Simple Scan

Bug #931496
Activity log

Activity log for bug #931496

Date	Who	What changed	Old value	New value	Message
2012-02-13 15:32:13	Stef Walter	bug			added bug
2012-02-13 15:32:13	Stef Walter	attachment added		Fixes the problem https://bugs.launchpad.net/bugs/931496/+attachment/2736110/+files/fix-crash-on-pdf-save.patch
2012-02-13 16:01:02	Michael Nagel	simple-scan: importance	Undecided	High
2012-02-13 16:01:10	Michael Nagel	simple-scan: assignee		Robert Ancell (robert-ancell)
2012-02-15 22:29:25	Robert Ancell	simple-scan: status	New	Incomplete
2012-02-16 18:25:37	bojo42	bug			added subscriber bojo42
2012-02-29 15:19:26	Stef Walter	attachment added		debug-printfs.patch https://bugs.launchpad.net/simple-scan/+bug/931496/+attachment/2794022/+files/debug-printfs.patch
2012-03-17 01:40:48	Robert Ancell	simple-scan: status	Incomplete	Fix Committed
2012-03-17 01:46:26	Robert Ancell	simple-scan: status	Fix Committed	Fix Released
2012-06-05 08:22:00	Michael Nagel	description	When saving a PDF memory corruption occurs and simple scan crashes in random code (for me in the deflate functionality). Checked this using clean bzr checkout. BTW, I would have patched this much earlier if simple-scan was version control system that I was familiar with (like git) :S Can be verified with valgrind: WARNING : scanner.vala:1204: Scan completed with 2250 lines, expected 2250 lines ==8804== Thread 1: ==8804== Invalid write of size 1 ==8804== at 0x40FCFA: book_save_pdf (book.c:1826) ==8804== by 0x411F20: book_save (book.c:2533) ==8804== by 0x44372F: simple_scan_save_document (ui.c:1638) ==8804== by 0x447230: save_file_button_clicked_cb (ui.c:3002) ==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) ==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774) ==8804== by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302) ==8804== by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033) ==8804== by 0x66C7507: g_signal_emit_by_name (gsignal.c:3127) ==8804== by 0x4F14CBC: button_clicked (gtktoolbutton.c:881) ==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) ==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774) ==8804== Address 0x2102c5c8 is 0 bytes after a block of size 711,000 alloc'd ==8804== at 0x4A05BB4: calloc (vg_replace_malloc.c:467) ==8804== by 0x6947193: standard_calloc (gmem.c:104) ==8804== by 0x6947225: g_malloc0 (gmem.c:189) ==8804== by 0x69474E2: g_malloc0_n (gmem.c:385) ==8804== by 0x40F889: book_save_pdf (book.c:1674) ==8804== by 0x411F20: book_save (book.c:2533) ==8804== by 0x44372F: simple_scan_save_document (ui.c:1638) ==8804== by 0x447230: save_file_button_clicked_cb (ui.c:3002) ==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) ==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774) ==8804== by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302) ==8804== by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033) ==8804== ==8804== Invalid read of size 1 ==8804== at 0x40FD0C: book_save_pdf (book.c:1827) ==8804== by 0x411F20: book_save (book.c:2533) ==8804== by 0x44372F: simple_scan_save_document (ui.c:1638) ==8804== by 0x447230: save_file_button_clicked_cb (ui.c:3002) ==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) ==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774) ==8804== by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302) ==8804== by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033) ==8804== by 0x66C7507: g_signal_emit_by_name (gsignal.c:3127) ==8804== by 0x4F14CBC: button_clicked (gtktoolbutton.c:881) ==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) ==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774) ==8804== Address 0x2102c5c8 is 0 bytes after a block of size 711,000 alloc'd ==8804== at 0x4A05BB4: calloc (vg_replace_malloc.c:467) ==8804== by 0x6947193: standard_calloc (gmem.c:104) ==8804== by 0x6947225: g_malloc0 (gmem.c:189) ==8804== by 0x69474E2: g_malloc0_n (gmem.c:385) ==8804== by 0x40F889: book_save_pdf (book.c:1674) ==8804== by 0x411F20: book_save (book.c:2533) ==8804== by 0x44372F: simple_scan_save_document (ui.c:1638) ==8804== by 0x447230: save_file_button_clicked_cb (ui.c:3002) ==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) ==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774) ==8804== by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302) ==8804== by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033) ==8804== The problem is that due to a integer rounding error, one byte less is allocated in the image buffer than there should be. I don't understand the code completely, so this patch should be verified by the original author of the code. Attached.	SOLUTION ***************************** This was one of the most prominent bugs in Simple Scan for a long time. It has been fixed in Simple Scan 3.3.92 *************************** When saving a PDF memory corruption occurs and simple scan crashes in random code (for me in the deflate functionality). Checked this using clean bzr checkout. BTW, I would have patched this much earlier if simple-scan was version control system that I was familiar with (like git) :S Can be verified with valgrind: WARNING **: scanner.vala:1204: Scan completed with 2250 lines, expected 2250 lines ==8804== Thread 1: ==8804== Invalid write of size 1 ==8804== at 0x40FCFA: book_save_pdf (book.c:1826) ==8804== by 0x411F20: book_save (book.c:2533) ==8804== by 0x44372F: simple_scan_save_document (ui.c:1638) ==8804== by 0x447230: save_file_button_clicked_cb (ui.c:3002) ==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) ==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774) ==8804== by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302) ==8804== by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033) ==8804== by 0x66C7507: g_signal_emit_by_name (gsignal.c:3127) ==8804== by 0x4F14CBC: button_clicked (gtktoolbutton.c:881) ==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) ==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774) ==8804== Address 0x2102c5c8 is 0 bytes after a block of size 711,000 alloc'd ==8804== at 0x4A05BB4: calloc (vg_replace_malloc.c:467) ==8804== by 0x6947193: standard_calloc (gmem.c:104) ==8804== by 0x6947225: g_malloc0 (gmem.c:189) ==8804== by 0x69474E2: g_malloc0_n (gmem.c:385) ==8804== by 0x40F889: book_save_pdf (book.c:1674) ==8804== by 0x411F20: book_save (book.c:2533) ==8804== by 0x44372F: simple_scan_save_document (ui.c:1638) ==8804== by 0x447230: save_file_button_clicked_cb (ui.c:3002) ==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) ==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774) ==8804== by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302) ==8804== by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033) ==8804== ==8804== Invalid read of size 1 ==8804== at 0x40FD0C: book_save_pdf (book.c:1827) ==8804== by 0x411F20: book_save (book.c:2533) ==8804== by 0x44372F: simple_scan_save_document (ui.c:1638) ==8804== by 0x447230: save_file_button_clicked_cb (ui.c:3002) ==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) ==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774) ==8804== by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302) ==8804== by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033) ==8804== by 0x66C7507: g_signal_emit_by_name (gsignal.c:3127) ==8804== by 0x4F14CBC: button_clicked (gtktoolbutton.c:881) ==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) ==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774) ==8804== Address 0x2102c5c8 is 0 bytes after a block of size 711,000 alloc'd ==8804== at 0x4A05BB4: calloc (vg_replace_malloc.c:467) ==8804== by 0x6947193: standard_calloc (gmem.c:104) ==8804== by 0x6947225: g_malloc0 (gmem.c:189) ==8804== by 0x69474E2: g_malloc0_n (gmem.c:385) ==8804== by 0x40F889: book_save_pdf (book.c:1674) ==8804== by 0x411F20: book_save (book.c:2533) ==8804== by 0x44372F: simple_scan_save_document (ui.c:1638) ==8804== by 0x447230: save_file_button_clicked_cb (ui.c:3002) ==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) ==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774) ==8804== by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302) ==8804== by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033) ==8804== The problem is that due to a integer rounding error, one byte less is allocated in the image buffer than there should be. I don't understand the code completely, so this patch should be verified by the original author of the code. Attached.
2012-06-05 08:22:38	Michael Nagel	description	SOLUTION ***************************** This was one of the most prominent bugs in Simple Scan for a long time. It has been fixed in Simple Scan 3.3.92 *************************** When saving a PDF memory corruption occurs and simple scan crashes in random code (for me in the deflate functionality). Checked this using clean bzr checkout. BTW, I would have patched this much earlier if simple-scan was version control system that I was familiar with (like git) :S Can be verified with valgrind: WARNING **: scanner.vala:1204: Scan completed with 2250 lines, expected 2250 lines ==8804== Thread 1: ==8804== Invalid write of size 1 ==8804== at 0x40FCFA: book_save_pdf (book.c:1826) ==8804== by 0x411F20: book_save (book.c:2533) ==8804== by 0x44372F: simple_scan_save_document (ui.c:1638) ==8804== by 0x447230: save_file_button_clicked_cb (ui.c:3002) ==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) ==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774) ==8804== by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302) ==8804== by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033) ==8804== by 0x66C7507: g_signal_emit_by_name (gsignal.c:3127) ==8804== by 0x4F14CBC: button_clicked (gtktoolbutton.c:881) ==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) ==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774) ==8804== Address 0x2102c5c8 is 0 bytes after a block of size 711,000 alloc'd ==8804== at 0x4A05BB4: calloc (vg_replace_malloc.c:467) ==8804== by 0x6947193: standard_calloc (gmem.c:104) ==8804== by 0x6947225: g_malloc0 (gmem.c:189) ==8804== by 0x69474E2: g_malloc0_n (gmem.c:385) ==8804== by 0x40F889: book_save_pdf (book.c:1674) ==8804== by 0x411F20: book_save (book.c:2533) ==8804== by 0x44372F: simple_scan_save_document (ui.c:1638) ==8804== by 0x447230: save_file_button_clicked_cb (ui.c:3002) ==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) ==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774) ==8804== by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302) ==8804== by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033) ==8804== ==8804== Invalid read of size 1 ==8804== at 0x40FD0C: book_save_pdf (book.c:1827) ==8804== by 0x411F20: book_save (book.c:2533) ==8804== by 0x44372F: simple_scan_save_document (ui.c:1638) ==8804== by 0x447230: save_file_button_clicked_cb (ui.c:3002) ==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) ==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774) ==8804== by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302) ==8804== by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033) ==8804== by 0x66C7507: g_signal_emit_by_name (gsignal.c:3127) ==8804== by 0x4F14CBC: button_clicked (gtktoolbutton.c:881) ==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) ==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774) ==8804== Address 0x2102c5c8 is 0 bytes after a block of size 711,000 alloc'd ==8804== at 0x4A05BB4: calloc (vg_replace_malloc.c:467) ==8804== by 0x6947193: standard_calloc (gmem.c:104) ==8804== by 0x6947225: g_malloc0 (gmem.c:189) ==8804== by 0x69474E2: g_malloc0_n (gmem.c:385) ==8804== by 0x40F889: book_save_pdf (book.c:1674) ==8804== by 0x411F20: book_save (book.c:2533) ==8804== by 0x44372F: simple_scan_save_document (ui.c:1638) ==8804== by 0x447230: save_file_button_clicked_cb (ui.c:3002) ==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) ==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774) ==8804== by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302) ==8804== by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033) ==8804== The problem is that due to a integer rounding error, one byte less is allocated in the image buffer than there should be. I don't understand the code completely, so this patch should be verified by the original author of the code. Attached.	SOLUTION ***************************** This was one of the most prominent bugs in Simple Scan for a long time. It has been fixed in Simple Scan 3.3.92 Upgrade to Simple Scan 3.3.92, older versions are still affected but will not be fixed. *************************** When saving a PDF memory corruption occurs and simple scan crashes in random code (for me in the deflate functionality). Checked this using clean bzr checkout. BTW, I would have patched this much earlier if simple-scan was version control system that I was familiar with (like git) :S Can be verified with valgrind: WARNING **: scanner.vala:1204: Scan completed with 2250 lines, expected 2250 lines ==8804== Thread 1: ==8804== Invalid write of size 1 ==8804== at 0x40FCFA: book_save_pdf (book.c:1826) ==8804== by 0x411F20: book_save (book.c:2533) ==8804== by 0x44372F: simple_scan_save_document (ui.c:1638) ==8804== by 0x447230: save_file_button_clicked_cb (ui.c:3002) ==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) ==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774) ==8804== by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302) ==8804== by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033) ==8804== by 0x66C7507: g_signal_emit_by_name (gsignal.c:3127) ==8804== by 0x4F14CBC: button_clicked (gtktoolbutton.c:881) ==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) ==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774) ==8804== Address 0x2102c5c8 is 0 bytes after a block of size 711,000 alloc'd ==8804== at 0x4A05BB4: calloc (vg_replace_malloc.c:467) ==8804== by 0x6947193: standard_calloc (gmem.c:104) ==8804== by 0x6947225: g_malloc0 (gmem.c:189) ==8804== by 0x69474E2: g_malloc0_n (gmem.c:385) ==8804== by 0x40F889: book_save_pdf (book.c:1674) ==8804== by 0x411F20: book_save (book.c:2533) ==8804== by 0x44372F: simple_scan_save_document (ui.c:1638) ==8804== by 0x447230: save_file_button_clicked_cb (ui.c:3002) ==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) ==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774) ==8804== by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302) ==8804== by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033) ==8804== ==8804== Invalid read of size 1 ==8804== at 0x40FD0C: book_save_pdf (book.c:1827) ==8804== by 0x411F20: book_save (book.c:2533) ==8804== by 0x44372F: simple_scan_save_document (ui.c:1638) ==8804== by 0x447230: save_file_button_clicked_cb (ui.c:3002) ==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) ==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774) ==8804== by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302) ==8804== by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033) ==8804== by 0x66C7507: g_signal_emit_by_name (gsignal.c:3127) ==8804== by 0x4F14CBC: button_clicked (gtktoolbutton.c:881) ==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) ==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774) ==8804== Address 0x2102c5c8 is 0 bytes after a block of size 711,000 alloc'd ==8804== at 0x4A05BB4: calloc (vg_replace_malloc.c:467) ==8804== by 0x6947193: standard_calloc (gmem.c:104) ==8804== by 0x6947225: g_malloc0 (gmem.c:189) ==8804== by 0x69474E2: g_malloc0_n (gmem.c:385) ==8804== by 0x40F889: book_save_pdf (book.c:1674) ==8804== by 0x411F20: book_save (book.c:2533) ==8804== by 0x44372F: simple_scan_save_document (ui.c:1638) ==8804== by 0x447230: save_file_button_clicked_cb (ui.c:3002) ==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) ==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774) ==8804== by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302) ==8804== by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033) ==8804== The problem is that due to a integer rounding error, one byte less is allocated in the image buffer than there should be. I don't understand the code completely, so this patch should be verified by the original author of the code. Attached.