Created attachment 18395: cairo-1.6.4-flush-png.patch

Starting with libpng-1.2.30, in their infinite wisdom, the libpng developers have changed the behavior of png_write_end(); now, it calls png_ptr->output_flush_fn. In libpng-1.2.31, there will be a compile-time option to turn off this behavior, but it looks like the default setting will be with the flush. See
http://sourceforge.net/mailarchive/forum.php?thread_name=4ab4bbae0808190908y47c2f133w4fd3630f1e54b0fd%40mail.gmail.com&forum_name=png-mng-implement
and
http://sourceforge.net/mailarchive/forum.php?thread_name=e56ccc8f0808191245l318cef05mbed7a09ebb875c87%40mail.gmail.com&forum_name=png-mng-implement

Now, why is this such a problem for cairo? In write_png(), cairo calls png_set_write_fn (png, closure, write_func, NULL); That NULL results in png->output_flush_fn being set to png's default flush function, which is a wrapper around fflush(closure). And when we call png_write via png_surface_write_to_png(), that is perfectly OK, because closure is a FILE pointer. But if we are calling write_png() from cairo_surface_write_to_png_stream(), closure is now a struct png_write_closure_t pointer, and calling fflush on it results in spectacular segfaults.

Consequently, we must actually set a dummy output_flush_fn to avoid segfaulting. See attachment for the patch that does so.
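The callback-table mismatch described above, as an added example that is not cairo's or libpng's own code. To stay self-contained it uses a toy model of libpng's write-callback table (model_png, model_set_write_fn, model_write_end, and the stdio defaults) whose shape is an assumption mirroring png_set_write_fn()/png_write_end(); stream_closure_t, membuf_t and the demo functions are likewise made up here. It shows the pre-patch shape (NULL flush, so the library's default fflush() is run on a struct that is not a FILE *), the patched shape with a deliberately empty flush callback, and that the FILE * path is still fine with the default.

```c
#include <stdio.h>
#include <string.h>

/* Assumed model of libpng's write-callback table (not the real png_struct). */
typedef struct model_png model_png;
typedef void (*model_write_fn)(model_png *png, const unsigned char *data, size_t len);
typedef void (*model_flush_fn)(model_png *png);
struct model_png {
    void          *io_ptr;           /* the "closure" passed to png_set_write_fn */
    model_write_fn write_fn;
    model_flush_fn output_flush_fn;
};

/* Assumed stdio defaults: both cast io_ptr to FILE *, as the report describes. */
static void model_default_write(model_png *png, const unsigned char *data, size_t len)
{
    fwrite(data, 1, len, (FILE *)png->io_ptr);
}
static void model_default_flush(model_png *png)
{
    fflush((FILE *)png->io_ptr);   /* undefined behaviour unless io_ptr is a FILE * */
}

/* Mirrors png_set_write_fn(): a NULL flush silently falls back to the stdio default. */
static void model_set_write_fn(model_png *png, void *io_ptr,
                               model_write_fn write_fn, model_flush_fn flush_fn)
{
    png->io_ptr = io_ptr;
    png->write_fn = write_fn ? write_fn : model_default_write;
    png->output_flush_fn = flush_fn ? flush_fn : model_default_flush;
}

/* Mirrors the libpng >= 1.2.30 change: png_write_end() now calls output_flush_fn. */
static void model_write_end(model_png *png)
{
    static const unsigned char iend[] = { 0, 0, 0, 0, 'I', 'E', 'N', 'D' };
    png->write_fn(png, iend, sizeof iend);
    png->output_flush_fn(png);
}

/* cairo-style stream closure: a user write callback plus its cookie, not a FILE *. */
typedef struct {
    int (*write_func)(void *cookie, const unsigned char *data, unsigned len);
    void *cookie;
    unsigned flush_calls;
} stream_closure_t;

static void stream_write_func(model_png *png, const unsigned char *data, size_t len)
{
    stream_closure_t *c = png->io_ptr;
    c->write_func(c->cookie, data, (unsigned)len);
}

/* The fix from the report: a flush callback that does nothing, so the
 * library never treats the closure as a FILE *. */
static void stream_flush_func(model_png *png)
{
    stream_closure_t *c = png->io_ptr;
    c->flush_calls++;
}

/* Pre-patch shape. Do NOT call: NULL flush means fflush((FILE *)c) on a struct. */
void write_to_stream_unpatched(model_png *png, stream_closure_t *c)
{
    model_set_write_fn(png, c, stream_write_func, NULL);
    model_write_end(png);   /* png_write_end -> default flush -> crash */
}

/* Patched shape: every callback whose default assumes FILE * is overridden. */
static unsigned write_to_stream_patched(stream_closure_t *c)
{
    model_png png;
    model_set_write_fn(&png, c, stream_write_func, stream_flush_func);
    model_write_end(&png);
    return c->flush_calls;
}

/* The FILE * path keeps working with NULL, because there io_ptr really is a FILE *. */
static long write_to_file_default(void)
{
    FILE *fp = tmpfile();
    if (!fp) return -1;
    model_png png;
    model_set_write_fn(&png, fp, NULL, NULL);
    model_write_end(&png);
    long written = ftell(fp);
    fclose(fp);
    return written;
}

/* Constructed in-memory sink used by the demo below. */
typedef struct { unsigned char buf[64]; unsigned len; } membuf_t;
static int membuf_write(void *cookie, const unsigned char *data, unsigned len)
{
    membuf_t *m = cookie;
    if (m->len + len > sizeof m->buf) return -1;
    memcpy(m->buf + m->len, data, len);
    m->len += len;
    return 0;
}

/* Runs the patched stream path; returns bytes written, flush count via *flushes. */
static unsigned stream_demo(unsigned *flushes)
{
    membuf_t mb = { {0}, 0 };
    stream_closure_t c = { membuf_write, &mb, 0 };
    *flushes = write_to_stream_patched(&c);
    return mb.len;
}
static unsigned stream_demo_bytes(void)   { unsigned f; return stream_demo(&f); }
static unsigned stream_demo_flushes(void) { unsigned f; stream_demo(&f); return f; }

int main(void)
{
    printf("stream: %u bytes, dummy flush called %u time(s)\n",
           stream_demo_bytes(), stream_demo_flushes());
    printf("file: %ld bytes via stdio defaults\n", write_to_file_default());
    return 0;
}
```

The general lesson is the one the report makes: when a library lets you pass an opaque closure into a callback table, supply every callback whose default implementation assumes a particular closure type, even the ones the library did not use to call, because a later library release may start calling them.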
See Gentoo bug report http://bugs.gentoo.org/show_bug.cgi?id=235072 for a test case of this bug: dot, a part of graphviz, will crash or hang in write_png() on certain input (see attachment to the Gentoo bug). The patch above fixes crashes in graphviz.
Thanks, pushed to master: 186e7a2602cf140ac03b730b95ed10f25f9319c6. Another candidate for the overdue 1.6.6 release.
1.8 has superseded 1.6 as the stable, so we can close this bug.