[Pkg-dia-team] Bug#758166: dia: Invalid arc in .dia crashes amd64 (but not i386)
Sander Brandenburg
sander.brandenburg at gmail.com
Thu Aug 14 22:12:00 UTC 2014
Package: dia
Version: 0.97.2-8
Severity: normal
Tags: patch
-- System Information:
Debian Release: 7.6
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.11.0-19-generic (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
Shell: /bin/sh linked to /bin/dash
Versions of packages dia depends on:
ii dia-common 0.97.2-8
ii dia-libs 0.97.2-8
ii libart-2.0-2 2.3.21-2
ii libatk1.0-0 2.4.0-2
ii libc6 2.13-38+deb7u2
ii libcairo2 1.12.2-3
ii libfontconfig1 2.9.0-7.1
ii libfreetype6 2.4.9-1.1
ii libgdk-pixbuf2.0-0 2.26.1-1
ii libglib2.0-0 2.33.12+really2.32.4-5
ii libgtk2.0-0 2.24.10-2
ii libpango1.0-0 1.30.0-1
ii libpng12-0 1.2.49-1
ii libxml2 2.8.0+dfsg1-7+nmu3
ii zlib1g 1:1.2.7.dfsg-13
Versions of packages dia recommends:
ii gsfonts-x11 0.22
dia suggests no packages.
-- no debconf information
On a wheezy i386 I ended up with the following arc definition:
which originated from the following arc:
<dia:object type="Standard - Arc" version="0" id="O1">
  <dia:attribute name="obj_pos">
    <dia:point val="4.27503,56.9797"/>
  </dia:attribute>
  <dia:attribute name="obj_bb">
    <dia:rectangle val="4.22385,56.6055;17.8294,57.0309"/>
  </dia:attribute>
  <dia:attribute name="conn_endpoints">
    <dia:point val="4.27503,56.9797"/>
    <dia:point val="17.7782,56.6567"/>
  </dia:attribute>
  <dia:attribute name="curve_distance">
    <dia:real val="0"/>
  </dia:attribute>
  <dia:connections>
    <dia:connection handle="1" to="O0" connection="3"/>
  </dia:connections>
</dia:object>
(note curve_distance is 0). This makes dia instances on amd64 platforms crash, but not on i386 platforms:
curve_distance == 0 causes center and radius members to contain +/- inf.
This eventually creates a segfault at:
#0 text_get_line_width (text=0x85292a0, line_no=-2147483648) at ../../lib/text.c:126
in the indexing of lines:
126 return text_line_get_width(text->lines[line_no]);
(which gets multiplied by 4, shifting all bits off line_no on the i386 platform, but wreaking havoc on amd64)
The fix consists of overriding the supposedly illegal value of 0 to 0.01. I've never modified the dia file
directly - I don't know how that 0 ended up there. Possibly it's a rounding issue at serialization?
Index: dia-0.97.2/objects/standard/arc.c
===================================================================
--- dia-0.97.2.orig/objects/standard/arc.c 2014-08-14 18:57:31.000000000 +0000
+++ dia-0.97.2/objects/standard/arc.c 2014-08-14 22:05:56.234221798 +0000
@@ -878,7 +878,7 @@
arc->curve_distance = 0.1;
attr = object_find_attribute(obj_node, "curve_distance");
if (attr != NULL)
- arc->curve_distance = data_real(attribute_first_data(attr));
+ arc->curve_distance = MAX(0.01, data_real(attribute_first_data(attr)));
arc->line_width = 0.1;
attr = object_find_attribute(obj_node, PROP_STDNAME_LINE_WIDTH);
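Review bot: On the changed line, MAX(0.01, data_real(...)) does more than replace the 0 from the crashing file: every negative curve_distance stored in a diagram also becomes 0.01, and a NaN read from the file is not caught, because a comparison with NaN is false and a comparison-based MAX then returns its second argument unchanged. If negative values are valid for an arc, clamp the magnitude instead (keep the sign and raise only values closer to zero than 0.01), and fall back to the 0.1 default assigned on the first context line when the value is not finite. If MAX is the usual two-argument macro, data_real(attribute_first_data(attr)) is also evaluated twice, so read it into a local variable first. The hunk guards only the load path; the unchecked line_no index at lib/text.c:126 from the backtrace is left as it is.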
-------------- next part --------------
A non-text attachment was scrubbed...
Name: crashdia.dia
Type: application/x-gzip
Size: 640 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-dia-team/attachments/20140814/123ae0a7/attachment.bin>
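An added example, not part of the original report and not dia's code: it shows why curve_distance == 0 yields an infinite radius and one way to sanitize the value at load time. arc_radius uses the textbook chord/sagitta relation as an assumption about the geometry, and sanitize_curve_distance is a hypothetical helper; the constants 0.1 and 0.01 are the ones visible in the patch.

```c
#include <math.h>
#include <stdio.h>

#define ARC_DEFAULT_CURVE_DISTANCE 0.1   /* default seen in the patch context */
#define ARC_MIN_CURVE_DISTANCE     0.01  /* floor chosen in the patch */

/* Textbook relation (assumption, not dia's source): for chord length c and
 * sagitta d, r = (c*c/4 + d*d) / (2*d). With d == 0 the division gives inf. */
double arc_radius(double x1, double y1, double x2, double y2, double d)
{
    double dx = x2 - x1, dy = y2 - y1;
    double chord_sq = dx * dx + dy * dy;
    return (chord_sq / 4.0 + d * d) / (2.0 * d);
}

/* Hypothetical load-time check: reject NaN/inf, and push values that are too
 * close to zero out to the minimum magnitude while keeping their sign
 * (assumes a negative curve_distance is a legitimate stored value). */
double sanitize_curve_distance(double v)
{
    if (!isfinite(v))
        return ARC_DEFAULT_CURVE_DISTANCE;
    if (v >= 0.0 && v < ARC_MIN_CURVE_DISTANCE)
        return ARC_MIN_CURVE_DISTANCE;
    if (v < 0.0 && v > -ARC_MIN_CURVE_DISTANCE)
        return -ARC_MIN_CURVE_DISTANCE;
    return v;
}

int main(void)
{
    /* Endpoints from the conn_endpoints attribute quoted in the report. */
    const double x1 = 4.27503, y1 = 56.9797, x2 = 17.7782, y2 = 56.6567;
    const double samples[] = { 0.0, -0.5, 0.001, NAN }; /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        double d = sanitize_curve_distance(samples[i]);
        printf("raw=%g radius(raw)=%g sanitized=%g radius=%g\n", samples[i],
               arc_radius(x1, y1, x2, y2, samples[i]), d, arc_radius(x1, y1, x2, y2, d));
    }
    return 0;
}
```

Converting the resulting infinity to an int is undefined behaviour in C, so the sketch stops at the floating-point value rather than reproducing the line_no seen in the backtrace.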