[pkg-GD-devel] Bug#709050: mscgen: fails to build with current libgd2

Colin Watson cjwatson at ubuntu.com
Sat Jun 1 21:57:40 UTC 2013


Control: reassign -1 libgd3 2.1.0~rc1-1
Control: affects -1 mscgen
Control: tag -1 patch
Control: user ubuntu-devel at lists.ubuntu.com
Control: usertags -1 ubuntu-patch

On Thu, May 23, 2013 at 06:56:01PM +0200, Ondřej Surý wrote:
> were you able to discover something? I don't see anything in gd, but I did
> study it very hard.

This is relevant (from 'make check VALGRIND=valgrind' with a libgd built
with debugging symbols):

  testinput0.msc
  ==31147== Memcheck, a memory error detector
  ==31147== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
  ==31147== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
  ==31147== Command: ../src/mscgen -T png -i ../../test/testinput0.msc -o testinput0.msc.png
  ==31147==
  ==31147== Invalid write of size 4
  ==31147==    at 0x4098400: fontFetch (gdft.c:1490)
  ==31147==    by 0x40979C0: gdCacheGet (gdcache.c:125)
  ==31147==    by 0x4098910: gdImageStringFTEx (gdft.c:890)
  ==31147==    by 0x40FC934: (below main) (libc-start.c:260)
  ==31147==  Address 0x4706c0c is 4 bytes before a block of size 16 free'd
  ==31147==    at 0x402AC08: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
  ==31147==    by 0x43E6E1A: FcPatternDestroy (in /usr/lib/i386-linux-gnu/libfontconfig.so.1.7.0)
  ==31147==    by 0x4098350: fontFetch (gdft.c:1472)
  ==31147==    by 0x40979C0: gdCacheGet (gdcache.c:125)
  ==31147==    by 0x4098910: gdImageStringFTEx (gdft.c:890)
  ==31147==    by 0x40FC934: (below main) (libc-start.c:260)
  ==31147==
  ==31147== Syscall param open(filename) points to uninitialised byte(s)
  ==31147==    at 0x41C2773: __open_nocancel (syscall-template.S:81)
  ==31147==    by 0x433A103: FT_Stream_Open (in /usr/lib/i386-linux-gnu/libfreetype.so.6.10.0)
  ==31147==    by 0x4340CE6: FT_Stream_New (in /usr/lib/i386-linux-gnu/libfreetype.so.6.10.0)
  ==31147==    by 0x4342EE6: FT_Open_Face (in /usr/lib/i386-linux-gnu/libfreetype.so.6.10.0)
  ==31147==    by 0x4706B47: ???
  ==31147==  Address 0x482c927 is 47 bytes inside a block of size 48 alloc'd
  ==31147==    at 0x40299A8: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
  ==31147==    by 0x409A16A: gdMalloc (gdhelpers.c:73)
  ==31147==    by 0x40983D2: fontFetch (gdft.c:1485)
  ==31147==    by 0x40979C0: gdCacheGet (gdcache.c:125)
  ==31147==    by 0x4098910: gdImageStringFTEx (gdft.c:890)
  ==31147==    by 0x40FC934: (below main) (libc-start.c:260)
  ==31147==
  ==31147== Conditional jump or move depends on uninitialised value(s)
  ==31147==    at 0x402F93C: strstr (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
  ==31147==    by 0x40982CC: fontFetch (gdft.c:512)
  ==31147==    by 0x40979C0: gdCacheGet (gdcache.c:125)
  ==31147==    by 0x4098910: gdImageStringFTEx (gdft.c:890)
  ==31147==    by 0x40FC934: (below main) (libc-start.c:260)
  ==31147==
  ==31147== Conditional jump or move depends on uninitialised value(s)
  ==31147==    at 0x402F93C: strstr (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
  ==31147==    by 0x40984B6: fontFetch (gdft.c:513)
  ==31147==    by 0x40979C0: gdCacheGet (gdcache.c:125)
  ==31147==    by 0x4098910: gdImageStringFTEx (gdft.c:890)
  ==31147==    by 0x40FC934: (below main) (libc-start.c:260)
  ==31147==
  ==31147==
  ==31147== HEAP SUMMARY:
  ==31147==     in use at exit: 97,032 bytes in 1,728 blocks
  ==31147==   total heap usage: 4,464 allocs, 2,736 frees, 2,116,808 bytes allocated
  ==31147==
  ==31147== LEAK SUMMARY:
  ==31147==    definitely lost: 128 bytes in 1 blocks
  ==31147==    indirectly lost: 20 bytes in 1 blocks
  ==31147==      possibly lost: 0 bytes in 0 blocks
  ==31147==    still reachable: 96,884 bytes in 1,726 blocks
  ==31147==         suppressed: 0 bytes in 0 blocks
  ==31147== Rerun with --leak-check=full to see details of leaked memory
  ==31147==
  ==31147== For counts of detected and suppressed errors, rerun with: -v
  ==31147== Use --track-origins=yes to see where uninitialised values come from
  ==31147== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 0 from 0)

I read the relevant line of code several times before I spotted the
mistake - it's an easy one to miss.  Patch follows.

  * Add missing pointer dereference in font_pattern (closes: #709050).

diff -Nru libgd2-2.1.0~rc1/debian/patches/font-pattern-pointer-deref.patch libgd2-2.1.0~rc1/debian/patches/font-pattern-pointer-deref.patch
--- libgd2-2.1.0~rc1/debian/patches/font-pattern-pointer-deref.patch	1970-01-01 01:00:00.000000000 +0100
+++ libgd2-2.1.0~rc1/debian/patches/font-pattern-pointer-deref.patch	2013-06-01 22:51:52.000000000 +0100
@@ -0,0 +1,18 @@
+Description: Add missing pointer dereference in font_pattern
+Author: Colin Watson <cjwatson at ubuntu.com>
+Bug-Debian: http://bugs.debian.org/709050
+Last-Update: 2013-06-01
+
+Index: b/src/gdft.c
+===================================================================
+--- a/src/gdft.c
++++ b/src/gdft.c
+@@ -1487,7 +1487,7 @@
+ 			return "could not alloc font path";
+ 		}
+ 		strncpy(*fontpath, (const char *)file, file_len);
+-		fontpath[file_len] = 0;
++		(*fontpath)[file_len] = 0;
+ 	}
+ 	FcPatternDestroy(font);
+ 
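Review bot: the one-character fix is right, but the hunk does not show the allocation two lines above it, so the bounds of the new terminator write have to be checked against the trace: the `Invalid write of size 4` at gdft.c:1490 is a pointer-sized store on i386 (the old `fontpath[file_len] = 0` stored a NULL `char *` file_len slots past the caller's variable rather than a NUL byte), while the 48-byte block allocated at gdft.c:1485 with byte 47 left uninitialised shows the buffer is `file_len + 1` bytes, so `(*fontpath)[file_len] = 0` lands on its last byte, in bounds. One small addition to the header: the change is to upstream `src/gdft.c`, so a DEP-3 `Forwarded:` line recording whether it has been sent upstream would save the next maintainer a lookup.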
diff -Nru libgd2-2.1.0~rc1/debian/patches/series libgd2-2.1.0~rc1/debian/patches/series
--- libgd2-2.1.0~rc1/debian/patches/series	2013-05-24 08:10:58.000000000 +0100
+++ libgd2-2.1.0~rc1/debian/patches/series	2013-06-01 22:39:37.000000000 +0100
@@ -1 +1,2 @@
 gdlib-config-uses-pkgconfig.patch
+font-pattern-pointer-deref.patch

Thanks,

-- 
Colin Watson                                       [cjwatson at ubuntu.com]
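The bug pattern in the patch above, as an added example that is not libgd code and not part of the original mail: a hypothetical `copy_path()` with the same out-parameter shape as `font_pattern` (`char **fontpath`, `strncpy` of `file_len` bytes into a `file_len + 1` buffer) is written once with the terminator through the wrong level of indirection and once with the dereference the patch adds. The caller's variable is placed in a small array of pointers (a constructed setup; in the real caller it is a single `char *`, so the same store is out of bounds) so that the misdirected NULL-pointer store is observable without undefined behaviour.

```c
/* Added example (not libgd code): the missing-dereference bug fixed in
 * gdft.c font_pattern(), reproduced in a hypothetical copy_path(). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Buggy shape. fontpath is char **, so fontpath[file_len] is the
 * file_len-th char* after the caller's variable; "= 0" stores a NULL
 * pointer there (a pointer-sized write, 4 bytes on i386) and the new
 * string is never NUL-terminated, because strncpy does not do it. */
int copy_path_buggy(char **fontpath, const char *file, size_t file_len)
{
    *fontpath = malloc(file_len + 1);
    if (*fontpath == NULL)
        return -1;
    strncpy(*fontpath, file, file_len);   /* copies file_len bytes, no NUL */
    fontpath[file_len] = 0;               /* BUG: wrong object written */
    return 0;
}

/* Fixed shape: dereference first, then index into the new buffer, so the
 * NUL byte lands at offset file_len, the last byte of the allocation. */
int copy_path_fixed(char **fontpath, const char *file, size_t file_len)
{
    *fontpath = malloc(file_len + 1);
    if (*fontpath == NULL)
        return -1;
    strncpy(*fontpath, file, file_len);
    (*fontpath)[file_len] = 0;            /* terminator inside the buffer */
    return 0;
}

/* Returns 1 if the buggy version overwrote the neighbouring pointer slot
 * (slots[file_len]) with NULL while leaving the slot after it intact. */
int demo_buggy_clobbers_neighbour(void)
{
    char sentinel;
    char *slots[8];                       /* constructed: caller's variable is slots[0] */
    const char *file = "/a/bc";           /* constructed input, file_len = 5 */
    size_t file_len = strlen(file);
    int clobbered;

    for (size_t i = 0; i < 8; i++)
        slots[i] = &sentinel;
    if (copy_path_buggy(&slots[0], file, file_len) != 0)
        return -1;
    clobbered = (slots[file_len] == NULL) && (slots[file_len + 1] == &sentinel);
    /* slots[0] has no terminator: reading it as a string would be the
     * "uninitialised byte(s)" error from the valgrind trace, so only free it. */
    free(slots[0]);
    return clobbered;
}

/* Returns 1 if the fixed version produced an exact, NUL-terminated copy
 * and touched nothing outside the new buffer. */
int demo_fixed_terminates(void)
{
    char sentinel;
    char *slots[8];
    const char *file = "/a/bc";
    size_t file_len = strlen(file);
    int ok;

    for (size_t i = 0; i < 8; i++)
        slots[i] = &sentinel;
    if (copy_path_fixed(&slots[0], file, file_len) != 0)
        return -1;
    ok = strlen(slots[0]) == file_len && strcmp(slots[0], file) == 0
         && slots[file_len] == &sentinel;
    free(slots[0]);
    return ok;
}

int main(void)
{
    printf("buggy clobbers neighbour: %d\n", demo_buggy_clobbers_neighbour());
    printf("fixed terminates in place: %d\n", demo_fixed_terminates());
    return 0;
}
```

Both functions compile cleanly because `0` is a valid null pointer constant, which is exactly why the compiler cannot catch the original mistake; valgrind (or ASan) on the caller is what exposes it, as in the trace above.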



More information about the pkg-GD-devel mailing list