Comment 10 for bug 960967

Tom Gall (tom-gall) wrote :

Ok, so looking into this. When the app crashed, it was not from libjpeg-turbo8; instead it's from http://bazaar.launchpad.net/~vcs-imports/eog/trunk/view/head:/jpegutils/transupp-8a.c, which is a file that was copied some years back from the libjpeg project.

Why this app has internal copies of these files instead of just making use of the same routines which are also provided by libjpeg-turbo is for others to answer.

Running eog in gdb, looking at _save_jpeg_as_jpeg in the eog code:

 jpeg_stdio_src (&srcinfo, input_file);

 /* Enable saving of extra markers that we want to copy */
 jcopy_markers_setup (&srcinfo, JCOPYOPT_DEFAULT);

 /* Read file header */
 (void) jpeg_read_header (&srcinfo, TRUE);

 /* Any space needed by a transform option must be requested before
  * jpeg_read_coefficients so that memory allocation will be done right.
  */
 jtransform_request_workspace (&srcinfo, &transformoption);

 /* Read source file as DCT coefficients */
 src_coef_arrays = jpeg_read_coefficients (&srcinfo);

 /* Initialize destination compression parameters from source values */
 jpeg_copy_critical_parameters (&srcinfo, &dstinfo);

 /* Adjust destination parameters if required by transform options;
  * also find out which set of coefficient arrays will hold the output.
  */

--- FINE
 dst_coef_arrays = jtransform_adjust_parameters (&srcinfo,
       &dstinfo,
       src_coef_arrays,
       &transformoption);

--- NOT FINE
 /* Specify data destination for compression */
 jpeg_stdio_dest (&dstinfo, output_file);

 /* Start compressor (note no image data is actually written here) */
 jpeg_write_coefficients (&dstinfo, dst_coef_arrays);

By jpeg_stdio_dest, the jpeg_width and jpeg_height fields of dstinfo have garbage in them, while just after jpeg_copy_critical_parameters those fields are fine.

Debugging continues. Theory at this point: the old, copied jtransform_adjust_parameters might contain the bug.
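A gdb command file for the next step of the session above, added here as an editorial example and not part of the comment or of eog: it stops when jpeg_copy_critical_parameters returns into _save_jpeg_as_jpeg (where the fields are still sane), puts hardware watchpoints on dstinfo.jpeg_width and dstinfo.jpeg_height, and continues, so gdb halts on the first write to either field and the backtrace names the writer, whether it is jtransform_adjust_parameters or something else. It assumes eog was built with debug info and without optimisation (so the local dstinfo is visible) and that the save-as-JPEG action is triggered by hand in the UI after gdb prints the prompt; the file name watch-dstinfo.gdb is arbitrary.

```gdb
# watch-dstinfo.gdb  (added example; assumes eog built with -g -O0)
# Run as:  gdb -x watch-dstinfo.gdb --args eog some-image.jpg
# then use "Save as" with a JPEG target in the eog window.
set pagination off
set breakpoint pending on

# jpeg_copy_critical_parameters lives in libjpeg-turbo8, so the
# breakpoint stays pending until the library is loaded.
break jpeg_copy_critical_parameters
run

# Step out into the caller, _save_jpeg_as_jpeg, where dstinfo is a local.
finish

# Sanity check: these should still hold the real image dimensions here.
print dstinfo.jpeg_width
print dstinfo.jpeg_height

# Hardware watchpoints on the two fields that later hold garbage.
# gdb stops at the instruction that writes either one and shows old/new.
watch dstinfo.jpeg_width
watch dstinfo.jpeg_height
continue

# Who did the write?  If the suspect copy of transupp is at fault, the
# top frames will be inside eog's jtransform_adjust_parameters.
bt
info line *$pc
```

If the watchpoints never fire before jpeg_stdio_dest is reached, the fields are being read through a different layout rather than overwritten in place, which would point at a struct-definition mismatch between eog's copied jpegutils headers and the installed libjpeg-turbo8 headers instead of a stray write; a `print sizeof(dstinfo)` in the eog frame compared against `print sizeof(struct jpeg_compress_struct)` evaluated inside a libjpeg frame is a quick way to test that.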