_str_equal
    at gstring.c line 116
  • #2 rsvg_parse_style_pair
    at rsvg-styles.c line 698

Comment 1 Michael Schwendt 2011-02-18 13:50:45 UTC
Anyone interested in either fixing this or in replying to my comment?
Comment 2 Matthias Clasen 2011-02-18 19:46:45 UTC
It's true, g_strcmp0 is NULL safe, and g_str_equal is not.
The real question is, should the NULL get there in the first place...
Comment 3 Michael Schwendt 2011-02-18 21:10:57 UTC
Created attachment 181278 [details]
compressed example file that crashes librsvg2

This file is gzipped, because it crashes Firefox when trying to attach it uncompressed. ;)

It crashes because it specifies a stop-color property with an empty value:

<stop offset='0%' style='stop-color:;
   stop-opacity:1'/>

http://www.w3.org/TR/SVG11/pservers.html#StopColorProperty
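The three points above (comment 0: g_str_equal dereferences NULL while g_strcmp0 does not; comment 2: the NULL should be caught before any comparison; comment 3: an empty stop-color value is what produces it) can be shown in a few lines of plain C. This is an added example written for this page, not librsvg or GLib code: strcmp0 and str_equal are stand-ins with the same contracts as g_strcmp0 and g_str_equal, parse_style_pair is a constructed splitter for one "name:value" pair that returns NULL for an empty value, and classify_stop_color rejects that NULL before comparing anything. The input pairs are taken from the <stop> element quoted in comment 3.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* NULL-safe comparison with the same contract as g_strcmp0 (a stand-in written
 * for this example, not GLib): NULL sorts before any string, NULL == NULL. */
int strcmp0(const char *a, const char *b)
{
    if (a == NULL) return -(a != b);
    if (b == NULL) return a != b;
    return strcmp(a, b);
}

/* Same contract as g_str_equal (stand-in): strcmp is reached with whatever
 * pointers were passed, so a NULL argument is a segfault, not a result.
 * Kept only to make the contrast visible; never call it with NULL. */
int str_equal(const char *a, const char *b)
{
    return strcmp(a, b) == 0;
}

static const char *skip_ws(const char *s)
{
    while (*s == ' ' || *s == '\t' || *s == '\n' || *s == '\r') s++;
    return s;
}

/* Splits one "name:value" pair from a style attribute (constructed helper).
 * Writes the name into `name` and returns a malloc'd copy of the value, or
 * NULL when the value is empty, which is the shape of "stop-color:;" in the
 * crashing file: this NULL is what reached g_str_equal in the backtrace. */
char *parse_style_pair(const char *pair, char *name, size_t name_len)
{
    const char *p = skip_ws(pair);
    const char *colon = strchr(p, ':');
    name[0] = '\0';
    if (colon == NULL || colon == p) return NULL;   /* no property name at all */
    size_t n = (size_t)(colon - p);
    if (n >= name_len) n = name_len - 1;
    memcpy(name, p, n);
    name[n] = '\0';
    const char *v = skip_ws(colon + 1);
    size_t len = strlen(v);
    while (len > 0 && (v[len - 1] == ' ' || v[len - 1] == '\n')) len--;
    if (len == 0) return NULL;                       /* empty value -> NULL */
    char *out = malloc(len + 1);
    if (out == NULL) return NULL;
    memcpy(out, v, len);
    out[len] = '\0';
    return out;
}

enum stop_color { STOP_COLOR_MISSING, STOP_COLOR_INHERIT, STOP_COLOR_CURRENT, STOP_COLOR_LITERAL };

/* Classifies a parsed stop-color value. The NULL case is handled first, as
 * comment 2 suggests, so no comparison ever sees it; the comparisons that
 * follow use the NULL-safe helper anyway, which is the fix comment 0 asks for. */
enum stop_color classify_stop_color(const char *value)
{
    if (value == NULL) return STOP_COLOR_MISSING;
    if (strcmp0(value, "inherit") == 0) return STOP_COLOR_INHERIT;
    if (strcmp0(value, "currentColor") == 0) return STOP_COLOR_CURRENT;
    return STOP_COLOR_LITERAL;   /* e.g. "#ff0000"; left to a colour parser */
}

/* Parses one pair and classifies it if it is a stop-color; -1 for other names. */
int classify_pair(const char *pair)
{
    char name[32];
    char *value = parse_style_pair(pair, name, sizeof name);
    int r = (strcmp0(name, "stop-color") == 0) ? (int)classify_stop_color(value) : -1;
    free(value);
    return r;
}

int main(void)
{
    /* The two pairs of the <stop> style attribute from comment 3, split on ';'. */
    const char *pairs[] = { "stop-color:", "\n   stop-opacity:1" };
    for (size_t i = 0; i < 2; i++) {
        char name[32];
        char *value = parse_style_pair(pairs[i], name, sizeof name);
        printf("%-13s -> %s\n", name, value ? value : "(NULL: g_str_equal would crash here)");
        printf("stop-color class: %d\n", classify_pair(pairs[i]));
        free(value);
    }
    return 0;
}
```

The point of the NULL check at the top of classify_stop_color is that swapping g_str_equal for g_strcmp0 only stops the crash; without the check, an empty "stop-color:" would silently fall through to whatever the literal branch does with it, which is why comment 2's question about where the NULL comes from matters as much as the comparison function.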
Comment 4 Michael Schwendt 2011-02-18 21:12:12 UTC
Created attachment 181279 [details]
fixed example

This is the example file with a complete stop-color property. It does not crash Firefox, Nautilus, Geeqie, and many other apps that use librsvg.
Comment 5 Christian Persch 2011-09-07 09:05:46 UTC
No crash using the first URL from comment 0, nor from both attachments here. (The second URL from comment 0 is 404.) Also, no valgrind errors. Using librsvg 2.34.1.