Bug 47245 - Stack smashing in composite_boxes (trigger segfault if built with stack protector)
Summary: Stack smashing in composite_boxes (trigger segfault if built with stack prote...
Status: RESOLVED FIXED
Alias: None
Product: cairo
Classification: Unclassified
Component: general (show other bugs)
Version: 1.10.3
Hardware: Other Linux (All)
: medium major
Assignee: Carl Worth
QA Contact: cairo-bugs mailing list
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-03-12 11:28 UTC by Luca Bruno
Modified: 2012-03-12 11:39 UTC (History)
0 users

See Also:
i915 platform:
i915 features:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Luca Bruno 2012-03-12 11:28:00 UTC
This is a forwarded bug from Inkscape bugtracker, please follow-up at
https://bugs.launchpad.net/inkscape/+bug/910100

It looks like some stack corruption is going on within composite_boxes(), which triggers segfaults in Inkscape if built with stack protector enabled (as in Ubuntu).

#4  0x00007ffff0673260 in __stack_chk_fail ()
   from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#5  0x00007ffff16a3172 in composite_boxes (extents=0x7fffffffd510, 
    boxes=<optimized out>, compositor=<optimized out>)
    at /build/buildd/cairo-1.11.3+git20120228.3c665102/src/cairo-spans-compositor.c:609

For the full backtrace and the original bug procedure, see the report on launchpad.
A reduced crashing input-file is available there too.
Comment 1 Chris Wilson 2012-03-12 11:39:24 UTC
I was not able to reproduce that on master. Judging from the trace, I believe the fix is

commit 300e32a4a9d79c26077f33e9b67bad2106071849
Author: Seongwon Cho <seongwon1.cho@samsung.com>
Date:   Wed Feb 29 18:59:34 2012 +0900

    mono-scan-convertor: Include space for the closing span
    
    When estimating the maximum number of spans required for a particular
    width, we need to include a closing span.
    
    Reviewed-by: Zhigang Gong <zhigang.gong@linux.intel.com>
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.