Using eog-3.20.3-1.fc24.x86_64, I get no crash but the following output:


(eog:3744): GLib-WARNING **: GError set over the top of a previous GError or uninitialized memory.
This indicates a bug in someone's code. You must ensure an error is NULL before it's set.
The overwriting error message was: Error domain 1 code 73 on line 1 column 4 of file:///home/user/crashEOG.svg: Couldn't find end of Start Tag \xf4

(eog:3744): Gtk-WARNING **: Failed to set text '<small>Error domain 1 code 73 on line 1 column 4 of file:///home/user/crashEOG.svg: Couldn&apos;t find end of Start Tag \xf4
X</small>' from markup due to error parsing markup: Error on line 2 char 3: Invalid UTF-8 encoded text in name - not valid 'Error domain 1 code 73 on line 1 column 4 of file:///home/user/crashEOG.svg: Couldn't find end of Start Tag \xf4
X'

(eog:3744): Pango-WARNING **: Invalid UTF-8 string passed to pango_layout_set_text()

Okay, there's probably two things here.

1. Overwriting the error is a problem in eog which doesn't watch out to overwrite the previous (identical) error when closing the handle. This is should be a simple fix as we already do the same for gdk-pixbuf-decoded images. The problem shouldn't cause any problems besides the leaked error though.

2. The second problem, the crash in GMarkup, seems to be caused by the non-UTF8 character in the error message. This was apparently a weakness glib seems to have been hardened against (bug 631597) since 2.44.1 (GNOME 3.16) so it's not segfaultin anymore on recent distros. I'll try to verify this. 

Although it's a problem in older glib versions I'm not saying it's a bug but a weakness in glib as eog is actually passing unsupported data to GMarkup (which is UTF8-only) here. I'll see if eog's UTF8 sanitizing code can be applied here.

(In reply to Felix Riemann from comment #2)
> Okay, there's probably two things here.
> 
> 1. Overwriting the error is a problem in eog which doesn't watch out to
> overwrite the previous (identical) error when closing the handle. This is
> should be a simple fix as we already do the same for gdk-pixbuf-decoded
> images. The problem shouldn't cause any problems besides the leaked error
> though.

I split that bug off into bug 770197.

So, this is indeed as I thought in comment 2.

GMarkup in glib pre-2.44.1 could cause this out-of-bounds access if given invalid input (bug 631597). eog triggered this by passing invalid UTF8 to GMarkup.
I patched eog now to make sure the error messages in the ErrorMessageArea are valid UTF8.  This also avoids the broken markup when using newer glib versions that wouldn't crash anymore.

I'll do new eog-3.18 and 3.20 releases and possibly also a 3.16 tarball containing this fix. I won't prepare older releases for now though as the demand for those should rather small and LTS distros in my experience tend to prefer cherry-picking patches over newer tarballs anyway.

Thanks for reporting this.

commit e99a8c00f959652fe7c10e2fa5a3a7a5c25e6af4
Author: Felix Riemann <>
Date:   Sun Aug 21 15:56:46 2016 +0200

    EogErrorMessageArea: Make sure error messages are valid UTF8
    
    GMarkup requires valid UTF8 input strings and would cause odd
    looking messages if given invalid input. This could also trigger an
    out-of-bounds write in glib before 2.44.1. Reported by kaslovdmitri.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=770143
---
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.

Created attachment 333820 [details] [review]
reference patch

Attaching the patch for easier reference and cherry-picking.

You patched this way sooner than I anticipated.
It was a pleasure reporting this