Bug 1060497 - [abrt] xcf-pixbuf-loader > geeqie: memcpy(): geeqie killed by SIGSEGV
Summary: [abrt] xcf-pixbuf-loader > geeqie: memcpy(): geeqie killed by SIGSEGV
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: xcf-pixbuf-loader
Version: 24
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Yaakov Selkowitz
QA Contact: Fedora Extras Quality Assurance
URL: https://retrace.fedoraproject.org/faf...
Whiteboard: abrt_hash:fc75734bf8c5b8e8d5f845f34e4...
Depends On:
Blocks:
Reported: 2014-02-02 03:36 UTC by aten
Modified: 2017-08-08 11:45 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-08 11:45:05 UTC


Attachments
backtrace (deleted), 2014-02-02 03:36 UTC, aten
cgroup (deleted), 2014-02-02 03:36 UTC, aten
core_backtrace (deleted), 2014-02-02 03:36 UTC, aten
dso_list (deleted), 2014-02-02 03:36 UTC, aten
environ (deleted), 2014-02-02 03:36 UTC, aten
exploitable (deleted), 2014-02-02 03:36 UTC, aten
limits (deleted), 2014-02-02 03:36 UTC, aten
maps (deleted), 2014-02-02 03:37 UTC, aten
open_fds (deleted), 2014-02-02 03:37 UTC, aten
proc_pid_status (deleted), 2014-02-02 03:37 UTC, aten
var_log_messages (deleted), 2014-02-02 03:37 UTC, aten

Description aten 2014-02-02 03:36:41 UTC
Description of problem:
just browsing some photos

Version-Release number of selected component:
geeqie-1.1-13.fc20

Additional info:
reporter:       libreport-2.1.11
backtrace_rating: 4
cmdline:        geeqie --blank
crash_function: memcpy
executable:     /usr/bin/geeqie
kernel:         3.12.8-300.fc20.x86_64
runlevel:       N 5
type:           CCpp
uid:            1001

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 memcpy at ../sysdeps/x86_64/memcpy.S:72
 #1 _IO_file_xsgetn at fileops.c:1382
 #2 _IO_fread at iofread.c:42
 #3 fread at /usr/include/bits/stdio2.h:295
 #4 rle_decode at io-xcf.c:179
 #5 xcf_image_load_real at io-xcf.c:1145
 #6 xcf_image_stop_load at io-xcf.c:1459
 #7 gdk_pixbuf_loader_close at gdk-pixbuf-loader.c:834
 #8 image_loader_stop_loader at image-load.c:528
 #9 image_loader_begin at image-load.c:635

Comment 1 aten 2014-02-02 03:36:46 UTC
Created attachment 858171 [details]
File: backtrace

Comment 2 aten 2014-02-02 03:36:48 UTC
Created attachment 858172 [details]
File: cgroup

Comment 3 aten 2014-02-02 03:36:50 UTC
Created attachment 858173 [details]
File: core_backtrace

Comment 4 aten 2014-02-02 03:36:52 UTC
Created attachment 858174 [details]
File: dso_list

Comment 5 aten 2014-02-02 03:36:54 UTC
Created attachment 858175 [details]
File: environ

Comment 6 aten 2014-02-02 03:36:56 UTC
Created attachment 858176 [details]
File: exploitable

Comment 7 aten 2014-02-02 03:36:57 UTC
Created attachment 858177 [details]
File: limits

Comment 8 aten 2014-02-02 03:37:01 UTC
Created attachment 858178 [details]
File: maps

Comment 9 aten 2014-02-02 03:37:03 UTC
Created attachment 858179 [details]
File: open_fds

Comment 10 aten 2014-02-02 03:37:05 UTC
Created attachment 858180 [details]
File: proc_pid_status

Comment 11 aten 2014-02-02 03:37:06 UTC
Created attachment 858181 [details]
File: var_log_messages

Comment 12 Michael Schwendt 2014-02-02 09:53:57 UTC
> just browsing some photos

Please describe the problem more carefully. Does it crash reproducibly when browsing the same photo(s)?

The backtrace ends in xcf-pixbuf-loader space, which is outside Geeqie and in a package not installed by default for Fedora's GNOME desktop. Since Geeqie has used gdk-pixbuf2 and its loaders for a long time, that is reason to believe that there is a bug in this special xcf-pixbuf-loader.

Comment 13 Michael Schwendt 2014-02-02 13:22:56 UTC
> at io-xcf.c:179

>        pixels_count = 44
>        channels = 1920103026

At least the channels variable here seems to be uninitialized due to unsafe C programming (switch-case without default) and the local array "ch" depending on that channels value: 

   156  
   157  void
   158  rle_decode (FILE *f, gchar *ptr, int count, int type)
   159  {
   160          int channels;
   161          switch (type) {
   162                  case LAYERTYPE_RGB : channels = 3; break;
   163                  case LAYERTYPE_RGBA: channels = 4; break;
   164                  case LAYERTYPE_GRAYSCALE: channels = 1; break;
   165                  case LAYERTYPE_GRAYSCALEA: channels = 2; break;
   166                  case LAYERTYPE_INDEXED: channels = 1; break;
   167                  case LAYERTYPE_INDEXEDA: channels = 2; break;
   168          }
   169  
   170          guchar opcode;
   171          guchar buffer[3];
   172          guchar ch[channels][count];
   173          int channel;
   174  
   175          //un-rle
   176          for (channel = 0; channel < channels; channel++) {
   177                  int pixels_count = 0;
   178                  while (pixels_count < count) {
   179                          fread (&opcode, sizeof(guchar), 1, f);
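
As an added example (not code from xcf-pixbuf-loader, GIMP, or anyone in this thread), here is a hardened rle_decode that closes the three holes visible in the excerpt above: the switch gets a default so an unknown layer type is rejected instead of leaving channels uninitialized, the stack VLA sized by file-controlled values becomes a bounds-checked heap allocation, and every fread result is checked. The numeric values of the LAYERTYPE_* constants and the 64x64 tile bound are taken from the XCF format and are assumptions here, as is the RLE opcode scheme (0..126 short run, 127 long run, 128 long literal, 129..255 short literal); decode_bytes is a test helper, not part of any loader API.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layer type values as defined by the XCF format (assumed; the excerpt
 * above shows only the enum names, not their numbers). */
enum { LAYERTYPE_RGB = 0, LAYERTYPE_RGBA = 1, LAYERTYPE_GRAYSCALE = 2,
       LAYERTYPE_GRAYSCALEA = 3, LAYERTYPE_INDEXED = 4, LAYERTYPE_INDEXEDA = 5 };

/* Assumed bound: XCF stores pixel data in tiles of at most 64x64 pixels. */
#define MAX_TILE_PIXELS (64 * 64)

/* Channel count for a layer type. The original switch had no default, so an
 * unknown type left 'channels' uninitialized; here it yields -1 instead. */
int channels_for_type(int type)
{
    switch (type) {
    case LAYERTYPE_RGB:        return 3;
    case LAYERTYPE_RGBA:       return 4;
    case LAYERTYPE_GRAYSCALE:  return 1;
    case LAYERTYPE_GRAYSCALEA: return 2;
    case LAYERTYPE_INDEXED:    return 1;
    case LAYERTYPE_INDEXEDA:   return 2;
    default:                   return -1;
    }
}

/* Read exactly n bytes or report failure; the original never checked fread. */
static int read_exact(FILE *f, void *buf, size_t n)
{
    return fread(buf, 1, n, f) == n ? 0 : -1;
}

/* Decode one RLE-compressed XCF tile of 'count' pixels into ptr, interleaving
 * the planar channels. Returns 0 on success, -1 on malformed or truncated
 * input. Opcode semantics (assumed from the XCF format): 0..126 short run,
 * 127 long run, 128 long literal, 129..255 short literal. */
int rle_decode_checked(FILE *f, unsigned char *ptr, int count, int type)
{
    int channels = channels_for_type(type);
    if (channels < 0 || count <= 0 || count > MAX_TILE_PIXELS)
        return -1;                       /* reject before sizing any buffer */

    /* Validated heap allocation instead of a stack VLA sized by file data. */
    unsigned char *ch = malloc((size_t)channels * (size_t)count);
    if (ch == NULL)
        return -1;

    int rc = -1;
    for (int channel = 0; channel < channels; channel++) {
        unsigned char *dst = ch + (size_t)channel * (size_t)count;
        int pixels = 0;
        while (pixels < count) {
            unsigned char opcode, hdr[2], value;
            int run, literal;
            if (read_exact(f, &opcode, 1))
                goto out;
            if (opcode <= 126) {
                run = opcode + 1; literal = 0;
            } else if (opcode == 127 || opcode == 128) {
                if (read_exact(f, hdr, 2))
                    goto out;
                run = (hdr[0] << 8) | hdr[1]; literal = (opcode == 128);
            } else {
                run = 256 - opcode; literal = 1;
            }
            /* A run may never overshoot the tile: reject instead of overflow. */
            if (run <= 0 || run > count - pixels)
                goto out;
            if (literal) {
                if (read_exact(f, dst + pixels, (size_t)run))
                    goto out;
            } else {
                if (read_exact(f, &value, 1))
                    goto out;
                memset(dst + pixels, value, (size_t)run);
            }
            pixels += run;
        }
    }
    for (int p = 0; p < count; p++)          /* planar -> interleaved */
        for (int c = 0; c < channels; c++)
            ptr[p * channels + c] = ch[(size_t)c * (size_t)count + p];
    rc = 0;
out:
    free(ch);
    return rc;
}

/* Test helper (hypothetical, not a loader API): run the decoder on an
 * in-memory byte string through a temporary file, so no .xcf is needed. */
int decode_bytes(const unsigned char *data, size_t len,
                 unsigned char *out, int count, int type)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return -1;
    int rc = -1;
    if (fwrite(data, 1, len, f) == len) {
        rewind(f);
        rc = rle_decode_checked(f, out, count, type);
    }
    fclose(f);
    return rc;
}
```

With a type value like the 1920103026 seen in comment 13, the hardened function returns -1 before allocating anything; with a run length that exceeds the remaining pixels in the tile it stops instead of writing past the buffer, and a stream that ends early is reported as an error rather than silently decoded from stale bytes.
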

Comment 14 aten 2014-02-03 01:23:31 UTC
(In reply to Michael Schwendt from comment #12)
> > just browsing some photos
> 
> Please describe the problem more carefully. Does it crash reproducibly when
> browsing the same photo(s)?
> 
Michael, I wish I could help you more. I did encounter a similar crash again, at least one more time, while browsing photos. Not sure if this was the same folder though, but it would not let me submit the bug again. I'll try to run geeqie through my pictures again later to see if I can catch a correlation.


> The backtrace ends in xcf-pixbuf-loader space, which is outside Geeqie and
> in a package not installed by default for Fedora's GNOME desktop. Since
> Geeqie uses gdk-pixbuf2 and its loaders for a long time, that is reason to
> believe that there is a bug in this special xcf-pixbuf-loader.

Well, I'm running it in XFCE4, so that is possibly the reason for this special loader, but I'm pretty sure I installed all xfce4-* packages from F20 repos. How do I find which package doth the loader belong to?

Comment 15 Michael Schwendt 2014-02-07 14:49:07 UTC
xcf has nothing to do with XFCE. It is for displaying .xcf files from the GIMP. 

Another image viewer that uses this loader from the same xcf-pixbuf-loader package is Eye of GNOME (eog).

If you could revisit your .xcf files, that may lead to finding one that triggers the crash. Unfortunately, if my theory from comment 13 is true, loading files in a specific order may be necessary to reproduce the problem.

Upstream has been notified about this problem.

Comment 16 aten 2014-02-15 16:04:23 UTC
(In reply to Michael Schwendt from comment #15)
> If you could revisit your .xcf files, that may lead to finding one that
> triggers the crash. Unfortunately, if my theory from comment 13 is true,
> loading files in a specific order may be necessary to reproduce the problem.
> 
> Upstream has been notified about this problem.

ok, I was able to repeat the crash and I think I know the .xcf files in a specific directory which trigger it. I also have another 340MB of coredump and logs from the latest crash, in case somebody cares.

Comment 17 aten 2014-12-28 11:20:32 UTC
crashed again. abrt said this is the same problem. 

This time it happened when I tried to quit geeqie through the hotkey combination Ctrl+Q, while it was in the process of rendering a big .xcf file (~180 MB).

Comment 19 Fedora End Of Life 2015-05-29 10:46:24 UTC
This message is a reminder that Fedora 20 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 20. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '20'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 20 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 20 Fedora End Of Life 2015-06-29 14:55:53 UTC
Fedora 20 changed to end-of-life (EOL) status on 2015-06-23. Fedora 20 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 21 Matthew Miller 2015-07-21 15:03:32 UTC
Since upstream maintenance seems stalled, I'm considering simply blacklisting xcf support in Geeqie. Any strong opinions on that?

Comment 22 Jan Kurik 2016-02-24 13:14:16 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase

Comment 23 Fedora Admin XMLRPC Client 2016-09-15 15:31:08 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 24 Fedora Admin XMLRPC Client 2016-09-19 20:56:07 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 25 Yaakov Selkowitz 2016-09-19 23:24:16 UTC
Just adopted this package.  Given the age of this bug, could anyone who saw this before please try again with the following:

https://bodhi.fedoraproject.org/updates/FEDORA-2016-2eef90d329

Comment 26 Michael Schwendt 2016-09-20 00:50:34 UTC
1) Do I understand you correctly that you haven't patched the program and still hope that it will fix the problems despite being unchanged?

2) Have you read the comments in the tickets?
Such as: https://lists.fedoraproject.org/pipermail/devel/2014-November/204608.html

Comment 27 Yaakov Selkowitz 2016-09-20 04:42:45 UTC
The test release is a new git snapshot, so it's not unchanged.

Comment 28 Michael Schwendt 2016-09-20 16:59:43 UTC
> 0.0.1-18.20120530gitb037c59.fc24
           ^^^^^^^^
https://fedoraproject.org/wiki/Packaging:Versioning#Snapshot_packages

Comment 29 Yaakov Selkowitz 2016-09-20 17:27:45 UTC
Yes, the upstream code was last updated in 2012, but that is still a newer snapshot than what was previously available.

If you were able to reproduce this issue previously, I would appreciate retesting with the aforementioned NVR in updates-testing.  If that doesn't fix it -- which it may or may not -- then I'll need a reproducer in order to be able to debug this.

Comment 30 Michael Schwendt 2016-09-20 18:38:29 UTC
You are supposed to enter the date of when you checked out the snapshot, not estimate the date of the source code files.

That would have avoided the confusion.

Looking at the diff, I see added support for bzip2 compression and something crude/preliminary/FIXME-flagged to reject unexpectedly high property values, but no direct fix for comment 13 (uninitialized variable) or the other bug 1144090 comment 14 (div by zero).

As I see it, the code would need to add much more input data checking to avoid the corner cases that cause crashes.

Comment 31 Yaakov Selkowitz 2016-09-20 19:25:03 UTC
Unfortunately the previous release wasn't properly versioned, otherwise the update from 2010-something to 2012 would have made this obvious.

Again, what I need now is a reproducer for either or both bugs, which I don't see.  Without that, there's really nothing more I can do here.

Comment 32 Michael Schwendt 2016-09-21 19:15:55 UTC
> Unfortunately the previous release wasn't properly versioned, 

Your one isn't either, and it's the one that causes the confusion.


> Again, what I need now is a reproducer for either or both bugs, which
> I don't see.  Without that, there's really nothing more I can do here.

https://lists.fedoraproject.org/pipermail/devel/2014-November/204608.html

and

https://fedoraproject.org/wiki/Package_maintainer_responsibilities#Deal_with_reported_bugs_in_a_timely_manner

If upstream development has stopped and you don't patch the code yourself to add safety checks, you're stuck with broken software that is able to take down programs that depend on it. Note that crashes based on damaged or deliberately modified input data are security vulnerabilities.

Comment 33 Yaakov Selkowitz 2016-09-21 20:52:14 UTC
(In reply to Michael Schwendt from comment #32)
> > Again, what I need now is a reproducer for either or both bugs, which
> > I don't see.  Without that, there's really nothing more I can do here.
> 
> https://lists.fedoraproject.org/pipermail/devel/2014-November/204608.html
> https://fedoraproject.org/wiki/Package_maintainer_responsibilities#Deal_with_reported_bugs_in_a_timely_manner

Neither of which point to the reproducer I requested.

Comment 34 Fedora End Of Life 2017-07-25 18:38:00 UTC
This message is a reminder that Fedora 24 is nearing its end of life.
Approximately 2 (two) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 24. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '24'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 24 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Comment 35 Fedora End Of Life 2017-08-08 11:45:05 UTC
Fedora 24 changed to end-of-life (EOL) status on 2017-08-08. Fedora 24 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
