GNOME Bugzilla – Bug 667077
gnome_canvas_path_def_close_all returns malformed path
Last modified: 2014-08-02 12:52:11 UTC
Created attachment 204399: patch fixing the if statement

gnome_canvas_path_def_close_all sometimes returns a malformed path that fails sanity checks (sp_bpath_good) and crashes the invoking program (this was observed with a dev version of Xournal).

Line 635 of libgnomecanvas/gnome-canvas-path-def.c works with uninitialized memory, as reported by Valgrind. The line is

    if ((!closed) && ((start->x3 != p->x3) || (start->y3 != p->y3)))

Indeed, at this point p->code == ART_END, meaning p->x3 and p->y3 are NOT initialized. Most of the time, the argument of the if returns TRUE, since (start->x3 != p->x3) is TRUE most of the time, given that p->x3 is uninitialized. However, when many similar points are written to the same region in memory, the argument of the if may return FALSE, at which point a malformed path is generated: it has the allclosed flag set, but is, in fact, not closed. Although (start->x3 != p->x3) || (start->y3 != p->y3) is FALSE, the p here is not the last point of the path, but is one beyond the last point of the path.

In general, the whole if statement seems extraneous. But at the very least, the ((start->x3 != p->x3) || (start->y3 != p->y3)) check should be removed, since it is a meaningless check against uninitialized variables.
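The following C program is an added example, not libgnomecanvas code and not the attached patch. It models the close_all loop the report describes with a simplified path structure (the ArtBpath layout and ArtPathcode values mirror libart; PathDef, path_good, close_all and the sample polyline are constructed stand-ins). The terminator's x3/y3 are set explicitly so the program has no undefined behaviour, which lets it show deterministically both outcomes the reporter saw: the buggy comparison against the ART_END element, and the comparison against the last real point (p - 1).

```c
/* Added example: a simplified model of the gnome_canvas_path_def_close_all
 * logic this report describes.  It is NOT libgnomecanvas code.  The ArtBpath
 * layout and ArtPathcode values mirror libart; the path struct, the sanity
 * check and the sample path are constructed stand-ins. */
#include <stdio.h>
#include <stddef.h>

#define MAX_BPATH 32

typedef enum { ART_MOVETO, ART_MOVETO_OPEN, ART_CURVETO, ART_LINETO, ART_END } ArtPathcode;

typedef struct {
    ArtPathcode code;
    double x1, y1, x2, y2, x3, y3;
} ArtBpath;

typedef struct {
    ArtBpath bpath[MAX_BPATH];
    int allclosed;
} PathDef;

/* Sanity check in the role the report gives sp_bpath_good: if the path
 * claims allclosed, every ART_MOVETO_OPEN segment must end at its start. */
int path_good(const PathDef *path) {
    const ArtBpath *start = NULL, *last = NULL, *p;
    for (p = path->bpath; ; p++) {
        int boundary = (p->code == ART_END || p->code == ART_MOVETO || p->code == ART_MOVETO_OPEN);
        if (boundary && start && start->code == ART_MOVETO_OPEN && path->allclosed
            && (last->x3 != start->x3 || last->y3 != start->y3))
            return 0;                /* claimed closed, but the segment is open */
        if (p->code == ART_END) return 1;
        if (boundary) start = p;
        else if (!start) return 0;   /* lineto/curveto before any moveto */
        last = p;
    }
}

/* Number of elements before the ART_END terminator. */
int path_length(const PathDef *path) {
    int n = 0;
    while (path->bpath[n].code != ART_END) n++;
    return n;
}

/* Copy src into dst, appending a closing LINETO to the last segment when it
 * does not end on its start point, then flag the result allclosed.
 * 'fixed' selects which element the closing test reads:
 *   0: p, the ART_END terminator reached when the loop stops (the report's
 *      line 635); its x3/y3 are not a point of the path at all, and in the
 *      real library they are uninitialised memory.
 *   1: p - 1, the last real point of the segment. */
void close_all(const PathDef *src, PathDef *dst, int fixed) {
    const ArtBpath *p, *start = NULL;
    ArtBpath *d = dst->bpath;
    int closed = 1;
    for (p = src->bpath; p->code != ART_END; p++, d++) {
        if (p->code == ART_MOVETO_OPEN) { start = p; closed = 0; }
        else if (p->code == ART_MOVETO) { start = p; closed = 1; }
        *d = *p;
    }
    if (start && !closed) {
        const ArtBpath *last = fixed ? p - 1 : p;
        if (last->x3 != start->x3 || last->y3 != start->y3) {
            d->code = ART_LINETO;
            d->x3 = start->x3;
            d->y3 = start->y3;
            d++;
        }
    }
    *d = *p;            /* copy the terminator */
    dst->allclosed = 1; /* the function promises every segment is closed */
}

/* Constructed sample: an open three-point polyline (0,0)->(10,0)->(10,10).
 * term_x/term_y stand in for whatever bytes sit in the terminator's x3/y3;
 * here they are set explicitly so the example has no undefined behaviour. */
static void build_sample(PathDef *path, double term_x, double term_y) {
    ArtBpath sample[] = {
        { ART_MOVETO_OPEN, 0, 0, 0, 0,  0,  0 },
        { ART_LINETO,      0, 0, 0, 0, 10,  0 },
        { ART_LINETO,      0, 0, 0, 0, 10, 10 },
        { ART_END,         0, 0, 0, 0, term_x, term_y },
    };
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        path->bpath[i] = sample[i];
    path->allclosed = 0;
}

/* Run close_all on the sample and return whether the result passes the
 * sanity check; *out_len (if non-NULL) receives the result's element count. */
int check_close_all(double term_x, double term_y, int fixed, int *out_len) {
    PathDef src, dst;
    build_sample(&src, term_x, term_y);
    close_all(&src, &dst, fixed);
    if (out_len) *out_len = path_length(&dst);
    return path_good(&dst);
}

int main(void) {
    int len, good;
    /* Terminator bytes that happen to equal the start point: the case the
     * report describes, where the buggy test returns FALSE and no closing
     * LINETO is emitted although allclosed is set. */
    good = check_close_all(0, 0, 0, &len);
    printf("buggy, terminator == start: good=%d len=%d\n", good, len);
    good = check_close_all(0, 0, 1, &len);
    printf("fixed, terminator == start: good=%d len=%d\n", good, len);
    /* Terminator bytes that differ: the buggy test passes by luck. */
    good = check_close_all(1e300, -1e300, 0, &len);
    printf("buggy, terminator garbage:  good=%d len=%d\n", good, len);
    return 0;
}
```

The point of the model is that the buggy variant's answer depends on bytes that are not part of the path: with the terminator equal to the start point it produces a three-element path flagged allclosed that the sanity check rejects, while the p - 1 comparison appends the closing LINETO and yields a four-element path that passes. Valgrind flags the real library's version because those terminator bytes were never written.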
The last libgnomecanvas code changes took place in January 2011: https://git.gnome.org/browse/archive/libgnomecanvas/log/

This project is not under active development anymore. This project got recently archived in GNOME Git. It is currently unlikely that there will be any further active development.

Closing this report as WONTFIX as part of Bugzilla Housekeeping to reflect reality.

Please feel free to reopen this bug report in the future if anyone takes the responsibility for active development again. If you are interested in maintainership, inform https://mail.gnome.org/mailman/listinfo/desktop-devel-list