Bug 744299 – Pattern linking to non-pattern fallback leads to invalid memory access

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 744299 - Pattern linking to non-pattern fallback leads to invalid memory access


Summary:	Pattern linking to non-pattern fallback leads to invalid memory access


Status:	RESOLVED FIXED

Product:	librsvg
Classification:	Core
Component:	general
Version:	git master
Hardware:	Other All

Importance:	Normal normal
Target Milestone:	---
Assigned To:	librsvg maintainers
QA Contact:	librsvg maintainers

URL:
Whiteboard:

Duplicates:	744271 (view as bug list)
Depends on:
Blocks:

Reported:	2015-02-11 01:29 UTC by Federico Mena Quintero
Modified:	2015-02-11 20:29 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description Federico Mena Quintero 2015-02-11 01:29:15 UTC

Atte Kettunen's fuzz testing produced an SVG that had this:

    <pattern
       patternTransform="matrix(1.5682937,1.5682937,-1.7214781,1.721478,589.69469,-269.03292)"
       id="pattern6236-31"
       xlink:href="#pattern6204-52"
       inkscape:collect="always" />
    <pattern
       patternTransform="matrix(1.5682937,1.5682937,-1.7214781,1.721478,589.69469,-269.03293)"
       id="pattern6204-52"
       xlink:href="#pattern6188-5-69"
       inkscape:collect="always" />
    <pattern
       inkscape:stockid="Stripes 1:1"
       id="Strips1_1-39-44"
       patternTransform="matrix(2.2179022,0,0,2.4345375,229.96544,-129.83887)"
       height="1"
       width="2"
       patternUnits="userSpaceOnUse"
       inkscape:collect="always">
      <rect
         id="pattern6204-52"
         height="1"
         width="1"
         y="-0.5"
         x="0"
         style="fill:black;stroke:none" />
    </pattern>

Note two things:

1. The first pattern has an xlink:href fallback to the second pattern.

2. The *third* pattern contains a rect, whose id is the same as the *second* pattern's.

This causes librsvg's resolver to link the pattern->fallback to a rect node, which should not be possible.  The functions that fix pattern fallbacks think they are getting a pointer to an RsvgPattern, but in reality they are getting a pointer to an RsvgNodeRect.

In addition, the resolver should complain about duplicated node IDs, but it doesn't.

I'll fix the first problem by modifying rsvg_defs_add_resolver() to take in an expected_type as well, so that rsvg_defs_resolve_all() can avoid creating links to unexpected data.

I'll see what to do about the second problem; maybe just refuse to load the SVG.

Comment 1 Federico Mena Quintero 2015-02-11 20:12:26 UTC

Fixed in commit 0035e95118a60c0cd3949c2300472d805e16a022

Actually, the checks can't be done preemptively in rsvg_defs_resolve_all(), since there are places (in the gradients code) that allow for different node types to be used, not just one type.  It's simpler to make each caller ensure the type of the nodes than to make the resolver responsible.

About the second problem (duplicated node IDs), we are probably leaking something in the resolver's hash table - I'll look into it.  Meanwhile I'll mark *this* bug as fixed, since it's about the invalid memory access when a pattern links back to a non-pattern node.

Comment 2 Federico Mena Quintero 2015-02-11 20:29:27 UTC

*** Bug 744271 has been marked as a duplicate of this bug. ***