Package: inkscape Version: 0.48.5-3 Severity: normal Tags: patch Dear Maintainer,
$ gdb -q --args /usr/bin/inkscape test-pdf.svg Reading symbols from /usr/bin/inkscape...done. (gdb) run Starting program: /usr/bin/inkscape test-pdf.svg [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". [New Thread 0x7fffe66dd700 (LWP 14025)] [New Thread 0x7fff5442f700 (LWP 14030)] [New Thread 0x7fff53bce700 (LWP 14033)] Program received signal SIGSEGV, Segmentation fault. nr_arena_image_pick (item=0x29f5e00, p=..., delta=<optimized out>) at display /nr-arena-image.cpp:318 318 return (pix_ptr[3] > 0) ? item : NULL; (gdb) p pix_ptr[3] Cannot access memory at address 0x7ffedc831b83 (gdb) p /x pixels $1 = 0x7fff5af7d010 (gdb) p /x pixels + iy * image->pxrs + ix * 4 $2 = 0x7fffdc831b80 (gdb) p /x malloc_usable_size(pixels) [Thread 0x7fff53bce700 (LWP 14033) exited] $3 = 0x85082ff0 (gdb) p /x pixels + malloc_usable_size(pixels) $4 = 0x7ffee0000000 (gdb) p /x pixels + (unsigned)malloc_usable_size(pixels) $5 = 0x7fffe0000000 (gdb) p /x pixels + (unsigned)(iy * image->pxrs + ix * 4) $6 = 0x7fffdc831b80 (gdb) p /x pix_ptr $7 = 0x7ffedc831b80 (gdb) whatis image->pxrs type = unsigned int (gdb) q A debugging session is active. Inferior 1 [process 14021] will be killed. Quit anyway? 
(y or n) y ale@pcale:~/g/nano2016$ -- System Information: Debian Release: 8.6 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages inkscape depends on: ii gconf-service 3.2.6-3 ii libaspell15 0.60.7~20110707-1.3 ii libatk1.0-0 2.14.0-1 ii libatkmm-1.6-1 2.22.7-2.1 ii libc6 2.19-18+deb8u6 ii libcairo2 1.14.0-2.1+deb8u1 ii libcairomm-1.0-1 1.10.0-1.1 ii libfontconfig1 2.11.0-6.3+deb8u1 ii libfreetype6 2.5.2-3+deb8u1 ii libgc1c2 1:7.2d-6.4 ii libgcc1 1:4.9.2-10 ii libgconf-2-4 3.2.6-3 ii libgdk-pixbuf2.0-0 2.31.1-2+deb8u5 ii libglib2.0-0 2.42.1-1+b1 ii libglibmm-2.4-1c2a 2.42.0-1 ii libgnomevfs2-0 1:2.24.4-6+b1 ii libgomp1 4.9.2-10 ii libgsl0ldbl 1.16+dfsg-2 ii libgtk2.0-0 2.24.25-3+deb8u1 ii libgtkmm-2.4-1c2a 1:2.24.4-1.1 ii libgtkspell0 2.0.16-1.1 ii liblcms2-2 2.6-3+b3 ii libmagick++-6.q16-5 8:6.8.9.9-5+deb8u4 ii libmagickcore-6.q16-2 8:6.8.9.9-5+deb8u4 ii libmagickwand-6.q16-2 8:6.8.9.9-5+deb8u4 ii libpango-1.0-0 1.36.8-3 ii libpangocairo-1.0-0 1.36.8-3 ii libpangoft2-1.0-0 1.36.8-3 ii libpangomm-1.4-1 2.34.0-1.1 ii libpng12-0 1.2.50-2+deb8u2 ii libpoppler-glib8 0.26.5-2+deb8u1 ii libpoppler46 0.26.5-2+deb8u1 ii libpopt0 1.16-10 ii librevenge-0.0-0 0.0.1-3 ii libsigc++-2.0-0c2a 2.4.0-1 ii libstdc++6 4.9.2-10 ii libwpg-0.3-3 0.3.0-3 ii libx11-6 2:1.6.2-3 ii libxml2 2.9.1+dfsg1-5+deb8u3 ii libxslt1.1 1.1.28-2+deb8u1 pn python:any <none> ii zlib1g 1:1.2.8.dfsg-2+b1 Versions of packages inkscape recommends: ii aspell 0.60.7~20110707-1.3 ii imagemagick 8:6.8.9.9-5+deb8u4 ii libgnomevfs2-extra 1:2.24.4-6+b1 ii libimage-magick-perl [perlmagick] 8:6.8.9.9-5+deb8u4 ii libwmf-bin 0.2.8.4-10.3+deb8u1 ii perlmagick 8:6.8.9.9-5+deb8u4 ii pstoedit 3.62-2+b1 ii python-lxml 3.4.0-1 ii python-numpy 1:1.8.2-2 ii transfig 
1:3.2.5.e-4 Versions of packages inkscape suggests: ii dia 0.97.3-1 ii dia-gnome 0.97.3-1 ii libsvg-perl 2.59-1 ii libxml-xql-perl 0.68-6 ii python-uniconvertor 1.1.4-1+b2 ii ruby 1:2.1.5+deb8u2 ii ruby1.8 [ruby] 1.8.7.358-7.1+deb7u3 -- no debconf information
--- a/src/display/nr-arena-image.cpp
+++ b/src/display/nr-arena-image.cpp
@@ -303,17 +303,17 @@
 } else {
 unsigned char *const pixels = image->px;
- int const width = image->pxw;
- int const height = image->pxh;
- int const rowstride = image->pxrs;
+ unsigned int const width = (unsigned int)(image->pxw);
+ unsigned int const height = (unsigned int)(image->pxh);
+ unsigned int const rowstride = (unsigned int)(image->pxrs);
 Geom::Point tp = p * image->grid2px;
- int const ix = (int)(tp[Geom::X]);
- int const iy = (int)(tp[Geom::Y]);
+ unsigned int const ix = (unsigned int)(tp[Geom::X]);
+ unsigned int const iy = (unsigned int)(tp[Geom::Y]);
- if ((ix < 0) || (iy < 0) || (ix >= width) || (iy >= height))
+ if ((ix >= width) || (iy >= height))
 return NULL;
- unsigned char *pix_ptr = pixels + iy * rowstride + ix * 4;
+ unsigned char *pix_ptr = pixels + iy * rowstride + ix * 4U;
 // is the alpha not transparent?
 return (pix_ptr[3] > 0) ? item : NULL;
 }
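Review bot: The offset in `pixels + iy * rowstride + ix * 4U` is still computed in 32-bit `unsigned int`, so it wraps silently once the byte offset passes 4 GiB. The new `(unsigned int)(tp[Geom::X])` and `(unsigned int)(tp[Geom::Y])` casts are also undefined behaviour for coordinates of -1 or below, which the dropped `(ix < 0) || (iy < 0)` test used to reject. I would keep `ix` and `iy` signed together with the original range check and widen only the pointer arithmetic: `unsigned char *pix_ptr = pixels + (size_t)iy * rowstride + (size_t)ix * 4;`. That covers the overflow shown in the gdb session, where the int product goes negative for a buffer over 2 GiB, without relying on the float-to-unsigned conversion. The enclosing function starts and ends outside this hunk, so the types of `image->pxw` and `image->pxh` are not visible here and should be checked before changing `width` and `height`.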