Control: reassign -1 libgd3 2.1.0~rc1-1
Control: affects -1 mscgen
Control: tag -1 patch
Control: user ubuntu-de...@lists.ubuntu.com
Control: usertags -1 ubuntu-patch
On Thu, May 23, 2013 at 06:56:01PM +0200, Ondřej Surý wrote:
> were you able to discover something? I don't see anything in gd, but I did
> study it very hard.

This is relevant (from 'make check VALGRIND=valgrind' with a libgd built
with debugging symbols):

testinput0.msc
==31147== Memcheck, a memory error detector
==31147== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==31147== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==31147== Command: ../src/mscgen -T png -i ../../test/testinput0.msc -o testinput0.msc.png
==31147==
==31147== Invalid write of size 4
==31147==    at 0x4098400: fontFetch (gdft.c:1490)
==31147==    by 0x40979C0: gdCacheGet (gdcache.c:125)
==31147==    by 0x4098910: gdImageStringFTEx (gdft.c:890)
==31147==    by 0x40FC934: (below main) (libc-start.c:260)
==31147==  Address 0x4706c0c is 4 bytes before a block of size 16 free'd
==31147==    at 0x402AC08: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==31147==    by 0x43E6E1A: FcPatternDestroy (in /usr/lib/i386-linux-gnu/libfontconfig.so.1.7.0)
==31147==    by 0x4098350: fontFetch (gdft.c:1472)
==31147==    by 0x40979C0: gdCacheGet (gdcache.c:125)
==31147==    by 0x4098910: gdImageStringFTEx (gdft.c:890)
==31147==    by 0x40FC934: (below main) (libc-start.c:260)
==31147==
==31147== Syscall param open(filename) points to uninitialised byte(s)
==31147==    at 0x41C2773: __open_nocancel (syscall-template.S:81)
==31147==    by 0x433A103: FT_Stream_Open (in /usr/lib/i386-linux-gnu/libfreetype.so.6.10.0)
==31147==    by 0x4340CE6: FT_Stream_New (in /usr/lib/i386-linux-gnu/libfreetype.so.6.10.0)
==31147==    by 0x4342EE6: FT_Open_Face (in /usr/lib/i386-linux-gnu/libfreetype.so.6.10.0)
==31147==    by 0x4706B47: ???
==31147==  Address 0x482c927 is 47 bytes inside a block of size 48 alloc'd
==31147==    at 0x40299A8: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==31147==    by 0x409A16A: gdMalloc (gdhelpers.c:73)
==31147==    by 0x40983D2: fontFetch (gdft.c:1485)
==31147==    by 0x40979C0: gdCacheGet (gdcache.c:125)
==31147==    by 0x4098910: gdImageStringFTEx (gdft.c:890)
==31147==    by 0x40FC934: (below main) (libc-start.c:260)
==31147==
==31147== Conditional jump or move depends on uninitialised value(s)
==31147==    at 0x402F93C: strstr (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==31147==    by 0x40982CC: fontFetch (gdft.c:512)
==31147==    by 0x40979C0: gdCacheGet (gdcache.c:125)
==31147==    by 0x4098910: gdImageStringFTEx (gdft.c:890)
==31147==    by 0x40FC934: (below main) (libc-start.c:260)
==31147==
==31147== Conditional jump or move depends on uninitialised value(s)
==31147==    at 0x402F93C: strstr (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==31147==    by 0x40984B6: fontFetch (gdft.c:513)
==31147==    by 0x40979C0: gdCacheGet (gdcache.c:125)
==31147==    by 0x4098910: gdImageStringFTEx (gdft.c:890)
==31147==    by 0x40FC934: (below main) (libc-start.c:260)
==31147==
==31147==
==31147== HEAP SUMMARY:
==31147==     in use at exit: 97,032 bytes in 1,728 blocks
==31147==   total heap usage: 4,464 allocs, 2,736 frees, 2,116,808 bytes allocated
==31147==
==31147== LEAK SUMMARY:
==31147==    definitely lost: 128 bytes in 1 blocks
==31147==    indirectly lost: 20 bytes in 1 blocks
==31147==      possibly lost: 0 bytes in 0 blocks
==31147==    still reachable: 96,884 bytes in 1,726 blocks
==31147==         suppressed: 0 bytes in 0 blocks
==31147== Rerun with --leak-check=full to see details of leaked memory
==31147==
==31147== For counts of detected and suppressed errors, rerun with: -v
==31147== Use --track-origins=yes to see where uninitialised values come from
==31147== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 0 from 0)

I read the relevant line of code several times before I spotted the
mistake - it's an easy one to miss. Patch follows.

  * Add missing pointer dereference in font_pattern (closes: #709050).

diff -Nru libgd2-2.1.0~rc1/debian/patches/font-pattern-pointer-deref.patch libgd2-2.1.0~rc1/debian/patches/font-pattern-pointer-deref.patch --- libgd2-2.1.0~rc1/debian/patches/font-pattern-pointer-deref.patch 1970-01-01 01:00:00.000000000 +0100 +++ libgd2-2.1.0~rc1/debian/patches/font-pattern-pointer-deref.patch 2013-06-01 22:51:52.000000000 +0100 @@ -0,0 +1,18 @@ +Description: Add missing pointer dereference in font_pattern +Author: Colin Watson <cjwat...@ubuntu.com> +Bug-Debian: http://bugs.debian.org/709050 +Last-Update: 2013-06-01 + +Index: b/src/gdft.c +=================================================================== +--- a/src/gdft.c ++++ b/src/gdft.c +@@ -1487,7 +1487,7 @@ + return "could not alloc font path"; + } + strncpy(*fontpath, (const char *)file, file_len); +- fontpath[file_len] = 0; ++ (*fontpath)[file_len] = 0; + } + FcPatternDestroy(font); + diff -Nru libgd2-2.1.0~rc1/debian/patches/series libgd2-2.1.0~rc1/debian/patches/series --- libgd2-2.1.0~rc1/debian/patches/series 2013-05-24 08:10:58.000000000 +0100 +++ libgd2-2.1.0~rc1/debian/patches/series 2013-06-01 22:39:37.000000000 +0100 @@ -1 +1,2 @@ gdlib-config-uses-pkgconfig.patch +font-pattern-pointer-deref.patch

Thanks,

--
Colin Watson [cjwat...@ubuntu.com]
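Review bot: the one-character change on the `- fontpath[file_len] = 0;` / `+ (*fontpath)[file_len] = 0;` lines is the whole fix and it is the right one: `fontpath` is a pointer to a `char *` here (the line just above already dereferences it in `strncpy(*fontpath, (const char *)file, file_len)`), so the old statement stored a null pointer into the `file_len`-th pointer slot past the caller's variable instead of terminating the copied string. That accounts for every finding in the valgrind log above: the 4-byte invalid write at gdft.c:1490 (pointer-sized on this i386 build) and, because the terminator was never written, the "uninitialised byte(s)" at offset 47 of the 48-byte block passed to open(filename) together with the two uninitialised-value reads in strstr. It would help the next reader if the patch Description also stated that `strncpy` with a length of `file_len` never writes a terminator itself, so this assignment is the only NUL the `file_len + 1` byte buffer ever gets and must not be dropped.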