Segfault on _pygi_marshal_to_py_array()



Hi all, I'm tracing an issue with Clutter.Stage.read_pixels().

The annotation for that function is:

"""
      <method name="read_pixels" c:identifier="clutter_stage_read_pixels">
        <doc xml:space="preserve">Makes a screenshot of the stage in
RGBA 8bit data, returns a
linear buffer with @width * 4 as rowstride.

The alpha data contained in the returned buffer is driver-dependent,
and not guaranteed to hold any sensible value.</doc>
        <return-value transfer-ownership="full">
          <doc xml:space="preserve">a pointer to newly allocated
memory with the buffer or %NULL if the read failed. Use g_free() on
the returned data to release the resources it has allocated.</doc>
          <array zero-terminated="0" c:type="guchar*">
            <type name="guint8" c:type="guchar"/>
          </array>
        </return-value>
        <parameters>
          <instance-parameter name="stage" transfer-ownership="none">
            <doc xml:space="preserve">A #ClutterStage</doc>
            <type name="Stage" c:type="ClutterStage*"/>
          </instance-parameter>
          <parameter name="x" transfer-ownership="none">
            <doc xml:space="preserve">x coordinate of the first pixel
that is read from stage</doc>
            <type name="gint" c:type="gint"/>
          </parameter>
          <parameter name="y" transfer-ownership="none">
            <doc xml:space="preserve">y coordinate of the first pixel
that is read from stage</doc>
            <type name="gint" c:type="gint"/>
          </parameter>
          <parameter name="width" transfer-ownership="none">
            <doc xml:space="preserve">Width dimention of pixels to be
read, or -1 for the entire stage width</doc>
            <type name="gint" c:type="gint"/>
          </parameter>
          <parameter name="height" transfer-ownership="none">
            <doc xml:space="preserve">Height dimention of pixels to be
read, or -1 for the entire stage height</doc>
            <type name="gint" c:type="gint"/>
          </parameter>
        </parameters>
      </method>
"""

My version of pygobject is 3.10.0. Inside _pygi_marshal_to_py_array() I have:

seq_cache:
    fixed_size = -1
    is_zero_terminated = 0
    len_arg_index = -1

In line 308 of gi/pygi-marshal-to-py.c we do:
    GIArgument *len_arg = state->args[seq_cache->len_arg_index];

len_arg then points to an invalid location and so the following call
to gi_argument_to_gsize() segfaults.

Besides checking that len_arg_index is a valid value, the annotation
should be fixed, and I'm not sure how to do that. The size in
bytes can be computed as 4*(width-x)*(height-y) so perhaps making
another function that wraps the original and also returns the size is
the way to go. I'll bring that discussion to the clutter list but I'd
like to hear your opinions.

Best regards.
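
The index check the message asks for, as an added example that is not part of the original post and not pygobject's own code. The struct and function names are hypothetical stand-ins, arguments are simplified to plain sizes, and the sample values are constructed from the seq_cache dump above.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the marshalling state; not pygobject's types. */
typedef struct {
    long fixed_size;          /* -1 when the annotation gives no fixed size */
    int  is_zero_terminated;
    long len_arg_index;       /* -1 when no length argument is annotated */
} seq_cache_t;

typedef struct {
    const size_t *args;       /* simplified: each argument is already a size */
    size_t n_args;
} call_state_t;

/* Returns 0 and stores the element count in *len, or -1 (leaving *len
 * untouched) when the annotation provides no usable length source. */
int resolve_array_len(const seq_cache_t *c, const call_state_t *s,
                      const unsigned char *data, size_t *len)
{
    if (data == NULL) { *len = 0; return 0; }   /* NULL return: nothing to copy */
    if (c->fixed_size >= 0) { *len = (size_t)c->fixed_size; return 0; }
    if (c->is_zero_terminated) {
        size_t n = 0;
        while (data[n] != 0) n++;
        *len = n;
        return 0;
    }
    /* Validate the index before using it; -1 must never reach args[]. */
    if (c->len_arg_index < 0 || (size_t)c->len_arg_index >= s->n_args)
        return -1;
    *len = s->args[c->len_arg_index];
    return 0;
}

int main(void)
{
    /* Constructed sample: the cache values reported for read_pixels(). */
    seq_cache_t cache = { -1, 0, -1 };
    size_t args[] = { 0, 0, 4, 4 };             /* x, y, width, height */
    call_state_t state = { args, 4 };
    unsigned char pixels[64] = { 255 };
    size_t len = 0;

    if (resolve_array_len(&cache, &state, pixels, &len) != 0)
        puts("no length source for array: refuse to marshal");
    return 0;
}
```

A caller that gets -1 can raise an error to Python instead of dereferencing an out-of-range slot.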

