Date:      Thu, 31 Jul 2003 02:49:40 +0900 (JST)
From:      Alexander Nedotsukov <bland@mail.ru>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        marcus@FreeBSD.org
Subject:   ports/55076: memory access after free() in librsvg2
Message-ID:  <200307301749.h6UHneKt066448@bbnest.dyndns.org>
Resent-Message-ID: <200307301750.h6UHo6Zi080420@freefall.freebsd.org>


>Number:         55076
>Category:       ports
>Synopsis:       memory access after free() in librsvg2
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jul 30 10:50:06 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Alexander Nedotsukov
>Release:        FreeBSD 5.1-CURRENT i386
>Organization:
>Environment:
System: FreeBSD bbnest.dyndns.org 5.1-CURRENT FreeBSD 5.1-CURRENT #2: Tue Jul 29 21:17:03 JST 2003 bland@bbnest.dyndns.org:/usr/obj/usr/src/sys/SU i386


	
>Description:
librsvg2 2.2.x versions contain a software bug which accesses memory that has already been freed
in order to walk through the handler stack. On a system with the J malloc option enabled this
leads to a crash inside the rsvg parser.
This bug badly affects GNOME users who have to deal with .svg files.
	
>How-To-Repeat:
Assume the librsvg2 and gnome-themes-extra ports are installed.
$ rsvg /usr/X11R6/share/icons/Lush/scalable/emblems/emblem-mail.svg crash.png
	
>Fix:
Apply the attached patch.
	

--- patch-rsvg.c begins here ---
--- rsvg.c.orig	Thu Jul 31 02:03:34 2003
+++ rsvg.c	Thu Jul 31 02:26:35 2003
@@ -332,13 +332,14 @@
 {
 	RsvgSaxHandlerGstops *z = (RsvgSaxHandlerGstops *)self;
 	RsvgHandle *ctx = z->ctx;
+	RsvgSaxHandler *prev = &z->parent->super;
 	
 	if (!strcmp((char *)name, z->parent_tag))
 		{
 			if (ctx->handler != NULL)
 				{
 					ctx->handler->free (ctx->handler);
-					ctx->handler = &z->parent->super;
+					ctx->handler = prev;
 				}
 		}
 }
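Review bot: the fix is right, but it depends on an invariant the code never states. `self` (here `z`) is the object that `ctx->handler->free (ctx->handler)` destroys, so the old `ctx->handler = &z->parent->super;` read `z->parent` out of freed memory; as the description notes, with malloc's J option that freed object is junk-filled, so the parent pointer is garbage by the time the next SAX callback dereferences it. Hoisting the read into `prev` before the free closes that, but the surrounding `if (ctx->handler != NULL)` still only guards against NULL; nothing checks `ctx->handler == self`. If those ever differ, the code frees one handler and installs the parent of another, which is silently wrong rather than a crash. Consider adding `g_assert (ctx->handler == self);` (or an equivalent check) in front of the free so the assumption the fix relies on is visible. Minor: `prev` is computed even when `name` does not match `z->parent_tag`; that is only address arithmetic on a live object, so it is harmless, but it could sit inside the `if`.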
@@ -679,13 +680,14 @@
 {
 	RsvgSaxHandlerStyle *z = (RsvgSaxHandlerStyle *)self;
 	RsvgHandle *ctx = z->ctx;
+	RsvgSaxHandler *prev = &z->parent->super;
 	
 	if (!strcmp ((char *)name, "style"))
 		{
 			if (ctx->handler != NULL)
 				{
 					ctx->handler->free (ctx->handler);
-					ctx->handler = &z->parent->super;
+					ctx->handler = prev;
 				}
 		}
 }
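Review bot: same ordering fix and same caveat as the gstops hunk above: `prev` must be read before `ctx->handler->free (ctx->handler)` because `z` and `ctx->handler` are the same object, and nothing here verifies that they are. Two further points. First, the end-element bodies of the two handlers are now near-identical, so a small helper that pops `ctx->handler` back to its parent (read the parent, free the current handler, install the parent) would remove the duplication and make the free-then-read ordering hard to reintroduce. Second, the patch touches only these two callbacks; any other end-element handler in rsvg.c that uses the same `free` followed by `&z->parent->super` sequence has the same bug and should be checked before this is committed.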
--- patch-rsvg.c ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:
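The bug class in this PR, free the current handler and then read its parent pointer out of the freed object, is easy to model outside librsvg. The following is an added example written for this page; it is not librsvg code and none of its names (`Handler`, `Ctx`, `end_element_buggy`, `end_element_fixed`, the pool allocator) exist in rsvg.c. It uses a constructed static pool whose free junk-fills the object with 0xd0, standing in for FreeBSD malloc's J option, so the stale read in the buggy path returns a visibly garbage pointer deterministically instead of being undefined behaviour. The element nesting (`svg` > `linearGradient` > `stop`) is likewise constructed sample input.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a SAX handler stack (added example, not librsvg code).
 * Each handler knows the enclosing handler to restore when its element ends. */
typedef struct Handler Handler;
struct Handler {
    const char *tag;                 /* element name this handler is closed by */
    Handler *parent;                 /* enclosing handler, restored on end-element */
    void (*free_fn)(Handler *self);  /* plays the role of RsvgSaxHandler::free */
};

typedef struct { Handler *handler; } Ctx;   /* stands in for the parser context */

/* Toy allocator standing in for malloc with the "J" (junk) option: freed
 * objects are filled with 0xd0, so a stale read yields garbage rather than
 * the old contents. Objects live in a static pool so the stale read in the
 * buggy path is deterministic rather than undefined. */
#define JUNK_BYTE 0xd0
enum { POOL_SLOTS = 8 };
static Handler pool[POOL_SLOTS];
static int pool_used[POOL_SLOTS];

static void pool_reset(void) { memset(pool_used, 0, sizeof pool_used); }

static void handler_free(Handler *h) {
    size_t slot = (size_t)(h - pool);
    pool_used[slot] = 0;
    memset(h, JUNK_BYTE, sizeof *h);     /* the "J" behaviour */
}

static Handler *handler_alloc(const char *tag, Handler *parent) {
    for (size_t i = 0; i < POOL_SLOTS; i++) {
        if (!pool_used[i]) {
            pool_used[i] = 1;
            pool[i].tag = tag;
            pool[i].parent = parent;
            pool[i].free_fn = handler_free;
            return &pool[i];
        }
    }
    return NULL;                         /* pool exhausted (not expected here) */
}

/* Pattern before the patch: free the current handler, then read self->parent
 * out of the object that was just freed. */
static Handler *end_element_buggy(Ctx *ctx, Handler *self, const char *name) {
    if (!strcmp(name, self->tag) && ctx->handler != NULL) {
        ctx->handler->free_fn(ctx->handler);   /* self == ctx->handler */
        ctx->handler = self->parent;           /* use-after-free: now 0xd0.. */
    }
    return ctx->handler;
}

/* Pattern after the patch: capture the parent while self is still live. */
static Handler *end_element_fixed(Ctx *ctx, Handler *self, const char *name) {
    Handler *prev = self->parent;
    if (!strcmp(name, self->tag) && ctx->handler != NULL) {
        ctx->handler->free_fn(ctx->handler);
        ctx->handler = prev;
    }
    return ctx->handler;
}

/* True if every byte of the pointer value is the junk fill pattern. */
static int pointer_is_junk(const Handler *p) {
    unsigned char b[sizeof p];
    memcpy(b, &p, sizeof p);
    for (size_t i = 0; i < sizeof p; i++)
        if (b[i] != JUNK_BYTE) return 0;
    return 1;
}

/* Build <svg><linearGradient><stop> and end the innermost element. */
static Handler *run(Handler *(*end_element)(Ctx *, Handler *, const char *),
                    Handler **grad_out) {
    pool_reset();
    Handler *root = handler_alloc("svg", NULL);
    Handler *grad = handler_alloc("linearGradient", root);
    Handler *stop = handler_alloc("stop", grad);
    Ctx ctx = { stop };
    *grad_out = grad;
    return end_element(&ctx, stop, "stop");
}

/* 1 if the fixed pop leaves the context on the enclosing gradient handler. */
int fixed_restores_parent(void) {
    Handler *grad;
    Handler *h = run(end_element_fixed, &grad);
    return h == grad && strcmp(h->tag, "linearGradient") == 0;
}

/* 1 if the buggy pop leaves the context holding a junk-filled pointer; the
 * next callback to dereference it is the crash the PR reports. */
int buggy_yields_junk_pointer(void) {
    Handler *grad;
    Handler *h = run(end_element_buggy, &grad);
    return pointer_is_junk(h);
}

int main(void) {
    printf("fixed pop restores parent:   %d\n", fixed_restores_parent());
    printf("buggy pop leaves junk ptr:   %d\n", buggy_yields_junk_pointer());
    return 0;
}
```

The model also shows why the crash only appeared with the J option: without junk filling, the freed object usually still holds its old parent pointer, so the same stale read silently returns the right value and the bug stays latent. The fixed path does not depend on the allocator at all, since the only read of `self` happens before `free_fn` runs.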


