librsvg crashes with SIGSEGV when opening broken SVG file

StacktraceTop:
 rsvg_paint_server_parse (inherit=0x8efd674, defs=0x8d655e0,
 rsvg_parse_style_pair (ctx=<value optimized out>,
 rsvg_parse_style (ctx=0x8ee1418, state=0x8efd600,
 rsvg_parse_style_attrs (ctx=0x8ee1418, state=0x8efd600,
 rsvg_node_group_set_atts (self=0x8a89e40, ctx=0x8ee1418,

Additional information: the issue also occurs when trying to open other files than the zip file mentioned and it also happens when I wait until Nautilus is ready before double-clicking on a file.

More additional info: when logging out after the crash, a window appears advising that the file manager is not responding and asking whether I want to log out anywyay. Forcing the logout and logging back in again does not seem to resolve the problem: Nautilus either hangs or crashes when double-cliking on a file in the Downloads directory. Other directories seem to be unaffected by the problem.

Some more additional info: restarting the computer doesn't seem to solve the problem. Nautilus now hangs whenever I try to do any action in the Downloads directory (open file, delete file, etc.)

that's a librsvg crash, could you attach the svgs to the report? thanks.

@Pedro: if I open that folder using Firefox to upload the file, it crashes Firefox in the same way (presumably because the open file dialog uses the same widget). Is there a command line way to attach a file?

could you compress those maybe and then attach it? it's crashing at a svg so it's just a matter to compress the folder.

@Pedro: please find attached an archive containing all the SVG files present in my Downloads folder.

After some investigation, it appears that this is due to a very broken SVG file. The library should be robust enough to deal with that. I created a test case in Vala that reproduces the problem with minimum amount of code. In order to build and run this test case, do the following (you will need the Vala compiler for this):

tar zxvf test-608026.tgz
valac -g --pkg librsvg-2.0 test-608026.vala
./test-608026

And after running the test case in gdb, here is the patch to librsvg that resolves the issue. It adds a test for NULL pointer in rsvg_paint_server_parse.

@Brian: should I forward the bug and patch upstream?

> should I forward the bug and patch upstream?

Thank you for your work there, that would be useful yes

This bug was fixed in the package librsvg - 2.26.3-2ubuntu1

---------------
librsvg (2.26.3-2ubuntu1) maverick; urgency=low

  * debian/patches/no_null_crash.patch:
    - don't crash on corrupted images, thanks Bruno Girin (lp: #608026)
 -- Sebastien Bacher <email address hidden> Tue, 10 Aug 2010 16:59:03 +0200

Forwarded the bug and patch upstream.

I would suggest an SRU for Lucid to fix this bug there as well.

Impact of the bug:
Browsing a directory that contains an SVG file with empty style attributes causes the application to crash. This happens with Nautilus or any application that uses the GTK open file dialog (e.g. Firefox). So this can potentially affect a large number of users.

How the bug has been addressed:
The patch is trivial and adds a check for NULL to the line in rsvg_paint_server_parse that checks the validity of input parameters.

Detailed instruction on how to test this bug are in comment #12.

The potential for regression is very low as the only added code is a sanity check of input parameters.

Thanks for your interest Bruno, would be nice to have upstream reviewing the change before having it applied to the stable serie though

@Sebastien: I agree with you, it would be nice. I just updated the upstream bug to make it more obvious that there's a patch attached to it so hopefully upstream will pick it up.

I just upgraded to Maverick beta and the bug has come back because Maverick now uses version 2.31 of librsvg so the patch needs to be applied to that new version.

Could be fixed by http://git.gnome.org/browse/librsvg/commit/?id=197a8fe3b15d01893ab0d1cd64e23dfeb7ca75a9

bug #701820 could be a similar issue

Since apparently this regressed back into maverick it would be nice to know the status of this ticket for oneiric, affected or not?

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".