Bug 376211 - media-gfx/xv-3.10a-r16 segfaults on some pngs
Summary: media-gfx/xv-3.10a-r16 segfaults on some pngs
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: x86 Linux
Importance: Normal normal
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it
URL:
Whiteboard:
Keywords: NeedPatch
Duplicates: 365765
Depends on:
Blocks:
 
Reported: 2011-07-24 13:24 UTC by Boris Petersen
Modified: 2015-11-08 13:01 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
emerge --info (info.txt, 5.76 KB, text/plain)
2011-07-24 13:25 UTC, Boris Petersen
backtrace (xv_bt.txt, 6.44 KB, text/plain)
2011-07-25 16:32 UTC, Boris Petersen
This image makes xv crash on my system (make-xv-crash.png, 4.85 KB, image/png)
2011-09-08 13:12 UTC, Thomas Capricelli
Another png that causes crash (bad_png.png, 54.99 KB, image/png)
2011-12-01 18:00 UTC, Joe Peterson (RETIRED)

Description Boris Petersen 2011-07-24 13:24:28 UTC
Opening some PNGs with media-gfx/xv-3.10a-r15 results in a corrupt stack

Reproducible: Always

Steps to Reproduce:
1. open /usr/share/icons/hicolor/16x16/apps/chromium-browser.png with xv
Actual Results:  
*** glibc detected *** xv: free(): corrupted unsorted chunks: 0x0a03da50 ***
======= Backtrace: =========
/lib/libc.so.6(+0x6b4cf)[0xb73f94cf]
/lib/libc.so.6(+0x6ce3b)[0xb73fae3b]
/lib/libc.so.6(cfree+0x6e)[0xb73fe04e]
/usr/lib/libpng14.so.14(png_free_default+0x2a)[0xb757cafb]
/usr/lib/libpng14.so.14(png_free+0x58)[0xb757cac5]
/usr/lib/libpng14.so.14(png_free_data+0xae)[0xb755d473]
/usr/lib/libpng14.so.14(png_free_data+0xfd)[0xb755d4c2]
/usr/lib/libpng14.so.14(+0x4aeb)[0xb755daeb]
/usr/lib/libpng14.so.14(+0x16927)[0xb756f927]
/usr/lib/libpng14.so.14(png_destroy_read_struct+0x9b)[0xb756f834]
xv[0x80e5c88]
xv[0x805635b]
xv[0x805478c]
xv[0x8056c57]
xv[0x8056f4e]
xv[0x804fb91]
/lib/libc.so.6(__libc_start_main+0xe7)[0xb73a4e27]
xv[0x804d3d1]
Aborted

Expected Results:  
the png should be shown properly

I tried to recompile libpng with and without apng but the result stays the same.
Comment 1 Boris Petersen 2011-07-24 13:25:48 UTC
Created attachment 280827
emerge --info
Comment 2 Pacho Ramos gentoo-dev 2011-07-25 16:09:24 UTC
Try to get a backtrace as indicated in:
http://www.gentoo.org/proj/en/qa/backtraces.xml
Comment 3 Boris Petersen 2011-07-25 16:32:15 UTC
Created attachment 280943
backtrace
Comment 4 Thomas Capricelli 2011-09-04 17:04:48 UTC
I seem to have the same problem here. It happened on two different computers, both amd64. In both cases, the png was DELETED. The first time I was so surprised I could not believe it. I've never seen that happen with xv in the last 15 years. Today it happened again. Here is the output:

verdi phpmyadmin # xv ../phpmyadmin.old/themes/paradice/img/logo_left.png themes/pmahomme/img/logo_left.png 
*** glibc detected *** xv: munmap_chunk(): invalid pointer: 0x00000000014bb400 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x714d5)[0x7f07259084d5]
xv[0x40bfff]
xv[0x40ccb9]
xv[0x40faf6]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x7f07258b5cfd]
xv[0x407309]

and then:
ls: cannot access themes/pmahomme/img/logo_left.png: No such file or directory

This image is from phpMyAdmin-3.4.4-all-languages.tar.bz2, so I could get it again and see if the problem is reproducible. Well... kind of: I still have a segfault, but the file is not deleted. Here is what I've done:

------------------------------------------------------------------------------
verdi phpmyadmin # cp /tmp/phpMyAdmin-3.4.4-all-languages/themes/pmahomme/img/logo_left.png 
cp: missing destination file operand after `/tmp/phpMyAdmin-3.4.4-all-languages/themes/pmahomme/img/logo_left.png'
Try `cp --help' for more information.
verdi phpmyadmin # cp /tmp/phpMyAdmin-3.4.4-all-languages/themes/pmahomme/img/logo_left.png  themes/pmahomme/img/
verdi phpmyadmin # xv themes/pmahomme/img/logo_left.png 
*** glibc detected *** xv: munmap_chunk(): invalid pointer: 0x00000000021615d0 ***
Segmentation fault
verdi phpmyadmin # ls -l  themes/pmahomme/img/logo_left.png 
-rw-r--r-- 1 root root 4970 Sep  4 19:03 themes/pmahomme/img/logo_left.png
------------------------------------------------------------------------------
Comment 5 Thomas Capricelli 2011-09-04 17:06:23 UTC
One thing that may be important. I was connected to the server through ssh and x-forwarding. I've copied the image to my main computer, and I can open it with xv without any problem.

BUT, my first original crash, with another image was on this same computer.. :/ So I'm not sure how far ssh/x-forwarding is involved.
Comment 6 Joe Peterson (RETIRED) gentoo-dev 2011-09-08 12:39:56 UTC
(In reply to comment #4)
> This image is from phpMyAdmin-3.4.4-all-languages.tar.bz2, so I could get it
> again and see if the problem is reproducible. Well... kind of: I still have a
> segfault, but the file is not deleted. Here is what I've done:

So the segfault (but not the file deletion) is reproducible, right?  Could you tell me the exact gentoo version of xv that you have installed?

Also, could you attach the image that causes the segfault?
Comment 7 Thomas Capricelli 2011-09-08 13:11:29 UTC
I'm using media-gfx/xv-3.10a-r15 of course. What else? This version has been the only one since at least May 2008...
Comment 8 Thomas Capricelli 2011-09-08 13:12:20 UTC
Created attachment 285853
This image makes xv crash on my system
Comment 9 Joe Peterson (RETIRED) gentoo-dev 2011-09-08 13:22:18 UTC
(In reply to comment #7)
> I'm using media-gfx/xv-3.10a-r15 of course. What else? This version has been
> the only one since at least May 2008...

There was [temporarily] a new version in the tree to fix this, but it caused a new seg fault.
Comment 10 Joe Peterson (RETIRED) gentoo-dev 2011-12-01 17:58:58 UTC
I am getting this exact crash reliably, and I am adding another png that demonstrates it.  ssuominen, can you take a look at the trace and see if anything rings a bell?
Comment 11 Joe Peterson (RETIRED) gentoo-dev 2011-12-01 18:00:24 UTC
Created attachment 294447
Another png that causes crash
Comment 12 Joe Peterson (RETIRED) gentoo-dev 2011-12-01 18:06:16 UTC
*** Bug 365765 has been marked as a duplicate of this bug. ***
Comment 13 Joe Peterson (RETIRED) gentoo-dev 2012-06-25 00:25:24 UTC
ssuominen, just another ping on this one...
Comment 14 Samuli Suominen (RETIRED) gentoo-dev 2012-07-05 14:49:17 UTC
not sure of this bug, but due to lack of time, removing myself from CC list; sorry
Comment 15 Ian Schram 2014-09-16 16:07:35 UTC
I missed this at first for inexplicable reasons; bug #521142 contains a patch and explanation. I think all these crashes are due to improper handling of the iTXt chunk.
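One way to check whether a crashing PNG carries an iTXt chunk, the chunk type comment 15 points to. This is an added example, not part of the bug report or of the xv patch; the function names are hypothetical and the sample file is constructed.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}

def iter_chunks(data):
    """Yield (type, payload, crc_ok) per chunk; reject lengths that overrun the file."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    pos = 8
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header at offset %d" % pos)
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4          # header + payload + CRC
        if end > len(data):
            raise ValueError("chunk %r overruns file at offset %d" % (ctype, pos))
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        yield ctype, payload, crc == zlib.crc32(ctype + payload) & 0xFFFFFFFF
        pos = end
        if ctype == b"IEND":
            break

def text_chunk_report(data):
    """Return [(type, keyword, crc_ok)] for every textual chunk in the file."""
    found = []
    for ctype, payload, crc_ok in iter_chunks(data):
        if ctype in TEXT_CHUNKS:
            keyword = payload.split(b"\x00", 1)[0].decode("latin-1")
            found.append((ctype.decode("ascii"), keyword, crc_ok))
    return found

def has_itxt(data):
    return any(entry[0] == "iTXt" for entry in text_chunk_report(data))

def _chunk(ctype, payload):  # builds one chunk for the constructed sample
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)

# Constructed 1x1 grayscale PNG with one uncompressed iTXt chunk (not a file from this bug).
SAMPLE = (PNG_SIGNATURE
          + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
          + _chunk(b"iTXt", b"Comment\x00\x00\x00\x00\x00hello")
          + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
          + _chunk(b"IEND", b""))

if __name__ == "__main__":
    print(text_chunk_report(SAMPLE))
```

To triage a real file, read it in binary mode and pass the bytes to `text_chunk_report`.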
Comment 16 Pacho Ramos gentoo-dev 2015-11-08 11:05:02 UTC
[master 7e8f9ee] media-gfx/xv: Fix png crashes (#521142 by Ian Schram)
Comment 17 Thomas Capricelli 2015-11-08 13:01:08 UTC
I can confirm it crashes no more. Thanks !