[cairo-bugs] [Bug 17212] New: cairo_surface_write_to_png_stream will segfault with >= libpng-1.2.30

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Tue Aug 19 14:50:08 PDT 2008


http://bugs.freedesktop.org/show_bug.cgi?id=17212

           Summary: cairo_surface_write_to_png_stream will segfault with
                    >=libpng-1.2.30
           Product: cairo
           Version: 1.7.5
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: critical
          Priority: medium
         Component: png functions
        AssignedTo: cworth at cworth.org
        ReportedBy: tetromino at gmail.com
         QAContact: cairo-bugs at cairographics.org


Created an attachment (id=18395)
 --> (http://bugs.freedesktop.org/attachment.cgi?id=18395)
cairo-1.6.4-flush-png.patch

Starting with libpng-1.2.30, in their infinite wisdom, the libpng developers
have changed the behavior of png_write_end(); now, it calls
png_ptr->output_flush_fn. In libpng-1.2.31, there will be a compile-time option
to turn off this behavior, but it looks like the default setting will be
with the flush. See

http://sourceforge.net/mailarchive/forum.php?thread_name=4ab4bbae0808190908y47c2f133w4fd3630f1e54b0fd%40mail.gmail.com&forum_name=png-mng-implement
and
http://sourceforge.net/mailarchive/forum.php?thread_name=e56ccc8f0808191245l318cef05mbed7a09ebb875c87%40mail.gmail.com&forum_name=png-mng-implement

Now, why is this such a problem for cairo?

In write_png(), cairo calls png_set_write_fn (png, closure, write_func, NULL);
That NULL results in png->output_flush_fn being set to png's default flush
function - which is a wrapper around fflush(closure). And when we call
png_write via png_surface_write_to_png(), that is perfectly OK - because
closure is a FILE pointer. But if we are calling write_png() from
cairo_surface_write_to_png_stream(), closure is now a struct
png_write_closure_t pointer, and calling fflush on it results in spectacular
segfaults.

Consequently, we must actually set a dummy output_flush_fn to avoid
segfaulting. See attachment for the patch that does so.
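The hazard described in this report, as an added C model that is not cairo's or libpng's code: a constructed stand-in for the png_set_write_fn() contract (a NULL flush callback silently selects a built-in flush that assumes the closure is a FILE*), a memory-backed closure in the spirit of cairo's png_write_closure_t, and the fix of always registering an explicit no-op flush for non-FILE closures. All type and function names below (writer_t, set_write_fn, mem_closure_t, mem_flush_noop and the rest) are constructed for the demonstration; only their shape mirrors the libpng API.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct writer writer_t;
typedef void (*write_fn_t)(writer_t *w, const unsigned char *data, size_t len);
typedef void (*flush_fn_t)(writer_t *w);

/* Constructed stand-in for png_struct: an opaque closure plus two callbacks. */
struct writer {
    void *io_ptr;
    write_fn_t write_fn;
    flush_fn_t flush_fn;
};

/* Stand-in for libpng's built-in flush: it treats io_ptr as a FILE*. */
static void default_flush(writer_t *w)
{
    fflush((FILE *)w->io_ptr);   /* undefined behaviour when io_ptr is not a FILE* */
}

/* Stand-in for png_set_write_fn(): a NULL flush silently selects default_flush. */
static void set_write_fn(writer_t *w, void *io_ptr, write_fn_t write, flush_fn_t flush)
{
    w->io_ptr = io_ptr;
    w->write_fn = write;
    w->flush_fn = flush ? flush : default_flush;
}

/* Stand-in for png_write_end() as of libpng 1.2.30: it now calls the flush callback. */
static void write_end(writer_t *w)
{
    w->flush_fn(w);
}

/* Memory-backed closure in the spirit of cairo's png_write_closure_t (constructed). */
typedef struct {
    unsigned char *buf;
    size_t len, cap;
} mem_closure_t;

static void mem_write(writer_t *w, const unsigned char *data, size_t len)
{
    mem_closure_t *c = (mem_closure_t *)w->io_ptr;
    if (c->len + len > c->cap) {
        size_t ncap = c->cap ? c->cap : 64;
        while (ncap < c->len + len)
            ncap *= 2;
        unsigned char *nbuf = realloc(c->buf, ncap);
        if (!nbuf)
            abort();
        c->buf = nbuf;
        c->cap = ncap;
    }
    memcpy(c->buf + c->len, data, len);
    c->len += len;
}

/* The fix from the report, modelled: an explicit no-op flush for non-FILE closures. */
static void mem_flush_noop(writer_t *w)
{
    (void)w;
}

/* 1 if this writer would hand a non-FILE closure to the FILE*-only default flush. */
int flush_is_unsafe(const writer_t *w)
{
    return w->flush_fn == default_flush;
}

/* Configure a writer over a memory closure. pass_null_flush reproduces the
 * original cairo call (NULL flush); otherwise the fixed call is modelled.
 * Returns whether the resulting configuration is the crashing one. */
int configure_and_check(int pass_null_flush)
{
    writer_t w;
    mem_closure_t c = {0, 0, 0};
    set_write_fn(&w, &c, mem_write, pass_null_flush ? NULL : mem_flush_noop);
    return flush_is_unsafe(&w);
}

/* Full safe path: write sample bytes, finish with write_end(), copy out the result. */
size_t stream_roundtrip(unsigned char *out, size_t outcap)
{
    writer_t w;
    mem_closure_t c = {0, 0, 0};
    static const unsigned char sample[] = "\x89PNG\r\n\x1a\n"; /* constructed: PNG signature */
    size_t n;

    set_write_fn(&w, &c, mem_write, mem_flush_noop);  /* never NULL for a non-FILE closure */
    w.write_fn(&w, sample, sizeof sample - 1);
    write_end(&w);                                     /* safe: reaches mem_flush_noop */
    n = c.len < outcap ? c.len : outcap;
    memcpy(out, c.buf, n);
    free(c.buf);
    return n;
}

/* 1 if the safe path delivered exactly the sample bytes to the memory closure. */
int stream_roundtrip_ok(void)
{
    unsigned char out[16];
    size_t n = stream_roundtrip(out, sizeof out);
    return n == 8 && memcmp(out, "\x89PNG\r\n\x1a\n", 8) == 0;
}

int main(void)
{
    printf("NULL flush + stream closure unsafe:  %d\n", configure_and_check(1));
    printf("no-op flush + stream closure unsafe: %d\n", configure_and_check(0));
    printf("safe stream round-trip ok:           %d\n", stream_roundtrip_ok());
    return 0;
}
```

The model never executes default_flush on the memory closure, since that is exactly the undefined behaviour the report describes; flush_is_unsafe() only inspects which callback got installed. The general rule it illustrates: when a library lets you pass NULL to fall back to a default callback, check what type that default assumes for the closure, and supply your own callback whenever your closure is anything else.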

