Date: Thu, 31 Jul 2003 02:49:40 +0900 (JST) From: Alexander Nedotsukov <bland@mail.ru> To: FreeBSD-gnats-submit@FreeBSD.org Cc: marcus@FreeBSD.org Subject: ports/55076: memory access after free() in librsvg2 Message-ID: <200307301749.h6UHneKt066448@bbnest.dyndns.org> Resent-Message-ID: <200307301750.h6UHo6Zi080420@freefall.freebsd.org>
>Number: 55076
>Category: ports
>Synopsis: memory access after free() in librsvg2
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Wed Jul 30 10:50:06 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Alexander Nedotsukov
>Release: FreeBSD 5.1-CURRENT i386
>Organization:
>Environment:
System: FreeBSD bbnest.dyndns.org 5.1-CURRENT FreeBSD 5.1-CURRENT #2: Tue Jul 29 21:17:03 JST 2003 bland@bbnest.dyndns.org:/usr/obj/usr/src/sys/SU i386
>Description:
librsvg2 2.2.x versions contain a s/w bug which accesses memory that has already been freed to walk through the handlers stack. On systems with the J malloc option enabled this leads to a crash inside the rsvg parser. This bug badly affects GNOME users who have to deal with .svg files.
>How-To-Repeat:
Assume librsvg2 and gnome-themes-extra ports installed.
$rsvg /usr/X11R6/share/icons/Lush/scalable/emblems/emblem-mail.svg crash.png
>Fix:
Apply patch attached
--- patch-rsvg.c begins here ---
--- rsvg.c.orig Thu Jul 31 02:03:34 2003 +++ rsvg.c Thu Jul 31 02:26:35 2003 @@ -332,13 +332,14 @@ { RsvgSaxHandlerGstops *z = (RsvgSaxHandlerGstops *)self; RsvgHandle *ctx = z->ctx; + RsvgSaxHandler *prev = &z->parent->super; if (!strcmp((char *)name, z->parent_tag)) { if (ctx->handler != NULL) { ctx->handler->free (ctx->handler); - ctx->handler = &z->parent->super; + ctx->handler = prev; } } } @@ -679,13 +680,14 @@ { RsvgSaxHandlerStyle *z = (RsvgSaxHandlerStyle *)self; RsvgHandle *ctx = z->ctx; + RsvgSaxHandler *prev = &z->parent->super; if (!strcmp ((char *)name, "style")) { if (ctx->handler != NULL) { ctx->handler->free (ctx->handler); - ctx->handler = &z->parent->super; + ctx->handler = prev; } } }
--- patch-rsvg.c ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
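Review bot: in the first hunk (@@ -332,13 +332,14 @@, the gstops end-element handler) the fix is only sound because `self` is the very object that `ctx->handler->free (ctx->handler)` releases, which is the premise of this PR (`z->parent` was being read out of the freed handler); that invariant (`ctx->handler == self` when the closing tag matches `z->parent_tag`) deserves a one-line comment or an assertion before the free, so that a later change to how handlers are pushed does not silently reintroduce the stale read. Also, `prev` is now computed on every end-element call rather than only when the tag matches; harmless, but moving `RsvgSaxHandler *prev = &z->parent->super;` inside the `if (!strcmp(...))` keeps the non-matching path untouched.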
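Review bot: the second hunk (@@ -679,13 +680,14 @@, the style end-element handler) is the identical free-then-pop pattern as the first one, which is a sign that any other end-element handler in rsvg.c that pops the stack with `ctx->handler->free (ctx->handler); ctx->handler = &z->parent->super;` has the same stale read and should be checked before this is committed, not just the two sites the reporter hit via emblem-mail.svg. A small shared pop helper (say, a hypothetical `rsvg_pop_handler (ctx, prev)`) called from both sites would make "save parent, free, assign" the only order the code can express.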
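A minimal model of the defect and its fix, added here as an example that is not part of the PR or of librsvg: a two-level SAX handler stack where the child's end-element callback frees itself and must then pop to its parent. A quarantining free() that fills the block with 0xd0, as the malloc J option does, makes the stale read observable instead of undefined. The names `H`, `Ctx`, `Child`, `poison_free`, `new_child` and `pops_to_parent` are constructed for this demo and simplify the real RsvgSaxHandler structures.

```c
/* Added demo, not librsvg code: a quarantining free() that poisons the block
 * with 0xd0 (as the malloc J option does) makes the stale read observable. */
#include <stdlib.h>
#include <string.h>

typedef struct _H { void (*free)(struct _H *); } H;     /* ~ RsvgSaxHandler */
typedef struct { H *handler; } Ctx;                      /* ~ RsvgHandle */
typedef struct { H super; Ctx *ctx; H *parent; } Child;  /* ~ RsvgSaxHandlerGstops */

static void *quarantine[8];
static int nq;

/* Poison like J, but keep the block mapped so reading it is not undefined
 * behaviour in this harness; pops_to_parent releases it afterwards. */
static void poison_free(H *h) { memset(h, 0xd0, sizeof(Child)); quarantine[nq++] = h; }

static H *new_child(Ctx *ctx, H *parent) {
    Child *z = malloc(sizeof *z);
    z->super.free = poison_free; z->ctx = ctx; z->parent = parent;
    return &z->super;
}

/* Original shape: self == ctx->handler is freed, then z->parent is read
 * from the freed block, so the "parent" becomes a 0xd0d0... pointer. */
void end_element_uaf(H *self) {
    Child *z = (Child *)self;
    Ctx *ctx = z->ctx;
    if (ctx->handler != NULL) {
        ctx->handler->free(ctx->handler);
        ctx->handler = z->parent;   /* stale read */
    }
}

/* Patched shape: capture the parent pointer before freeing self. */
void end_element_fixed(H *self) {
    Child *z = (Child *)self;
    Ctx *ctx = z->ctx;
    H *prev = z->parent;
    if (ctx->handler != NULL) {
        ctx->handler->free(ctx->handler);
        ctx->handler = prev;
    }
}

/* Push one child, run a variant, report whether the stack popped to parent. */
int pops_to_parent(void (*end_element)(H *)) {
    H parent = { NULL };
    Ctx ctx = { NULL };
    ctx.handler = new_child(&ctx, &parent);
    end_element(ctx.handler);
    int ok = (ctx.handler == &parent);
    while (nq > 0) free(quarantine[--nq]);
    return ok;
}
```

With the real free() the same read is undefined behaviour; on FreeBSD with J enabled the freed block is filled with junk, which is why the parser then crashed on the next handler dispatch.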
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200307301749.h6UHneKt066448>