eog crashed with SIGSEGV in __strlen_sse2()

Bug #594120 reported by smpahlman
This bug affects 1 person
Affects           Status        Importance  Assigned to  Milestone
librsvg           Fix Released  Critical    -            -
librsvg (Ubuntu)  Triaged       Medium      Unassigned   -

Bug Description

Binary package hint: eog

eog segfaults when opening the attached SVG file.

ProblemType: Crash
DistroRelease: Ubuntu 10.04
Package: eog 2.30.0-0ubuntu1
ProcVersionSignature: Ubuntu 2.6.32-22.36-generic 2.6.32.11+drm33.2
Uname: Linux 2.6.32-22-generic i686
Architecture: i386
Date: Mon Jun 14 15:57:26 2010
EcryptfsInUse: Yes
ExecutablePath: /usr/bin/eog
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha i386 (20100113)
ProcCmdline: eog /tmp/sample.svg
ProcEnviron:
 SHELL=/bin/bash
 LANG=en_US.utf8
SegvAnalysis:
 Segfault happened at: 0x787b785 <__strlen_sse2+21>: pcmpeqb (%esi),%xmm0
 PC (0x0787b785) ok
 source "(%esi)" (0x33223d70) not located in a known VMA region (needed readable region)!
 destination "%xmm0" ok
SegvReason: reading unknown VMA
Signal: 11
SourcePackage: eog
StacktraceTop:
 __strlen_sse2 () at ../sysdeps/i386/i686/multiarch/strlen.S:87
 g_strdup () from /lib/libglib-2.0.so.0
 rsvg_css_parse_xml_attribute_string (
 rsvg_processing_instruction (ctx=0x841f5f8,
 xmlParsePI () from /usr/lib/libxml2.so.2
Title: eog crashed with SIGSEGV in __strlen_sse2()
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
XsessionErrors:
 (polkit-gnome-authentication-agent-1:9303): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed
 (gnome-terminal:9409): Gtk-CRITICAL **: gtk_accel_map_unlock_path: assertion `entry != NULL && entry->lock_count > 0' failed

Revision history for this message
smpahlman (sauli-pahlman) wrote :
Apport retracing service (apport) wrote :

StacktraceTop:
 ?? () from /lib/tls/i686/cmov/libc.so.6
 g_strdup () from /lib/libglib-2.0.so.0
 ?? () from /usr/lib/librsvg-2.so.2
 ?? () from /usr/lib/librsvg-2.so.2
 xmlParsePI () from /usr/lib/libxml2.so.2

Apport retracing service (apport) wrote : Stacktrace.txt
Apport retracing service (apport) wrote : ThreadStacktrace.txt
tags: added: apport-failed-retrace
tags: removed: need-i386-retrace
Pedro Villavicencio (pedro) wrote :

Thanks for your bug report. Please try to obtain a backtrace http://wiki.ubuntu.com/DebuggingProgramCrash and attach the file to the bug report. This will greatly help us in tracking down your problem.

visibility: private → public
Changed in eog (Ubuntu):
importance: Undecided → Medium
status: New → Incomplete
smpahlman (sauli-pahlman) wrote :

(gdb) r /tmp/sample.svg
Starting program: /usr/bin/eog /home/sauli/Desktop/librsvg/fubwt-1116.svg
[Thread debugging using libthread_db enabled]
[New Thread 0xb7e7db70 (LWP 21478)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7e7db70 (LWP 21478)]
rsvg_css_parse_xml_attribute_string (
    attribute_string=0x842cca0 "typxt pon\" x=\"350\" {sts=\"ml-tless\" ")
    at rsvg-css.c:1250
1250 rsvg-css.c: No such file or directory.
 in rsvg-css.c
(gdb) backtrace full
#0 rsvg_css_parse_xml_attribute_string (
    attribute_string=0x842cca0 "typxt pon\" x=\"350\" {sts=\"ml-tless\" ")
    at rsvg-css.c:1250
        i = 1
        nb_atts = 3
        attributes = 0x8409600
        _attribute_string = 0x842cd70 "<tag typxt pon\" x=\"350\" {sts=\"ml-tless\" />\n"
#1 0x01836f5b in rsvg_processing_instruction (ctx=0x83125f8,
    target=0x8335043 "xml-stylesheet",
    data=0x842cca0 "typxt pon\" x=\"350\" {sts=\"ml-tless\" ")
    at rsvg-base.c:919
        atts = 0xfc0efb00
        xml_atts = 0xb7e7ce58
#2 0x00cb53b6 in xmlParsePI () from /usr/lib/libxml2.so.2
No symbol table info available.
#3 0x00cbff04 in ?? () from /usr/lib/libxml2.so.2
No symbol table info available.
#4 0x00cc0dc5 in xmlParseChunk () from /usr/lib/libxml2.so.2
No symbol table info available.
#5 0x018366da in rsvg_handle_write_impl (handle=0x83125f8, buf=0x0,
    count=1552, error=0x840940c) at rsvg-base.c:1128
        real_error = 0x0
        result = <value optimized out>
        __PRETTY_FUNCTION__ = "rsvg_handle_write_impl"
#6 0x0180ca34 in gdk_pixbuf__svg_image_load_increment (data=0x82bdbc0,
    buf=0x82a7e48 "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n<?xml-stylesheet typxt pon\" x=\"350\" {sts=\"ml-tless\" ?>\n<!DOCTYP120000110\"\" >\n <reete: SVG 1.0//EN\" \"http://www.w3.org/TR/2001/Rme\" ?>\n</tle\" 4/DTD/svg10."..., size=1552, error=0x840940c) at io-svg.c:128
No locals.
#7 0x00871d1e in IA__gdk_pixbuf_loader_write (loader=0x8319440,
    buf=0x82a7e48 "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n<?xml-stylesheet typxt pon\" x=\"350\" {sts=\"ml-tless\" ?>\n<!DOCTYP120000110\"\" >\n <reete: SVG 1.0//EN\" \"http://www.w3.org/TR/2001/Rme\" ?>\n</tle\" 4/DTD/svg10."..., count=1552, error=0x840940c)
    at /build/buildd/gtk+2.0-2.20.1/gdk-pixbuf/gdk-pixbuf-loader.c:473
        priv = 0xa
        __PRETTY_FUNCTION__ = "IA__gdk_pixbuf_loader_write"
#8 0x0807c324 in eog_image_real_load (img=0x80eee10, data2read=15,
    job=0x8409400, error=0x840940c) at eog-image.c:991
        mime_type = <value optimized out>
        buffer = <value optimized out>
        set_metadata = 1
        input_stream = 0x82f00c0
        failed = <value optimized out>
        md_reader = 0x0
        bytes_read = 1552
        read_image_data = 1
        priv = 0x80eee20
        format = <value optimized out>
        loader = 0x8319440
        bytes_read_total = 0
        first_run = 1
        read_only_dimension = 0
#9 eog_image_load (img=0x80eee10, data2read=15, job=0x8409400,
    error=0x840940c) at eog-image.c:1206
        priv = 0x80eee20
        success = <value optimized out>
        __PRETTY_FUNCTION__ = "eog_image_load"
#10 0x08088050 in eog...


Changed in eog (Ubuntu):
status: Incomplete → New
smpahlman (sauli-pahlman) wrote :

Here's the valgrind output too.

==23610== Memcheck, a memory error detector
==23610== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==23610== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==23610== Command: eog /tmp/sample.svg
==23610==
==23610== Thread 2:
==23610== Conditional jump or move depends on uninitialised value(s)
==23610== at 0x77E154E: getAtts (rsvg-css.c:1170)
==23610== by 0x77E17FF: rsvg_css_parse_xml_attribute_string (rsvg-css.c:1238)
==23610== by 0x7801F5A: rsvg_processing_instruction (rsvg-base.c:919)
==23610== by 0x4BC43B5: xmlParsePI (in /usr/lib/libxml2.so.2.7.6)
==23610== by 0x4BCEF03: ??? (in /usr/lib/libxml2.so.2.7.6)
==23610== by 0x4BCFDC4: xmlParseChunk (in /usr/lib/libxml2.so.2.7.6)
==23610== by 0x78016D9: rsvg_handle_write_impl (rsvg-base.c:1128)
==23610== by 0x5B7CA33: gdk_pixbuf__svg_image_load_increment (io-svg.c:128)
==23610== by 0x477ED1D: gdk_pixbuf_loader_write (gdk-pixbuf-loader.c:473)
==23610== by 0x807C323: eog_image_load (eog-image.c:991)
==23610== by 0x808804F: eog_job_load_run (eog-jobs.c:336)
==23610== by 0x8087DA3: eog_job_run (eog-jobs.c:153)
==23610==
==23610== Invalid read of size 1
==23610== at 0x77E14D0: getAtts (rsvg-css.c:1190)
==23610== by 0x77E17FF: rsvg_css_parse_xml_attribute_string (rsvg-css.c:1238)
==23610== by 0x7801F5A: rsvg_processing_instruction (rsvg-base.c:919)
==23610== by 0x4BC43B5: xmlParsePI (in /usr/lib/libxml2.so.2.7.6)
==23610== by 0x4BCEF03: ??? (in /usr/lib/libxml2.so.2.7.6)
==23610== by 0x4BCFDC4: xmlParseChunk (in /usr/lib/libxml2.so.2.7.6)
==23610== by 0x78016D9: rsvg_handle_write_impl (rsvg-base.c:1128)
==23610== by 0x5B7CA33: gdk_pixbuf__svg_image_load_increment (io-svg.c:128)
==23610== by 0x477ED1D: gdk_pixbuf_loader_write (gdk-pixbuf-loader.c:473)
==23610== by 0x807C323: eog_image_load (eog-image.c:991)
==23610== by 0x808804F: eog_job_load_run (eog-jobs.c:336)
==23610== by 0x8087DA3: eog_job_run (eog-jobs.c:153)
==23610== Address 0x8f7d1ad is 0 bytes after a block of size 45 alloc'd
==23610== at 0x4024F20: malloc (vg_replace_malloc.c:236)
==23610== by 0x4ECEEBF: __vasprintf_chk (vasprintf_chk.c:82)
==23610== by 0x4B24ABE: g_vasprintf (in /lib/libglib-2.0.so.0.2400.1)
==23610== by 0x4B03505: g_strdup_vprintf (in /lib/libglib-2.0.so.0.2400.1)
==23610== by 0x4B03527: g_strdup_printf (in /lib/libglib-2.0.so.0.2400.1)
==23610== by 0x77E17D8: rsvg_css_parse_xml_attribute_string (rsvg-css.c:1235)
==23610== by 0x7801F5A: rsvg_processing_instruction (rsvg-base.c:919)
==23610== by 0x4BC43B5: xmlParsePI (in /usr/lib/libxml2.so.2.7.6)
==23610== by 0x4BCEF03: ??? (in /usr/lib/libxml2.so.2.7.6)
==23610== by 0x4BCFDC4: xmlParseChunk (in /usr/lib/libxml2.so.2.7.6)
==23610== by 0x78016D9: rsvg_handle_write_impl (rsvg-base.c:1128)
==23610== by 0x5B7CA33: gdk_pixbuf__svg_image_load_increment (io-svg.c:128)
==23610==
==23610== Invalid read of size 1
==23610== at 0x77E1496: getAtts (rsvg-css.c:1117)
==23610== by 0x77E17FF: rsvg_css_parse_xml_attribute_string (rsvg-css.c:1238)
==23610== by 0x7801F5A: rsvg_processing_ins...

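
The valgrind report above shows the pattern behind the crash: the PI body is scanned as an attribute list, a conditional jump in getAtts depends on uninitialised values, and a one-byte read lands exactly at the end of the 45-byte buffer that rsvg_css_parse_xml_attribute_string allocated with g_strdup_printf. The following is an added example, not librsvg code and not from this bug's fix: a bounds-checked parser for the name="value" pseudo-attributes of an <?xml-stylesheet ...?> processing instruction. It works on the PI body directly (the backtrace shows the original wrapping it into a synthetic "<tag ... />" string first), zeroes its output before parsing, checks every index against the caller's length, and rejects malformed input with an error rather than continuing with partial state. The function names, limits and the well-formed sample string are assumptions made for this illustration; the malformed sample is the PI data quoted in the backtrace.

```c
/* Added example (not librsvg code): a bounds-checked parser for the
 * pseudo-attributes carried by an <?xml-stylesheet ...?> processing
 * instruction. Function names, limits and the well-formed sample string
 * are assumptions made for this illustration. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ATTS  16
#define MAX_NAME  64
#define MAX_VALUE 256

typedef struct {
    char name[MAX_NAME];
    char value[MAX_VALUE];
} pi_attr;

/* Constructed sample inputs: one well-formed PI body, and the malformed
 * PI body quoted in the backtrace of this bug report. */
static const char WELLFORMED_PI_DATA[] = "type=\"text/css\" href='style.css'";
static const char MALFORMED_PI_DATA[]  = "typxt pon\" x=\"350\" {sts=\"ml-tless\" ";

static int is_name_start(unsigned char c) { return isalpha(c) || c == '_' || c == ':'; }
static int is_name_char(unsigned char c)  { return isalnum(c) || c == '_' || c == '-' || c == '.' || c == ':'; }

/* Parse name="value" / name='value' pairs from data[0..len).
 * Returns the number of pairs parsed, or -1 if the input is malformed or
 * exceeds a limit. Every index is compared with len before the byte is
 * read, so the scan cannot run past the caller's buffer, and the output
 * array is zeroed up front so an early return never leaves garbage or
 * partially filled entries behind for the caller to dereference. */
int parse_pi_attrs(const char *data, size_t len, pi_attr *out, size_t max_out)
{
    size_t i = 0;
    int n = 0;

    memset(out, 0, max_out * sizeof *out);

    while (i < len) {
        while (i < len && isspace((unsigned char)data[i])) i++;
        if (i >= len) break;
        if ((size_t)n >= max_out) return -1;

        size_t name_start = i;
        if (!is_name_start((unsigned char)data[i])) return -1;
        while (i < len && is_name_char((unsigned char)data[i])) i++;
        size_t name_len = i - name_start;
        if (name_len >= MAX_NAME) return -1;

        while (i < len && isspace((unsigned char)data[i])) i++;
        if (i >= len || data[i] != '=') return -1;   /* "typxt pon" is rejected here */
        i++;
        while (i < len && isspace((unsigned char)data[i])) i++;
        if (i >= len || (data[i] != '"' && data[i] != '\'')) return -1;

        char quote = data[i++];
        size_t value_start = i;
        while (i < len && data[i] != quote) i++;
        if (i >= len) return -1;                     /* unterminated value */
        size_t value_len = i - value_start;
        if (value_len >= MAX_VALUE) return -1;
        i++;                                         /* closing quote */

        memcpy(out[n].name, data + name_start, name_len);     /* NUL from memset */
        memcpy(out[n].value, data + value_start, value_len);
        n++;
    }
    return n;
}

/* Convenience wrapper for NUL-terminated strings. */
int count_pi_attrs(const char *data, pi_attr *out, size_t max_out)
{
    return parse_pi_attrs(data, strlen(data), out, max_out);
}

int main(void)
{
    pi_attr atts[MAX_ATTS];
    int n = count_pi_attrs(WELLFORMED_PI_DATA, atts, MAX_ATTS);
    printf("well-formed: %d attribute(s)\n", n);
    for (int k = 0; k < n; k++)
        printf("  %s = %s\n", atts[k].name, atts[k].value);
    printf("malformed: %d (rejected)\n", count_pi_attrs(MALFORMED_PI_DATA, atts, MAX_ATTS));
    return 0;
}
```

Running the block prints the two parsed attributes of the well-formed sample and -1 for the malformed one. The same inputs under valgrind or AddressSanitizer produce no report, because no index is ever used before it has been checked against len; an explicit length also lets a caller pass a buffer that is not NUL-terminated, which a strlen-based scan cannot safely do.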

Pedro Villavicencio (pedro) wrote :

That's a librsvg crash, reassigning.

affects: eog (Ubuntu) → librsvg (Ubuntu)
Pedro Villavicencio (pedro) wrote :

Thank you for your bug report. This bug has been reported to the developers of the software. You can track it and make comments at:
 https://bugzilla.gnome.org/show_bug.cgi?id=621636

Changed in librsvg (Ubuntu):
status: New → Triaged
Changed in librsvg:
status: Unknown → New
Changed in librsvg:
importance: Unknown → Critical
Changed in librsvg:
status: New → Fix Released
madbiologist (me-again) wrote :

If this is still occurring on Ubuntu 12.04 it might be fixed upstream in the newly released cairo 1.12.4, as per http://www.cairographics.org/news/cairo-1.12.4/ and https://bugs.freedesktop.org/show_bug.cgi?id=50852
This new version of cairo will probably soon appear in the xorg-edgers PPA available at https://launchpad.net/~xorg-edgers/+archive/ppa

madbiologist (me-again) wrote :

On Ubuntu 17.04 "Zesty Zapus" with eog 3.24.0-0ubuntu1 and librsvg2-2 2.40.16-2~svn1 this file no longer causes eog to crash, but instead of displaying the file eog displays an error message.

Note that this file contains errors and is not a valid SVG file.
