Bug 651820

Summary:	media-tv/kodi-9999 with media-libs/giflib-5.1.4-r1 - segmentation fault in TexturePacker in DGifDecompressLine () from /usr/lib64/libgif.so.7
Product:	Gentoo Linux	Reporter:	Steffen Hau <steffen>
Component:	Current packages	Assignee:	Sebastian Pipping <sping>
Status:	RESOLVED FIXED
Severity:	normal	CC:	sping, vapier
Priority:	Normal
Version:	unspecified
Hardware:	AMD64
OS:	Linux
See Also:	https://bugs.gentoo.org/show_bug.cgi?id=637636 https://bugs.gentoo.org/show_bug.cgi?id=677956
Whiteboard:
Package list:		Runtime testing required:	---
Attachments:	kodi-999-build.log.xz Patch a) rename local reallocarray, rename export Patch b) drop local reallocarray, rely on glibc Patch c) drop export, rename implementation, add internal prototype Better patch

Description Steffen Hau 2018-03-28 14:48:04 UTC

Created attachment 525844 [details]
kodi-999-build.log.xz

The patch for giflib to solve bug 637438 causes a segfault of TexturePacker in compilation phase of media-tv/kodi-9999.

/usr/bin/cmake -E make_directory /home/gentoo/tmp/portage/media-tv/kodi-9999/work/kodi-9999_build/addons/skin.estouchy/media
build/texturepacker/TexturePacker -input /home/gentoo/tmp/portage/media-tv/kodi-9999/work/kodi-9999/addons/skin.estouchy/media -output /home/gentoo/tmp/portage/media-tv/kodi-9999/work/kodi-9999_build/addons/skin.estouchy/media/Textures.xbt -dupecheck
[snip]
This is a PNG - lets load it via libpng...
slider_nofocus.png
    frame    0 (delay:   0)                         ARGB   (5,20 @ 400 bytes)
This is a GIF - lets load it via libgif...
make[2]: *** [CMakeFiles/pack-skins.dir/build.make:1162: addons/skin.estouchy/media/Textures.xbt] Segmentation fault (core dumped)
make[2]: *** Deleting file 'addons/skin.estouchy/media/Textures.xbt'


Here's the backtrace:
(gdb) bt 
#0  0x00007f5d4357928d in DGifDecompressLine () from /usr/lib64/libgif.so.7
#1  0x00007f5d4357d158 in DGifGetLine () from /usr/lib64/libgif.so.7
#2  0x00007f5d4357dbbb in DGifSlurp () from /usr/lib64/libgif.so.7
#3  0x000055f6be77a730 in GIFDecoder::LoadFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, DecodedFrames&) ()
#4  0x000055f6be774351 in main ()

Downgrading giflib to 5.1.4 without the patch does not reveal the segfault. Looking at the patch I can't see what may cause this. Looking at the output of nm -D /usr/lib64/libgif.so of 5.1.4 and 5.1.4-r1 the only difference (aside of adresses) is the absence of reallocarray.


Portage 2.3.24 (python 3.6.4-final-0, default/linux/amd64/17.1/systemd, gcc-7.3.0, glibc-2.26-r6, 4.15.12-HAUIHAU x86_64)
=================================================================
System uname: Linux-4.15.12-HAUIHAU-x86_64-Intel-R-_Core-TM-_i3-4330_CPU_@_3.50GHz-with-gentoo-2.4.1
KiB Mem:     7814496 total,   2941696 free
KiB Swap:    8388604 total,   8189948 free
Timestamp of repository gentoo: Wed, 28 Mar 2018 07:00:01 +0000
Head commit of repository gentoo: 08a8ce2c90c51150d7211870008c7faf6cedb6bb
sh bash 4.4_p19
ld GNU gold (Gentoo 2.30 p1 2.30.0) 1.15
app-shells/bash:          4.4_p19::gentoo
dev-java/java-config:     2.2.0-r4::gentoo
dev-lang/perl:            5.26.1-r2::gentoo
dev-lang/python:          2.7.14-r1::gentoo, 3.6.4::gentoo
dev-util/cmake:           3.10.3::gentoo
dev-util/pkgconfig:       0.29.2::gentoo
sys-apps/baselayout:      2.4.1-r2::gentoo
sys-apps/sandbox:         2.13::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69-r4::gentoo
sys-devel/automake:       1.16.1-r1::gentoo
sys-devel/binutils:       2.30::gentoo
sys-devel/gcc:            7.3.0-r1::gentoo
sys-devel/gcc-config:     1.9.1::gentoo
sys-devel/libtool:        2.4.6-r5::gentoo
sys-devel/make:           4.2.1-r3::gentoo
sys-kernel/linux-headers: 4.15::gentoo (virtual/os-headers)
sys-libs/glibc:           2.26-r6::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    sync-rsync-extra-opts: 
    sync-rsync-verify-metamanifest: no

hauihau
    location: /usr/local/portage/hauihau
    masters: gentoo
    priority: 0

ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O3 -pipe -flto=5 -fuse-linker-plugin"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O3 -pipe -flto=5 -fuse-linker-plugin -fno-delete-null-pointer-checks -flifetime-dse=1"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--autounmask=n --keep-going=y --quiet-build=y --quiet-fail=y --with-bdeps=y --changed-deps-report=n"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fakeroot fixlafiles merge-sync metadata-transfer multilib-strict news parallel-fetch parallel-install preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="de_DE.utf8"
LC_ALL="de_DE.utf8"
LDFLAGS="-march=native -O3 -pipe -flto=5 -fuse-linker-plugin -Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu -Wl,--gc-sections -Wl,--icf=safe"
LINGUAS="de"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/home/gentoo/tmp/"
USE="X a52 aac aalib acl alsa amd64 avx avx2 bash-completion berkdb bluray branding bzip2 cairo caps cdda cddb cdparanoia cdr cli cracklib crypt curl cxx dbus dga dri dts dv dvd egl encode exif ffmpeg flac fontconfig fortran ftp gd gdbm gif gmp gstreamer iconv icu imagemagick imlib ipv6 jpeg jpeg2k lame libcaca libnotify libsamplerate lzma lzo mad matroska mmx mmxext mng modules mp3 mpeg mtp multilib musepack ncurses nls nptl nsplugin ogg openal opengl openmp pam pcre pdf png policykit pulseaudio qt5 quicktime readline seccomp sndfile spell sse sse2 sse3 sse4 sse4_1 sse4_2 ssl ssse3 svg syslog systemd tcpd theora threads tiff truetype udev unicode usb v4l vaapi vcd vim-syntax vorbis wavpack wayland webkit x264 xattr xcb xcomposite xinerama xml xmp xorg xosd xpm xv xvid zlib" ABI_X86="64" ALSA_CARDS="hda-intel" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx avx2 f16c fma3 mmx mmxext pclmul popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="efi-64" INPUT_DEVICES="libinput" KERNEL="linux" L10N="de" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6 php7-0" POSTGRES_TARGETS="postgres9_5" PYTHON_SINGLE_TARGET="python3_6" PYTHON_TARGETS="python3_6" QEMU_SOFTMMU_TARGETS="i386 x86_64" QEMU_USER_TARGETS="i386 x86_64" RUBY_TARGETS="ruby25" USERLAND="GNU" VIDEO_CARDS="intel i965" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 1 Greg Turner 2018-03-29 06:16:44 UTC

same here, including the giflib version dependency thing.

According to coredumpctl gdb, it's trying to write "Line" into some unallocated place in memory.

Pretty strongly suggests that there is some kind of problem with the -r1 patch in giflib, or else with gcc.  I tried -O1 and disabling sandbox with the same result so... it's probably something to do with the patch, or with some kind of inter-library alloc/free asymmetry, or similar bug to the giflib bug that also needs patching in kodi.

too busy to screw around with it atm, maybe this weekend if I can find some time.  perhaps a job for valgrind.

Comment 2 Craig Andrews gentoo-dev

2018-03-30 17:00:29 UTC

sping, can you help us out here?

This appears to be a regression caused by https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=010e1c17d6268e0747b362d3ba81f1e17d9b9f9d

Comment 3 Sebastian Pipping gentoo-dev

2018-03-30 19:38:55 UTC

Created attachment 526172 [details, diff]
Patch a) rename local reallocarray, rename export

I'll need your help with testing.  There's two ways that could work:

  a) rename local reallocarray, keep using it, keep the export but with a
     new name

  b) drop local reallocarray and the export, rely on reallocarray from glibc

I'll attach patches for both to try in place of the current giflib-5.1.4-reallocarray-export.patch applied by 5.1.4-r1.

So here's the patch for (a), will be followed by (b) in a second.

Comment 4 Sebastian Pipping gentoo-dev

2018-03-30 19:39:39 UTC

Created attachment 526174 [details, diff]
Patch b) drop local reallocarray, rely on glibc

Comment 5 Steffen Hau 2018-03-30 20:07:19 UTC

Hi Sebastian,

I applied your patches separately to giflib-5.1.4 and can confirm that TexturePacker doesn't segfault with any of the two patches. Any Idea why the original patch causes the segfault?

Comment 6 Sebastian Pipping gentoo-dev

2018-03-30 21:06:39 UTC

Created attachment 526178 [details, diff]
Patch c) drop export, rename implementation, add internal prototype

(In reply to Steffen Hau from comment #5)
> I applied your patches separately to giflib-5.1.4 and can confirm that
> TexturePacker doesn't segfault with any of the two patches.

Cool, thank you!


> Any Idea why the
> original patch causes the segfault?

My guess is the lack of a prototype for function openbsd_reallocarray.  There are warnings for it and it seems that without the prototype, the return type is assumed int which takes fewer bytes than a pointer in 64 bit architectures:

dgif_lib.c:399:27: warning: implicit declaration of function 'openbsd_reallocarray' [-Wimplicit-function-declaration]
             (SavedImage *)openbsd_reallocarray(GifFile->SavedImages,
                           ^                                                                                                                                                                  
dgif_lib.c:399:13: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]                                                                                            
             (SavedImage *)openbsd_reallocarray(GifFile->SavedImages,
             ^                                                         

I have made a patch (c) to verify that assumption if you're curious as well.


I still wonder what patch to go with, best.  I worry that (b) may not work well with some non-glibc libc implementations.  I'm unsure if symbols in .so files are also addressed by number or just by name.  If there's a chance for by number, then (a) may be the safest?  Help! :)

Comment 7 Sebastian Pipping gentoo-dev

2018-03-30 21:07:18 UTC

vapier, any ideas?

Comment 8 Sebastian Pipping gentoo-dev

2018-03-31 15:33:39 UTC

I'll go with a) for a start in a minute.  We can still switch to b) or c).

Comment 9 Larry the Git Cow gentoo-dev

2018-03-31 15:35:51 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=563462332a85910db21a6308523177ff9c80afc8

commit 563462332a85910db21a6308523177ff9c80afc8
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2018-03-31 15:33:26 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2018-03-31 15:35:01 +0000

    media-libs/giflib: Fix 5.1.4-r1 segfaults
    
    Bug: https://bugs.gentoo.org/651820
    Package-Manager: Portage-2.3.26, Repoman-2.3.7

 .../files/giflib-5.1.4-reallocarray-export.patch   | 23 +++++++++++-----------
 ...flib-5.1.4-r1.ebuild => giflib-5.1.4-r2.ebuild} |  0
 2 files changed, 11 insertions(+), 12 deletions(-)}

Comment 10 Arfrever Frehtes Taifersar Arahesis 2018-04-01 02:59:19 UTC

(In reply to Sebastian Pipping from comment #6)
> I still wonder what patch to go with, best.  I worry that (b) may not work
> well with some non-glibc libc implementations.

reallocarray() was introduced in glibc 2.26:
https://sourceware.org/ml/libc-alpha/2017-08/msg00010.html

Comment 11 Arfrever Frehtes Taifersar Arahesis 2018-04-01 02:59:32 UTC

Created attachment 526226 [details, diff]
Better patch

This better patch results in:
- configure checks if reallocarray() function is available in C standard library.
- If reallocarray() is available, libgif.so.7.0.0 uses it.
- If reallocarray() is not available, the implementation from openbsd-reallocarray.c is used and the symbol in libgif.so.7.0.0 is named "openbsd_reallocarray".

With this approach, if giflib is firstly built with glibc <2.26 without reallocarray() and next glibc is updated to a version >=2.26 with reallocarray() but giflib is not rebuilt, there will be no symbol collisions.

Comment 12 Sebastian Pipping gentoo-dev

2018-04-01 15:26:01 UTC

Looks pretty good to me.  Since that is more of an upstreamable patch now, please take it upstream for review at https://sourceforge.net/p/giflib/bugs/110/ .  Thanks!

Comment 13 Craig Andrews gentoo-dev

2018-04-06 18:35:23 UTC

Assigning to sping since the issues with media-libs/giflib, not kodi.

Thanks!

Comment 14 Sebastian Pipping gentoo-dev

2018-04-06 20:30:35 UTC

To my understanding the issue is fixed in Gentoo.  Closing.

Comment 15 Arfrever Frehtes Taifersar Arahesis 2019-02-14 04:11:21 UTC

(In reply to Arfrever Frehtes Taifersar Arahesis from comment #11)
> Created attachment 526226 [details, diff] [details, diff]
> Better patch
> 
> This better patch results in:
> - configure checks if reallocarray() function is available in C standard
> library.
> - If reallocarray() is available, libgif.so.7.0.0 uses it.
> - If reallocarray() is not available, the implementation from
> openbsd-reallocarray.c is used and the symbol in libgif.so.7.0.0 is named
> "openbsd_reallocarray".


https://sourceforge.net/p/giflib/code/ci/95785572710fa6cdb6755b65293dea69f4ad1f61/