Copied from http://bugzilla.gnome.org/show_bug.cgi?id=456850

Using rsvg-convert to convert this SVG to a PNG, you get a SEGV with the following stack trace:

#0 0xb79d534c in memcpy () from /lib/tls/i686/cmov/libc.so.6
#1 0xb7be4fbb in png_memcpy_check () from /usr/lib/libpng12.so.0
#2 0xb7bdc723 in png_write_row () from /usr/lib/libpng12.so.0
#3 0xb7bdc98d in png_write_image () from /usr/lib/libpng12.so.0
#4 0xb7c19450 in write_png () from /usr/lib/libcairo.so.2
#5 0xb7c194cd in cairo_surface_write_to_png_stream ()
#6 0x08049e8c in main (argc=1, argv=0xbfc2de64) at rsvg-convert.c:293
Created attachment 11155: Protect pixel allocation from integer overflow.
(In reply to comment #1)
> Created an attachment (id=11155)
> Protect pixel allocation from integer overflow.

Is this something that might benefit from Vlad's malloc wrappers that check for overflow?
(In reply to comment #2)
> (In reply to comment #1)
> > Created an attachment (id=11155)
> > Protect pixel allocation from integer overflow.
>
> Is this something that might benefit from Vlad's malloc wrappers that check for
> overflow?

No, this one was a call to calloc and was missed during the wrapping. I too had the same thought and had to double check my source tree!

[Transferring to libpixman.]
Fixed in:

commit 958a650b8eb1b61143122c3ad1f9b637b6467984
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Thu Sep 27 12:40:59 2007 +0100

    [pixman-image] Avoid integer overflow when allocating bits.

    Check for potential overflows at every step of the calculation of the
    buffer size required for the pixels.

    (Fixes https://bugs.freedesktop.org/show_bug.cgi?id=11627)
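The commit message above describes the technique but not the arithmetic. The following is an added illustration, not pixman's code and not the attached patch: it shows the wrapping computation that leads to an undersized buffer next to a version that checks each step of the size calculation, as the commit describes. It assumes rows are padded to 32-bit words (stride a multiple of 4 bytes) and caps every intermediate at INT_MAX; both are assumptions for the example, and the function and constant names are invented here.

```c
#include <assert.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed cap for every intermediate: stride and total size must stay
 * representable as a non-negative int, as they would be in a 32-bit build. */
#define PIXEL_SIZE_LIMIT ((uint64_t)INT_MAX)

/* Unchecked size computation, done in 32-bit arithmetic on purpose so the
 * wraparound is deterministic (signed int overflow would be undefined).
 * For a 65536x65536 image at 32 bpp the true size is 2^34 bytes, which wraps
 * to 0: calloc() then succeeds with a buffer far too small for the pixels,
 * and the first write into it faults, much like the memcpy() in the trace. */
static uint32_t unchecked_bits_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint32_t stride = ((width * bpp + 31) / 32) * 4;   /* bytes per padded row */
    return stride * height;                             /* wraps silently */
}

/* Checked version: reject negative or zero-width pixels, then verify each
 * multiplication and addition against PIXEL_SIZE_LIMIT before performing it.
 * Returns 0 and stores the size in *out, or -1 if any step would overflow. */
int checked_bits_size(int width, int height, int bpp, size_t *out)
{
    if (width < 0 || height < 0 || bpp <= 0)
        return -1;

    uint64_t w = (uint64_t)width, h = (uint64_t)height, b = (uint64_t)bpp;

    /* Step 1: bits per row = width * bpp. */
    if (w > PIXEL_SIZE_LIMIT / b)
        return -1;
    uint64_t row_bits = w * b;

    /* Step 2: round up to whole 32-bit words, then convert to bytes.
     * The +31 is the only addition, so it is the only one that needs a bound. */
    if (row_bits > PIXEL_SIZE_LIMIT - 31)
        return -1;
    uint64_t stride = ((row_bits + 31) / 32) * 4;       /* <= LIMIT/8 + 4 */

    /* Step 3: total bytes = stride * height. */
    if (h != 0 && stride > PIXEL_SIZE_LIMIT / h)
        return -1;
    uint64_t size = stride * h;

    *out = (size_t)size;
    return 0;
}

/* Allocation wrapper: only call calloc() once the size is known to be sane.
 * Returns NULL (and leaves *size_out untouched) if the dimensions overflow. */
void *alloc_bits(int width, int height, int bpp, size_t *size_out)
{
    size_t size;
    if (checked_bits_size(width, height, bpp, &size) < 0)
        return NULL;
    if (size_out)
        *size_out = size;
    return calloc(1, size);
}

int main(void)
{
    size_t size = 0;

    printf("unchecked 65536x65536x32 -> %u bytes (wrapped)\n",
           unchecked_bits_size(65536, 65536, 32));
    printf("checked   65536x65536x32 -> %s\n",
           checked_bits_size(65536, 65536, 32, &size) == 0 ? "ok" : "rejected");
    printf("checked   100x100x32     -> %s, %zu bytes\n",
           checked_bits_size(100, 100, 32, &size) == 0 ? "ok" : "rejected", size);

    void *bits = alloc_bits(100, 100, 32, &size);
    free(bits);
    return 0;
}
```

The per-step checks are what the commit message asks for: a single test on the final product is not enough once an earlier multiplication has already wrapped, and a calloc(nmemb, size) overflow check in libc cannot help when the wrapped value is handed to it as a single already-small size.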