GNOME Bugzilla – Bug 630732
array out of bounds read
Last modified: 2015-10-21 22:25:02 UTC
Found this one while valgrinding the test suite: ==20262== Invalid read of size 4 ==20262== at 0x401E155: table_component_transfer_func (rsvg-filter.c:2039) ==20262== by 0x401E5D3: rsvg_filter_primitive_component_transfer_render (rsvg-filter.c:2150) ==20262== by 0x4017A06: rsvg_filter_primitive_render (rsvg-filter.c:85) ==20262== by 0x401910F: rsvg_filter_render (rsvg-filter.c:499) ==20262== by 0x4038E0C: rsvg_cairo_pop_render_stack (rsvg-cairo-draw.c:952) ==20262== by 0x40390A0: rsvg_cairo_pop_discrete_layer (rsvg-cairo-draw.c:1002) ==20262== by 0x40380CD: rsvg_cairo_render_path (rsvg-cairo-draw.c:639) ==20262== by 0x4035C4D: rsvg_render_path (rsvg-base.c:2067) ==20262== by 0x40287FE: _rsvg_node_rect_draw (rsvg-shapes.c:445) ==20262== by 0x4029E89: rsvg_node_draw (rsvg-structure.c:69) ==20262== by 0x4029F34: _rsvg_node_draw_children (rsvg-structure.c:87) ==20262== by 0x4029E89: rsvg_node_draw (rsvg-structure.c:69) ==20262== by 0x402A9A9: rsvg_node_svg_draw (rsvg-structure.c:326) ==20262== by 0x4029E89: rsvg_node_draw (rsvg-structure.c:69) ==20262== by 0x4029F34: _rsvg_node_draw_children (rsvg-structure.c:87) ==20262== by 0x4029E89: rsvg_node_draw (rsvg-structure.c:69) ==20262== by 0x402A9A9: rsvg_node_svg_draw (rsvg-structure.c:326) ==20262== by 0x4029E89: rsvg_node_draw (rsvg-structure.c:69) ==20262== by 0x4039D49: rsvg_handle_render_cairo_sub (rsvg-cairo-render.c:234) ==20262== by 0x4039DA1: rsvg_handle_render_cairo (rsvg-cairo-render.c:256) ==20262== by 0x8049619: rsvg_cairo_check (rsvg-test.c:270) ==20262== by 0x8049B1B: main (rsvg-test.c:394) ==20262== Address 0x4a14848 is 0 bytes after a block of size 16 alloc'd ==20262== at 0x4005BDC: malloc (vg_replace_malloc.c:195) ==20262== by 0x44B96F0: g_malloc (gmem.c:164) ==20262== by 0x44B9A37: g_malloc_n (gmem.c:381) ==20262== by 0x401EB14: rsvg_node_component_transfer_function_set_atts (rsvg-filter.c:2237) ==20262== by 0x4035BD9: rsvg_node_set_atts (rsvg-base.c:2043) ==20262== by 0x4032708: 
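/*
 * Remainder of the valgrind allocation stack quoted in the bug report (the
 * 16-byte tableValues block is allocated in
 * rsvg_node_component_transfer_function_set_atts, rsvg-filter.c:2237):
 *   rsvg_standard_element_start (rsvg-base.c:271)
 *   rsvg_start_element (rsvg-base.c:666)
 *   xmlParseStartTag (parser.c:8157)
 *   xmlParseTryOrFinish (parser.c:10840)
 *   xmlParseChunk (parser.c:11611)
 *   rsvg_handle_write_impl (rsvg-base.c:1164)
 *   rsvg_handle_write (rsvg-base.c:1737)
 *   rsvg_handle_fill_with_data (rsvg-base-file-util.c:38)
 *   rsvg_handle_new_from_file (rsvg-base-file-util.c:100)
 *   rsvg_cairo_check (rsvg-test.c:253)
 *   main (rsvg-test.c:394)
 */

/*
 * Map one channel value C through the lookup table user_data->tableValues,
 * linearly interpolating between the two adjacent table entries that C's
 * position falls between.  An empty table (nbTableValues == 0) returns C
 * unchanged.
 *
 * Bug 630732: with k = C * (n - 1) / 255, C == 255 gives k == n - 1, and a
 * single-entry table gives k == 0 with n == 1; in both cases k + 1 == n, one
 * past the end of the allocated table, so the original read vk1 out of
 * bounds (valgrind: "0 bytes after a block of size 16", i.e. a 4-entry
 * table).  Both indices are now clamped to the last valid entry.  When the
 * second index is clamped it equals the first, so vk1 - vk is 0 and the
 * interpolation term vanishes; every in-range result is unchanged.
 *
 * NOTE(review): C is assumed to be 0..255 from the /255 scaling, but the
 * callers are not visible here, so k itself is clamped too rather than
 * relying on that range.
 */
static gint
table_component_transfer_func (gint C, RsvgNodeComponentTransferFunc * user_data)
{
    guint k, k1, last;
    gint vk, vk1, distancefromlast;

    if (!user_data->nbTableValues)
        return C;

    /* Index of the last valid entry; nbTableValues is non-zero here. */
    last = user_data->nbTableValues - 1;

    /* Entry at or below C's position in the table. */
    k = (C * (user_data->nbTableValues - 1)) / 255;
    if (k > last)
        k = last;

    /* Next entry.  On the final segment there is none, so reuse the last
     * entry: vk1 == vk then, and the interpolation term below is 0. */
    k1 = k + 1;
    if (k1 > last)
        k1 = last;

    vk = user_data->tableValues[k];
    vk1 = user_data->tableValues[k1];

    /* How far C lies past entry k, in the same 0..255 scale as C. */
    distancefromlast = (C * (user_data->nbTableValues - 1)) - k * 255;

    return vk + distancefromlast * (vk1 - vk) / 255;
}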
Fixed in commit 0b2b1424caeb3fa928689d9ed956edddb0e3e7ec. Better late than never! This should appear in librsvg 2.40.12.