Notes

This is actually a libsvgtiny memory corruption. I attached the svg that explodes. valgrind output:
$ valgrind ./nsgtk https://www.one.com/static/images/onecom/sprite.svg?v=1420457225767
==3738== Memcheck, a memory error detector
==3738== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==3738== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==3738== Command: ./nsgtk https://www.one.com/static/images/onecom/sprite.svg?v=1420457225767
==3738==
==3738== Invalid write of size 4
==3738== at 0x4FF399: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x5017C8: svgtiny_parse (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4B6D54: svg_reformat (svg.c:139)
==3738== by 0x451B08: content__reformat (content.c:365)
==3738== by 0x475E83: browser_window_callback (browser.c:1328)
==3738== by 0x45C718: hlcache_content_callback (hlcache.c:191)
==3738== by 0x451882: content_broadcast (content.c:702)
==3738== by 0x451D4B: content_set_ready (content.c:310)
==3738== by 0x4B67B8: svg_convert (svg.c:115)
==3738== Address 0x1218a1b8 is 0 bytes after a block of size 296 alloc'd
==3738== at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==3738== by 0x4FEAF3: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x5017C8: svgtiny_parse (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4B6D54: svg_reformat (svg.c:139)
==3738== by 0x451B08: content__reformat (content.c:365)
==3738== by 0x475E83: browser_window_callback (browser.c:1328)
==3738== by 0x45C718: hlcache_content_callback (hlcache.c:191)
==3738== by 0x451882: content_broadcast (content.c:702)
==3738== by 0x451D4B: content_set_ready (content.c:310)
==3738==
==3738== Invalid write of size 4
==3738== at 0x4FF3B1: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x5017C8: svgtiny_parse (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4B6D54: svg_reformat (svg.c:139)
==3738== by 0x451B08: content__reformat (content.c:365)
==3738== by 0x475E83: browser_window_callback (browser.c:1328)
==3738== by 0x45C718: hlcache_content_callback (hlcache.c:191)
==3738== by 0x451882: content_broadcast (content.c:702)
==3738== by 0x451D4B: content_set_ready (content.c:310)
==3738== by 0x4B67B8: svg_convert (svg.c:115)
==3738== Address 0x1218a1bc is 4 bytes after a block of size 296 alloc'd
==3738== at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==3738== by 0x4FEAF3: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x5017C8: svgtiny_parse (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4B6D54: svg_reformat (svg.c:139)
==3738== by 0x451B08: content__reformat (content.c:365)
==3738== by 0x475E83: browser_window_callback (browser.c:1328)
==3738== by 0x45C718: hlcache_content_callback (hlcache.c:191)
==3738== by 0x451882: content_broadcast (content.c:702)
==3738== by 0x451D4B: content_set_ready (content.c:310)
and so on

Fixed issue in libsvgtiny which should mean the latest CI build will not crash like this any more (though I do not think it will render properly yet)

Confirmed fixed in 3.3 release