Bug 630733 - invalid read in _set_rsvg_affine
Status: RESOLVED DUPLICATE of bug 621088
Product: librsvg
Classification: Core
Component: general
Version: git master
OS: Other Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: librsvg maintainers
QA Contact: librsvg maintainers
Depends on:
Blocks:
Reported: 2010-09-27 14:01 UTC by Christian Persch
Modified: 2017-09-01 13:42 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description Christian Persch 2010-09-27 14:01:48 UTC
Found this while valgrinding the test suite:

==20262== Invalid read of size 4
==20262==    at 0x4037621: _set_rsvg_affine (rsvg-cairo-draw.c:449)
==20262==    by 0x40377B9: rsvg_cairo_render_pango_layout (rsvg-cairo-draw.c:483)
==20262==    by 0x4031791: rsvg_text_render_text (rsvg-text.c:509)
==20262==    by 0x40307A0: _rsvg_node_text_type_children (rsvg-text.c:176)
==20262==    by 0x4030BB1: _rsvg_node_text_draw (rsvg-text.c:254)
==20262==    by 0x4029E89: rsvg_node_draw (rsvg-structure.c:69)
==20262==    by 0x4029F34: _rsvg_node_draw_children (rsvg-structure.c:87)
==20262==    by 0x403A223: rsvg_cairo_clip (rsvg-cairo-clip.c:175)
==20262==    by 0x40389C1: rsvg_cairo_push_early_clips (rsvg-cairo-draw.c:859)
==20262==    by 0x4038CD8: rsvg_cairo_push_discrete_layer (rsvg-cairo-draw.c:922)
==20262==    by 0x4035C09: rsvg_push_discrete_layer (rsvg-base.c:2055)
==20262==    by 0x4013523: rsvg_node_image_draw (rsvg-image.c:301)
==20262==    by 0x4029E89: rsvg_node_draw (rsvg-structure.c:69)
==20262==    by 0x4029F34: _rsvg_node_draw_children (rsvg-structure.c:87)
==20262==    by 0x4029E89: rsvg_node_draw (rsvg-structure.c:69)
==20262==    by 0x4029F34: _rsvg_node_draw_children (rsvg-structure.c:87)
==20262==    by 0x4029E89: rsvg_node_draw (rsvg-structure.c:69)
==20262==    by 0x402A9A9: rsvg_node_svg_draw (rsvg-structure.c:326)
==20262==    by 0x4029E89: rsvg_node_draw (rsvg-structure.c:69)
==20262==    by 0x4039D49: rsvg_handle_render_cairo_sub (rsvg-cairo-render.c:234)
==20262==    by 0x4039DA1: rsvg_handle_render_cairo (rsvg-cairo-render.c:256)
==20262==    by 0x8049619: rsvg_cairo_check (rsvg-test.c:270)
==20262==    by 0x8049B1B: main (rsvg-test.c:394)
==20262==  Address 0x4c23938 is 12 bytes after a block of size 44 alloc'd
==20262==    at 0x4004F1B: calloc (vg_replace_malloc.c:418)
==20262==    by 0x44B9779: g_malloc0 (gmem.c:196)
==20262==    by 0x44B9ABF: g_malloc0_n (gmem.c:408)
==20262==    by 0x403A0C0: rsvg_cairo_clip_render_new (rsvg-cairo-clip.c:135)
==20262==    by 0x403A179: rsvg_cairo_clip (rsvg-cairo-clip.c:158)
==20262==    by 0x40389C1: rsvg_cairo_push_early_clips (rsvg-cairo-draw.c:859)
==20262==    by 0x4038CD8: rsvg_cairo_push_discrete_layer (rsvg-cairo-draw.c:922)
==20262==    by 0x4035C09: rsvg_push_discrete_layer (rsvg-base.c:2055)
==20262==    by 0x4013523: rsvg_node_image_draw (rsvg-image.c:301)
==20262==    by 0x4029E89: rsvg_node_draw (rsvg-structure.c:69)
==20262==    by 0x4029F34: _rsvg_node_draw_children (rsvg-structure.c:87)
==20262==    by 0x4029E89: rsvg_node_draw (rsvg-structure.c:69)
==20262==    by 0x4029F34: _rsvg_node_draw_children (rsvg-structure.c:87)
==20262==    by 0x4029E89: rsvg_node_draw (rsvg-structure.c:69)
==20262==    by 0x402A9A9: rsvg_node_svg_draw (rsvg-structure.c:326)
==20262==    by 0x4029E89: rsvg_node_draw (rsvg-structure.c:69)
==20262==    by 0x4039D49: rsvg_handle_render_cairo_sub (rsvg-cairo-render.c:234)
==20262==    by 0x4039DA1: rsvg_handle_render_cairo (rsvg-cairo-render.c:256)
==20262==    by 0x8049619: rsvg_cairo_check (rsvg-test.c:270)
==20262==    by 0x8049B1B: main (rsvg-test.c:394)

Code:

static void
_set_rsvg_affine (RsvgCairoRender * render, const double affine[6])
{
    cairo_t * cr = render->cr;
    cairo_matrix_t matrix;
=>  gboolean nest = cr != render->initial_cr;

    cairo_matrix_init (&matrix,
                       affine[0], affine[1],
                       affine[2], affine[3],
                       affine[4] + (nest ? 0 : render->offset_x),
                       affine[5] + (nest ? 0 : render->offset_y));
    cairo_set_matrix (cr, &matrix);
}

struct RsvgCairoClipRender {
    RsvgRender super;
    cairo_t *cr;
    RsvgCairoRender *parent;
};

struct _RsvgCairoRender {
    RsvgRender super;
    cairo_t *cr;        
    double width;
    double height; // offset sizeof(RsvgCairoClipRender) + 4

    cairo_t *initial_cr;  // offset sizeof(RsvgCairoClipRender) + 12
    double offset_x;
    double offset_y;

    GList *cr_stack;

    RsvgBbox bbox;
    GList *bb_stack;
    GList *pixbuf_stack;
};

Seems the code was passed a RsvgCairoClipRender when it needs a RsvgCairoRender.
Comment 1 Christian Persch 2011-09-07 17:28:55 UTC
The file is tests/svg1.1/svg/masking-path-04-b.svg, and the cause is that rsvg_cairo_clip_render_new assigns create_pango_context and render_pango_layout to the RsvgCairoRender functions (that expect ctx->render to be a RsvgCairoRender).
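The cause given in this comment, together with the struct layout quoted in the report, is a type confusion: a vtable slot on the smaller RsvgCairoClipRender is pointed at a function that casts ctx->render to the larger RsvgCairoRender and reads initial_cr past the end of the block calloc'd for the clip renderer. The program below is an added example, not librsvg code; its struct and function names (Render, CairoRender, CairoClipRender, nest_unchecked, nest_checked, as_cairo_render, scenario_nest) are hypothetical stand-ins modelled on the quoted layout. It shows the unchecked cast, a tag-checked downcast that refuses the wrong type, a dispatch that routes a clip renderer to its parent instead of reinterpreting it, and an offsetof() computation of how far the initial_cr read lands past the smaller allocation.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not librsvg code: hypothetical stand-ins for the two structs quoted above. */
typedef enum { RENDER_TYPE_CAIRO = 1, RENDER_TYPE_CAIRO_CLIP = 2 } RenderType;

typedef struct Render {
    RenderType type;                          /* discriminator for safe downcasts */
    int (*render_text) (struct Render *self); /* vtable slot set by each constructor */
} Render;

typedef struct CairoRender {        /* the large struct */
    Render  super;
    void   *cr;
    double  width, height;
    void   *initial_cr;             /* the field _set_rsvg_affine's "nest" test reads */
} CairoRender;

typedef struct CairoClipRender {    /* the small struct: shares only the header and cr */
    Render       super;
    void        *cr;
    CairoRender *parent;
} CairoClipRender;

/* The buggy shape: an unconditional cast to the larger struct. Invoked on a
 * CairoClipRender, r->initial_cr lies past the end of that allocation. */
static int nest_unchecked (Render *self)
{
    CairoRender *r = (CairoRender *) self;
    return r->cr != r->initial_cr;
}

static CairoRender *as_cairo_render (Render *r)   /* NULL unless really a CairoRender */
{
    return (r != NULL && r->type == RENDER_TYPE_CAIRO) ? (CairoRender *) r : NULL;
}

/* Safe vtable implementation: a clip renderer delegates to its parent; anything else is refused. */
static int nest_checked (Render *self)
{
    CairoRender *r = as_cairo_render (self);
    if (r == NULL) {
        if (self == NULL || self->type != RENDER_TYPE_CAIRO_CLIP)
            return -1;
        r = ((CairoClipRender *) self)->parent;
    }
    return r == NULL ? -1 : (r->cr != r->initial_cr);
}

/* Bytes by which reading initial_cr through a CairoClipRender-sized block runs past its end. */
static long initial_cr_overrun_bytes (void)
{
    return (long) (offsetof (CairoRender, initial_cr) + sizeof (void *))
         - (long) sizeof (CairoClipRender);
}

static CairoRender *cairo_render_new (void *cr)
{
    CairoRender *r = calloc (1, sizeof *r);
    if (r == NULL) abort ();
    r->super.type = RENDER_TYPE_CAIRO;
    r->super.render_text = nest_checked;
    r->cr = r->initial_cr = cr;
    return r;
}

static CairoClipRender *cairo_clip_render_new (CairoRender *parent, void *cr)
{
    CairoClipRender *c = calloc (1, sizeof *c);   /* exactly the small struct's size */
    if (c == NULL) abort ();
    c->super.type = RENDER_TYPE_CAIRO_CLIP;
    c->super.render_text = nest_checked;          /* the bug wired the unchecked variant here */
    c->cr = cr;
    c->parent = parent;
    return c;
}

/* One top-level renderer plus a clip renderer for it; optionally swap the top renderer's cr to
 * mimic a pushed layer, then return the nest flag the checked dispatch computes for `which`. */
static int scenario_nest (int which, int layer_pushed)    /* which: 0 = top, 1 = clip */
{
    int canvas = 0, layer = 0, nest;
    CairoRender *top = cairo_render_new (&canvas);
    CairoClipRender *clip = cairo_clip_render_new (top, &layer);
    Render *target = which ? &clip->super : &top->super;
    if (layer_pushed)
        top->cr = &layer;
    nest = target->render_text (target);
    free (clip);
    free (top);
    return nest;
}

int main (void)
{
    printf ("initial_cr read overruns a CairoClipRender by %ld bytes\n", initial_cr_overrun_bytes ());
    printf ("nest(top)=%d nest(clip via parent)=%d\n", scenario_nest (0, 0), scenario_nest (1, 1));
    (void) nest_unchecked;   /* contrast only; never called on a clip render */
    return 0;
}
```

Wiring nest_unchecked instead of nest_checked into the clip renderer's slot and running the binary under valgrind is expected to produce an "Invalid read" past a calloc'd block of sizeof (CairoClipRender), the same shape as the trace in the report; the type tag check is what turns that silent over-read into a refused call.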
Comment 2 Christian Persch 2011-11-07 22:05:53 UTC
The crash is fixed on master, but the rendering isn't right.
Comment 3 Akhil Laddha 2011-12-23 11:32:22 UTC
Is it a duplicate of bug 621088?
Comment 4 Federico Mena Quintero 2017-09-01 13:42:03 UTC
*** This bug has been marked as a duplicate of bug 621088 ***