
#187 SEGV on read_arcobject()

fig2dev
Status: pending
Owner: nobody
Labels: None
Updated: 2025-04-10
Created: 2025-01-20
Private: No

Version: fig2dev 3.2.9a
System: Ubuntu 22.04

Use this command to reproduce: fig2dev -L pict2e ./poc

Message from valgrind:
==3013082== Memcheck, a memory error detector
==3013082== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==3013082== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
==3013082== Command: ./fig2dev -L pict2e ./bug_SEGV2
==3013082==
==3013082== Conditional jump or move depends on uninitialised value(s)
==3013082== at 0x13A0F7: read_arcobject (read1_3.c:177)
==3013082== by 0x13B0B7: read_1_3_objects (read1_3.c:118)
==3013082== by 0x14DFD6: readfp_fig (read.c:154)
==3013082== by 0x15248F: read_fig (read.c:124)
==3013082== by 0x118B1A: main (fig2dev.c:469)
==3013082==
==3013082== Conditional jump or move depends on uninitialised value(s)
==3013082== at 0x13A18A: read_arcobject (read1_3.c:177)
==3013082== by 0x13B0B7: read_1_3_objects (read1_3.c:118)
==3013082== by 0x14DFD6: readfp_fig (read.c:154)
==3013082== by 0x15248F: read_fig (read.c:124)
==3013082== by 0x118B1A: main (fig2dev.c:469)
==3013082==
\unitlength947257sp% 3946.9 sp = (1/1200) in
\begin{picture}(8,8)%(0,0)
\ifx\allinethickness\undefined
\def\XFigeepicthickness#1{\relax}
\else
\let\XFigeepicthickness\allinethickness
\fi
==3013082== Conditional jump or move depends on uninitialised value(s)
==3013082== at 0x1D5663: genpict2e_arc (genpict2e.c:2413)
==3013082== by 0x119683: gendev_objects (fig2dev.c:1038)
==3013082== by 0x119683: main (fig2dev.c:538)
==3013082==
==3013082== Conditional jump or move depends on uninitialised value(s)
==3013082== at 0x1D5DB0: genpict2e_arc (genpict2e.c:2451)
==3013082== by 0x119683: gendev_objects (fig2dev.c:1038)
==3013082== by 0x119683: main (fig2dev.c:538)
==3013082==
==3013082== Conditional jump or move depends on uninitialised value(s)
==3013082== at 0x1C9388: set_fillcolor (genpict2e.c:448)
==3013082== by 0x1D6CB5: genpict2e_arc (genpict2e.c:2452)
==3013082== by 0x119683: gendev_objects (fig2dev.c:1038)
==3013082== by 0x119683: main (fig2dev.c:538)
==3013082==
==3013082== Conditional jump or move depends on uninitialised value(s)
==3013082== at 0x1C93CB: set_fillcolor (genpict2e.c:452)
==3013082== by 0x1D6CB5: genpict2e_arc (genpict2e.c:2452)
==3013082== by 0x119683: gendev_objects (fig2dev.c:1038)
==3013082== by 0x119683: main (fig2dev.c:538)
==3013082==
==3013082== Conditional jump or move depends on uninitialised value(s)
==3013082== at 0x1C987B: set_fillcolor (genpict2e.c:464)
==3013082== by 0x1D6CB5: genpict2e_arc (genpict2e.c:2452)
==3013082== by 0x119683: gendev_objects (fig2dev.c:1038)
==3013082== by 0x119683: main (fig2dev.c:538)
==3013082==
==3013082== Conditional jump or move depends on uninitialised value(s)
==3013082== at 0x1C993B: set_fillcolor (genpict2e.c:479)
==3013082== by 0x1D6CB5: genpict2e_arc (genpict2e.c:2452)
==3013082== by 0x119683: gendev_objects (fig2dev.c:1038)
==3013082== by 0x119683: main (fig2dev.c:538)
==3013082==
==3013082== Conditional jump or move depends on uninitialised value(s)
==3013082== at 0x1C9BD6: set_fillcolor (genpict2e.c:487)
==3013082== by 0x1D6CB5: genpict2e_arc (genpict2e.c:2452)
==3013082== by 0x119683: gendev_objects (fig2dev.c:1038)
==3013082== by 0x119683: main (fig2dev.c:538)
==3013082==
==3013082== Conditional jump or move depends on uninitialised value(s)
==3013082== at 0x1CA145: set_fillcolor (genpict2e.c:488)
==3013082== by 0x1D6CB5: genpict2e_arc (genpict2e.c:2452)
==3013082== by 0x119683: gendev_objects (fig2dev.c:1038)
==3013082== by 0x119683: main (fig2dev.c:538)
==3013082==
{\color{white}
\circlearc[1]{4}{4}{1}{360}{90}\closepath\fillpath
==3013082== Invalid read of size 4
==3013082== at 0x1D4674: put_patternarc (genpict2e.c:2306)
==3013082== by 0x1D6EE4: genpict2e_arc (genpict2e.c:2473)
==3013082== by 0x119683: gendev_objects (fig2dev.c:1038)
==3013082== by 0x119683: main (fig2dev.c:538)
==3013082== Address 0x4 is not stack'd, malloc'd or (recently) free'd
==3013082==
==3013082==
==3013082== Process terminating with default action of signal 11 (SIGSEGV)
==3013082== Access not within mapped region at address 0x4
==3013082== at 0x1D4674: put_patternarc (genpict2e.c:2306)
==3013082== by 0x1D6EE4: genpict2e_arc (genpict2e.c:2473)
==3013082== by 0x119683: gendev_objects (fig2dev.c:1038)
==3013082== by 0x119683: main (fig2dev.c:538)
==3013082== If you believe this happened as a result of a stack
==3013082== overflow in your program's main thread (unlikely but
==3013082== possible), you can try to increase the size of the
==3013082== main thread stack using the --main-stacksize= flag.
==3013082== The main thread stack size used in this run was 8388608.
==3013082==
==3013082== HEAP SUMMARY:
==3013082== in use at exit: 5,435 bytes in 24 blocks
==3013082== total heap usage: 28 allocs, 4 frees, 12,408 bytes allocated
==3013082==
==3013082== LEAK SUMMARY:
==3013082== definitely lost: 128 bytes in 1 blocks
==3013082== indirectly lost: 16 bytes in 1 blocks
==3013082== possibly lost: 0 bytes in 0 blocks
==3013082== still reachable: 5,291 bytes in 22 blocks
==3013082== suppressed: 0 bytes in 0 blocks
==3013082== Rerun with --leak-check=full to see details of leaked memory
==3013082==
==3013082== Use --track-origins=yes to see where uninitialised values come from
==3013082== For lists of detected and suppressed errors, rerun with: -s
==3013082== ERROR SUMMARY: 11 errors from 11 contexts (suppressed: 0 from 0)
Segmentation fault

1 Attachments
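Reading the trace above as a triage note: the first two Memcheck messages come from read_arcobject (read1_3.c:177), so some field of the arc record is consulted before the reader ever set it; the same unset field then drives the branches in genpict2e_arc and set_fillcolor, and the run ends with "Invalid read of size 4 ... Address 0x4" in put_patternarc (genpict2e.c:2306). An address that small is not a wild pointer but a NULL base plus a 4-byte offset, i.e. a 4-byte field or element 1 of an int array read through a pointer that was never assigned. Valgrind's own hint applies: rerunning with --track-origins=yes names the allocation or stack frame the uninitialised value came from. The block below is an added illustration of that bug class and of the checks that stop it; it is not fig2dev's code, and the struct, the hatch table, the input format and every function name in it are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical arc record for the illustration; not fig2dev's F_arc. */
struct arc {
    int type;           /* 1 = open arc, 2 = pie wedge */
    int fill_style;     /* -1 = unfilled, 0 = solid, 1..N = hatch index */
    int fill_color;
    const int *pattern; /* hatch parameters, attached only for fill_style >= 1 */
};

/* Constructed hatch table: {angle, line spacing}. Index 0 is unused (solid). */
static const int hatch_table[][2] = { {0, 0}, {45, 2}, {135, 2}, {90, 1} };
#define HATCH_COUNT ((int)(sizeof hatch_table / sizeof hatch_table[0]))

/* The bug class behind the first two valgrind messages: sscanf's return
 * value is ignored, so a truncated line leaves fill_style and fill_color
 * holding whatever malloc() handed back. The first branch on such a field
 * is what Memcheck reports as "Conditional jump or move depends on
 * uninitialised value(s)". Kept only to contrast with the checked reader. */
static struct arc *read_arc_unchecked(const char *line)
{
    struct arc *a = malloc(sizeof *a);
    if (a == NULL)
        return NULL;
    sscanf(line, "%d %d %d", &a->type, &a->fill_style, &a->fill_color);
    a->pattern = (a->fill_style >= 1 && a->fill_style < HATCH_COUNT)
                     ? hatch_table[a->fill_style] : NULL;
    return a;
}

/* Hardened reader: every field must parse, values are range-checked before
 * they drive control flow, and the record is zero-initialised. Returns NULL
 * on any rejection so the caller can abort the conversion cleanly. */
static struct arc *read_arc_checked(const char *line)
{
    int type, fill_style, fill_color;
    if (sscanf(line, "%d %d %d", &type, &fill_style, &fill_color) != 3)
        return NULL;                                   /* short or malformed line */
    if ((type != 1 && type != 2) || fill_style < -1 || fill_style >= HATCH_COUNT)
        return NULL;                                   /* out-of-range field */
    struct arc *a = calloc(1, sizeof *a);
    if (a == NULL)
        return NULL;
    a->type = type;
    a->fill_style = fill_style;
    a->fill_color = fill_color;
    if (fill_style >= 1)
        a->pattern = hatch_table[fill_style];
    return a;
}

/* Generator step modelled on the crash site. Indexing pattern[1] through a
 * NULL pointer is a 4-byte read at address 0x4, the same signature as the
 * "Invalid read of size 4 ... Address 0x4" lines above. The NULL guard turns
 * that SEGV into an error return. Returns bytes written, 0 when there is
 * nothing to emit, -1 for an inconsistent record. */
static int emit_pattern_arc(const struct arc *a, char *out, size_t outsz)
{
    if (a->fill_style < 1)
        return 0;                                      /* unfilled or solid */
    if (a->pattern == NULL)
        return -1;                                     /* hatch requested, no table */
    return snprintf(out, outsz, "\\hatch{%d}{%d}{%d}",
                    a->pattern[0], a->pattern[1], a->fill_color);
}

int main(void)
{
    /* Constructed input lines: one complete record, one truncated one. */
    const char *good = "2 1 7", *truncated = "2";
    char buf[64];

    struct arc *a = read_arc_checked(good);
    if (a != NULL && emit_pattern_arc(a, buf, sizeof buf) > 0)
        printf("ok: %s\n", buf);
    free(a);

    if (read_arc_checked(truncated) == NULL)
        printf("rejected truncated record\n");
    return 0;
}
```

The two readers differ in three places a reviewer should look for in any format parser of this shape: the scanf count is compared against the number of fields expected, the parsed values are bounded before they select a table entry or a code path, and the record comes from calloc so that any field the parser did not fill is a known zero rather than stale heap contents. The guard in the emitter is defence in depth: with the checked reader it is never taken, but it converts a reader bug from a crash into a diagnosable error.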

Discussion

  • liuchenyifan

    liuchenyifan - 2025-01-20

    Use this command to reproduce: valgrind fig2dev -L pict2e ./poc

     
  • tkl

    tkl - 2025-04-10

    The issue was suppressed with commit [1e5515], and really resolved with [c4465e].

     

    Related

    Commit: [1e5515]
    Commit: [c4465e]

  • tkl

    tkl - 2025-04-10
    • status: open --> pending
     
