[pkg-GD-devel] Bug#709050: mscgen: fails to build with current libgd2
Colin Watson
cjwatson at ubuntu.com
Sat Jun 1 21:57:40 UTC 2013
Control: reassign -1 libgd3 2.1.0~rc1-1
Control: affects -1 mscgen
Control: tag -1 patch
Control: user ubuntu-devel at lists.ubuntu.com
Control: usertags -1 ubuntu-patch
On Thu, May 23, 2013 at 06:56:01PM +0200, Ondřej Surý wrote:
> were you able to discover something? I don't see anything in gd, but I did
> study it very hard.
This is relevant (from 'make check VALGRIND=valgrind' with a libgd built
with debugging symbols):
testinput0.msc
==31147== Memcheck, a memory error detector
==31147== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==31147== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==31147== Command: ../src/mscgen -T png -i ../../test/testinput0.msc -o testinput0.msc.png
==31147==
==31147== Invalid write of size 4
==31147== at 0x4098400: fontFetch (gdft.c:1490)
==31147== by 0x40979C0: gdCacheGet (gdcache.c:125)
==31147== by 0x4098910: gdImageStringFTEx (gdft.c:890)
==31147== by 0x40FC934: (below main) (libc-start.c:260)
==31147== Address 0x4706c0c is 4 bytes before a block of size 16 free'd
==31147== at 0x402AC08: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==31147== by 0x43E6E1A: FcPatternDestroy (in /usr/lib/i386-linux-gnu/libfontconfig.so.1.7.0)
==31147== by 0x4098350: fontFetch (gdft.c:1472)
==31147== by 0x40979C0: gdCacheGet (gdcache.c:125)
==31147== by 0x4098910: gdImageStringFTEx (gdft.c:890)
==31147== by 0x40FC934: (below main) (libc-start.c:260)
==31147==
==31147== Syscall param open(filename) points to uninitialised byte(s)
==31147== at 0x41C2773: __open_nocancel (syscall-template.S:81)
==31147== by 0x433A103: FT_Stream_Open (in /usr/lib/i386-linux-gnu/libfreetype.so.6.10.0)
==31147== by 0x4340CE6: FT_Stream_New (in /usr/lib/i386-linux-gnu/libfreetype.so.6.10.0)
==31147== by 0x4342EE6: FT_Open_Face (in /usr/lib/i386-linux-gnu/libfreetype.so.6.10.0)
==31147== by 0x4706B47: ???
==31147== Address 0x482c927 is 47 bytes inside a block of size 48 alloc'd
==31147== at 0x40299A8: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==31147== by 0x409A16A: gdMalloc (gdhelpers.c:73)
==31147== by 0x40983D2: fontFetch (gdft.c:1485)
==31147== by 0x40979C0: gdCacheGet (gdcache.c:125)
==31147== by 0x4098910: gdImageStringFTEx (gdft.c:890)
==31147== by 0x40FC934: (below main) (libc-start.c:260)
==31147==
==31147== Conditional jump or move depends on uninitialised value(s)
==31147== at 0x402F93C: strstr (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==31147== by 0x40982CC: fontFetch (gdft.c:512)
==31147== by 0x40979C0: gdCacheGet (gdcache.c:125)
==31147== by 0x4098910: gdImageStringFTEx (gdft.c:890)
==31147== by 0x40FC934: (below main) (libc-start.c:260)
==31147==
==31147== Conditional jump or move depends on uninitialised value(s)
==31147== at 0x402F93C: strstr (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==31147== by 0x40984B6: fontFetch (gdft.c:513)
==31147== by 0x40979C0: gdCacheGet (gdcache.c:125)
==31147== by 0x4098910: gdImageStringFTEx (gdft.c:890)
==31147== by 0x40FC934: (below main) (libc-start.c:260)
==31147==
==31147==
==31147== HEAP SUMMARY:
==31147== in use at exit: 97,032 bytes in 1,728 blocks
==31147== total heap usage: 4,464 allocs, 2,736 frees, 2,116,808 bytes allocated
==31147==
==31147== LEAK SUMMARY:
==31147== definitely lost: 128 bytes in 1 blocks
==31147== indirectly lost: 20 bytes in 1 blocks
==31147== possibly lost: 0 bytes in 0 blocks
==31147== still reachable: 96,884 bytes in 1,726 blocks
==31147== suppressed: 0 bytes in 0 blocks
==31147== Rerun with --leak-check=full to see details of leaked memory
==31147==
==31147== For counts of detected and suppressed errors, rerun with: -v
==31147== Use --track-origins=yes to see where uninitialised values come from
==31147== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 0 from 0)
I read the relevant line of code several times before I spotted the
mistake - it's an easy one to miss. Patch follows.
* Add missing pointer dereference in font_pattern (closes: #709050).
diff -Nru libgd2-2.1.0~rc1/debian/patches/font-pattern-pointer-deref.patch libgd2-2.1.0~rc1/debian/patches/font-pattern-pointer-deref.patch
--- libgd2-2.1.0~rc1/debian/patches/font-pattern-pointer-deref.patch 1970-01-01 01:00:00.000000000 +0100
+++ libgd2-2.1.0~rc1/debian/patches/font-pattern-pointer-deref.patch 2013-06-01 22:51:52.000000000 +0100
@@ -0,0 +1,18 @@
+Description: Add missing pointer dereference in font_pattern
+Author: Colin Watson <cjwatson at ubuntu.com>
+Bug-Debian: http://bugs.debian.org/709050
+Last-Update: 2013-06-01
+
+Index: b/src/gdft.c
+===================================================================
+--- a/src/gdft.c
++++ b/src/gdft.c
+@@ -1487,7 +1487,7 @@
+ return "could not alloc font path";
+ }
+ strncpy(*fontpath, (const char *)file, file_len);
+- fontpath[file_len] = 0;
++ (*fontpath)[file_len] = 0;
+ }
+ FcPatternDestroy(font);
+
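Review bot: The fix at `+- fontpath[file_len] = 0;` / `++ (*fontpath)[file_len] = 0;` is the right one, but the Description should say why the old line compiled without a warning: `fontpath` is a `char **` (see the `strncpy(*fontpath, ...)` two lines above), so `fontpath[file_len] = 0` stored a null pointer into the pointer slot `file_len` entries past `fontpath` instead of terminating the string. On i386 that is exactly the "Invalid write of size 4" at gdft.c:1490 in the Valgrind log, and the never-written terminator is the uninitialised byte at offset 47 of the 48-byte block allocated at gdft.c:1485 that the open(filename) report points at, so one change should clear both findings; please confirm with a re-run of 'make check VALGRIND=valgrind'. The DEP-3 header also lacks a Forwarded: line, which it should have given this is a bug in upstream gdft.c rather than in the Debian packaging.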
diff -Nru libgd2-2.1.0~rc1/debian/patches/series libgd2-2.1.0~rc1/debian/patches/series
--- libgd2-2.1.0~rc1/debian/patches/series 2013-05-24 08:10:58.000000000 +0100
+++ libgd2-2.1.0~rc1/debian/patches/series 2013-06-01 22:39:37.000000000 +0100
@@ -1 +1,2 @@
gdlib-config-uses-pkgconfig.patch
+font-pattern-pointer-deref.patch
Thanks,
--
Colin Watson [cjwatson at ubuntu.com]