232576 – *** buffer overflow detected ***: evolution terminated

Bug 232576 - *** buffer overflow detected ***: evolution terminated

Summary: *** buffer overflow detected ***: evolution terminated

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	cairo
Sub Component:
Version:	rawhide
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	---
Assignee:	Behdad Esfahbod
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2007-03-16 06:51 UTC by sangu
Modified:	2007-11-30 22:11 UTC (History)
CC List:	0 users
Fixed In Version:	1.4.2-1.fc7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2007-04-04 11:50:49 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
evolution backtrace file (64.45 KB, text/plain) 2007-03-16 06:51 UTC, sangu	no flags	Details
~/.xsession-errors (37.50 KB, text/plain) 2007-03-16 06:52 UTC, sangu	no flags	Details
Patch (480 bytes, patch) 2007-03-16 12:47 UTC, Matthew Barnes	no flags	Details \| Diff
View All

Description sangu 2007-03-16 06:51:11 UTC

Description of problem:
Clicking printview on calendar, *** buffer overflow detected ***: evolution
terminated.


Version-Release number of selected component (if applicable):
evolution-2.10.0-2.fc7

How reproducible:
always

Steps to Reproduce:
1. click print preview
2.
3.
  
Additional info:
evolution-data-server-1.10.0-2.fc7
pango-1.16.1-1.fc7
glib2-2.12.11-1.fc7
gtk2-2.10.11-1.fc7
cairo-1.4.0-1.fc7

Comment 1 sangu 2007-03-16 06:51:11 UTC

Created attachment 150199 [details]
evolution backtrace file

Comment 2 sangu 2007-03-16 06:52:08 UTC

Created attachment 150200 [details]
~/.xsession-errors

Comment 3 sangu 2007-03-16 06:57:49 UTC

Clicking print preview, ***  buffer overflow detected ***:  evolution
terminatedin  all evo component.

Comment 4 Matthew Barnes 2007-03-16 11:54:10 UTC

Thanks for reporting this.

Can you give some more information about what you were trying to print when this
happened?  What calendar view were you printing (day, week, month, etc)?  Does
printing in other calendar views cause the same crash?  Were you using any
special page settings?

Such details will help me narrow down the search.

Comment 5 Matthew Barnes 2007-03-16 12:01:45 UTC

Actually, I can reproduce this too and it seems to be ALL calendar views that
are crashing.  This was working fine a few weeks ago and there have been no
changes to the printing code since then.  The backtraces all show the crash
originating from Cairo.  Could this possibly be a recently-introduced Cairo bug?

Comment 6 sangu 2007-03-16 12:19:38 UTC

in attachment 50199
[...]
#11 0x00af00ac in cairo_truetype_font_write_post_table (font=0x9fef5c0, 
    tag=1886352244) at cairo-truetype-subset.c:698
[....]
Please See : https://bugs.freedesktop.org/show_bug.cgi?id=10267
cairo-truetype-subset.c:698: warning: call to __builtin___snprintf_chk will
always overflow destination buffer

cairo bug?

Comment 7 Matthew Barnes 2007-03-16 12:45:51 UTC

Indeed, this seems to be a Cairo bug.

In cairo_truetype_font_write_post_table() we have:

    char buf[10];

    ...

    for (i = 1; i < font->base.num_glyphs; i++) {
        n = snprintf(buf + 1, 10, "g%d", i - 1);
        ...
    }

The length being passed to snprintf() is 10, even though we're only pointing at
the last 9 characters of the 'buf'.  Changing the length to 9 fixed the print
preview crash in Evolution.

Reassigning to cairo.

Comment 8 Matthew Barnes 2007-03-16 12:47:23 UTC

Created attachment 150219 [details]
Patch

This patch seems to fix the Evolution crash.

Comment 9 Behdad Esfahbod 2007-03-16 19:09:57 UTC

Will be fixed in cairo-1.4.2 due to be out today...

Note You need to log in before you can comment on or make changes to this bug.