Bug#757036: librsvg2-2: Stack overflow when thumbnailing deeply nested svg file from nautilus

Mon Aug 4 18:49:22 UTC 2014

Package: librsvg2-2
Version: 2.40.2-1
Severity: important

nautilus crashes while attempting to thumbnail a deeply nested svg file,
and the crash is due to a stack overflow caused by librsvg2.

rabin at debian:~/test$ ls
test.svg
rabin at debian:~/test$ gdb -q --args nautilus .
Reading symbols from /usr/bin/nautilus...Reading symbols from
/usr/lib/debug/usr/bin/nautilus...done.
done.
(gdb) r
Starting program: /usr/bin/nautilus .
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffebb89700 (LWP 22913)]
[New Thread 0x7fffe89f1700 (LWP 22914)]
[New Thread 0x7fffe3df2700 (LWP 22915)]
[New Thread 0x7fffd0d70700 (LWP 22916)]
[New Thread 0x7fffc60e4700 (LWP 22917)]
[New Thread 0x7fffe8044700 (LWP 22918)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe8044700 (LWP 22918)]
0x00007ffff3d6d8ef in str_to_mpn (str=str at entry=0x7fffe9cf1910 "1",
digcnt=digcnt at entry=1, n=n at entry=0x7fffe80250a0,
    nsize=nsize at entry=0x7fffe8025090, exponent=exponent at entry=0x7fffe8025098,
decimal_len=decimal_len at entry=1,
    thousands=thousands at entry=0x0, decimal=0x7ffff3e93d8c <dot.2505> ".") at
strtod_l.c:352
352     strtod_l.c: Filen eller katalogen finns inte.
(gdb) disas
Dump of assembler code for function str_to_mpn:
   0x00007ffff3d6d8e0 <+0>:     push   %r15
   0x00007ffff3d6d8e2 <+2>:     push   %r14
   0x00007ffff3d6d8e4 <+4>:     mov    %rcx,%r14
   0x00007ffff3d6d8e7 <+7>:     push   %r13
   0x00007ffff3d6d8e9 <+9>:     push   %r12
   0x00007ffff3d6d8eb <+11>:    mov    %esi,%r12d
   0x00007ffff3d6d8ee <+14>:    push   %rbp
=> 0x00007ffff3d6d8ef <+15>:    push   %rbx
   0x00007ffff3d6d8f0 <+16>:    sub    $0x18,%rsp
   0x00007ffff3d6d8f4 <+20>:    test   %esi,%esi
(gdb) bt 15
#0  0x00007ffff3d6d8ef in str_to_mpn (str=str at entry=0x7fffe9cf1910 "1",
digcnt=digcnt at entry=1,
    n=n at entry=0x7fffe80250a0, nsize=nsize at entry=0x7fffe8025090,
exponent=exponent at entry=0x7fffe8025098,
    decimal_len=decimal_len at entry=1, thousands=thousands at entry=0x0,
decimal=0x7ffff3e93d8c <dot.2505> ".")
    at strtod_l.c:352
#1  0x00007ffff3d6e9a9 in __GI_____strtod_l_internal (nptr=<optimized out>,
endptr=<optimized out>,
    group=<optimized out>, loc=0x7ffff40d2ae0 <_nl_C_locobj>) at
strtod_l.c:1198
#2  0x00007fffe9ccddb7 in rsvg_css_parse_raw_length (relative_size=<synthetic
pointer>, ex=<synthetic pointer>,
    em=<synthetic pointer>, percent=<synthetic pointer>, in=<synthetic
pointer>, str=str at entry=0x7fffe9cf1910 "1")
    at rsvg-css.c:116
#3  _rsvg_css_parse_length (str=str at entry=0x7fffe9cf1910 "1") at rsvg-css.c:189
#4  0x00007fffe9ce6478 in rsvg_state_init (state=state at entry=0x7fffb832a9c0) at
rsvg-styles.c:125
#5  0x00007fffe9ce7be0 in rsvg_state_push (ctx=ctx at entry=0x7fffb800c480) at
rsvg-styles.c:1586
#6  0x00007fffe9ce3568 in _rsvg_node_draw_children (self=0x7fffb81c5640,
ctx=0x7fffb800c480, dominate=0)
    at rsvg-structure.c:86
#7  0x00007fffe9ce3503 in rsvg_node_draw (self=0x7fffb81c5640,
ctx=0x7fffb800c480, dominate=<optimized out>)
    at rsvg-structure.c:69
#8  0x00007fffe9ce3583 in _rsvg_node_draw_children (self=0x7fffb81c4950,
ctx=0x7fffb800c480, dominate=0)
    at rsvg-structure.c:87
#9  0x00007fffe9ce3503 in rsvg_node_draw (self=0x7fffb81c4950,
ctx=0x7fffb800c480, dominate=<optimized out>)
    at rsvg-structure.c:69
#10 0x00007fffe9ce3583 in _rsvg_node_draw_children (self=0x7fffb81c4460,
ctx=0x7fffb800c480, dominate=0)
    at rsvg-structure.c:87
#11 0x00007fffe9ce3503 in rsvg_node_draw (self=0x7fffb81c4460,
ctx=0x7fffb800c480, dominate=<optimized out>)
    at rsvg-structure.c:69
#12 0x00007fffe9ce3583 in _rsvg_node_draw_children (self=0x7fffb81c3f70,
ctx=0x7fffb800c480, dominate=0)
    at rsvg-structure.c:87
#13 0x00007fffe9ce3503 in rsvg_node_draw (self=0x7fffb81c3f70,
ctx=0x7fffb800c480, dominate=<optimized out>)
    at rsvg-structure.c:69
#14 0x00007fffe9ce3583 in _rsvg_node_draw_children (self=0x7fffb81c3a80,
ctx=0x7fffb800c480, dominate=0)
    at rsvg-structure.c:87
(More stack frames follow...)
(gdb) bt -15
#2497 0x00007fffe9ce3503 in rsvg_node_draw (self=0x7fffb800ee30,
ctx=0x7fffb800c480, dominate=<optimized out>)
    at rsvg-structure.c:69
#2498 0x00007fffe9ce3583 in _rsvg_node_draw_children (self=0x7fffb800d1d0,
ctx=0x7fffb800c480, dominate=0)
    at rsvg-structure.c:87
#2499 0x00007fffe9ce3503 in rsvg_node_draw (self=0x7fffb800d1d0,
ctx=0x7fffb800c480, dominate=<optimized out>)
    at rsvg-structure.c:69
#2500 0x00007fffe9ce3903 in rsvg_node_svg_draw (self=0x7fffb8009440,
ctx=0x7fffb800c480, dominate=<optimized out>)
    at rsvg-structure.c:323
#2501 0x00007fffe9ce3503 in rsvg_node_draw (self=0x7fffb8009440,
ctx=0x7fffb800c480, dominate=<optimized out>)
    at rsvg-structure.c:69
#2502 0x00007fffe9cefac3 in rsvg_handle_render_cairo_sub
(handle=handle at entry=0x7fffb80040d0, cr=cr at entry=0xb34000,
    id=id at entry=0x0) at rsvg-cairo-render.c:225
#2503 0x00007fffe9cefef4 in rsvg_handle_get_pixbuf_sub (handle=0x7fffb80040d0,
id=id at entry=0x0) at rsvg.c:90
#2504 0x00007fffe9ceff77 in rsvg_handle_get_pixbuf (handle=<optimized out>) at
rsvg.c:119
#2505 0x00007fffc60e5e46 in gdk_pixbuf__svg_image_stop_load
(data=0x7fffb80014c0, error=0x7fffe8042a98)
    at io-svg.c:160
#2506 0x00007ffff567b20b in gdk_pixbuf_loader_close () from /usr/lib/x86_64
-linux-gnu/libgdk_pixbuf-2.0.so.0
#2507 0x00007ffff75780b4 in ?? () from /usr/lib/libgnome-desktop-3.so.10
#2508 0x00007ffff7578612 in gnome_desktop_thumbnail_factory_generate_thumbnail
()
   from /usr/lib/libgnome-desktop-3.so.10
#2509 0x00000000004caa91 in thumbnail_thread_start (data=<optimized out>) at
nautilus-thumbnails.c:544
#2510 0x00007ffff40e20a4 in start_thread (arg=0x7fffe8044700) at
pthread_create.c:309
#2511 0x00007ffff3e1704d in clone () at
.../sysdeps/unix/sysv/linux/x86_64/clone.S:111

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages librsvg2-2 depends on:
ii  libc6                2.19-7
ii  libcairo2            1.12.16-2
ii  libcroco3            0.6.8-2
ii  libgdk-pixbuf2.0-0   2.30.7-1
ii  libglib2.0-0         2.40.0-3
ii  libpango-1.0-0       1.36.3-1
ii  libpangocairo-1.0-0  1.36.3-1
ii  libxml2              2.9.1+dfsg1-4
ii  multiarch-support    2.19-7

Versions of packages librsvg2-2 recommends:
ii  librsvg2-common  2.40.2-1

Versions of packages librsvg2-2 suggests:
ii  librsvg2-bin  2.40.2-1

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: core.gz
Type: application/gzip
Size: 2207840 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20140804/18dd5815/attachment-0001.bin>