Bug 1127719
| Summary: | rsvg-convert returns segfault on s390x | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Martin Simon <msimon> |
| Component: | librsvg2 | Assignee: | Matthias Clasen <mclasen> |
| Status: | CLOSED ERRATA | QA Contact: | Desktop QE <desktop-qa-list> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.6 | CC: | jkoten, rstrode, tlavigne, tpelka |
| Target Milestone: | rc | Keywords: | TestBlocker |
| Target Release: | --- | ||
| Hardware: | s390x | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | librsvg2-2.26.0-14.el6 | Doc Type: | Bug Fix |
| Doc Text: |
Cause: Missing forward declarations for various functions leading the compiler to assume an implicit 32-bit integer return type.
Consequence: crash resulting from string pointer getting truncated to 32-bits and then sign extended back to 64-bits
Fix: Adding #include lines for the appropriate headers at the top of the affected source files.
Result: no more crashes
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-10-14 07:41:18 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
*** Bug 1130059 has been marked as a duplicate of this bug. ***
So I don't yet have an s390 machine to confirm (waiting on beaker), but looking at the backtrace on the other bug I think I see the problem:
In frame #6 we have:
#6 0x00000041ff2514b0 in _rsvg_io_acquire_data (href=0x96888b40 "/usr/share/gnome-panel/pixmaps/clock-face-small-night.svg", base_uri=0x96888b90 "/usr/share/gnome-panel/pixmaps/clock-face-small-night.svg", len=0x3fffff4e3e8, error=0x0) at rsvg-io.c:165
data = <value optimized out>
the filename is 0x9688b40
In frame 4 however we have:
#4 g_file_get_contents (filename=0xffffffff9687fb70 <Address 0xffffffff9687fb70 out of bounds>, contents=0x3fffff4e278, length=0x3fffff4e3e8, error=0x0) at gfileutils.c:843
__PRETTY_FUNCTION__ = "g_file_get_contents"
which has filename that looks like a pointer that's been stuffed into a 32-bit int and then sign extended back to 64bits. Indeed looking in the code I see:
+ path = rsvg_get_file_path (filename, base_uri);•
but no #include <rsvg-image.h> at the top of the file.
There's also an uninitialized variable access in the same patch that should probably be mopped up too.
I can confirm this patch fixes it:
diff --git a/split-io-handling.patch b/split-io-handling.patch
index 5a54e00..2319953 100644
--- a/split-io-handling.patch
+++ b/split-io-handling.patch
@@ -171,7 +171,7 @@ diff -up librsvg-2.26.0/rsvg-base.c.split-io librsvg-2.26.0/rsvg-base.c
if (type == XML_EXTERNAL_PARAMETER_ENTITY && !content) {
- GByteArray *arr;
-+ guint8 *entity_data;
++ guint8 *entity_data = NULL;
+ gsize entity_data_len;
+
+ if (systemId)
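Review bot: `entity_data` now starts as NULL, but `entity_data_len` on the following line is still declared without an initializer, and the visible `if (systemId)` suggests a path where neither variable is assigned. Initialize the length as well (`gsize entity_data_len = 0;`) so a later read of it is defined even when no entity data was acquired.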
@@ -415,7 +415,7 @@ diff -up librsvg-2.26.0/rsvg-io.c.split-io librsvg-2.26.0/rsvg-io.c
+*/
+
+#include "config.h"
-+
++#include "rsvg-image.h"
+#include "rsvg-io.h"
+#include "rsvg-private.h"
+
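Review bot: The added `#include "rsvg-image.h"` in rsvg-io.c repairs this file, but nothing in the patch stops the next missing prototype from compiling silently. Consider building with -Werror=implicit-function-declaration so an undeclared call fails at compile time, and keep the blank line after `#include "config.h"` that this hunk replaces.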
diff --git a/strict-load.patch b/strict-load.patch
index 3ae2935..e0c7015 100644
--- a/strict-load.patch
+++ b/strict-load.patch
@@ -5,7 +5,7 @@ diff -up librsvg-2.26.0/rsvg-base.c.strict-load librsvg-2.26.0/rsvg-base.c
#include "config.h"
-+
++#define _GNU_SOURCE
#ifdef HAVE_SVGZ
#include <gsf/gsf-input-gzip.h>
#include <gsf/gsf-input-memory.h>
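Review bot: `#define _GNU_SOURCE` is placed after `#include "config.h"`, and a feature-test macro only takes effect when it is defined before the first system header is pulled in, so this relies on config.h including none. Move the define above `#include "config.h"` or wrap it in `#ifndef _GNU_SOURCE` in case config.h already defines it, and add a comment naming the GNU extension that rsvg-base.c needs.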
@@ -23,7 +23,7 @@ diff -up librsvg-2.26.0/rsvg-base.c.strict-load librsvg-2.26.0/rsvg-base.c
#include "rsvg-paint-server.h"
+#include "rsvg-xml.h"
-+
++#include <stdlib.h>
/*
* This is configurable at runtime
*/
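Review bot: `#include <stdlib.h>` lands after the project headers and takes the place of the blank line that separated the include list from the comment below it. Group it with the other system includes near the top of rsvg-base.c and keep the separator line.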
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHBA-2014-1554.html
Description of problem:
rsvg-convert utility used to convert svg files to different types returns segmentation fault on s390x

Version-Release number of selected component (if applicable):
librsvg2-2.26.0-13.el6.s390x

How reproducible:
100%

Steps to Reproduce:
1. get any sample.svg
2. rsvg-convert -f png -o output.png sample.svg

Actual results:
Segmentation Fault

Expected results:
the file should be converted

Additional info:
gdb output:
Program received signal SIGSEGV, Segmentation fault.
g_utf8_validate (str=0xffffffffa6270d10 <Address 0xffffffffa6270d10 out of bounds>, max_len=-1, end= 0x0) at gutf8.c:1771
1771 p = fast_validate (str);
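The truncation named in the Doc Text and visible in the backtrace frames, as an added example (not code from librsvg or from this report): it models what happens to a 64-bit pointer returned through an implicit `int` and scans backtrace lines for arguments carrying that signature. The function names are hypothetical, and the two frames are abridged from the backtrace quoted in the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Frames abridged from the backtrace quoted in this report. */
static const char FRAME6[] = "#6 _rsvg_io_acquire_data (href=0x96888b40, "
    "base_uri=0x96888b90, len=0x3fffff4e3e8, error=0x0)";
static const char FRAME4[] = "#4 g_file_get_contents (filename=0xffffffff9687fb70, "
    "contents=0x3fffff4e278, length=0x3fffff4e3e8, error=0x0)";

/* Model of the defect: a 64-bit pointer returned through an implicit `int`
 * keeps its low 32 bits, which are then sign-extended back to 64 bits.
 * Values below 2^31 survive unchanged. */
uint64_t through_implicit_int(uint64_t ptr)
{
    uint64_t low = ptr & 0xffffffffULL;
    return (low & 0x80000000ULL) ? (low | 0xffffffff00000000ULL) : low;
}

/* Signature left when bit 31 was set: the upper 32 bits are all ones. */
int looks_sign_extended(uint64_t v)
{
    return (v >> 32) == 0xffffffffULL && (v & 0x80000000ULL) != 0;
}

/* Return the first "name=0x..." argument in a backtrace line that carries
 * the signature, or 0 when none does. */
uint64_t first_suspect_arg(const char *bt)
{
    for (const char *p = strstr(bt, "=0x"); p; p = strstr(p + 1, "=0x")) {
        uint64_t v = strtoull(p + 1, NULL, 16); /* base 16 accepts the 0x prefix */
        if (looks_sign_extended(v))
            return v;
    }
    return 0;
}

int main(void)
{
    printf("0x96888b40 via int -> 0x%llx\n",
           (unsigned long long)through_implicit_int(0x96888b40ULL));
    printf("frame 6 suspect: 0x%llx\n", (unsigned long long)first_suspect_arg(FRAME6));
    printf("frame 4 suspect: 0x%llx\n", (unsigned long long)first_suspect_arg(FRAME4));
    return 0;
}
```

The check is a triage heuristic for user-space backtraces: a legitimate 64-bit value whose upper half is all ones matches it too.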