[cairo-bugs] [Bug 17212] New: cairo_surface_write_to_png_stream will segfault with >= libpng-1.2.30

bugzilla-daemon at freedesktop.org
Tue Aug 19 14:50:08 PDT 2008


           Summary: cairo_surface_write_to_png_stream will segfault with >= libpng-1.2.30
           Product: cairo
           Version: 1.7.5
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: critical
          Priority: medium
         Component: png functions
        AssignedTo: cworth at cworth.org
        ReportedBy: tetromino at gmail.com
         QAContact: cairo-bugs at cairographics.org

Created an attachment (id=18395)
 --> (http://bugs.freedesktop.org/attachment.cgi?id=18395)

Starting with libpng-1.2.30, in their infinite wisdom, the libpng developers
have changed the behavior of png_write_end(); now, it calls
png_ptr->output_flush_fn. In libpng-1.2.31, there will be a compile-time option
to turn this behavior off, but it looks like the default setting will be
with the flush. See


Now, why is this such a problem for cairo?

In write_png(), cairo calls png_set_write_fn (png, closure, write_func, NULL);
That NULL results in png->output_flush_fn being set to png's default flush
function - which is a wrapper around fflush(closure). And when we call
png_write via png_surface_write_to_png(), that is perfectly OK - because
closure is a FILE pointer. But if we are calling write_png() from
cairo_surface_write_to_png_stream(), closure is now a struct
png_write_closure_t pointer, and calling fflush on it results in spectacular

Consequently, we must actually set a dummy output_flush_fn to avoid
segfaulting. See attachment for the patch that does so.
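The failure mechanism described in the report, as an added example that is not cairo's or libpng's code: a small stand-in for libpng's write-callback machinery (names prefixed model_ are this example's own, with the real libpng equivalents noted in comments). It shows that a NULL flush function is only safe when the closure handed to png_set_write_fn is a FILE*, that a struct closure would otherwise get fflush()ed, and that installing a no-op flush callback is the fix. The unsafe path is detected rather than executed, since calling fflush on a non-FILE pointer is undefined behaviour.

```c
/* Added example (not cairo's or libpng's code): models png_set_write_fn(),
 * the default flush libpng installs for a NULL flush_fn, and the
 * png_write_end() flush introduced in libpng-1.2.30. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct model_png {
    void *io_ptr;                                   /* png_ptr->io_ptr */
    void (*write_fn)(struct model_png *, const unsigned char *, size_t);
    void (*output_flush_fn)(struct model_png *);    /* png_ptr->output_flush_fn */
} model_png;

/* What libpng installs when png_set_write_fn() receives a NULL flush_fn:
 * it assumes io_ptr is a FILE* and calls fflush() on it. */
static void model_default_flush(model_png *png) {
    fflush((FILE *)png->io_ptr);
}

/* Stand-in for png_set_write_fn(png, io_ptr, write_fn, flush_fn). */
static void model_png_set_write_fn(model_png *png, void *io_ptr,
        void (*write_fn)(model_png *, const unsigned char *, size_t),
        void (*flush_fn)(model_png *)) {
    png->io_ptr = io_ptr;
    png->write_fn = write_fn;
    png->output_flush_fn = flush_fn ? flush_fn : model_default_flush;
}

/* Stand-in for png_write_end() as of libpng-1.2.30: after the last chunk it
 * calls output_flush_fn. The IEND chunk below is constructed sample data. */
static void model_png_write_end(model_png *png) {
    static const unsigned char iend[] =
        {0, 0, 0, 0, 'I', 'E', 'N', 'D', 0xAE, 0x42, 0x60, 0x82};
    png->write_fn(png, iend, sizeof iend);
    png->output_flush_fn(png);
}

/* A stream closure in the spirit of cairo's png_write_closure_t: not a FILE*. */
typedef struct {
    unsigned char *buf;
    size_t len, cap;
    int flushes;
} stream_closure;

static void stream_write(model_png *png, const unsigned char *data, size_t n) {
    stream_closure *c = png->io_ptr;
    if (c->len + n > c->cap) {
        c->cap = (c->len + n) * 2;
        c->buf = realloc(c->buf, c->cap);
    }
    memcpy(c->buf + c->len, data, n);
    c->len += n;
}

/* The fix from the report: a flush callback that does nothing with the
 * closure (the counter exists only so the test can see it was called). */
static void stream_flush_noop(model_png *png) {
    ((stream_closure *)png->io_ptr)->flushes++;
}

static void file_write(model_png *png, const unsigned char *data, size_t n) {
    fwrite(data, 1, n, (FILE *)png->io_ptr);
}

/* Runs a stream write; returns -1 instead of calling the default flush on a
 * stream_closure, which is the crash of this bug. */
static int run_stream(int install_noop_flush, stream_closure *c) {
    model_png png;
    memset(c, 0, sizeof *c);
    model_png_set_write_fn(&png, c, stream_write,
                           install_noop_flush ? stream_flush_noop : NULL);
    if (png.output_flush_fn == model_default_flush)
        return -1;                     /* would fflush() a non-FILE pointer */
    model_png_write_end(&png);
    return 0;
}

/* Bytes written to the in-memory stream, or -1 if the setup was unsafe. */
long stream_bytes_written(int install_noop_flush) {
    stream_closure c;
    if (run_stream(install_noop_flush, &c) < 0) return -1;
    long n = (long)c.len;
    free(c.buf);
    return n;
}

/* How many times the no-op flush ran (1: png_write_end flushes once). */
int stream_flush_calls(int install_noop_flush) {
    stream_closure c;
    if (run_stream(install_noop_flush, &c) < 0) return -1;
    free(c.buf);
    return c.flushes;
}

/* The FILE* path: a NULL flush_fn is fine because io_ptr really is a FILE*. */
long file_bytes_written(void) {
    model_png png;
    FILE *fp = tmpfile();
    if (!fp) return -1;
    model_png_set_write_fn(&png, fp, file_write, NULL);
    model_png_write_end(&png);
    long n = ftell(fp);
    fclose(fp);
    return n;
}

int main(void) {
    printf("stream, NULL flush:  %ld\n", stream_bytes_written(0));
    printf("stream, no-op flush: %ld\n", stream_bytes_written(1));
    printf("FILE*, NULL flush:   %ld\n", file_bytes_written());
    return 0;
}
```

The pointer comparison in run_stream is a check the real libpng does not offer; it stands in for the segfault so the example can run. In real code the rule is simply: pass a flush callback to png_set_write_fn whenever the closure is not a FILE*.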
