opening some png with media-gfx/xv-3.10a-r15 results in a corrupt stack

Reproducible: Always

Steps to Reproduce:
1. open /usr/share/icons/hicolor/16x16/apps/chromium-browser.png with xv

Actual Results:
*** glibc detected *** xv: free(): corrupted unsorted chunks: 0x0a03da50 ***
======= Backtrace: =========
/lib/libc.so.6(+0x6b4cf)[0xb73f94cf]
/lib/libc.so.6(+0x6ce3b)[0xb73fae3b]
/lib/libc.so.6(cfree+0x6e)[0xb73fe04e]
/usr/lib/libpng14.so.14(png_free_default+0x2a)[0xb757cafb]
/usr/lib/libpng14.so.14(png_free+0x58)[0xb757cac5]
/usr/lib/libpng14.so.14(png_free_data+0xae)[0xb755d473]
/usr/lib/libpng14.so.14(png_free_data+0xfd)[0xb755d4c2]
/usr/lib/libpng14.so.14(+0x4aeb)[0xb755daeb]
/usr/lib/libpng14.so.14(+0x16927)[0xb756f927]
/usr/lib/libpng14.so.14(png_destroy_read_struct+0x9b)[0xb756f834]
xv[0x80e5c88]
xv[0x805635b]
xv[0x805478c]
xv[0x8056c57]
xv[0x8056f4e]
xv[0x804fb91]
/lib/libc.so.6(__libc_start_main+0xe7)[0xb73a4e27]
xv[0x804d3d1]
======= Memory map: ========
Aborted

Expected Results:
the png should be shown properly

I tried to recompile libpng with and without apng but the result stays the same.
Created attachment 280827 [details] emerge --info
Try to get a backtrace as indicated in: http://www.gentoo.org/proj/en/qa/backtraces.xml
Created attachment 280943 [details] backtrace
I seem to have the same problem here. It happened on two different computers, both amd64. In both cases, the png was DELETED. The first time I was so surprised I could not believe it. I've never seen that happen with xv in the last 15 years. Today it happened again. Here is the output:

verdi phpmyadmin # xv ../phpmyadmin.old/themes/paradice/img/logo_left.png themes/pmahomme/img/logo_left.png
*** glibc detected *** xv: munmap_chunk(): invalid pointer: 0x00000000014bb400 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x714d5)[0x7f07259084d5]
xv[0x40bfff]
xv[0x40ccb9]
xv[0x40faf6]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x7f07258b5cfd]
xv[0x407309]

and then:

ls: cannot access themes/pmahomme/img/logo_left.png: No such file or directory

This image is from phpMyAdmin-3.4.4-all-languages.tar.bz2, so I could get it again and see if the problem is reproducible. Well... kind of: I still have a segfault, but the file is not deleted. Here is what I've done:
------------------------------------------------------------------------------
verdi phpmyadmin # cp /tmp/phpMyAdmin-3.4.4-all-languages/themes/pmahomme/img/logo_left.png
cp: missing destination file operand after `/tmp/phpMyAdmin-3.4.4-all-languages/themes/pmahomme/img/logo_left.png'
Try `cp --help' for more information.
verdi phpmyadmin # cp /tmp/phpMyAdmin-3.4.4-all-languages/themes/pmahomme/img/logo_left.png themes/pmahomme/img/
verdi phpmyadmin # xv themes/pmahomme/img/logo_left.png
*** glibc detected *** xv: munmap_chunk(): invalid pointer: 0x00000000021615d0 ***
Segmentation fault
verdi phpmyadmin # ls -l themes/pmahomme/img/logo_left.png
-rw-r--r-- 1 root root 4970 Sep  4 19:03 themes/pmahomme/img/logo_left.png
------------------------------------------------------------------------------
One thing that may be important: I was connected to the server through ssh with X forwarding. I've copied the image to my main computer, and I can open it with xv without any problem. BUT my first original crash, with another image, was on this same computer... :/ So I'm not sure how far ssh/X forwarding is involved.
(In reply to comment #4)
> This image is from phpMyAdmin-3.4.4-all-languages.tar.bz2, so i could get it
> again and see if the problem is reproducible. Well.. kind of : i still have a
> segfault, but the file is not deleted. Here is what i've done:

So the segfault (but not the file deletion) is reproducible, right? Could you tell me the exact Gentoo version of xv that you have installed? Also, could you attach the image that causes the segfault?
I'm using media-gfx/xv-3.10a-r15 of course. What else? This version has been the only one since at least May 2008...
Created attachment 285853 [details] This image makes xv crash on my system
(In reply to comment #7)
> I'm using media-gfx/xv-3.10a-r15 of course. What else ? This version has been
> the only one since at least may 2008...

There was [temporarily] a new version in the tree to fix this, but it caused a new seg fault.
I am getting this exact crash reliably, and I am adding another png that demonstrates it. ssuominen, can you take a look at the trace and see if anything rings a bell?
Created attachment 294447 [details] Another png that causes crash
*** Bug 365765 has been marked as a duplicate of this bug. ***
ssuominen, just another ping on this one...
Not sure of this bug, but due to lack of time, removing myself from the CC list; sorry.
I missed this at first for inexplicable reasons; bug #521142 contains a patch and explanation. I think all these crashes are due to improper handling of the iTXt chunk.
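The iTXt diagnosis above points at the PNG chunk layer. As an added example (not from this bug or the xv patch), here is a Python chunk walker that checks PNG chunk framing and CRCs and decodes any iTXt chunks per the PNG specification's layout, so a suspect image can be inspected for the chunk type before it is handed to an older xv; the 1x1 sample PNG is constructed inside the block.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Frame one PNG chunk: big-endian length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data)  # Python 3 zlib.crc32 is already unsigned
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def parse_chunks(png: bytes) -> tuple:
    """Walk the chunk list; return (chunks, error) where error is None for a well-formed file."""
    if not png.startswith(PNG_SIGNATURE):
        return [], "bad PNG signature"
    chunks, pos = [], len(PNG_SIGNATURE)
    while pos < len(png):
        length = int.from_bytes(png[pos:pos + 4], "big")
        ctype, end = png[pos + 4:pos + 8], pos + 8 + length
        if length > 0x7FFFFFFF or end + 4 > len(png):  # spec limit, or data/CRC past EOF
            return chunks, "chunk %r at offset %d overruns the file" % (ctype, pos)
        data = png[pos + 8:end]
        if int.from_bytes(png[end:end + 4], "big") != zlib.crc32(ctype + data):
            return chunks, "CRC mismatch in chunk %r at offset %d" % (ctype, pos)
        chunks.append((ctype, data))
        pos = end + 4
    return chunks, None

def decode_itxt(data: bytes) -> tuple:
    # iTXt layout (PNG spec): keyword NUL cflag cmethod langtag NUL transkey NUL text
    keyword, rest = data.split(b"\x00", 1)
    comp_flag, rest = rest[0], rest[2:]  # rest[1] is the compression method (0 = deflate)
    lang, rest = rest.split(b"\x00", 1)
    trans_key, text = rest.split(b"\x00", 1)
    if comp_flag == 1:
        text = zlib.decompress(text)
    return (keyword.decode("latin-1"), lang.decode("ascii"),
            trans_key.decode("utf-8"), text.decode("utf-8"))

def itxt_chunks(png: bytes) -> list:
    """Decoded iTXt chunks among those that parsed cleanly; empty means the chunk type is absent."""
    return [decode_itxt(d) for t, d in parse_chunks(png)[0] if t == b"iTXt"]

# Constructed sample: a 1x1 8-bit greyscale PNG (IHDR, one iTXt, IDAT = filter byte + pixel, IEND).
SAMPLE_PNG = PNG_SIGNATURE + b"".join([
    make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)),
    make_chunk(b"iTXt", b"Comment\x00\x00\x00en\x00\x00" + "héllo".encode("utf-8")),
    make_chunk(b"IDAT", zlib.compress(b"\x00\x00")),
    make_chunk(b"IEND", b"")])
```

Run `itxt_chunks(open(path, "rb").read())` on one of the attached images to see whether it carries the chunk; a non-None error from `parse_chunks` means the file is damaged rather than merely unusual.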
[master 7e8f9ee] media-gfx/xv: Fix png crashes (#521142 by Ian Schram)
I can confirm it crashes no more. Thanks!