Bug 50852

Summary: Rendering specific SVG file at certain sizes causes a segmentation fault
Product: cairo
Reporter: Evangelos Foutras <evangelos>
Component: general
Assignee: Carl Worth <cworth>
Status: RESOLVED FIXED
QA Contact: cairo-bugs mailing list <cairo-bugs>
Severity: major
Priority: medium
CC: andyrtr
Version: 1.12.2
Hardware: x86-64 (AMD64)
OS: Linux (All)
Attachments: SVG file causing cairo to segfault; gdb backtrace; Preliminary test case; Preliminary

Description Evangelos Foutras 2012-06-07 11:03:31 UTC
Created attachment 62751 [details]
SVG file causing cairo to segfault

There is a bug report [1] in Arch Linux from a user who is seeing xfce4-panel segfaults when using the Faenza icon theme and specifically the icon for the Geany application.

I have attached a modified geany.svg which is reduced to a single path. Converting it to the PNG format using rsvg results in a segmentation fault.

E.g.:

$ rsvg-convert geany.svg -o geany.png -w 40
Segmentation fault
$ rsvg-convert geany.svg -o geany.png -w 10 (this size works correctly)
$ rsvg-convert geany.svg -o geany.png -w 16
Segmentation fault

cairo is compiled with gcc 4.7; maybe this matters.

[1] https://bugs.archlinux.org/task/29751
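The report shows the crash depending on the requested output width (10 renders, 16 and 40 segfault). A small POSIX shell helper that sweeps a list of widths and separates signal deaths from ordinary failures is added here as an example; it is not part of the bug report, of cairo or of librsvg. It assumes rsvg-convert is on PATH and the attached geany.svg is in the current directory; the function names render_rsvg and sweep_widths are chosen for this example.

```shell
#!/bin/sh
# Added triage helper (not part of the bug report or of cairo/librsvg).
# Assumes rsvg-convert is on PATH and the attached geany.svg is in the
# current directory; render_rsvg and sweep_widths are names chosen here.

# render_rsvg SVG WIDTH: render SVG at WIDTH pixels, discarding the PNG.
render_rsvg() {
    rsvg-convert "$1" -o /dev/null -w "$2"
}

# sweep_widths RENDER SVG WIDTH...
# Runs "RENDER SVG WIDTH" for each width in its own subshell and prints one
# line "WIDTH SIGNAL" for every run killed by a signal (exit status > 128,
# so 139 = 128 + 11 means SIGSEGV). Clean runs print nothing; ordinary
# failures (missing file, usage error) print "WIDTH exit=STATUS" instead,
# so they are not mistaken for crashes.
sweep_widths() {
    render="$1"; svg="$2"; shift 2
    for w in "$@"; do
        status=0
        # "|| status=$?" keeps a caller running under `set -e` alive on a crash.
        ( "$render" "$svg" "$w" ) >/dev/null 2>&1 || status=$?
        if [ "$status" -gt 128 ]; then
            printf '%s %s\n' "$w" "$((status - 128))"
        elif [ "$status" -ne 0 ]; then
            printf '%s exit=%s\n' "$w" "$status"
        fi
    done
}

# Stand-alone use: sh sweep.sh --run  (sweeps widths around the sizes reported)
if [ "${1:-}" = "--run" ]; then
    sweep_widths render_rsvg geany.svg 8 10 12 16 20 24 32 40 48 64
fi
```

Each render runs in a subshell so a crash only terminates that child; the parent reads the 128+signal status and keeps sweeping, which is what makes the output usable as a list of crashing sizes to hand to a debugger or to a reduced test case.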
Comment 1 Evangelos Foutras 2012-06-07 11:04:26 UTC
Created attachment 62752 [details]
gdb backtrace

I'm also attaching a gdb backtrace using a debug build of cairo. The fault occurs at cairo-tor-scan-converter.c:1361 when trying to dereference right->next which is NULL.
Comment 2 Chris Wilson 2012-06-07 11:45:00 UTC
Created attachment 62757 [details]
Preliminary test case
Comment 3 Chris Wilson 2012-06-07 11:45:30 UTC
Created attachment 62758 [details]
Preliminary
Comment 4 Chris Wilson 2012-06-08 09:27:26 UTC
commit f228769dfe5a8b5d73c49a41e95e31ed73a77fb3
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Fri Jun 8 17:22:41 2012 +0100

    polygon-reduce: Reduce broken stopped-edge continuation
    
    This is hopefully a lesser used path and the attempted optimisation to
    continue a stopped edge with a colinear stopped edge highly unlikely and
    lost in the noise of the general inefficiency of the routine. As it was
    broken, rather than attempt to rectify the "optimisation" remove it.
    
    Reported-by: Evangelos Foutras <evangelos@foutrelis.com>
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=50852
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
