Package: graphviz
Version: 2.20.2-3
Severity: important

Running the following command causes a segfault in dot:

dot -Tps -v -Gnslimit=0.1 patata5.dot

I've recompiled the Debian package without optimization and with
debugging turned on. Gdb gives the following backtrace:

#0  0xb7ce0c33 in make_regular_edge (sp=0xbfddc094, P=0x9777b30, 
edges=0x8c1f4c8, ind=3505, cnt=1, et=8) at dotsplines.c:1448
#1  0xb7cdcba2 in _dot_splines (g=0x88e68a8, normalize=1) at dotsplines.c:396
#2  0xb7cdcdac in dot_splines (g=0x88e68a8) at dotsplines.c:448
#3  0xb7cd25ce in dot_layout (g=0x88e68a8) at dotinit.c:212
#4  0xb7f366dd in gvLayoutJobs (gvc=0x88d97b0, g=0x88e68a8) at gvlayout.c:69
#5  0x08048a3f in main (argc=5, argv=0xbfddc384) at dot.c:180

Running the command inside valgrind causes a read error:

==9030== Invalid read of size 4
==9030==    at 0x46D9C33: make_regular_edge (dotsplines.c:1448)
==9030==    by 0x46D5BA1: _dot_splines (dotsplines.c:396)
==9030==    by 0x46D5DAB: dot_splines (dotsplines.c:448)
==9030==    by 0x46CB5CD: dot_layout (dotinit.c:212)
==9030==    by 0x405D6DC: gvLayoutJobs (gvlayout.c:69)
==9030==    by 0x8048A3E: main (dot.c:180)
==9030==  Address 0x36c is not stack'd, malloc'd or (recently) free'd

The relevant code lines are:

1447                for (i = 0; i < pn; i++)
1448                    points[pointn++] = ps[i];

At the time it crashes ps=0x318, pointn=1153 and i=10. Looks like the
points array is not big enough and is overlapping the memory used for
storing the address of ps:

(gdb) print &ps
$3 = (point **) 0xbeb06128
(gdb) print &points[pointn-1]
$4 = (point *) 0xbeb06124

BTW, sizeof(point)=8, so the previous iteration actually overwrites the
ps variable.


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages graphviz depends on:
ii  libc6                  2.7-16            GNU C Library: Shared libraries
ii  libexpat1              2.0.1-4           XML parsing C library - runtime li
ii  libgd2-noxpm           2.0.36~rc1~dfsg-3 GD Graphics Library version 2 (wit
ii  libgraphviz4           2.20.2-3          rich set of graph drawing tools
ii  libx11-6               2:1.1.5-2         X11 client-side library
ii  libxaw7                2:1.0.4-2         X11 Athena Widget library
hi  libxmu6                2:1.0.4-1         X11 miscellaneous utility library
hi  libxt6                 1:1.0.5-3         X11 toolkit intrinsics library

Versions of packages graphviz recommends:
ii  ttf-liberation                1.04.92-1  Free fonts with the same metrics a

Versions of packages graphviz suggests:
ii  graphviz-doc  2.20.2-3                   additional documentation for graph
ii  gsfonts       1:8.11+urwcyr1.0.7~pre44-3 Fonts for the Ghostscript interpre

-- no debconf information

Attachment: patata5.dot.gz
Description: GNU Zip compressed data
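The crash described above is a fixed-size stack array (points) being filled past its end by an unchecked copy loop, so that the next write lands on the neighbouring local ps. The following is an added example, not code from the bug report or from graphviz, showing the two usual ways to close that class of bug in C: a bounded append that refuses splines that do not fit (and leaves the counter and buffer untouched), and a growable buffer that reallocates instead of overflowing. The point type, MAX_POINTS and the function names are assumptions made for the example; MAX_POINTS is kept small so the rejection path is exercised.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the layout engine's point type (assumed, not graphviz's own). */
typedef struct { int x, y; } point;

/* Deliberately tiny capacity so the overflow path is reachable in a test. */
#define MAX_POINTS 8

/* Safe counterpart of the unchecked `points[pointn++] = ps[i]` loop.
 * Returns 0 on success, -1 if the pn points would not fit in cap slots.
 * The check is written so that *pointn + pn cannot wrap around, and on
 * failure neither the buffer nor *pointn is modified. */
int append_points_checked(point *points, size_t cap, size_t *pointn,
                          const point *ps, size_t pn)
{
    if (pn > cap || *pointn > cap - pn)
        return -1;
    for (size_t i = 0; i < pn; i++)
        points[(*pointn)++] = ps[i];
    return 0;
}

/* Growable alternative: doubles capacity instead of failing. */
typedef struct { point *data; size_t len, cap; } point_vec;

int point_vec_append(point_vec *v, const point *ps, size_t pn)
{
    if (pn > SIZE_MAX - v->len)
        return -1;                         /* len + pn would overflow */
    if (v->len + pn > v->cap) {
        size_t ncap = v->cap ? v->cap : 16;
        while (ncap < v->len + pn) {
            if (ncap > SIZE_MAX / 2)
                return -1;
            ncap *= 2;
        }
        if (ncap > SIZE_MAX / sizeof(point))
            return -1;                     /* byte count would overflow */
        point *nd = realloc(v->data, ncap * sizeof *nd);
        if (!nd)
            return -1;                     /* old buffer still valid */
        v->data = nd;
        v->cap = ncap;
    }
    memcpy(v->data + v->len, ps, pn * sizeof *ps);
    v->len += pn;
    return 0;
}

void point_vec_free(point_vec *v)
{
    free(v->data);
    v->data = NULL;
    v->len = v->cap = 0;
}

/* Returns 1 if a spline of MAX_POINTS+2 points is rejected and the
 * buffer and counter are left exactly as they were. */
int test_fixed_rejects_oversized(void)
{
    point buf[MAX_POINTS];
    point spline[MAX_POINTS + 2];          /* constructed input: 10 points */
    size_t n = 1;
    buf[0].x = 7; buf[0].y = 7;
    for (size_t i = 0; i < MAX_POINTS + 2; i++) {
        spline[i].x = (int)i;
        spline[i].y = -(int)i;
    }
    int rc = append_points_checked(buf, MAX_POINTS, &n, spline, MAX_POINTS + 2);
    return rc == -1 && n == 1 && buf[0].x == 7;
}

/* Returns 1 if two 4-point splines fit, a third is rejected, and the
 * counter stops exactly at MAX_POINTS. */
int test_fixed_accepts_fitting(void)
{
    point buf[MAX_POINTS];
    point spline[4];                       /* constructed input */
    size_t n = 0;
    for (size_t i = 0; i < 4; i++) {
        spline[i].x = (int)i;
        spline[i].y = 2 * (int)i;
    }
    if (append_points_checked(buf, MAX_POINTS, &n, spline, 4) != 0) return 0;
    if (append_points_checked(buf, MAX_POINTS, &n, spline, 4) != 0) return 0;
    if (append_points_checked(buf, MAX_POINTS, &n, spline, 4) != -1) return 0;
    return n == MAX_POINTS && buf[7].y == 6;
}

/* Appends n_splines splines of `per` points each into a growable buffer
 * and returns the total count, or -1 on any failure. */
long test_growable_total(size_t n_splines, size_t per)
{
    point spline[16];                      /* constructed input */
    if (per > 16) return -1;
    for (size_t i = 0; i < per; i++) { spline[i].x = (int)i; spline[i].y = 0; }
    point_vec v = {0};
    for (size_t s = 0; s < n_splines; s++) {
        if (point_vec_append(&v, spline, per) != 0) { point_vec_free(&v); return -1; }
    }
    long total = (long)v.len;
    int last_ok = v.len > 0 && v.data[v.len - 1].x == (int)(per - 1);
    point_vec_free(&v);
    return last_ok ? total : -1;
}

int main(void)
{
    printf("oversized rejected: %d\n", test_fixed_rejects_oversized());
    printf("fitting accepted:   %d\n", test_fixed_accepts_fitting());
    printf("growable total:     %ld\n", test_growable_total(200, 10));
    return 0;
}
```

Building with -fsanitize=address (or running under valgrind, as the report does) makes the unchecked version fail loudly at the first out-of-bounds write instead of silently clobbering ps and faulting later at a misleading address such as 0x36c.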
