Bug 1127719
Summary: | rsvg-convert returns segfault on s390x | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Martin Simon <msimon> |
Component: | librsvg2 | Assignee: | Matthias Clasen <mclasen> |
Status: | CLOSED ERRATA | QA Contact: | Desktop QE <desktop-qa-list> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | ||
Version: | 6.6 | CC: | jkoten, rstrode, tlavigne, tpelka |
Target Milestone: | rc | Keywords: | TestBlocker |
Target Release: | --- | ||
Hardware: | s390x | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | librsvg2-2.26.0-14.el6 | Doc Type: | Bug Fix |
Doc Text: |
Cause: Missing forward declarations for various functions led the compiler to assume an implicit 32-bit integer return type.
Consequence: crash resulting from a string pointer getting truncated to 32 bits and then sign extended back to 64 bits
Fix: Adding #include lines for the appropriate headers at the top of the affected source files.
Result: no more crashes
|
Last Closed: | 2014-10-14 07:41:18 UTC | Type: | Bug |
Description
Martin Simon
2014-08-07 12:03:17 UTC
*** Bug 1130059 has been marked as a duplicate of this bug. ***

So I don't yet have an s390 machine to confirm (waiting on beaker), but looking at the backtrace on the other bug I think I see the problem:

In frame #6 we have:

#6 0x00000041ff2514b0 in _rsvg_io_acquire_data (href=0x96888b40 "/usr/share/gnome-panel/pixmaps/clock-face-small-night.svg", base_uri=0x96888b90 "/usr/share/gnome-panel/pixmaps/clock-face-small-night.svg", len=0x3fffff4e3e8, error=0x0) at rsvg-io.c:165
data = <value optimized out>

the filename is 0x9688b40

In frame 4 however we have:

#4 g_file_get_contents (filename=0xffffffff9687fb70 <Address 0xffffffff9687fb70 out of bounds>, contents=0x3fffff4e278, length=0x3fffff4e3e8, error=0x0) at gfileutils.c:843
__PRETTY_FUNCTION__ = "g_file_get_contents"

which has filename that looks like a pointer that's been stuffed into a 32-bit int and then sign extended back to 64 bits. Indeed looking in the code I see:

+ path = rsvg_get_file_path (filename, base_uri);

but no #include <rsvg-image.h> at the top of the file. There's also an uninitialized variable access in the same patch that should probably be mopped up too.

I can confirm this patch fixes it:

diff --git a/split-io-handling.patch b/split-io-handling.patch index 5a54e00..2319953 100644 --- a/split-io-handling.patch +++ b/split-io-handling.patch @@ -171,7 +171,7 @@ diff -up librsvg-2.26.0/rsvg-base.c.split-io librsvg-2.26.0/rsvg-base.c if (type == XML_EXTERNAL_PARAMETER_ENTITY && !content) { - GByteArray *arr; -+ guint8 *entity_data; ++ guint8 *entity_data = NULL; + gsize entity_data_len; + + if (systemId) @@ -415,7 +415,7 @@ diff -up librsvg-2.26.0/rsvg-io.c.split-io librsvg-2.26.0/rsvg-io.c +*/ + +#include "config.h" -+ ++#include "rsvg-image.h" +#include "rsvg-io.h" +#include "rsvg-private.h" + diff --git a/strict-load.patch b/strict-load.patch index 3ae2935..e0c7015 100644 --- a/strict-load.patch +++ b/strict-load.patch 
@@ -5,7 +5,7 @@ diff -up librsvg-2.26.0/rsvg-base.c.strict-load librsvg-2.26.0/rsvg-base.c #include "config.h" -+ ++#define _GNU_SOURCE #ifdef HAVE_SVGZ #include <gsf/gsf-input-gzip.h> #include <gsf/gsf-input-memory.h> @@ -23,7 +23,7 @@ diff -up librsvg-2.26.0/rsvg-base.c.strict-load librsvg-2.26.0/rsvg-base.c #include "rsvg-paint-server.h" +#include "rsvg-xml.h" -+ ++#include <stdlib.h> /* * This is configurable at runtime */

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1554.html
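Review bot: in the rsvg-base.c hunk of split-io-handling.patch (@@ -171,7 +171,7 @@), entity_data now starts as NULL, but entity_data_len declared on the next line is still left without a value. The two are filled together under `if (systemId)`, so any path that skips or fails that load leaves the length indeterminate while the pointer is NULL. Suggest `gsize entity_data_len = 0;` so the pair is always consistent.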
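Review bot: in the rsvg-io.c hunk of split-io-handling.patch (@@ -415,7 +415,7 @@), the added `#include "rsvg-image.h"` supplies the missing prototype for this one file, but nothing in the change keeps another undeclared call from compiling the same way. Suggest building the package with -Werror=implicit-function-declaration so a missing prototype fails the build instead of truncating a pointer at run time. The include also replaces the blank line after `#include "config.h"`; keeping that separator would match the usual layout of config.h first, then project headers.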
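Review bot: in the first rsvg-base.c hunk of strict-load.patch (@@ -5,7 +5,7 @@), `#define _GNU_SOURCE` is placed after `#include "config.h"`. A feature-test macro only takes effect if it is defined before the first system header is pulled in, and it will clash if config.h already defines it. Suggest moving it above the config.h include or wrapping it in `#ifndef _GNU_SOURCE`, with a short comment naming the function that needs it.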
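The truncation and sign extension diagnosed in the comments above, modelled in C as an added example that is not part of the bug report or the librsvg sources. The function names are hypothetical, and the sample values are constructed, two of them reusing addresses shown in the backtrace.

```c
/* Added example: models the implicit-int return described in this bug. */
#include <stdint.h>
#include <stdio.h>

/* What the caller sees when a 64-bit pointer is returned through an
 * undeclared function: only the low 32 bits survive as an int, and that
 * int is sign-extended when it is widened back to pointer size. */
uint64_t implicit_int_roundtrip(uint64_t ptr_bits)
{
    uint32_t low = (uint32_t)ptr_bits;          /* truncation to 32 bits */
    if (low & 0x80000000u)                      /* bit 31 becomes the sign */
        return UINT64_C(0xffffffff00000000) | low;
    return low;
}

/* 1 if the pointer value comes back unchanged, so the bug stays hidden. */
int survives_roundtrip(uint64_t ptr_bits)
{
    return implicit_int_roundtrip(ptr_bits) == ptr_bits;
}

/* Triage heuristic for backtraces: bits 63..31 all set, as in
 * filename=0xffffffff9687fb70 in frame #4 of the report. */
int looks_sign_extended(uint64_t addr)
{
    return (addr >> 31) == UINT64_C(0x1ffffffff);
}

int main(void)
{
    /* Constructed samples; the second is the low half of the bad filename
     * pointer and the third is the contents= address from frame #4. */
    static const uint64_t samples[] = {
        UINT64_C(0x0000000012345678),   /* below 2 GiB, bit 31 clear */
        UINT64_C(0x000000009687fb70),   /* below 4 GiB, bit 31 set */
        UINT64_C(0x000003fffff4e278),   /* above 4 GiB */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t out = implicit_int_roundtrip(samples[i]);
        printf("0x%016llx -> 0x%016llx %s\n",
               (unsigned long long)samples[i], (unsigned long long)out,
               survives_roundtrip(samples[i]) ? "intact" : "CORRUPTED");
    }
    return 0;
}
```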