LibreOffice slideshow aborts with stack smashing in cairo's composite_boxes
[I had originally filed this issue as private/embargoed https://bugzilla.redhat.com/show_bug.cgi?id=1888040 "LibreOffice slideshow aborts with stack smashing in cairo's composite_boxes" in Red Hat bugzilla, but the Red Hat security team and I have now decided it is better to move it upstream here. @tcullum-rh from the Red Hat security team asks that you please give him viewing permissions on this issue.]
Attachment: crash.odp
On one Fedora 33 GNOME/Wayland machine with a 3840x2160 display and screen scale set to 175% (running cairo-1.16.0-9.fc33.x86_64 and pixman-0.40.0-2.fc33.x86_64), opening the attached crash.odp presentation in (any version of) LibreOffice and doing "Slide Show - Start from First Slide" (or pressing F5) aborts with
*** stack smashing detected ***: terminated
Thread 1 "soffice.bin" received signal SIGABRT, Aborted.
__GI_raise (sig=<optimized out>) at /usr/src/debug/glibc-2.32/sysdeps/unix/sysv/linux/raise.c:49
49 return ret;
(gdb) bt
#0 __GI_raise (sig=<optimized out>) at /usr/src/debug/glibc-2.32/sysdeps/unix/sysv/linux/raise.c:49
#1 0x00007ffff7cd18a4 in __GI_abort () at /usr/src/debug/glibc-2.32/stdlib/abort.c:79
#2 0x00007ffff7d2b127 in __libc_message (action=<optimized out>, fmt=<optimized out>) at /usr/src/debug/glibc-2.32/sysdeps/posix/libc_fatal.c:155
#3 0x00007ffff7dbc47a in __GI___fortify_fail (msg=0x7ffff7e3d91f "stack smashing detected") at /usr/src/debug/glibc-2.32/debug/fortify_fail.c:26
#4 0x00007ffff7dbc446 in __stack_chk_fail () at /usr/src/debug/glibc-2.32/debug/stack_chk_fail.c:24
#5 0x00007ffff0fd23f7 in composite_boxes (compositor=0x7ffff108a8c0 <spans>, extents=0x7fffffffc430, boxes=<optimized out>) at /usr/src/debug/cairo-1.16.0-9.fc33.x86_64/src/cairo-spans-compositor.c:745
#6 0xebebebebebebebeb in ()
#7 0xebebebebebebebeb in ()
#8 0xebebebebebebebeb in ()
#9 0xebebebebebebebeb in ()
#10 0xebebebebebebebeb in ()
#11 0xebebebebebebebeb in ()
#12 0xebebebebebebebeb in ()
#13 0xebebebebebebebeb in ()
#14 0xebebebebebebebeb in ()
#15 0xebebebebebebebeb in ()
#16 0xebebebebebebebeb in ()
#17 0xebebebebebebebeb in ()
#18 0xebebebebebebebeb in ()
#19 0xebebebebebebebeb in ()
#20 0xebebebebebebebeb in ()
#21 0xebebebebebebebeb in ()
#22 0xebebebebebebebeb in ()
#23 0xebebebebebebebeb in ()
#24 0xebebebebebebebeb in ()
#25 0xebebebebebebebeb in ()
#26 0xebebebebebebebeb in ()
#27 0xebebebebebebebeb in ()
#28 0xebebebebebebebeb in ()
#29 0xebebebebebebebeb in ()
#30 0xebebebebebebebeb in ()
#31 0xebebebebebebebeb in ()
#32 0xebebebebebebebeb in ()
#33 0xebebebebebebebeb in ()
#34 0xebebebebebebebeb in ()
#35 0xebebebebebebebeb in ()
#36 0xebebebebebebebeb in ()
#37 0xebebebebebebebeb in ()
#38 0xebebebebebebebeb in ()
#39 0xebebebebebebebeb in ()
#40 0xebebebebebebebeb in ()
#41 0xebebebebebebebeb in ()
#42 0x005aebebebebebeb in ()
#43 0x0000000300000000 in ()
#44 0x00007fffffffbd68 in ()
#45 0x00007fffffffbd60 in ()
#46 0x0100000000000000 in ()
#47 0x00007fffffffc010 in ()
#48 0x00007fffffffbd80 in ()
#49 0x00007fffffffbda0 in ()
#50 0x00007fffffffbdc0 in ()
#51 0x00007fffffffbde0 in ()
#52 0x00007ffff7d36600 in _int_malloc (av=0xebebebebebebebeb, bytes=24) at /usr/src/debug/glibc-2.32/malloc/malloc.c:3801
#53 0x0000000000000000 in ()
LibreOffice can be configured to use a bundled, built-from-source cairo-1.16.0.tar.xz instead of any system libcairo, and using that and building LibreOffice (recent master) with ASan, the above reproducer reveals
==1866574==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7feb53c3f040 at pc 0x0000002f4a4c bp 0x7ffc79a3a540 sp 0x7ffc79a39cf0
WRITE of size 4381 at 0x7feb53c3f040 thread T0
#0 in __asan_memset at ~/llvm/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:26:3 (instdir/program/soffice.bin +0x2f4a4b)
#1 in _inplace_src_spans at workdir/UnpackedTarball/cairo/src/cairo-image-compositor.c:2683:3 (instdir/program/libcairo.so.2 +0x6a8d2f)
#2 in generate_row at workdir/UnpackedTarball/cairo/src/cairo-rectangular-scan-converter.c:625:5 (instdir/program/libcairo.so.2 +0x8d6ac0)
#3 in generate_box at workdir/UnpackedTarball/cairo/src/cairo-rectangular-scan-converter.c:646:6 (instdir/program/libcairo.so.2 +0x8d1d04)
#4 in _cairo_rectangular_scan_converter_generate at workdir/UnpackedTarball/cairo/src/cairo-rectangular-scan-converter.c:673:9 (instdir/program/libcairo.so.2 +0x8d0ac8)
#5 in composite_boxes at workdir/UnpackedTarball/cairo/src/cairo-spans-compositor.c:741:11 (instdir/program/libcairo.so.2 +0x92cbd5)
#6 in clip_and_composite_boxes at workdir/UnpackedTarball/cairo/src/cairo-spans-compositor.c:887:14 (instdir/program/libcairo.so.2 +0x926686)
#7 in _cairo_spans_compositor_fill at workdir/UnpackedTarball/cairo/src/cairo-spans-compositor.c:1126:15 (instdir/program/libcairo.so.2 +0x922cd4)
#8 in _cairo_compositor_fill at workdir/UnpackedTarball/cairo/src/cairo-compositor.c:203:11 (instdir/program/libcairo.so.2 +0x5fc20c)
#9 in _cairo_image_surface_fill at workdir/UnpackedTarball/cairo/src/cairo-image-surface.c:994:12 (instdir/program/libcairo.so.2 +0x6ce26d)
#10 in _cairo_surface_fill at workdir/UnpackedTarball/cairo/src/cairo-surface.c:2422:14 (instdir/program/libcairo.so.2 +0x99bd3f)
#11 in _cairo_gstate_fill at workdir/UnpackedTarball/cairo/src/cairo-gstate.c:1312:15 (instdir/program/libcairo.so.2 +0x645daf)
#12 in _cairo_default_context_fill at workdir/UnpackedTarball/cairo/src/cairo-default-context.c:1055:14 (instdir/program/libcairo.so.2 +0x617f60)
#13 in cairo_fill at workdir/UnpackedTarball/cairo/src/cairo.c:2422:14 (instdir/program/libcairo.so.2 +0xa55bc0)
#14 in cairocanvas::doOperation(cairocanvas::Operation, _cairo*, com::sun::star::uno::Sequence<com::sun::star::rendering::Texture> const*, rtl::Reference<cairocanvas::SurfaceProvider> const&, basegfx::B2DRange const&) at canvas/source/cairo/cairo_canvashelper.cxx:530:29 (instdir/program/../program/libcairocanvaslo.so +0x339abc)
#15 in cairocanvas::doPolyPolygonImplementation(basegfx::B2DPolyPolygon const&, cairocanvas::Operation, _cairo*, com::sun::star::uno::Sequence<com::sun::star::rendering::Texture> const*, rtl::Reference<cairocanvas::SurfaceProvider> const&, com::sun::star::rendering::FillRule) at canvas/source/cairo/cairo_canvashelper.cxx:802:13 (instdir/program/../program/libcairocanvaslo.so +0x337713)
#16 in cairocanvas::CanvasHelper::doPolyPolygonPath(com::sun::star::uno::Reference<com::sun::star::rendering::XPolyPolygon2D> const&, cairocanvas::Operation, bool, com::sun::star::uno::Sequence<com::sun::star::rendering::Texture> const*) const at canvas/source/cairo/cairo_canvashelper.cxx:861:13 (instdir/program/../program/libcairocanvaslo.so +0x331511)
#17 in cairocanvas::CanvasHelper::fillTexturedPolyPolygon(com::sun::star::rendering::XCanvas const*, com::sun::star::uno::Reference<com::sun::star::rendering::XPolyPolygon2D> const&, com::sun::star::rendering::ViewState const&, com::sun::star::rendering::RenderState const&, com::sun::star::uno::Sequence<com::sun::star::rendering::Texture> const&) at canvas/source/cairo/cairo_canvashelper.cxx:1057:13 (instdir/program/../program/libcairocanvaslo.so +0x33ef22)
#18 in canvas::CanvasBase<cairocanvas::CanvasBitmapSpriteSurface_Base, cairocanvas::CanvasHelper, osl::Guard<osl::Mutex>, cppu::OWeakObject>::fillTexturedPolyPolygon(com::sun::star::uno::Reference<com::sun::star::rendering::XPolyPolygon2D> const&, com::sun::star::rendering::ViewState const&, com::sun::star::rendering::RenderState const&, com::sun::star::uno::Sequence<com::sun::star::rendering::Texture> const&) at canvas/inc/base/canvasbase.hxx:306:35 (instdir/program/../program/libcairocanvaslo.so +0x2ee91c)
#19 in non-virtual thunk to canvas::CanvasBase<cairocanvas::CanvasBitmapSpriteSurface_Base, cairocanvas::CanvasHelper, osl::Guard<osl::Mutex>, cppu::OWeakObject>::fillTexturedPolyPolygon(com::sun::star::uno::Reference<com::sun::star::rendering::XPolyPolygon2D> const&, com::sun::star::rendering::ViewState const&, com::sun::star::rendering::RenderState const&, com::sun::star::uno::Sequence<com::sun::star::rendering::Texture> const&) at canvas/inc/base/canvasbase.hxx (instdir/program/../program/libcairocanvaslo.so +0x2f6846)
#20 in cppcanvas::internal::(anonymous namespace)::TexturedPolyPolyAction::renderPrimitive(com::sun::star::uno::Reference<com::sun::star::rendering::XCachedPrimitive>&, basegfx::B2DHomMatrix const&) const at cppcanvas/source/mtfrenderer/polypolyaction.cxx:284:62 (instdir/program/libcppcanvaslo.so +0x320c4b)
#21 in cppcanvas::internal::CachedPrimitiveBase::render(basegfx::B2DHomMatrix const&) const at cppcanvas/source/mtfrenderer/cachedprimitivebase.cxx:76:20 (instdir/program/libcppcanvaslo.so +0x23b999)
#22 in cppcanvas::internal::(anonymous namespace)::ActionRenderer::operator()(cppcanvas::internal::ImplRenderer::MtfAction const&) at cppcanvas/source/mtfrenderer/implrenderer.cxx:2636:48 (instdir/program/libcppcanvaslo.so +0x296443)
#23 in cppcanvas::internal::(anonymous namespace)::ActionRenderer std::for_each<__gnu_debug::_Safe_iterator<__gnu_cxx::__normal_iterator<cppcanvas::internal::ImplRenderer::MtfAction const*, std::__cxx1998::vector<cppcanvas::internal::ImplRenderer::MtfAction, std::allocator<cppcanvas::internal::ImplRenderer::MtfAction> > >, std::__debug::vector<cppcanvas::internal::ImplRenderer::MtfAction, std::allocator<cppcanvas::internal::ImplRenderer::MtfAction> >, std::random_access_iterator_tag>, cppcanvas::internal::(anonymous namespace)::ActionRenderer>(__gnu_debug::_Safe_iterator<__gnu_cxx::__normal_iterator<cppcanvas::internal::ImplRenderer::MtfAction const*, std::__cxx1998::vector<cppcanvas::internal::ImplRenderer::MtfAction, std::allocator<cppcanvas::internal::ImplRenderer::MtfAction> > >, std::__debug::vector<cppcanvas::internal::ImplRenderer::MtfAction, std::allocator<cppcanvas::internal::ImplRenderer::MtfAction> >, std::random_access_iterator_tag>, __gnu_debug::_Safe_iterator<__gnu_cxx::__normal_iterator<cppcanvas::internal::ImplRenderer::MtfAction const*, std::__cxx1998::vector<cppcanvas::internal::ImplRenderer::MtfAction, std::allocator<cppcanvas::internal::ImplRenderer::MtfAction> > >, std::__debug::vector<cppcanvas::internal::ImplRenderer::MtfAction, std::allocator<cppcanvas::internal::ImplRenderer::MtfAction> >, std::random_access_iterator_tag>, cppcanvas::internal::(anonymous namespace)::ActionRenderer) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/11.0.0/../../../../include/c++/11.0.0/bits/stl_algo.h:3817:2 (instdir/program/libcppcanvaslo.so +0x2947ff)
#24 in cppcanvas::internal::ImplRenderer::draw() const at cppcanvas/source/mtfrenderer/implrenderer.cxx:3067:24 (instdir/program/libcppcanvaslo.so +0x2940ba)
#25 in slideshow::internal::ViewBackgroundShape::prefetch(std::shared_ptr<cppcanvas::Canvas> const&, std::shared_ptr<GDIMetaFile> const&) const at slideshow/source/engine/shapes/viewbackgroundshape.cxx:114:28 (instdir/program/../program/libslideshowlo.so +0x2488460)
#26 in slideshow::internal::ViewBackgroundShape::render(std::shared_ptr<GDIMetaFile> const&) const at slideshow/source/engine/shapes/viewbackgroundshape.cxx:148:18 (instdir/program/../program/libslideshowlo.so +0x248a98d)
#27 in slideshow::internal::(anonymous namespace)::BackgroundShape::addViewLayer(std::shared_ptr<slideshow::internal::ViewLayer> const&, bool) at slideshow/source/engine/shapes/backgroundshape.cxx:175:38 (instdir/program/../program/libslideshowlo.so +0x2277802)
#28 in slideshow::internal::LayerManager::renderTo(std::shared_ptr<cppcanvas::Canvas> const&) const at slideshow/source/engine/slide/layermanager.cxx:628:35 (instdir/program/../program/libslideshowlo.so +0x252d256)
#29 in slideshow::internal::(anonymous namespace)::SlideImpl::createCurrentSlideBitmap(std::shared_ptr<slideshow::internal::UnoView> const&, basegfx::B2IVector const&) const at slideshow/source/engine/slide/slideimpl.cxx:696:21 (instdir/program/../program/libslideshowlo.so +0x27194f7)
#30 in slideshow::internal::(anonymous namespace)::SlideImpl::getCurrentSlideBitmap(std::shared_ptr<slideshow::internal::UnoView> const&) const at slideshow/source/engine/slide/slideimpl.cxx:582:19 (instdir/program/../program/libslideshowlo.so +0x2707502)
#31 in slideshow::internal::(anonymous namespace)::slideRenderer(slideshow::internal::(anonymous namespace)::SlideImpl const*, std::shared_ptr<slideshow::internal::UnoView> const&) at slideshow/source/engine/slide/slideimpl.cxx:269:51 (instdir/program/../program/libslideshowlo.so +0x27131b0)
#32 in slideshow::internal::(anonymous namespace)::SlideImpl::show(bool) at slideshow/source/engine/slide/slideimpl.cxx:441:13 (instdir/program/../program/libslideshowlo.so +0x2702a9f)
#33 in (anonymous namespace)::SlideShowImpl::notifySlideTransitionEnded(bool) at slideshow/source/engine/slideshowimpl.cxx:2112:25 (instdir/program/../program/libslideshowlo.so +0x267d0a0)
#34 in (anonymous namespace)::SlideShowImpl::displaySlide(com::sun::star::uno::Reference<com::sun::star::drawing::XDrawPage> const&, com::sun::star::uno::Reference<com::sun::star::drawing::XDrawPagesSupplier> const&, com::sun::star::uno::Reference<com::sun::star::animations::XAnimationNode> const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&)::$_3::operator()() const at slideshow/source/engine/slideshowimpl.cxx:1156:21 (instdir/program/../program/libslideshowlo.so +0x269129c)
#35 in void std::__invoke_impl<void, (anonymous namespace)::SlideShowImpl::displaySlide(com::sun::star::uno::Reference<com::sun::star::drawing::XDrawPage> const&, com::sun::star::uno::Reference<com::sun::star::drawing::XDrawPagesSupplier> const&, com::sun::star::uno::Reference<com::sun::star::animations::XAnimationNode> const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&)::$_3&>(std::__invoke_other, (anonymous namespace)::SlideShowImpl::displaySlide(com::sun::star::uno::Reference<com::sun::star::drawing::XDrawPage> const&, com::sun::star::uno::Reference<com::sun::star::drawing::XDrawPagesSupplier> const&, com::sun::star::uno::Reference<com::sun::star::animations::XAnimationNode> const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&)::$_3&) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/11.0.0/../../../../include/c++/11.0.0/bits/invoke.h:60:14 (instdir/program/../program/libslideshowlo.so +0x269113c)
#36 in std::enable_if<is_invocable_r_v<void, (anonymous namespace)::SlideShowImpl::displaySlide(com::sun::star::uno::Reference<com::sun::star::drawing::XDrawPage> const&, com::sun::star::uno::Reference<com::sun::star::drawing::XDrawPagesSupplier> const&, com::sun::star::uno::Reference<com::sun::star::animations::XAnimationNode> const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&)::$_3&>, void>::type std::__invoke_r<void, (anonymous namespace)::SlideShowImpl::displaySlide(com::sun::star::uno::Reference<com::sun::star::drawing::XDrawPage> const&, com::sun::star::uno::Reference<com::sun::star::drawing::XDrawPagesSupplier> const&, com::sun::star::uno::Reference<com::sun::star::animations::XAnimationNode> const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&)::$_3&>((anonymous namespace)::SlideShowImpl::displaySlide(com::sun::star::uno::Reference<com::sun::star::drawing::XDrawPage> const&, com::sun::star::uno::Reference<com::sun::star::drawing::XDrawPagesSupplier> const&, com::sun::star::uno::Reference<com::sun::star::animations::XAnimationNode> const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&)::$_3&) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/11.0.0/../../../../include/c++/11.0.0/bits/invoke.h:110:2 (instdir/program/../program/libslideshowlo.so +0x2690fcc)
#37 in std::_Function_handler<void (), (anonymous namespace)::SlideShowImpl::displaySlide(com::sun::star::uno::Reference<com::sun::star::drawing::XDrawPage> const&, com::sun::star::uno::Reference<com::sun::star::drawing::XDrawPagesSupplier> const&, com::sun::star::uno::Reference<com::sun::star::animations::XAnimationNode> const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&)::$_3>::_M_invoke(std::_Any_data const&) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/11.0.0/../../../../include/c++/11.0.0/bits/std_function.h:291:9 (instdir/program/../program/libslideshowlo.so +0x2690bdc)
#38 in std::function<void ()>::operator()() const at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/11.0.0/../../../../include/c++/11.0.0/bits/std_function.h:535:9 (instdir/program/../program/libslideshowlo.so +0x1efc011)
#39 in slideshow::internal::Delay::fire() at slideshow/source/engine/delayevent.cxx:31:9 (instdir/program/../program/libslideshowlo.so +0x1efb848)
#40 in slideshow::internal::EventQueue::process_(bool) at slideshow/source/engine/eventqueue.cxx:208:39 (instdir/program/../program/libslideshowlo.so +0x2158b94)
#41 in slideshow::internal::EventQueue::process() at slideshow/source/engine/eventqueue.cxx:152:13 (instdir/program/../program/libslideshowlo.so +0x215adfa)
#42 in (anonymous namespace)::SlideShowImpl::update(double&) at slideshow/source/engine/slideshowimpl.cxx:1969:26 (instdir/program/../program/libslideshowlo.so +0x264c04a)
#43 in sd::SlideshowImpl::updateSlideShow() at sd/source/ui/slideshow/slideshowimpl.cxx:1673:21 (instdir/program/../program/libsdlo.so +0x5a9bdfe)
#44 in sd::SlideshowImpl::updateHdl(Timer*) at sd/source/ui/slideshow/slideshowimpl.cxx:1658:5 (instdir/program/../program/libsdlo.so +0x5a9b854)
#45 in sd::SlideshowImpl::LinkStubupdateHdl(void*, Timer*) at sd/source/ui/slideshow/slideshowimpl.cxx:1656:1 (instdir/program/../program/libsdlo.so +0x5a59188)
#46 in Link<Timer*, void>::Call(Timer*) const at include/tools/link.hxx:111:45 (instdir/program/libvcllo.so +0x9f2f4bd)
#47 in Timer::Invoke() at vcl/source/app/timer.cxx:75:21 (instdir/program/libvcllo.so +0x9f2eaac)
#48 in Scheduler::ProcessTaskScheduling() at vcl/source/app/scheduler.cxx:486:20 (instdir/program/libvcllo.so +0x9d925ff)
#49 in Scheduler::CallbackTaskScheduling() at vcl/source/app/scheduler.cxx:288:5 (instdir/program/libvcllo.so +0x9d8c930)
#50 in SalTimer::CallCallback() at vcl/inc/saltimer.hxx:54:13 (instdir/program/libvclplug_gtk3lo.so +0x10bfd83)
#51 in sal_gtk_timeout_dispatch(_GSource*, int (*)(void*), void*) at vcl/unx/gtk3/gtk3gtkdata.cxx:633:45 (instdir/program/libvclplug_gtk3lo.so +0x10bbf6d)
#52 in g_main_dispatch at ../glib/gmain.c:3325:28 (/lib64/libglib-2.0.so.0 +0x51ff6)
#53 in g_main_context_dispatch at ../glib/gmain.c:4016:7 (/lib64/libglib-2.0.so.0 +0x51ff6)
#54 in g_main_context_iterate.constprop.0 at ../glib/gmain.c:4092:5 (/lib64/libglib-2.0.so.0 +0xa2b87)
#55 in g_main_context_iteration at ../glib/gmain.c:4157:12 (/lib64/libglib-2.0.so.0 +0x4f41e)
#56 in GtkSalData::Yield(bool, bool) at vcl/unx/gtk3/gtk3gtkdata.cxx:382:31 (instdir/program/libvclplug_gtk3lo.so +0x10b48c6)
#57 in GtkInstance::DoYield(bool, bool) at vcl/unx/gtk3/gtk3gtkinst.cxx:387:29 (instdir/program/libvclplug_gtk3lo.so +0x10cc56d)
#58 in ImplYield(bool, bool) at vcl/source/app/svapp.cxx:446:48 (instdir/program/libvcllo.so +0x9e7d767)
#59 in Application::Yield() at vcl/source/app/svapp.cxx:510:5 (instdir/program/libvcllo.so +0x9e7c9f7)
#60 in Application::Execute() at vcl/source/app/svapp.cxx:425:9 (instdir/program/libvcllo.so +0x9e7c669)
#61 in desktop::Desktop::Main() at desktop/source/app/app.cxx:1590:13 (instdir/program/libsofficeapp.so +0x8c097e)
#62 in ImplSVMain() at vcl/source/app/svmain.cxx:196:35 (instdir/program/libvcllo.so +0x9f19178)
#63 in SVMain() at vcl/source/app/svmain.cxx:228:12 (instdir/program/libvcllo.so +0x9f22470)
#64 in soffice_main at desktop/source/app/sofficemain.cxx:98:12 (instdir/program/libsofficeapp.so +0xa9329b)
#65 in sal_main at desktop/source/app/main.c:48:15 (instdir/program/soffice.bin +0x32e12c)
#66 in main at desktop/source/app/main.c:47:1 (instdir/program/soffice.bin +0x32e106)
#67 in __libc_start_main at /usr/src/debug/glibc-2.32/csu/../csu/libc-start.c:314:16 (/lib64/libc.so.6 +0x281a1)
#68 in _start at <null> (instdir/program/soffice.bin +0x250dbd)
Address 0x7feb53c3f040 is located in stack of thread T0 at offset 4160 in frame
#0 in composite_boxes at workdir/UnpackedTarball/cairo/src/cairo-spans-compositor.c:712 (instdir/program/libcairo.so.2 +0x92c45f)
This frame has 3 object(s):
[32, 4160) 'renderer' (line 713)
[4416, 6544) 'converter' (line 714) <== Memory access at offset 4160 partially underflows this variable
[6672, 6688) 'box' (line 717) <== Memory access at offset 4160 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ~/llvm/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:26:3 in __asan_memset
Shadow bytes around the buggy address:
0x0ffdea77fdb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffdea77fdc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffdea77fdd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffdea77fde0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffdea77fdf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ffdea77fe00: 00 00 00 00 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2
0x0ffdea77fe10: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
0x0ffdea77fe20: f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00
0x0ffdea77fe30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffdea77fe40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffdea77fe50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
The failure is fixed, at least for this specific scenario, when changing
diff --git a/src/cairo-spans-compositor-private.h b/src/cairo-spans-compositor-private.h
index 0babebd26..8336f8090 100644
--- a/src/cairo-spans-compositor-private.h
+++ b/src/cairo-spans-compositor-private.h
@@ -46,7 +46,7 @@ CAIRO_BEGIN_DECLS
typedef struct _cairo_abstract_span_renderer {
cairo_span_renderer_t base;
- char data[4096];
+ char data[8192];
} cairo_abstract_span_renderer_t;
struct cairo_spans_compositor {
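Review bot: doubling `data` from 4096 to 8192 bytes in the `cairo_abstract_span_renderer_t` hunk only moves the threshold rather than bounding the write. The ASan report above shows a single `memset` of 4381 bytes issued from `_inplace_src_spans` (cairo-image-compositor.c:2683) that runs off the end of the `renderer` object (frame offsets [32, 4160), i.e. `base` plus `data[4096]`) into the redzone before `converter`, and the reproduction conditions (a 3840x2160 display at 175% scale) suggest that size tracks the rendering width, so a wider surface can exceed 8192 just as this one exceeded 4096. The concrete renderer that places itself in `data` should compare the size it needs against `sizeof (((cairo_abstract_span_renderer_t *) 0)->data)` (or carry a compile-time assertion on the concrete struct's size) and return an error or fall back to a heap allocation when it does not fit. The new constant should also get a comment recording how 8192 was chosen, since the report notes the earlier 2048 to 4096 change came without rationale.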
That 4096 had been changed from 2048 with c986a731 "image: Enable inplace compositing with opacities for general routines", but apparently without giving any rationale for that particular change, or any indication that the relevant code should provably not overflow that data array.
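The pattern behind this crash is a fixed-size on-stack scratch buffer whose consumer derives its write size from the input (here the rendering width) without ever comparing that size against the buffer. The following is an added example, not cairo's code and not part of the original report: a hypothetical stand-in for the abstract span renderer with a made-up cost model (a 16-byte header plus one byte per pixel), showing the two checks the report asks for, a compile-time assertion that ties the buffer size to a documented maximum span width, and a runtime check that fails cleanly instead of writing past `data`. The constants `SCRATCH_BYTES`, `HEADER_BYTES` and `MAX_SPAN_WIDTH` and all function names are assumptions for illustration; only the 4096 figure and the 3840 px at 175% scale reproduction width come from the report.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for cairo_abstract_span_renderer_t: a fixed-size
 * stack buffer that concrete renderers use as opaque scratch storage.
 * SCRATCH_BYTES mirrors the 4096 in the report; nothing else is cairo's. */
#define SCRATCH_BYTES 4096

/* Hypothetical cost model: a 16-byte header plus one byte per pixel. Real
 * renderers derive the size from surface width, format and opacity; the
 * point is only that the size is input-controlled (display width * scale). */
#define HEADER_BYTES 16

/* Widest span this renderer is documented to support. Tying the buffer to it
 * at compile time is the "provably cannot overflow" argument the report asks
 * for: raise MAX_SPAN_WIDTH and the build breaks unless SCRATCH_BYTES grows. */
#define MAX_SPAN_WIDTH 4080
_Static_assert(HEADER_BYTES + MAX_SPAN_WIDTH <= SCRATCH_BYTES,
               "scratch buffer cannot hold a maximum-width span");

typedef struct {
    size_t width;               /* span width in pixels */
    size_t used;                /* bytes of data[] actually initialised */
    char   data[SCRATCH_BYTES];
} abstract_renderer_t;

/* Bytes of scratch a span of `width` pixels needs, saturating on overflow
 * so a huge width cannot wrap around to a small, "fitting" size. */
static size_t scratch_needed(size_t width)
{
    if (width > SIZE_MAX - HEADER_BYTES)
        return SIZE_MAX;
    return HEADER_BYTES + width;
}

/* Unchecked pattern, in spirit what the ASan report shows: the write size
 * comes from the input and is never compared with the buffer size. This
 * function only computes how many bytes such a memset would spill past a
 * buffer of `buf_bytes`, so the example stays safe to run. */
static size_t unchecked_overrun(size_t width, size_t buf_bytes)
{
    size_t need = scratch_needed(width);
    return need > buf_bytes ? need - buf_bytes : 0;
}

/* Checked pattern: refuse spans the scratch buffer cannot hold instead of
 * smashing the stack. Returns 0 on success, -1 when the span is too wide;
 * a caller would then clip the span or use a heap-allocated renderer. */
static int renderer_init(abstract_renderer_t *r, size_t width)
{
    size_t need = scratch_needed(width);
    if (need > sizeof r->data)
        return -1;
    memset(r->data, 0, need);   /* bounded: need <= sizeof r->data */
    r->width = width;
    r->used  = need;
    return 0;
}

/* Initialise a fresh renderer for `width` and report whether it fit. */
static int try_width(size_t width)
{
    abstract_renderer_t r;
    return renderer_init(&r, width);
}

int main(void)
{
    /* Constructed inputs: a 1920 px span fits; 3840 px at 175% scale
     * (6720 px, the reporter's display) does not. */
    printf("1920 px: %d\n", try_width(1920));
    printf("6720 px: %d (unchecked memset would overrun by %zu bytes)\n",
           try_width(6720), unchecked_overrun(6720, SCRATCH_BYTES));
    /* Doubling the constant only moves the threshold. */
    printf("6720 px into 8192 bytes: %zu bytes overrun\n",
           unchecked_overrun(6720, 8192));
    printf("8200 px into 8192 bytes: %zu bytes overrun\n",
           unchecked_overrun(8200, 8192));
    return 0;
}
```

The runtime check is what turns a stack smash into a recoverable error; the static assertion is what documents the bound so the next person to bump the constant has to state which maximum width it now covers.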