
sw_engine: memory violation on dropshadow effect #3764

@hermet

Description

@hermet
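/// Minimal reproducer for the sw_engine DropShadow memory violation.
///
/// A scene holding one SVG picture has its effects cleared and a DropShadow
/// effect re-applied on every update. With the accompanying AddressSanitizer
/// run, this ends in a heap-buffer-overflow: a 4-byte READ located 0 bytes
/// after a 40000-byte buffer, raised in cRasterTranslucentPixels and reached
/// through _dropShadowShift / effectDropShadow.
///
/// The effect parameters below are what trigger the report; keep them
/// unchanged when using this as a regression test under a sanitizer build.
struct UserExample : tvgexam::Example
{
    tvg::Scene* scene1 = nullptr;   //scene receiving the post effect; assigned in content()

    /// Builds the canvas content: a white background and the effect scene.
    /// @param canvas target canvas the paints are pushed to
    /// @param w      canvas width, used for the background rectangle
    /// @param h      canvas height, used for the background rectangle
    /// @return true once the scene is pushed; false if the SVG could not be loaded
    bool content(tvg::Canvas* canvas, uint32_t w, uint32_t h) override
    {
        //background
        auto bg = tvg::Shape::gen();
        bg->appendRect(0, 0, w, h);
        bg->fill(255, 255, 255);
        canvas->push(bg);

        //Load the picture before building the scene. An ignored load failure
        //would leave an empty scene and a run that silently "passes" without
        //ever exercising the drop-shadow path.
        auto picture = tvg::Picture::gen();
        if (picture->load(TEST_DIR"/tiger.svg") != tvg::Result::Success) {
            tvg::Paint::rel(picture);   //not pushed anywhere yet, so release it here
            return false;
        }

        //Prepare a scene for post effects
        scene1 = tvg::Scene::gen();
        scene1->push(picture);
        canvas->push(scene1);

        return true;
    }

    /// Re-applies the DropShadow effect and requests a canvas update.
    /// @param canvas  canvas to update
    /// @param elapsed elapsed time handed in by the example harness
    /// @return true after the update was requested; false if content() never
    ///         created the scene (NOTE(review): how the harness treats false
    ///         is not visible in this listing)
    bool update(tvg::Canvas* canvas, uint32_t elapsed) override
    {
        //content() may have bailed out before creating the scene
        if (!scene1) return false;

        //NOTE(review): the result is not used by this reproducer; the call is
        //kept because tvgexam::progress is defined outside this listing.
        auto progress = tvgexam::progress(elapsed, 2.5f, true);   //2.5 seconds

        //Clear the previously applied effects
        scene1->push(tvg::SceneEffect::ClearAll);
        //Apply DropShadow post effect (r, g, b, a, angle, distance, blur sigma, quality)
        scene1->push(tvg::SceneEffect::DropShadow, 128, 128, 128, 200, 1.0, 5.0, 2.0, 60);

        canvas->update();

        return true;
    }
};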
=================================================================
==6202==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x52e000022040 at pc 0x7f515ad2558f bp 0x7ffe1066bd50 sp 0x7ffe1066bd40
READ of size 4 at 0x52e000022040 thread T0
    #0 0x7f515ad2558e in cRasterTranslucentPixels<unsigned int> ../src/renderer/sw_engine/tvgSwRasterC.h:34
    #1 0x7f515ad2558e in rasterTranslucentPixel32(unsigned int*, unsigned int*, unsigned int, unsigned char) ../src/renderer/sw_engine/tvgSwRaster.cpp:1429
    #2 0x7f515acf964f in _dropShadowShift ../src/renderer/sw_engine/tvgSwPostEffect.cpp:341
    #3 0x7f515ad026e9 in effectDropShadow(SwCompositor*, SwSurface**, tvg::RenderEffectDropShadow const*, bool) ../src/renderer/sw_engine/tvgSwPostEffect.cpp:457
    #4 0x7f515ada8e83 in tvg::SwRenderer::render(tvg::RenderCompositor*, tvg::RenderEffect const*, bool) ../src/renderer/sw_engine/tvgSwRenderer.cpp:814
    #5 0x7f515ac21d33 in SceneImpl::render(tvg::RenderMethod*) ../src/renderer/tvgScene.h:185
    #6 0x7f515abc54bb in tvg::Paint::Impl::render(tvg::RenderMethod*) ../src/renderer/tvgPaint.cpp:191
    #7 0x7f515ac217a2 in SceneImpl::render(tvg::RenderMethod*) ../src/renderer/tvgScene.h:176
    #8 0x7f515abc54bb in tvg::Paint::Impl::render(tvg::RenderMethod*) ../src/renderer/tvgPaint.cpp:191
    #9 0x7f515abaa342 in tvg::Canvas::Impl::draw(bool) ../src/renderer/tvgCanvas.h:107
    #10 0x7f515abaa342 in tvg::Canvas::draw(bool) ../src/renderer/tvgCanvas.cpp:51
    #11 0x55b1c3655f4c in tvgexam::Window::draw() ../examples/Example.h:185
    #12 0x55b1c3655f4c in tvgexam::Window::show() ../examples/Example.h:294
    #13 0x55b1c364698a in tvgexam::main(tvgexam::Example*, int, char**, bool, unsigned int, unsigned int, unsigned int, bool) ../examples/Example.h:596
    #14 0x55b1c3647c54 in main ../examples/EffectDropShadow.cpp:82
    #15 0x7f51593991c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #16 0x7f515939928a in __libc_start_main_impl ../csu/libc-start.c:360
    #17 0x55b1c3647cd4 in _start (/home/hermet/thorvg/build/examples/EffectDropShadow+0x32cd4) (BuildId: 453c99718ad30d8c046b9e7ce3dc874539c10985)

0x52e000022040 is located 0 bytes after 40000-byte region [0x52e000018400,0x52e000022040)
allocated by thread T0 here:
    #0 0x7f515c1009c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x7f515ada4272 in malloc<unsigned int*> ../src/renderer/tvgCommon.h:97
    #2 0x7f515ada4272 in tvg::SwRenderer::request(int, bool) ../src/renderer/sw_engine/tvgSwRenderer.cpp:644
    #3 0x7f515ada8bfb in tvg::SwRenderer::render(tvg::RenderCompositor*, tvg::RenderEffect const*, bool) ../src/renderer/sw_engine/tvgSwRenderer.cpp:810
    #4 0x7f515ac21d33 in SceneImpl::render(tvg::RenderMethod*) ../src/renderer/tvgScene.h:185
    #5 0x7f515abc54bb in tvg::Paint::Impl::render(tvg::RenderMethod*) ../src/renderer/tvgPaint.cpp:191
    #6 0x7f515ac217a2 in SceneImpl::render(tvg::RenderMethod*) ../src/renderer/tvgScene.h:176
    #7 0x7f515abc54bb in tvg::Paint::Impl::render(tvg::RenderMethod*) ../src/renderer/tvgPaint.cpp:191
    #8 0x7f515abaa342 in tvg::Canvas::Impl::draw(bool) ../src/renderer/tvgCanvas.h:107
    #9 0x7f515abaa342 in tvg::Canvas::draw(bool) ../src/renderer/tvgCanvas.cpp:51
    #10 0x55b1c3655f4c in tvgexam::Window::draw() ../examples/Example.h:185
    #11 0x55b1c3655f4c in tvgexam::Window::show() ../examples/Example.h:294
    #12 0x55b1c364698a in tvgexam::main(tvgexam::Example*, int, char**, bool, unsigned int, unsigned int, unsigned int, bool) ../examples/Example.h:596
    #13 0x55b1c3647c54 in main ../examples/EffectDropShadow.cpp:82
    #14 0x7f51593991c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #15 0x7f515939928a in __libc_start_main_impl ../csu/libc-start.c:360
    #16 0x55b1c3647cd4 in _start (/home/hermet/thorvg/build/examples/EffectDropShadow+0x32cd4) (BuildId: 453c99718ad30d8c046b9e7ce3dc874539c10985)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/renderer/sw_engine/tvgSwRasterC.h:34 in cRasterTranslucentPixels<unsigned int>
Shadow bytes around the buggy address:
  0x52e000021d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x52e000021e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x52e000021e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x52e000021f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x52e000021f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x52e000022000: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x52e000022080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x52e000022100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x52e000022180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x52e000022200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x52e000022280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6202==ABORTING


Labels

cpu (Software render backend), showstopper (Critical issues)


Projects

Status

Done 1.0
