
Crash on markers with gradient or mesh fill

Summary:

Inkscape 1.3-dev crashes on opening the "Fill and Stroke" dialog if a marker has a gradient or mesh fill (fill only); if the stroke of a marker is a gradient or mesh, there is no crash.

Inkscape 1.2.2 doesn't crash.

Steps to reproduce:

  • open Inkscape 1.3-dev
  • draw a rectangle
  • apply gradient or mesh fill to it
  • convert object to marker: Object -> Objects to Marker
  • open "Fill and Stroke"
  • crash

What happened?

Crash due to memory segmentation violation (segfault).

backtrace.txt

In the backtrace, the most interesting frame IMO is frame no. 3, the MarkerComboBox::create_marker_image() method. I have tried to debug it with only a hint of success.

In the function, the XML elements required for rendering a marker are copied from some source document to some _sandbox document. Then, if an element has url( in its fill CSS property, the linked element is copied too. If that linked element is an SPGradient and it has an href attribute, the href target element is copied too.

So, the crash happens when this href element is being gathered and it turns out that the SPObject *linkObj, cast to SPGradient, has nullptr in its linkObj->ref field. This null pointer is then dereferenced in frame no. 0, chase_hrefs(), at the p2 = p2->ref->getObject(); line, without a check. But even if you add the check and return nullptr from chase_hrefs(), its caller, SPGradient::getVector(), will return this, and then in frame no. 3 the linkObj->repr field is requested with the SPObject::getRepr() method, and that repr field also turns out to be nullptr.

In the MarkerComboBox::create_marker_image() there is some magic with the _sandbox and objects deletion which I don't understand. Probably something is not being deleted properly. I don't know.

I have tried to check for nullptr in chase_hrefs() (if (p2->ref == nullptr) { return nullptr; }) and in MarkerComboBox::create_marker_image() (if (vector && vector->getRepr()) ...), but then in the "Fill and Stroke" dialog a marker is rendered only for the "start marker" combo, and even if you try to assign it to an object, nothing is shown on the canvas.

Link to current MarkerComboBox::create_marker_image(): https://gitlab.com/inkscape/inkscape/-/blob/master/src/ui/widget/marker-combo-box.cpp#L793

I have not compared 1.3 and 1.2.2 sources in detail, but at first glance there are no significant changes in affected files.

Version info

Inkscape 1.3-dev on Linux
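A hypothetical C++ model of the href walk described in the report above, added here as an illustration; it is not code from Inkscape or from the reporter. The types (XmlNode, GradientRef, Gradient), the function names and the "released object" state (ref and repr both null on the object that the walk ends on) are assumptions that mirror the description in the report. It shows a chase that returns nullptr for a missing ref or a reference cycle instead of dereferencing null, and a caller that checks both the returned object and its repr before using it, so the copier skips the linked gradient rather than crashing. It does not address the rendering regression the reporter saw after adding null checks; that depends on why the sandbox object was released, which the report leaves open.

```cpp
#include <cassert>
#include <cstddef>
#include <string>

// Hypothetical stand-ins for the XML node, the href reference and the gradient
// object.  They model the shape of the crash in the report, not Inkscape's types.
struct XmlNode { std::string id; };
struct Gradient;

struct GradientRef {
    Gradient *target = nullptr;               // null when this gradient is the end of the chain
    Gradient *getObject() const { return target; }
};

struct Gradient {
    XmlNode *repr = nullptr;                  // backing XML element; null once the object is detached
    GradientRef *ref = nullptr;               // href link; null once the object has been released
    XmlNode *getRepr() const { return repr; }
};

// Follow href links to the vector gradient.  Unlike an unchecked
// `p2 = p2->ref->getObject()` loop, a missing ref (a released object) or a
// reference cycle yields nullptr rather than a null dereference.
const Gradient *chase_hrefs_guarded(const Gradient *g, std::size_t max_depth = 64)
{
    const Gradient *p = g;
    for (std::size_t depth = 0; p != nullptr && depth < max_depth; ++depth) {
        if (p->ref == nullptr) {
            return nullptr;                   // released object: never hand it back as a vector
        }
        const Gradient *next = p->ref->getObject();
        if (next == nullptr) {
            return p;                         // end of chain: p is the vector
        }
        p = next;
    }
    return nullptr;                           // cycle or overlong chain
}

// What a caller that copies elements into a sandbox needs: the vector's XML
// node, or nullptr if either the vector or its repr is gone.  nullptr means
// "skip copying the linked gradient", not "dereference and crash".
const XmlNode *vector_repr(const Gradient *g)
{
    const Gradient *v = chase_hrefs_guarded(g);
    if (v == nullptr || v->getRepr() == nullptr) {
        return nullptr;
    }
    return v->getRepr();
}

// Constructed scenarios, one per failure mode, so each can be checked alone.
bool intact_chain_resolves()
{
    XmlNode nodeA{"gradA"}, nodeB{"gradB"};
    GradientRef refB;                         // gradB has no href target: it is the vector
    Gradient gradB{&nodeB, &refB};
    GradientRef refA{&gradB};
    Gradient gradA{&nodeA, &refA};
    return vector_repr(&gradA) == &nodeB;
}

bool released_vector_is_skipped()
{
    XmlNode nodeA{"gradA"};
    Gradient gradB{nullptr, nullptr};         // the report's state: ref and repr both null
    GradientRef refA{&gradB};
    Gradient gradA{&nodeA, &refA};
    return vector_repr(&gradA) == nullptr;    // no crash, just nothing to copy
}

bool detached_repr_is_skipped()
{
    XmlNode nodeA{"gradA"};
    GradientRef refB;
    Gradient gradB{nullptr, &refB};           // object alive, XML node already detached
    GradientRef refA{&gradB};
    Gradient gradA{&nodeA, &refA};
    return vector_repr(&gradA) == nullptr;
}

bool cycle_terminates()
{
    XmlNode nodeA{"gradA"}, nodeB{"gradB"};
    Gradient gradA, gradB;
    GradientRef refA{&gradB}, refB{&gradA};   // gradA -> gradB -> gradA
    gradA = Gradient{&nodeA, &refA};
    gradB = Gradient{&nodeB, &refB};
    return vector_repr(&gradA) == nullptr;
}

int main()
{
    assert(intact_chain_resolves());
    assert(released_vector_is_skipped());
    assert(detached_repr_is_skipped());
    assert(cycle_terminates());
    return 0;
}
```

The point of the two-level check is the one the report makes: a null check inside the walk alone is not enough, because a caller that turns nullptr back into this (as getVector() is described doing) reintroduces the dereference one frame up, so the caller must also validate the repr it is about to copy.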