Bug#838486: inkscape: Segmentation fault in 0.48.5 src/display/nr-arena-image.cpp

Mattia Rizzolo mattia at debian.org
Wed Sep 21 14:54:02 UTC 2016


Hi Alessandro,

On Wed, Sep 21, 2016 at 02:13:24PM +0200, Alessandro Vesely wrote:
> $ gdb -q --args /usr/bin/inkscape test-pdf.svg
> Reading symbols from /usr/bin/inkscape...done.
> (gdb) run
> Starting program: /usr/bin/inkscape test-pdf.svg
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> [New Thread 0x7fffe66dd700 (LWP 14025)]
> [New Thread 0x7fff5442f700 (LWP 14030)]
> [New Thread 0x7fff53bce700 (LWP 14033)]
> 
> Program received signal SIGSEGV, Segmentation fault.
> nr_arena_image_pick (item=0x29f5e00, p=..., delta=<optimized out>) at display
> /nr-arena-image.cpp:318
> 318             return (pix_ptr[3] > 0) ? item : NULL;

nasty crash.

Now, that's the stable release, though.  And most of the development
efforts are concentrated in unstable.
Can you please check whether the crash happens with 0.91?  You can just
use what you find in jessie-backports for that.

> --- a/src/display/nr-arena-image.cpp
> +++ b/src/display/nr-arena-image.cpp
> @@ -303,17 +303,17 @@
>      } else {
>  
>          unsigned char *const pixels = image->px;
> -        int const width = image->pxw;
> -        int const height = image->pxh;
> -        int const rowstride = image->pxrs;
> +        unsigned int const width = (unsigned int)(image->pxw);
> +        unsigned int const height = (unsigned int)(image->pxh);
> +        unsigned int const rowstride = (unsigned int)(image->pxrs);
>          Geom::Point tp = p * image->grid2px;
> -        int const ix = (int)(tp[Geom::X]);
> -        int const iy = (int)(tp[Geom::Y]);
> +        unsigned int const ix = (unsigned int)(tp[Geom::X]);
> +        unsigned int const iy = (unsigned int)(tp[Geom::Y]);
>  
> -        if ((ix < 0) || (iy < 0) || (ix >= width) || (iy >= height))
> +        if ((ix >= width) || (iy >= height))
>              return NULL;
>  
> -        unsigned char *pix_ptr = pixels + iy * rowstride + ix * 4;
> +        unsigned char *pix_ptr = pixels + iy * rowstride + ix * 4U;
>          // is the alpha not transparent?
>          return (pix_ptr[3] > 0) ? item : NULL;
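Review bot: the casts `unsigned int const ix = (unsigned int)(tp[Geom::X]);` and `iy` are undefined behaviour whenever the double is negative or larger than UINT_MAX, because a floating-point to integer conversion whose truncated value cannot be represented in the target type is undefined in C++, so the removed `(ix < 0) || (iy < 0)` test has not reliably been folded into `ix >= width`. Keep the signed conversion with the explicit negative checks, or call floor() and range-check the double (or a long) before converting. Note also that the original condition already rejected negative and out-of-range indices, so this rewrite does not change which pixels are accepted; the fault at `return (pix_ptr[3] > 0) ? item : NULL;` is more plausibly `pixels` (image->px) being NULL or `pxw`/`pxh`/`pxrs` not describing the buffer `px` currently points at. Adding a `pixels == NULL` early return and checking that those fields are updated together with `px` would address that case, which this hunk does not.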

Also, this patch, even if sensible, doesn't apply in 0.91, where that file
doesn't even exist anymore...

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-