
Eraser tool operating on LPE item crashes

Summary:

Crash trying to use eraser tool on a rect with LPE Tiling effect.

Steps to reproduce:

  • open Inkscape
  • draw rectangle
  • apply Tiling LPE
  • activate eraser tool
  • draw over the rect

What happened?

heap-use-after-free

What should have happened?

Sample attachments:

==30285==ERROR: AddressSanitizer: heap-use-after-free on address 0x000136736700 at pc 0x000109289260 bp 0x00016bc7c1d0 sp 0x00016bc7c1c8
READ of size 8 at 0x000136736700 thread T0
    #0 0x10928925c in Inkscape::UI::Tools::EraserTool::_booleanErase(Inkscape::UI::Tools::EraseTarget, bool) eraser-tool.cpp:793
    #1 0x1092868c8 in Inkscape::UI::Tools::EraserTool::_cutErase(Inkscape::UI::Tools::EraseTarget, bool) eraser-tool.cpp:670
    #2 0x109282170 in Inkscape::UI::Tools::EraserTool::_doWork() eraser-tool.cpp:633
    #3 0x10927c75c in Inkscape::UI::Tools::EraserTool::root_handler(Inkscape::CanvasEvent const&) eraser-tool.cpp:346
    #4 0x1093aee14 in Inkscape::UI::Tools::ToolBase::tool_root_handler(Inkscape::CanvasEvent const&) tool-base.cpp:1282
    #5 0x109daf820 in sp_desktop_root_handler(Inkscape::CanvasEvent const&, SPDesktop*) desktop-events.cpp:81
    #6 0x1085acdd8 in sigc::internal::signal_emit1<bool, Inkscape::CanvasEvent const&, sigc::nil>::emit(sigc::internal::signal_impl*, Inkscape::CanvasEvent const&) signal.h:948
    #7 0x109996374 in Inkscape::UI::Widget::CanvasPrivate::emit_event(Inkscape::CanvasEvent&) canvas.cpp:1451
    #8 0x109997040 in Inkscape::UI::Widget::CanvasPrivate::process_event(Inkscape::CanvasEvent&) canvas.cpp:1230
    #9 0x109968788 in Inkscape::UI::Widget::Canvas::on_button_released(Gtk::GestureMultiPress const&, int, double, double) canvas.cpp:1018

Freed by:

0x000136736700 is located 128 bytes inside of 1056-byte region [0x000136736680,0x000136736aa0)
freed by thread T0 here:
    #0 0x107579bcc in wrap__ZdlPv+0x74 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x61bcc)
    #1 0x108e5081c in SPObject::deleteObject(bool, bool) sp-object.cpp:519
    #2 0x108ddbb68 in sp_lpe_item_cleanup_original_path_recursive(SPLPEItem*, bool, bool, bool) sp-lpe-item.cpp:591
    #3 0x108ddcb04 in SPLPEItem::removeAllPathEffects(bool, bool) sp-lpe-item.cpp:780
    #4 0x109f3af10 in Inkscape::ObjectSet::removeLPESRecursive(bool) selection-chemistry.cpp:2959
    #5 0x109288af0 in Inkscape::UI::Tools::EraserTool::_booleanErase(Inkscape::UI::Tools::EraseTarget, bool) eraser-tool.cpp:791
    #6 0x1092868c8 in Inkscape::UI::Tools::EraserTool::_cutErase(Inkscape::UI::Tools::EraseTarget, bool) eraser-tool.cpp:670
    #7 0x109282170 in Inkscape::UI::Tools::EraserTool::_doWork() eraser-tool.cpp:633
    #8 0x10927c75c in Inkscape::UI::Tools::EraserTool::root_handler(Inkscape::CanvasEvent const&) eraser-tool.cpp:346
    #9 0x1093aee14 in Inkscape::UI::Tools::ToolBase::tool_root_handler(Inkscape::CanvasEvent const&) tool-base.cpp:1282
    #10 0x109daf820 in sp_desktop_root_handler(Inkscape::CanvasEvent const&, SPDesktop*) desktop-events.cpp:81
    #11 0x1085acdd8 in sigc::internal::signal_emit1<bool, Inkscape::CanvasEvent const&, sigc::nil>::emit(sigc::internal::signal_impl*, Inkscape::CanvasEvent const&) signal.h:948
    #12 0x109996374 in Inkscape::UI::Widget::CanvasPrivate::emit_event(Inkscape::CanvasEvent&) canvas.cpp:1451
    #13 0x109997040 in Inkscape::UI::Widget::CanvasPrivate::process_event(Inkscape::CanvasEvent&) canvas.cpp:1230
    #14 0x109968788 in Inkscape::UI::Widget::Canvas::on_button_released(Gtk::GestureMultiPress const&, int, double, double) canvas.cpp:1018

Version info

Inkscape 1.4-dev (ab1558a000, 2024-03-09, custom)

This bug may or may not be related to other eraser incidents reported here, but it is always reproducible, so easier to diagnose.
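
A triage aid for the report above, added here as an example and not part of the original report or of Inkscape's code: it parses the AddressSanitizer access and free stacks and finds the frame where they split, which shows whether a single function released the object and then read it. The names `parse_stacks` and `free_then_use` are hypothetical, and the embedded sample is an excerpt of the trace above.

```python
import re

# Sample input: excerpt of the report above, trimmed to the frames around the eraser tool.
REPORT = """\
==30285==ERROR: AddressSanitizer: heap-use-after-free on address 0x000136736700 at pc 0x000109289260 bp 0x00016bc7c1d0 sp 0x00016bc7c1c8
READ of size 8 at 0x000136736700 thread T0
    #0 0x10928925c in Inkscape::UI::Tools::EraserTool::_booleanErase(Inkscape::UI::Tools::EraseTarget, bool) eraser-tool.cpp:793
    #1 0x1092868c8 in Inkscape::UI::Tools::EraserTool::_cutErase(Inkscape::UI::Tools::EraseTarget, bool) eraser-tool.cpp:670
freed by thread T0 here:
    #0 0x107579bcc in wrap__ZdlPv+0x74 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x61bcc)
    #1 0x108e5081c in SPObject::deleteObject(bool, bool) sp-object.cpp:519
    #2 0x108ddbb68 in sp_lpe_item_cleanup_original_path_recursive(SPLPEItem*, bool, bool, bool) sp-lpe-item.cpp:591
    #3 0x108ddcb04 in SPLPEItem::removeAllPathEffects(bool, bool) sp-lpe-item.cpp:780
    #4 0x109f3af10 in Inkscape::ObjectSet::removeLPESRecursive(bool) selection-chemistry.cpp:2959
    #5 0x109288af0 in Inkscape::UI::Tools::EraserTool::_booleanErase(Inkscape::UI::Tools::EraseTarget, bool) eraser-tool.cpp:791
    #6 0x1092868c8 in Inkscape::UI::Tools::EraserTool::_cutErase(Inkscape::UI::Tools::EraseTarget, bool) eraser-tool.cpp:670
"""

FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>.+) (?P<file>\S+):(?P<line>\d+)$")
HEADERS = {"access": re.compile(r"(READ|WRITE) of size"), "free": re.compile(r"freed by thread"),
           "alloc": re.compile(r"previously allocated by thread")}

def parse_stacks(report):
    """Return {section: [(func, file, line), ...]} with the innermost frame first."""
    stacks, current = {}, None
    for raw in report.splitlines():
        for name, header in HEADERS.items():
            if header.match(raw.strip()):
                current, stacks[name] = name, []
        m = FRAME.match(raw)
        if m and current:  # frames without file:line (the ASan interceptor) are skipped
            stacks[current].append((m["func"], m["file"], int(m["line"])))
    return stacks

def free_then_use(stacks):
    """Return (func, file, free_line, use_line) where the two stacks split, or None.

    Both stacks are walked from the outermost caller inward and are assumed
    to end at the same outermost frame, as they do in this report.
    """
    access, free = stacks.get("access", []), stacks.get("free", [])
    for a, f in zip(reversed(access), reversed(free)):
        if a != f:
            # Same function, different line: it released the object, then read it.
            return (a[0], a[1], f[2], a[2]) if a[:2] == f[:2] else None
    return None

if __name__ == "__main__":
    print(free_then_use(parse_stacks(REPORT)))
```

On this trace the split lands in `_booleanErase`: the free path leaves from eraser-tool.cpp:791 and the read happens at eraser-tool.cpp:793, so the pointer being read was captured before the call that removes the path effects.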