After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 672212 - librsvg crashes on handling svg with <script>
librsvg crashes on handling svg with <script>
Status: RESOLVED OBSOLETE
Product: librsvg
Classification: Core
Component: general
git master
Other Linux
: Normal normal
: ---
Assigned To: librsvg maintainers
librsvg maintainers
Depends on:
Blocks:
 
 
Reported: 2012-03-16 09:12 UTC by Vadim Rutkovsky
Modified: 2012-03-16 12:22 UTC
See Also:
GNOME target: ---
GNOME version: ---


Description Vadim Rutkovsky 2012-03-16 09:12:24 UTC 
Original report: https://bugs.launchpad.net/ubuntu/+source/nautilus/+bug/955927

On my 11.04 system if I have the following svg file in a directory:
<svg><script>alert(4);</script></svg>
(say in a file called 'svg.svg')
 when I go and preview it (I found that I sometimes have to copy it / move around to get trigger nautlius to trigger the 'preview' view) nautilus reliably crashes. (The backtrace suggests that it might be a bug in librsvg-2.so.2).

Here is some gdb output:

Program received signal SIGSEGV, Segmentation fault.

+ Trace 229891

Thread 140315977721600 (LWP 29529)

  • #0 g_hash_table_size
    from /lib/x86_64-linux-gnu/libglib-2.0.so.0
  • #1 ??
    from /usr/lib/librsvg-2.so.2
  • #2 ??
    from /usr/lib/libxml2.so.2
  • #3 ??
    from /usr/lib/libxml2.so.2
  • #4 xmlParseChunk
    from /usr/lib/libxml2.so.2
  • #5 rsvg_handle_write
    from /usr/lib/librsvg-2.so.2
  • #6 ??
    from /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
  • #7 ??
    from /usr/lib/libgdk_pixbuf-2.0.so.0
  • #8 gdk_pixbuf_loader_close
    from /usr/lib/libgdk_pixbuf-2.0.so.0
  • #9 ??
    from /usr/lib/libgnome-desktop-2.so.17
  • #10 gnome_desktop_thumbnail_factory_generate_thumbnail
    from /usr/lib/libgnome-desktop-2.so.17
  • #11 ??
  • #12 start_thread
    at pthread_create.c line 308
  • #13 clone
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S line 112
  • #14 ?? 

a command file or a user-defined command.
(gdb) i frame
Stack level 0, frame at 0x7f9ddc0207f0:
 rip = 0x7f9de62045c9 in g_hash_table_size; saved rip 0x7f9dd5464045
 called by frame at 0x7f9ddc020810
 Arglist at 0x7f9ddc0207d8, args:
 Locals at 0x7f9ddc0207d8, Previous frame's sp is 0x7f9ddc0207f0
 Saved registers:
  rip at 0x7f9ddc0207e8
Comment 1 Christian Persch 2012-03-16 12:20:31 UTC 
Not reproducible using librsvg 2.35.2 / git master.

Also, this bug report is incomplete. I had to go to the launchpad bug to find the testcase; please *always* make upstream bugs have a *complete* record of all relevant information from the downstream bug.
Comment 2 Christian Persch 2012-03-16 12:22:56 UTC 
Sorry, that last paragraph wasn't for this bug... this one does have the testcase here :-)