2012-02-13 15:32:13 |
Stef Walter |
bug |
|
|
added bug |
2012-02-13 15:32:13 |
Stef Walter |
attachment added |
|
Fixes the problem https://bugs.launchpad.net/bugs/931496/+attachment/2736110/+files/fix-crash-on-pdf-save.patch |
|
2012-02-13 16:01:02 |
Michael Nagel |
simple-scan: importance |
Undecided |
High |
|
2012-02-13 16:01:10 |
Michael Nagel |
simple-scan: assignee |
|
Robert Ancell (robert-ancell) |
|
2012-02-15 22:29:25 |
Robert Ancell |
simple-scan: status |
New |
Incomplete |
|
2012-02-16 18:25:37 |
bojo42 |
bug |
|
|
added subscriber bojo42 |
2012-02-29 15:19:26 |
Stef Walter |
attachment added |
|
debug-printfs.patch https://bugs.launchpad.net/simple-scan/+bug/931496/+attachment/2794022/+files/debug-printfs.patch |
|
2012-03-17 01:40:48 |
Robert Ancell |
simple-scan: status |
Incomplete |
Fix Committed |
|
2012-03-17 01:46:26 |
Robert Ancell |
simple-scan: status |
Fix Committed |
Fix Released |
|
2012-06-05 08:22:00 |
Michael Nagel |
description |
When saving a PDF, memory corruption occurs and simple scan crashes in random code (for me in the deflate functionality). Checked this using a clean bzr checkout. BTW, I would have patched this much earlier if simple-scan used a version control system that I was familiar with (like git) :S
Can be verified with valgrind:
** WARNING **: scanner.vala:1204: Scan completed with 2250 lines, expected 2250 lines
==8804== Thread 1:
==8804== Invalid write of size 1
==8804== at 0x40FCFA: book_save_pdf (book.c:1826)
==8804== by 0x411F20: book_save (book.c:2533)
==8804== by 0x44372F: simple_scan_save_document (ui.c:1638)
==8804== by 0x447230: save_file_button_clicked_cb (ui.c:3002)
==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774)
==8804== by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302)
==8804== by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033)
==8804== by 0x66C7507: g_signal_emit_by_name (gsignal.c:3127)
==8804== by 0x4F14CBC: button_clicked (gtktoolbutton.c:881)
==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774)
==8804== Address 0x2102c5c8 is 0 bytes after a block of size 711,000 alloc'd
==8804== at 0x4A05BB4: calloc (vg_replace_malloc.c:467)
==8804== by 0x6947193: standard_calloc (gmem.c:104)
==8804== by 0x6947225: g_malloc0 (gmem.c:189)
==8804== by 0x69474E2: g_malloc0_n (gmem.c:385)
==8804== by 0x40F889: book_save_pdf (book.c:1674)
==8804== by 0x411F20: book_save (book.c:2533)
==8804== by 0x44372F: simple_scan_save_document (ui.c:1638)
==8804== by 0x447230: save_file_button_clicked_cb (ui.c:3002)
==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774)
==8804== by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302)
==8804== by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033)
==8804==
==8804== Invalid read of size 1
==8804== at 0x40FD0C: book_save_pdf (book.c:1827)
==8804== by 0x411F20: book_save (book.c:2533)
==8804== by 0x44372F: simple_scan_save_document (ui.c:1638)
==8804== by 0x447230: save_file_button_clicked_cb (ui.c:3002)
==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774)
==8804== by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302)
==8804== by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033)
==8804== by 0x66C7507: g_signal_emit_by_name (gsignal.c:3127)
==8804== by 0x4F14CBC: button_clicked (gtktoolbutton.c:881)
==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774)
==8804== Address 0x2102c5c8 is 0 bytes after a block of size 711,000 alloc'd
==8804== at 0x4A05BB4: calloc (vg_replace_malloc.c:467)
==8804== by 0x6947193: standard_calloc (gmem.c:104)
==8804== by 0x6947225: g_malloc0 (gmem.c:189)
==8804== by 0x69474E2: g_malloc0_n (gmem.c:385)
==8804== by 0x40F889: book_save_pdf (book.c:1674)
==8804== by 0x411F20: book_save (book.c:2533)
==8804== by 0x44372F: simple_scan_save_document (ui.c:1638)
==8804== by 0x447230: save_file_button_clicked_cb (ui.c:3002)
==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774)
==8804== by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302)
==8804== by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033)
==8804==
The problem is that due to an integer rounding error, one byte less is allocated in the image buffer than there should be. I don't understand the code completely, so this patch should be verified by the original author of the code. Attached. |
SOLUTION
*******************************
This was one of the most prominent bugs in Simple Scan for a long time.
It has been fixed in Simple Scan 3.3.92
*******************************
When saving a PDF, memory corruption occurs and simple scan crashes in random code (for me in the deflate functionality). Checked this using a clean bzr checkout. BTW, I would have patched this much earlier if simple-scan used a version control system that I was familiar with (like git) :S
Can be verified with valgrind (same trace as in the original description above).
The problem is that due to an integer rounding error, one byte less is allocated in the image buffer than there should be. I don't understand the code completely, so this patch should be verified by the original author of the code. Attached. |
|
2012-06-05 08:22:38 |
Michael Nagel |
description |
SOLUTION
*******************************
This was one of the most prominent bugs in Simple Scan for a long time.
It has been fixed in Simple Scan 3.3.92
*******************************
When saving a PDF, memory corruption occurs and simple scan crashes in random code (for me in the deflate functionality). Checked this using a clean bzr checkout. BTW, I would have patched this much earlier if simple-scan used a version control system that I was familiar with (like git) :S
Can be verified with valgrind (same trace as in the original description above).
The problem is that due to an integer rounding error, one byte less is allocated in the image buffer than there should be. I don't understand the code completely, so this patch should be verified by the original author of the code. Attached. |
SOLUTION
*******************************
This was one of the most prominent bugs in Simple Scan for a long time.
It has been fixed in Simple Scan 3.3.92
Upgrade to Simple Scan 3.3.92, older versions are still affected but will not be fixed.
*******************************
When saving a PDF, memory corruption occurs and simple scan crashes in random code (for me in the deflate functionality). Checked this using a clean bzr checkout. BTW, I would have patched this much earlier if simple-scan used a version control system that I was familiar with (like git) :S
Can be verified with valgrind (same trace as in the original description above).
The problem is that due to an integer rounding error, one byte less is allocated in the image buffer than there should be. I don't understand the code completely, so this patch should be verified by the original author of the code. Attached. |
|
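The one-byte-short allocation that the description attributes to integer rounding, shown as a constructed C example added here (this is not simple-scan's code; the function names and the 1-bit-per-pixel packing are assumptions): a sizer that truncates bits to bytes beside the rounded-up one, and a bounds-checked pack loop that refuses the write Valgrind flagged as "0 bytes after a block".

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example of the bug class in this report: a packed 1 bit/pixel
 * image buffer sized with truncating integer division. Not simple-scan's code. */

/* Buggy sizing: nbits/8 drops the final partial byte whenever nbits % 8 != 0. */
size_t bytes_for_bits_truncated(size_t nbits)
{
    return nbits / 8;
}

/* Correct sizing: round up to the next whole byte. */
size_t bytes_for_bits(size_t nbits)
{
    return (nbits + 7) / 8;
}

/* Pack pixels (0 = white, nonzero = black) MSB-first, one bit each, into buf.
 * Returns 0 on success or -1 if a pixel would land past the end of buf; the
 * unchecked form of this loop is what yields Valgrind's "Invalid write of
 * size 1 ... 0 bytes after a block" when the buffer is one byte short. */
int pack_1bit(const uint8_t *pixels, size_t npixels, uint8_t *buf, size_t buf_len)
{
    for (size_t i = 0; i < npixels; i++) {
        size_t byte = i / 8;
        if (byte >= buf_len)
            return -1;
        if (pixels[i])
            buf[byte] |= (uint8_t)(0x80 >> (i % 8));
    }
    return 0;
}

/* Allocate a buffer with the given sizing function, pack a constructed
 * all-black width*height image into it, and return 1 if every pixel fit,
 * 0 if the pack ran out of buffer, -1 on allocation failure. */
int save_fits(size_t width, size_t height, size_t (*sizer)(size_t))
{
    size_t npixels = width * height;          /* depth is 1 bit per pixel */
    size_t len = sizer(npixels);
    uint8_t *pixels = malloc(npixels);
    uint8_t *buf = calloc(len ? len : 1, 1);  /* avoid zero-size calloc */
    if (!pixels || !buf) { free(pixels); free(buf); return -1; }
    memset(pixels, 1, npixels);
    int rc = pack_1bit(pixels, npixels, buf, len);
    free(pixels);
    free(buf);
    return rc == 0;
}
```

A 2531-pixel row is 316.375 bytes: the truncating sizer allocates 316 and the last pixel is refused, while the rounded-up sizer allocates 317 and the pack succeeds.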