Package: libcairo2
Version: 1.10.2-6
Severity: important

rsvg-convert (2.26.3-1, persists after upgrade to 2.32.0-1) crashes
inside libcairo while converting the attached test file to PDF.  High
severity because this has the potential to exploit somebody remotely
by sending him a manipulated SVG file.

max@woodpecker:/tmp$ gdb --args rsvg-convert -a -f pdf test.svg -o test.pdf
Reading symbols from /usr/bin/rsvg-convert...Reading symbols from 
/usr/lib/debug/usr/bin/rsvg-convert...done.
(no debugging symbols found)...done.
(gdb) run
Starting program: /usr/bin/rsvg-convert -a -f pdf test.svg -o test.pdf
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
memcpy () at ../sysdeps/x86_64/memcpy.S:267
267     ../sysdeps/x86_64/memcpy.S: No such file or directory.
        in ../sysdeps/x86_64/memcpy.S
Current language:  auto
The current source language is "auto; currently asm".
(gdb) bt
#0  memcpy () at ../sysdeps/x86_64/memcpy.S:267
#1  0x00007ffff7b6b905 in _cairo_surface_snapshot_copy_on_write 
(surface=0x617680)
    at /usr/include/bits/string3.h:52
#2  0x00007ffff7b64ea1 in _cairo_surface_detach_snapshot (snapshot=0x617680)
    at /tmp/buildd/cairo-1.10.2/src/cairo-surface.c:329
#3  0x00007ffff7b64efc in _cairo_surface_detach_snapshots (surface=0x61bad0)
    at /tmp/buildd/cairo-1.10.2/src/cairo-surface.c:314
#4  0x00007ffff7b64d15 in *INT_cairo_surface_finish (surface=0x61bad0)
    at /tmp/buildd/cairo-1.10.2/src/cairo-surface.c:715
#5  0x00007ffff7b64dd5 in *INT_cairo_surface_destroy (surface=0x61bad0)
    at /tmp/buildd/cairo-1.10.2/src/cairo-surface.c:645
#6  0x00007ffff7b5724f in *INT_cairo_pattern_destroy (pattern=0x61bc50)
    at /tmp/buildd/cairo-1.10.2/src/cairo-pattern.c:828
#7  0x00007ffff7b3dea7 in _cairo_gstate_fini (gstate=0x61b0e0)
    at /tmp/buildd/cairo-1.10.2/src/cairo-gstate.c:229
#8  0x00007ffff7b3e21b in _cairo_gstate_restore (gstate=<value optimized out>, 
freelist=0x7ffff7ddb6a0)
    at /tmp/buildd/cairo-1.10.2/src/cairo-gstate.c:290
#9  0x00007ffff7b352b0 in *INT_cairo_restore (cr=0x7ffff7ddb340) at 
/tmp/buildd/cairo-1.10.2/src/cairo.c:583
#10 0x00007ffff71e7876 in rsvg_cairo_pop_discrete_layer (ctx=0x616b30) at 
rsvg-cairo-draw.c:1042
#11 0x00007ffff71dd373 in rsvg_node_draw (self=0x61a8a0, ctx=0x616b30, 
dominate=<value optimized out>)
    at rsvg-structure.c:69
#12 0x00007ffff71dd784 in rsvg_node_svg_draw (self=0x6188c0, ctx=0x616b30, 
dominate=<value optimized out>)
    at rsvg-structure.c:326
#13 0x00007ffff71dd373 in rsvg_node_draw (self=0x6188c0, ctx=0x616b30, 
dominate=<value optimized out>)
    at rsvg-structure.c:69
#14 0x00007ffff71e9d7a in rsvg_handle_render_cairo_sub (handle=0x614800, 
cr=0x7ffff7ddb340, 
    id=<value optimized out>) at rsvg-cairo-render.c:234
#15 0x0000000000402191 in main (argc=1, argv=0x7fffffffe868) at 
rsvg-convert.c:319


Valgrind:

max@woodpecker:/tmp$ valgrind rsvg-convert -a -f pdf test.svg -o test.pdf
==16883== Memcheck, a memory error detector
==16883== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==16883== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for 
copyright info
==16883== Command: rsvg-convert -a -f pdf test.svg -o test.pdf
==16883== 
==16883== Invalid read of size 1
==16883==    at 0x4C25F98: memcpy (mc_replace_strmem.c:497)
==16883==    by 0x4E79904: _cairo_surface_snapshot_copy_on_write (string3.h:52)
==16883==    by 0x4E72EA0: _cairo_surface_detach_snapshot (cairo-surface.c:329)
==16883==    by 0x4E72EFB: _cairo_surface_detach_snapshots (cairo-surface.c:314)
==16883==    by 0x4E72D14: cairo_surface_finish (cairo-surface.c:715)
==16883==    by 0x4E72DD4: cairo_surface_destroy (cairo-surface.c:645)
==16883==    by 0x4E6524E: cairo_pattern_destroy (cairo-pattern.c:828)
==16883==    by 0x4E4BEA6: _cairo_gstate_fini (cairo-gstate.c:229)
==16883==    by 0x4E4C21A: _cairo_gstate_restore (cairo-gstate.c:290)
==16883==    by 0x4E432AF: cairo_restore (cairo.c:583)
==16883==    by 0x583E875: rsvg_cairo_pop_discrete_layer 
(rsvg-cairo-draw.c:1042)
==16883==    by 0x5834372: rsvg_node_draw (rsvg-structure.c:69)
==16883==  Address 0xa152eff is 159,999 bytes inside a block of size 160,000 
free'd
==16883==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==16883==    by 0x81D8066: ??? (in /usr/lib/libgdk_pixbuf-2.0.so.0.2000.1)
==16883==    by 0x50FC443: g_object_unref (gobject.c:2484)
==16883==    by 0x583E85E: rsvg_cairo_pop_discrete_layer 
(rsvg-cairo-draw.c:1033)
==16883==    by 0x5834372: rsvg_node_draw (rsvg-structure.c:69)
==16883==    by 0x5834783: rsvg_node_svg_draw (rsvg-structure.c:326)
==16883==    by 0x5834372: rsvg_node_draw (rsvg-structure.c:69)
==16883==    by 0x5840D79: rsvg_handle_render_cairo_sub 
(rsvg-cairo-render.c:234)
==16883==    by 0x402190: main (rsvg-convert.c:319)
==16883== 
==16883== Invalid read of size 1
==16883==    at 0x4C25FA1: memcpy (mc_replace_strmem.c:497)
==16883==    by 0x4E79904: _cairo_surface_snapshot_copy_on_write (string3.h:52)
==16883==    by 0x4E72EA0: _cairo_surface_detach_snapshot (cairo-surface.c:329)
==16883==    by 0x4E72EFB: _cairo_surface_detach_snapshots (cairo-surface.c:314)
==16883==    by 0x4E72D14: cairo_surface_finish (cairo-surface.c:715)
==16883==    by 0x4E72DD4: cairo_surface_destroy (cairo-surface.c:645)
==16883==    by 0x4E6524E: cairo_pattern_destroy (cairo-pattern.c:828)
==16883==    by 0x4E4BEA6: _cairo_gstate_fini (cairo-gstate.c:229)
==16883==    by 0x4E4C21A: _cairo_gstate_restore (cairo-gstate.c:290)
==16883==    by 0x4E432AF: cairo_restore (cairo.c:583)
==16883==    by 0x583E875: rsvg_cairo_pop_discrete_layer 
(rsvg-cairo-draw.c:1042)
==16883==    by 0x5834372: rsvg_node_draw (rsvg-structure.c:69)
==16883==  Address 0xa152efe is 159,998 bytes inside a block of size 160,000 
free'd
==16883==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==16883==    by 0x81D8066: ??? (in /usr/lib/libgdk_pixbuf-2.0.so.0.2000.1)
==16883==    by 0x50FC443: g_object_unref (gobject.c:2484)
==16883==    by 0x583E85E: rsvg_cairo_pop_discrete_layer 
(rsvg-cairo-draw.c:1033)
==16883==    by 0x5834372: rsvg_node_draw (rsvg-structure.c:69)
==16883==    by 0x5834783: rsvg_node_svg_draw (rsvg-structure.c:326)
==16883==    by 0x5834372: rsvg_node_draw (rsvg-structure.c:69)
==16883==    by 0x5840D79: rsvg_handle_render_cairo_sub 
(rsvg-cairo-render.c:234)
==16883==    by 0x402190: main (rsvg-convert.c:319)
==16883== 
==16883== Invalid read of size 1
==16883==    at 0x4C25FAC: memcpy (mc_replace_strmem.c:497)
==16883==    by 0x4E79904: _cairo_surface_snapshot_copy_on_write (string3.h:52)
==16883==    by 0x4E72EA0: _cairo_surface_detach_snapshot (cairo-surface.c:329)
==16883==    by 0x4E72EFB: _cairo_surface_detach_snapshots (cairo-surface.c:314)
==16883==    by 0x4E72D14: cairo_surface_finish (cairo-surface.c:715)
==16883==    by 0x4E72DD4: cairo_surface_destroy (cairo-surface.c:645)
==16883==    by 0x4E6524E: cairo_pattern_destroy (cairo-pattern.c:828)
==16883==    by 0x4E4BEA6: _cairo_gstate_fini (cairo-gstate.c:229)
==16883==    by 0x4E4C21A: _cairo_gstate_restore (cairo-gstate.c:290)
==16883==    by 0x4E432AF: cairo_restore (cairo.c:583)
==16883==    by 0x583E875: rsvg_cairo_pop_discrete_layer 
(rsvg-cairo-draw.c:1042)
==16883==    by 0x5834372: rsvg_node_draw (rsvg-structure.c:69)
==16883==  Address 0xa152efd is 159,997 bytes inside a block of size 160,000 
free'd
==16883==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==16883==    by 0x81D8066: ??? (in /usr/lib/libgdk_pixbuf-2.0.so.0.2000.1)
==16883==    by 0x50FC443: g_object_unref (gobject.c:2484)
==16883==    by 0x583E85E: rsvg_cairo_pop_discrete_layer 
(rsvg-cairo-draw.c:1033)
==16883==    by 0x5834372: rsvg_node_draw (rsvg-structure.c:69)
==16883==    by 0x5834783: rsvg_node_svg_draw (rsvg-structure.c:326)
==16883==    by 0x5834372: rsvg_node_draw (rsvg-structure.c:69)
==16883==    by 0x5840D79: rsvg_handle_render_cairo_sub 
(rsvg-cairo-render.c:234)
==16883==    by 0x402190: main (rsvg-convert.c:319)
==16883== 
==16883== Invalid read of size 1
==16883==    at 0x4C25FB7: memcpy (mc_replace_strmem.c:497)
==16883==    by 0x4E79904: _cairo_surface_snapshot_copy_on_write (string3.h:52)
==16883==    by 0x4E72EA0: _cairo_surface_detach_snapshot (cairo-surface.c:329)
==16883==    by 0x4E72EFB: _cairo_surface_detach_snapshots (cairo-surface.c:314)
==16883==    by 0x4E72D14: cairo_surface_finish (cairo-surface.c:715)
==16883==    by 0x4E72DD4: cairo_surface_destroy (cairo-surface.c:645)
==16883==    by 0x4E6524E: cairo_pattern_destroy (cairo-pattern.c:828)
==16883==    by 0x4E4BEA6: _cairo_gstate_fini (cairo-gstate.c:229)
==16883==    by 0x4E4C21A: _cairo_gstate_restore (cairo-gstate.c:290)
==16883==    by 0x4E432AF: cairo_restore (cairo.c:583)
==16883==    by 0x583E875: rsvg_cairo_pop_discrete_layer 
(rsvg-cairo-draw.c:1042)
==16883==    by 0x5834372: rsvg_node_draw (rsvg-structure.c:69)
==16883==  Address 0xa152efc is 159,996 bytes inside a block of size 160,000 
free'd
==16883==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==16883==    by 0x81D8066: ??? (in /usr/lib/libgdk_pixbuf-2.0.so.0.2000.1)
==16883==    by 0x50FC443: g_object_unref (gobject.c:2484)
==16883==    by 0x583E85E: rsvg_cairo_pop_discrete_layer 
(rsvg-cairo-draw.c:1033)
==16883==    by 0x5834372: rsvg_node_draw (rsvg-structure.c:69)
==16883==    by 0x5834783: rsvg_node_svg_draw (rsvg-structure.c:326)
==16883==    by 0x5834372: rsvg_node_draw (rsvg-structure.c:69)
==16883==    by 0x5840D79: rsvg_handle_render_cairo_sub 
(rsvg-cairo-render.c:234)
==16883==    by 0x402190: main (rsvg-convert.c:319)
==16883== 
==16883== 
==16883== HEAP SUMMARY:
==16883==     in use at exit: 64,492 bytes in 437 blocks
==16883==   total heap usage: 827 allocs, 390 frees, 1,743,773 bytes allocated
==16883== 
==16883== LEAK SUMMARY:
==16883==    definitely lost: 35 bytes in 3 blocks
==16883==    indirectly lost: 9 bytes in 1 blocks
==16883==      possibly lost: 25,397 bytes in 229 blocks
==16883==    still reachable: 39,051 bytes in 204 blocks
==16883==         suppressed: 0 bytes in 0 blocks
==16883== Rerun with --leak-check=full to see details of leaked memory
==16883== 
==16883== For counts of detected and suppressed errors, rerun with: -v
==16883== ERROR SUMMARY: 160000 errors from 4 contexts (suppressed: 4 from 4)
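A small triage helper for Memcheck output like the log above, added here as an example (not part of the bug report or of cairo/librsvg): it parses each "Invalid read/write" record, classifies it (an access inside a block reported as free'd is a use-after-free, not an overflow), and lists the functions that appear on both the access stack and the free stack, which for this report singles out rsvg_cairo_pop_discrete_layer releasing the pixbuf at line 1033 while cairo still copies its buffer at line 1042. The embedded log is a constructed, abridged excerpt; the regexes follow Memcheck's default text format.

```python
import re
from dataclasses import dataclass, field
# Constructed, abridged Memcheck excerpt in the format of the report above (frames trimmed).
SAMPLE_LOG = """\
==16883== Invalid read of size 1
==16883==    at 0x4C25F98: memcpy (mc_replace_strmem.c:497)
==16883==    by 0x4E79904: _cairo_surface_snapshot_copy_on_write (string3.h:52)
==16883==    by 0x583E875: rsvg_cairo_pop_discrete_layer (rsvg-cairo-draw.c:1042)
==16883==  Address 0xa152eff is 159,999 bytes inside a block of size 160,000 free'd
==16883==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==16883==    by 0x50FC443: g_object_unref (gobject.c:2484)
==16883==    by 0x583E85E: rsvg_cairo_pop_discrete_layer (rsvg-cairo-draw.c:1033)
"""
PREFIX = re.compile(r"^==\d+==\s?")                       # "==PID== " at the start of every line
HEADER = re.compile(r"Invalid (read|write) of size \d+")
FRAME = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.*)\)$")
ADDR = re.compile(r"Address \S+ is ([\d,]+) bytes (inside|before|after) a block of size ([\d,]+) (free'd|alloc'd)")

@dataclass
class MemcheckError:
    kind: str                                             # "read" or "write"
    access_stack: list = field(default_factory=list)      # frames of the bad access, innermost first
    block_stack: list = field(default_factory=list)       # frames where the block was free'd/alloc'd
    offset: int = None                                    # distance of the address into the block
    position: str = None                                  # inside / before / after the block
    block_size: int = None
    block_state: str = None                               # "free'd" or "alloc'd"

    def classify(self):
        if self.block_state == "free'd":                  # memory already released: use-after-free
            return "use-after-free"
        return "heap-buffer-overflow" if self.position in ("before", "after") else "unclassified"

    def common_functions(self):
        freed = {fn for fn, _ in self.block_stack}        # functions that took part in the free
        return [(fn, loc) for fn, loc in self.access_stack if fn in freed]   # ...and in the access

def parse_memcheck(text):
    errors, cur = [], None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if m := HEADER.search(line):
            errors.append(cur := MemcheckError(kind=m.group(1)))
        elif cur and (m := ADDR.search(line)):
            cur.offset, cur.block_size = (int(m.group(i).replace(",", "")) for i in (1, 3))
            cur.position, cur.block_state = m.group(2), m.group(4)
        elif cur and (m := FRAME.match(line)):
            # frames before the Address line belong to the access, frames after it to the free/alloc
            (cur.block_stack if cur.block_state else cur.access_stack).append(m.groups())
    return errors
```

Frames that the mail client wrapped onto two lines (as several are in the log above) do not match the frame pattern and are skipped, so run it on the unwrapped valgrind output.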


