Bug 47245

Summary: Stack smashing in composite_boxes (trigger segfault if built with stack protector)
Product: cairo
Reporter: Luca Bruno <lucab>
Component: general
Assignee: Carl Worth <cworth>
Status: RESOLVED FIXED
QA Contact: cairo-bugs mailing list <cairo-bugs>
Severity: major
Priority: medium
Version: 1.10.3
Hardware: Other
OS: Linux (All)

Description Luca Bruno 2012-03-12 11:28:00 UTC
This is a forwarded bug from Inkscape bugtracker, please follow-up at
https://bugs.launchpad.net/inkscape/+bug/910100

It looks like some stack corruption is going on within composite_boxes(), which triggers segfaults in Inkscape if built with stack protector enabled (as in Ubuntu).

#4  0x00007ffff0673260 in __stack_chk_fail ()
   from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#5  0x00007ffff16a3172 in composite_boxes (extents=0x7fffffffd510, 
    boxes=<optimized out>, compositor=<optimized out>)
    at /build/buildd/cairo-1.11.3+git20120228.3c665102/src/cairo-spans-compositor.c:609

For the full backtrace and the original bug procedure, see the report on launchpad.
A reduced crashing input-file is available there too.
Comment 1 Chris Wilson 2012-03-12 11:39:24 UTC
I was not able to reproduce that on master. Judging from the trace, I believe the fix is

commit 300e32a4a9d79c26077f33e9b67bad2106071849
Author: Seongwon Cho <seongwon1.cho@samsung.com>
Date:   Wed Feb 29 18:59:34 2012 +0900

    mono-scan-convertor: Include space for the closing span
    
    When estimating the maximum number of spans required for a particular
    width, we need to include a closing span.
    
    Reviewed-by: Zhigang Gong <zhigang.gong@linux.intel.com>
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>

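The commit message above explains the root cause as an undersized span estimate: the buffer for one row's spans must also hold the closing span. The following is an added, simplified model of that estimate (hypothetical code, not cairo's own scan converter): the buggy and corrected estimates side by side, and an emitter that reports instead of writing past the buffer.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical simplified model of a scan converter's span output, not
 * cairo's code. A span starts at x with a coverage that holds until the
 * next span; the row is terminated by a closing span at x == width. */
typedef struct { int x; uint8_t coverage; } span_t;

/* The estimate the bug fixed: one span per pixel, no room for the closing span. */
size_t max_spans_buggy(int width) { return (size_t)width; }

/* Corrected estimate: coverage may change at every pixel, plus the closing span. */
size_t max_spans_fixed(int width) { return (size_t)width + 1; }

/* Emit spans for one row into spans[capacity]. Returns the number of spans
 * the row needs; anything beyond capacity is not written and *overflowed is
 * set, which is the out-of-bounds write the stack protector caught. */
size_t emit_row(const uint8_t *coverage, int width,
                span_t *spans, size_t capacity, int *overflowed)
{
    size_t n = 0;
    int prev = -1;
    *overflowed = 0;
    for (int x = 0; x < width; x++) {
        if (coverage[x] == prev) continue;      /* same coverage: span continues */
        if (n < capacity) { spans[n].x = x; spans[n].coverage = coverage[x]; }
        else *overflowed = 1;
        n++;
        prev = coverage[x];
    }
    /* closing span: terminates the row, always emitted */
    if (n < capacity) { spans[n].x = width; spans[n].coverage = 0; }
    else *overflowed = 1;
    n++;
    return n;
}

/* Worst-case row (coverage alternates every pixel). Returns 1 if a buffer
 * sized by `estimate` holds every span, 0 if the row would overflow it. */
int row_fits(size_t (*estimate)(int), int width)
{
    uint8_t cov[64];
    span_t spans[65];                            /* constructed, sized for the test */
    int overflowed;
    if (width < 1 || width > 64) return -1;
    for (int x = 0; x < width; x++) cov[x] = (x & 1) ? 255 : 0;
    emit_row(cov, width, spans, estimate(width), &overflowed);
    return !overflowed;
}
```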