Crash in SPFilterPrimitive dereferencing an invalid pointer triggered by fuzz-generated SVG file
Visible fault:
Inkscape crashes with SIGSEGV when trying to open (or rendering it in its file chooser) a specially crafted SVG file.
Expected behavior:
Inkscape should handle a corrupted SVG file rather than crash.
Steps to reproduce:
$ inkscape crash.svg
-or-
Open Inkscape, File -> Open, then navigate to the folder where crash.svg is located.
Possible cause:
SPFilterPrimitive::update dereferences an invalid `parent` pointer (the `parent->primitiveUnits` read at sp-filter-primitive.cpp:144, shown in the gdb output below).
gdb output:
Thread 1 "inkscape" received signal SIGSEGV, Segmentation fault.
0x00000000005fc488 in SPFilterPrimitive::update (this=0x78927c0, ctx=0x7fffffffc600, flags=29) at sp-filter-primitive.cpp:144
144 if( parent->primitiveUnits == SP_FILTER_UNITS_USERSPACEONUSE ) {
Backtrace:
#0 0x00000000005fc488 in SPFilterPrimitive::update (this=0x78927c0, ctx=0x7fffffffc600, flags=29) at sp-filter-primitive.cpp:144
#1 0x0000000000843aab in SPFeOffset::update (this=0x78927c0, ctx=0x7fffffffc600, flags=29) at filters/offset.cpp:105
#2 0x000000000067889c in SPObject::updateDisplay (this=0x78927c0, ctx=0x7fffffffc600, flags=29) at sp-object.cpp:1157
#3 0x000000000063e1c3 in SPGroup::update (this=0x78c0310, ctx=0x7fffffffc600, flags=27) at sp-item-group.cpp:186
#4 0x000000000068c7d7 in SPRoot::update (this=0x78c0310, ctx=0x7fffffffc700, flags=27) at sp-root.cpp:304
#5 0x000000000067889c in SPObject::updateDisplay (this=0x78c0310, ctx=0x7fffffffc700, flags=27) at sp-object.cpp:1157
#6 0x00000000004b877c in SPDocument::_updateDocument (this=0x4e99d20) at document.cpp:1066
#7 0x00000000004b8905 in sp_document_idle_handler (data=0x4e99d20) at document.cpp:1134
#8 0x00007ffff3de605a in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#9 0x00007ffff3de6400 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#10 0x00007ffff3de6722 in g_main_loop_run () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#11 0x00007ffff6b5eb93 in gtk_dialog_run () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#12 0x0000000000a930c2 in Inkscape::UI::Dialog::FileOpenDialogImplGtk::show (this=0x779a000) at ui/dialog/filedialogimpl-gtkmm.cpp:871
#13 0x00000000004e0ed8 in sp_file_open_dialog (parentWindow=...) at file.cpp:546
#14 0x00000000006e88eb in Inkscape::FileVerb::perform (action=0x340d2c0, data=0x3) at verbs.cpp:846
#15 0x00000000006f65d1 in sigc::pointer_functor2<SPAction*, void*, void>::operator() (this=0x3620508, _A_a1=@0x3620518: 0x340d2c0, _A_a2=@0x3620510: 0x3) at /usr/include/sigc++-2.0/sigc++/functors/ptr_fun.h:147
#16 0x00000000006f6377 in sigc::adaptor_functor<sigc::pointer_functor2<SPAction*, void*, void> >::operator()<SPAction*&, void*&> (this=0x3620500, _A_arg1=@0x3620518: 0x340d2c0, _A_arg2=@0x3620510: 0x3) at /usr/include/sigc++-2.0/sigc++/adaptors/adaptor_trait.h:108
#17 0x00000000006f608e in sigc::bind_functor<-1, sigc::pointer_functor2<SPAction*, void*, void>, void*, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil>::operator()<SPAction*&> (this=0x36204f8, _A_arg1=@0x3620518: 0x340d2c0) at /usr/include/sigc++-2.0/sigc++/adaptors/bind.h:1129
#18 0x00000000006f5c0e in sigc::bind_functor<-1, sigc::bind_functor<-1, sigc::pointer_functor2<SPAction*, void*, void>, void*, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil>, SPAction*, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil>::operator() (this=0x36204f0) at /usr/include/sigc++-2.0/sigc++/adaptors/bind.h:1117
#19 0x00000000006f5635 in sigc::internal::slot_call0<sigc::bind_functor<-1, sigc::bind_functor<-1, sigc::pointer_functor2<SPAction*, void*, void>, void*, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil>, SPAction*, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil>, void>::call_it (rep=0x36204c0) at /usr/include/sigc++-2.0/sigc++/functors/slot.h:108
#20 0x000000000048f58b in sigc::internal::signal_emit0<void, sigc::nil>::emit (impl=0x36201f0) at /usr/include/sigc++-2.0/sigc++/signal.h:774
#21 0x0000000000491e7e in sigc::signal0<void, sigc::nil>::emit (this=0x340d318) at /usr/include/sigc++-2.0/sigc++/signal.h:2681
#22 0x000000000084785c in sp_action_perform (action=0x340d2c0) at helper/action.cpp:136
#23 0x000000000052cdc4 in sp_ui_menu_activate (action=0x340d2c0) at interface.cpp:371
#24 0x00007ffff40bcfa5 in g_closure_invoke () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#25 0x00007ffff40cefc1 in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#26 0x00007ffff40d7d5c in g_signal_emit_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#27 0x00007ffff40d808f in g_signal_emit () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#28 0x00007ffff6cee67e in gtk_widget_activate () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#29 0x00007ffff6be98ed in gtk_menu_shell_activate_item () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#30 0x00007ffff6be9c56 in ?? () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#31 0x00007ffff6bd7afc in ?? () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#32 0x00007ffff40bcfa5 in g_closure_invoke () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#33 0x00007ffff40cf56e in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#34 0x00007ffff40d77f9 in g_signal_emit_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#35 0x00007ffff40d808f in g_signal_emit () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#36 0x00007ffff6cef8cc in ?? () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#37 0x00007ffff6bd6294 in gtk_propagate_event () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#38 0x00007ffff6bd664b in gtk_main_do_event () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#39 0x000000000044d619 in snooper (event=0x4669890) at main.cpp:1009
#40 0x00007ffff684ac4c in ?? () from /usr/lib/x86_64-linux-gnu/libgdk-x11-2.0.so.0
#41 0x00007ffff3de61a7 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#42 0x00007ffff3de6400 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#43 0x00007ffff3de6722 in g_main_loop_run () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#44 0x00007ffff6bd56a7 in gtk_main () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#45 0x000000000044db41 in sp_main_gui (argc=1, argv=0x7fffffffdc58) at main.cpp:1075
#46 0x000000000044d052 in main (argc=1, argv=0x7fffffffdc58) at main.cpp:789
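Reading the backtrace, SPFeOffset::update is reached from SPGroup::update / SPRoot::update (frames #3 and #4), so the primitive's parent is the root group rather than an SPFilter, and reading `parent->primitiveUnits` through a filter pointer is the invalid dereference. The following is an added illustration, not Inkscape's code: it models that tree shape with hypothetical minimal classes and shows a guarded lookup of primitiveUnits that rejects a parent that is missing or is not a filter; every name other than the ones in this report is an assumption.

```cpp
// Added example (not Inkscape code): minimal stand-ins for the SP* object tree.
#include <cstdio>
#include <memory>
#include <vector>

enum FilterUnits { SP_FILTER_UNITS_OBJECTBOUNDINGBOX, SP_FILTER_UNITS_USERSPACEONUSE };

struct SPObject {
    SPObject *parent = nullptr;                      // raw back-pointer, as in the real tree
    std::vector<std::unique_ptr<SPObject>> children;
    virtual ~SPObject() = default;
    SPObject *adopt(std::unique_ptr<SPObject> c) {   // attach a child and set its parent
        c->parent = this;
        children.push_back(std::move(c));
        return children.back().get();
    }
};
struct SPRoot : SPObject {};                         // the root <svg> (a group)
struct SPFilter : SPObject { FilterUnits primitiveUnits = SP_FILTER_UNITS_USERSPACEONUSE; };
struct SPFeOffset : SPObject {};                     // a filter primitive

enum UnitsResult { UNITS_USERSPACE, UNITS_BBOX, UNITS_NO_FILTER_PARENT };

// Guarded replacement for an unchecked `parent->primitiveUnits`: only treat the
// parent as an SPFilter when it really is one. dynamic_cast yields nullptr both
// for a missing parent and for a parent of the wrong type (e.g. SPRoot).
UnitsResult primitive_units(const SPObject *prim) {
    const SPFilter *f = dynamic_cast<const SPFilter *>(prim->parent);
    if (!f) return UNITS_NO_FILTER_PARENT;           // caller skips the units-dependent work
    return f->primitiveUnits == SP_FILTER_UNITS_USERSPACEONUSE ? UNITS_USERSPACE : UNITS_BBOX;
}

// Well-formed document: <svg><filter><feOffset/></filter></svg>
UnitsResult well_formed_case(FilterUnits units) {
    SPRoot root;
    auto *filter = static_cast<SPFilter *>(root.adopt(std::make_unique<SPFilter>()));
    filter->primitiveUnits = units;
    return primitive_units(filter->adopt(std::make_unique<SPFeOffset>()));
}

// Constructed fuzz-like shape implied by the backtrace: <svg><feOffset/></svg>
UnitsResult orphaned_primitive_case() {
    SPRoot root;
    return primitive_units(root.adopt(std::make_unique<SPFeOffset>()));
}

int main() {
    std::printf("well-formed: %d, orphaned: %d\n",
                well_formed_case(SP_FILTER_UNITS_USERSPACEONUSE), orphaned_primitive_case());
    return 0;
}
```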
Setup:
- Inkscape 0.91 r13725 compiled from source
- Ubuntu 16.04 x86_64
The test case was generated using QuickFuzz.
Edited by Bryce Harrington