
Stack overflow and crash when using svg2png

qarmin opened this issue 11 months ago (5 comments)

svg2png file.svg -r 300x300

files - thorvg.zip

../src/renderer/sw_engine/tvgSwRle.cpp:716:31: runtime error: member access within null pointer of type 'struct SwOutline'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==71421==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7fdd12e62613 bp 0x7fdd0cbf54e0 sp 0x7fdd0cbf52a0 T5)
==71421==The signal is caused by a READ memory access.
==71421==Hint: address points to the zero page.
    #0 0x7fdd12e62613 in tvg::Array<unsigned int>::begin() ../src/common/tvgArray.h:100
    #1 0x7fdd12e62613 in _decomposeOutline ../src/renderer/sw_engine/tvgSwRle.cpp:716
    #2 0x7fdd12e62613 in _genRle ../src/renderer/sw_engine/tvgSwRle.cpp:755
    #3 0x7fdd12e64572 in rleRender(SwRleData*, SwOutline const*, SwBBox const&, bool) ../src/renderer/sw_engine/tvgSwRle.cpp:989
    #4 0x7fdd12e67a79 in shapeGenRle(SwShape*, tvg::RenderShape const*, bool) ../src/renderer/sw_engine/tvgSwShape.cpp:477
    #5 0x7fdd12e588e1 in SwShapeTask::run(unsigned int) ../src/renderer/sw_engine/tvgSwRenderer.cpp:153
    #6 0x7fdd12e07a83 in tvg::Task::operator()(unsigned int) ../src/renderer/tvgTaskScheduler.h:64
    #7 0x7fdd12e09fbb in tvg::TaskSchedulerImpl::run(unsigned int) (/home/rafal/test/thorvg/build/src/tools/svg2png/../../libthorvg.so.0+0x409fbb) (BuildId: c671918882fb3c4597fa585d8556c27a6c92e052)
    #8 0x7fdd126e6332  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xe6332) (BuildId: 102661775a59c09123f226bc3021556fd42bc563)
    #9 0x7fdd11a97b59 in start_thread nptl/pthread_create.c:444
    #10 0x7fdd11b285fb in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../src/common/tvgArray.h:100 in tvg::Array<unsigned int>::begin()
Thread T5 created by T0 here:
    #0 0x7fdd13449175 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:208
    #1 0x7fdd126e6408 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xe6408) (BuildId: 102661775a59c09123f226bc3021556fd42bc563)
    #2 0x7fdd12e0741d in tvg::TaskScheduler::init(unsigned int) ../src/renderer/tvgTaskScheduler.cpp:201
    #3 0x7fdd12dcefe3 in tvg::Initializer::init(unsigned int, tvg::CanvasEngine) ../src/renderer/tvgInitializer.cpp:128
    #4 0x559b170e21bd in Renderer::createCanvas() (/home/rafal/test/thorvg/build/src/tools/svg2png/svg2png+0xa91bd) (BuildId: 0861227cb93a50128027ed215938c5acde50cf94)
    #5 0x559b170e2ea7 in Renderer::render(char const*, int, int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int) (/home/rafal/test/thorvg/build/src/tools/svg2png/svg2png+0xa9ea7) (BuildId: 0861227cb93a50128027ed215938c5acde50cf94)
    #6 0x559b170e5465 in App::renderFile(char const*) (/home/rafal/test/thorvg/build/src/tools/svg2png/svg2png+0xac465) (BuildId: 0861227cb93a50128027ed215938c5acde50cf94)
    #7 0x559b170e6dc5 in App::setup(int, char**) (/home/rafal/test/thorvg/build/src/tools/svg2png/svg2png+0xaddc5) (BuildId: 0861227cb93a50128027ed215938c5acde50cf94)
    #8 0x559b170dce67 in main ../src/tools/svg2png/svg2png.cpp:414
    #9 0x7fdd11a2814f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
../src/loaders/svg/tvgSvgSceneBuilder.cpp:763:25: runtime error: member access within null pointer of type 'struct Scene'
../src/loaders/svg/tvgSvgSceneBuilder.cpp:763:25: runtime error: member call on null pointer of type 'struct Paint'
../src/loaders/svg/tvgSvgSceneBuilder.cpp:763:25: runtime error: member access within null pointer of type 'struct Paint'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==71465==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fa1ca8d1fd5 bp 0x7fa1c61efe10 sp 0x7fa1c61ef2d0 T1)
==71465==The signal is caused by a READ memory access.
==71465==Hint: address points to the zero page.
    #0 0x7fa1ca8d1fd5 in _useBuildHelper ../src/loaders/svg/tvgSvgSceneBuilder.cpp:763
    #1 0x7fa1ca8d1fd5 in _sceneBuildHelper ../src/loaders/svg/tvgSvgSceneBuilder.cpp:790
    #2 0x7fa1ca8d2406 in _sceneBuildHelper ../src/loaders/svg/tvgSvgSceneBuilder.cpp:792
    #3 0x7fa1ca8cffbe in _useBuildHelper ../src/loaders/svg/tvgSvgSceneBuilder.cpp:704
    #4 0x7fa1ca8cffbe in _sceneBuildHelper ../src/loaders/svg/tvgSvgSceneBuilder.cpp:790
    #5 0x7fa1ca8d2406 in _sceneBuildHelper ../src/loaders/svg/tvgSvgSceneBuilder.cpp:792
    #6 0x7fa1ca8cffbe in _useBuildHelper ../src/loaders/svg/tvgSvgSceneBuilder.cpp:704


    #363 0x7fa1ca8cffbe in _useBuildHelper ../src/loaders/svg/tvgSvgSceneBuilder.cpp:704
    #364 0x7fa1ca8cffbe in _sceneBuildHelper ../src/loaders/svg/tvgSvgSceneBuilder.cpp:790
    #365 0x7fa1ca8d2406 in _sceneBuildHelper ../src/loaders/svg/tvgSvgSceneBuilder.cpp:792
    #366 0x7fa1ca8cffbe in _useBuildHelper ../src/loaders/svg/tvgSvgSceneBuilder.cpp:704
    #367 0x7fa1ca8cffbe in _sceneBuildHelper ../src/loaders/svg/tvgSvgSceneBuilder.cpp:790
    #368 0x7fa1ca8d2406 in _sceneBuildHelper ../src/loaders/svg/tvgSvgSceneBuilder.cpp:792
    #369 0x7fa1ca8cffbe in _useBuildHelper ../src/loaders/svg/tvgSvgSceneBuilder.cpp:704
    #370 0x7fa1ca8cffbe in _sceneBuildHelper ../src/loaders/svg/tvgSvgSceneBuilder.cpp:790

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../src/loaders/svg/tvgSvgSceneBuilder.cpp:763 in _useBuildHelper
Thread T1 created by T0 here:
    #0 0x7fa1cae49175 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:208
    #1 0x7fa1ca0e6408 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xe6408) (BuildId: 102661775a59c09123f226bc3021556fd42bc563)
    #2 0x7fa1ca80741d in tvg::TaskScheduler::init(unsigned int) ../src/renderer/tvgTaskScheduler.cpp:201
    #3 0x7fa1ca7cefe3 in tvg::Initializer::init(unsigned int, tvg::CanvasEngine) ../src/renderer/tvgInitializer.cpp:128
    #4 0x5642d48511bd in Renderer::createCanvas() (/home/rafal/test/thorvg/build/src/tools/svg2png/svg2png+0xa91bd) (BuildId: 0861227cb93a50128027ed215938c5acde50cf94)
    #5 0x5642d4851ea7 in Renderer::render(char const*, int, int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int) (/home/rafal/test/thorvg/build/src/tools/svg2png/svg2png+0xa9ea7) (BuildId: 0861227cb93a50128027ed215938c5acde50cf94)
    #6 0x5642d4854465 in App::renderFile(char const*) (/home/rafal/test/thorvg/build/src/tools/svg2png/svg2png+0xac465) (BuildId: 0861227cb93a50128027ed215938c5acde50cf94)
    #7 0x5642d4855dc5 in App::setup(int, char**) (/home/rafal/test/thorvg/build/src/tools/svg2png/svg2png+0xaddc5) (BuildId: 0861227cb93a50128027ed215938c5acde50cf94)
    #8 0x5642d484be67 in main ../src/tools/svg2png/svg2png.cpp:414
    #9 0x7fa1c942814f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

==71465==ABORTING


qarmin commented on Mar 21 '24 10:03

Many more examples of files that crash or trigger a timeout (120 seconds) - brokenFiles.zip

qarmin commented on Mar 23 '24 15:03

files - thorvg.zip

  • large stroke issue SVG_FILE_123165.png https://github.com/thorvg/thorvg/issues/2084

  • Empty path issue SVG_FILE_64471.svg SVG_FILE_14088.svg -> Use animate(unsupported) element SVG_FILE_14090.svg -> Use animate(unsupported) element SVG_FILE_14094.svg -> Use animate(unsupported) element SVG_FILE_14095.svg -> Use animate(unsupported) element https://github.com/thorvg/thorvg/issues/2083

  • Refer to parent id. SVG_FILE_65171.svg SVG_FILE_65172.svg https://github.com/thorvg/thorvg/pull/2079

  • ? SVG_FILE_78159.svg

JSUYA commented on Mar 26 '24 01:03

New pack of broken files - brokenFiles.zip

qarmin commented on Apr 04 '24 15:04

New pack of broken files - brokenFiles.zip

After #2193, 8 broken files remain. I analyzed the problematic syntax for each file. Case 7 can probably be solved in the parser. Except for case 8, most of the files contain very large numbers, and these affect the renderer (https://github.com/thorvg/thorvg/issues/2084). I haven't found the cause of case 8 yet.

SVG_FILE_613_IDX_126_RAND_542991360928249598.svg - Big integer

10180904388427734

SVG_FILE_1971_IDX_124_RAND_2182145272924343310.svg - Big integer + missing <

...
15.40070811839823 7407382120062035 18.486573541085114 
...

<svg version="1.1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100" >
<g>
  <path d="M0 0 L10 10z" stroke="#000000" stroke-width="1" fill="none">/path>
</g>
</svg>

SVG_FILE_1971_IDX_186_RAND_10765676810121780829.svg - Big integer?????

1.79896984080597 

SVG_FILE_7809_IDX_59_RAND_5480084644306733535.svg - Big integer

a64.23 64E23 0 0 1 16.23 15.08

SVG_FILE_23487_IDX_176_RAND_7999347118074300452.svg - Big integer

A 12.5E12.5 0 0 1 24.001953 22.408203

SVG_FILE_28825_IDX_158_RAND_4352887330970021713.svg - Big integer + missing <

...
     d="M 39449624,477.20000 L 375.86075,444.92239"
...  
  <path
     id="path1866"
     d="M 326.69498,611.18976 L 289.42400,546.63454"
     style="fill:none;fill-opacity:0.75000000;fill-rule:evenodd;stroke:#000000;stroke-width:0.12500000;marker-start:url(#Arrow1S);marker-mid:none;marker-end:url(#Arrow1L);" />
/g>

SVG_FILE_35755_IDX_138_RAND_12931002365468678706.svg - missing double quote

stroke="#000" stroke-miterlimit=10" pointer-events="stroke"

SVG_FILE_123165.svg - ????

<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 400 223">
      <path d="m553.51 336.88 14.3 0.2z" style="stroke:#ff0" transform="translate(-363 -125)"/>
</svg>

JSUYA commented on Apr 17 '24 11:04

New pack, created from valid SVG files - Fuzzer good files.zip. Pack of manually created SVG files (with many leak warnings caused by one extremely large Lottie file) - BrokenFound.7z.zip. Note that the reports below are not all plain null dereferences: the UPSCALE report is a heap-buffer-overflow READ and the _findCell report is a read through a high (likely corrupted) address, i.e. out-of-bounds memory accesses reachable from untrusted SVG input, and the Lottie case allocates 4 GiB in a single LottieLoader::open call.

Direct leak of 448 byte(s) in 1 object(s) allocated from:
    #0 0x7f1639eb4c38 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:164
    #1 0x7f1639d6ccce in _genSpan ../src/renderer/sw_engine/tvgSwRle.cpp:314
    #2 0x7f1639d6fef6 in _sweep ../src/renderer/sw_engine/tvgSwRle.cpp:431
    #3 0x7f1639d6fef6 in rleRender(SwRleData*, SwOutline const*, SwBBox const&, bool) ../src/renderer/sw_engine/tvgSwRle.cpp:991
    #4 0x7f1639d715ba in shapeGenRle(SwShape*, tvg::RenderShape const*, bool) ../src/renderer/sw_engine/tvgSwShape.cpp:521
    #5 0x7f1639d6b1ee in SwShapeTask::run(unsigned int) (/home/runner/work/SVG-regression-finder/SVG-regression-finder/thorvg/build/src/tools/svg2png/../../libthorvg.so.0+0x541ee)
    #6 0x7f1639d4a44b in tvg::Task::operator()(unsigned int) ../src/renderer/tvgTaskScheduler.h:64
    #7 0x7f1639d4a44b in tvg::TaskSchedulerImpl::run(unsigned int) ../src/renderer/tvgTaskScheduler.cpp:153
    #8 0x7f1639ae62b2  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xe62b2)
==180537==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x622000003000 at pc 0x7fa3e945499b bp 0x7fa3e4af90b0 sp 0x7fa3e4af90a0
READ of size 8 at 0x622000003000 thread T1
    #0 0x7fa3e945499a in UPSCALE ../src/renderer/sw_engine/tvgSwRle.cpp:265
    #1 0x7fa3e9457096 in _decomposeOutline ../src/renderer/sw_engine/tvgSwRle.cpp:741
    #2 0x7fa3e9457096 in _genRle ../src/renderer/sw_engine/tvgSwRle.cpp:755
    #3 0x7fa3e9457bf3 in rleRender(SwRleData*, SwOutline const*, SwBBox const&, bool) ../src/renderer/sw_engine/tvgSwRle.cpp:989
    #4 0x7fa3e945d249 in shapeGenStrokeRle(SwShape*, tvg::RenderShape const*, tvg::Matrix const*, SwBBox const&, SwBBox&, SwMpool*, unsigned int) ../src/renderer/sw_engine/tvgSwShape.cpp:614
    #5 0x7fa3e94533c2 in SwShapeTask::run(unsigned int) (/home/runner/work/SVG-regression-finder/SVG-regression-finder/thorvg/build/src/tools/svg2png/../../libthorvg.so.0+0x543c2)
    #6 0x7fa3e943244b in tvg::Task::operator()(unsigned int) ../src/renderer/tvgTaskScheduler.h:64
    #7 0x7fa3e943244b in tvg::TaskSchedulerImpl::run(unsigned int) ../src/renderer/tvgTaskScheduler.cpp:153
    #8 0x7fa3e86e62b2  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xe62b2)
    #9 0x7fa3e8294ac2  (/lib/x86_64-linux-gnu/libc.so.6+0x94ac2)
    #10 0x7fa3e832684f  (/lib/x86_64-linux-gnu/libc.so.6+0x12684f)
=================================================================
==2030692==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7f7246f6caa4 bp 0x7f7241ff7e80 sp 0x7f7241ff7e70 T2)
==2030692==The signal is caused by a READ memory access.
==2030692==Hint: this fault was caused by a dereference of a high value address (see register values below).  Dissassemble the provided pc to learn which register was used.
    #0 0x7f7246f6caa4 in _findCell ../src/renderer/sw_engine/tvgSwRle.cpp:443
    #1 0x7f7246f6caa4 in _recordCell ../src/renderer/sw_engine/tvgSwRle.cpp:465
    #2 0x7f7246f6d3eb in _setCell ../src/renderer/sw_engine/tvgSwRle.cpp:494
    #3 0x7f7246f6e035 in _lineTo ../src/renderer/sw_engine/tvgSwRle.cpp:628
    #4 0x7f7246f6ef26 in _decomposeOutline ../src/renderer/sw_engine/tvgSwRle.cpp:731
    #5 0x7f7246f6ef26 in _genRle ../src/renderer/sw_engine/tvgSwRle.cpp:755
    #6 0x7f7246f6fbf3 in rleRender(SwRleData*, SwOutline const*, SwBBox const&, bool) ../src/renderer/sw_engine/tvgSwRle.cpp:989
    #7 0x7f7246f75249 in shapeGenStrokeRle(SwShape*, tvg::RenderShape const*, tvg::Matrix const*, SwBBox const&, SwBBox&, SwMpool*, unsigned int) ../src/renderer/sw_engine/tvgSwShape.cpp:614
    #8 0x7f7246f6b3c2 in SwShapeTask::run(unsigned int) (/home/runner/work/SVG-regression-finder/SVG-regression-finder/thorvg/build/src/tools/svg2png/../../libthorvg.so.0+0x543c2)
    #9 0x7f7246f4a44b in tvg::Task::operator()(unsigned int) ../src/renderer/tvgTaskScheduler.h:64
    #10 0x7f7246f4a44b in tvg::TaskSchedulerImpl::run(unsigned int) ../src/renderer/tvgTaskScheduler.cpp:153
    #11 0x7f7246ce62b2  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xe62b2)
    #12 0x7f7246894ac2  (/lib/x86_64-linux-gnu/libc.so.6+0x94ac2)
    #13 0x7f724692684f  (/lib/x86_64-linux-gnu/libc.so.6+0x12684f)

==583759==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 4294967296 byte(s) in 1 object(s) allocated from:
    #0 0x7f22054b4887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7f22053bacb1 in LottieLoader::open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ../src/loaders/lottie/tvgLottieLoader.cpp:213
    #2 0x7f2205337b3c in LoaderMgr::loader(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool*) ../src/renderer/tvgLoader.cpp:323
    #3 0x7f2205343377 in tvg::Picture::Impl::load(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ../src/renderer/tvgPicture.h:152
    #4 0x7f2205343377 in tvg::Picture::load(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ../src/renderer/tvgPicture.cpp:175
    #5 0x7f22053a508f in _imageBuildHelper ../src/loaders/svg/tvgSvgSceneBuilder.cpp:603
    #6 0x7f22053a508f in _sceneBuildHelper ../src/loaders/svg/tvgSvgSceneBuilder.cpp:794
    #7 0x7f22053a873a in svgSceneBuild(SvgLoaderData&, Box, float, float, AspectRatioAlign, AspectRatioMeetOrSlice, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, SvgViewFlag) ../src/loaders/svg/tvgSvgSceneBuilder.cpp:853
    #8 0x7f220539bd87 in SvgLoader::run(unsigned int) ../src/loaders/svg/tvgSvgLoader.cpp:3717
    #9 0x7f220539bd87 in SvgLoader::run(unsigned int) ../src/loaders/svg/tvgSvgLoader.cpp:3689
    #10 0x7f2205392f4b in SvgLoader::header() ../src/loaders/svg/tvgSvgLoader.cpp:3800
    #11 0x7f220539b3ff in SvgLoader::open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ../src/loaders/svg/tvgSvgLoader.cpp:3847
    #12 0x7f22053379c0 in LoaderMgr::loader(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool*) ../src/renderer/tvgLoader.cpp:307
    #13 0x7f2205343377 in tvg::Picture::Impl::load(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ../src/renderer/tvgPicture.h:152
    #14 0x7f2205343377 in tvg::Picture::load(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ../src/renderer/tvgPicture.cpp:175
    #15 0x55808fd3e803 in Renderer::render(char const*, int, int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int) ../src/tools/svg2png/svg2png.cpp:84
    #16 0x55808fd3f42d in App::renderFile(char const*) ../src/tools/svg2png/svg2png.cpp:343
    #17 0x55808fd402d2 in App::setup(int, char**) ../src/tools/svg2png/svg2png.cpp:265
    #18 0x55808fd3cdab in main ../src/tools/svg2png/svg2png.cpp:414
    #19 0x7f2204c29d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

qarmin commented on Apr 20 '24 16:04