Comment 14 for bug 555238

Jochen Voß (seehuhn) wrote : Re: nautilus crashed with SIGSEGV in jpc_qmfb_join_colgrp()

I can still see the bug. For me it is easy to reproduce by performing the following steps:
1) copy the file 2010_05_10__00_00_00_61Z__SDO_AIA_AIA_193.jp2 posted
  by Keith Hughitt into an empty directory
2) ask nautilus to display this directory.

Here is a stack trace, obtained using gdb:

#0 0x00007fffd6af391c in jpc_qmfb_join_colgrp (a=0x7fffc7fff010, numrows=2048, stride=4096, parity=0) at jpc_qmfb.c:786
#1 0x00007fffd6af6ad4 in jpc_ns_synthesize (a=0x7fffc7fff010, xstart=<optimized out>, ystart=<optimized out>, width=2048, height=2048, stride=4096) at jpc_qmfb.c:3131
#2 0x00007fffd6b00df7 in jpc_tsfb_synthesize2 (tsfb=0x7fffd00041c0, a=0x7fffc7fff010, xstart=0, ystart=0, width=2048, height=2048, stride=4096, numlvls=6) at jpc_tsfb.c:170
#3 0x00007fffd6b00da0 in jpc_tsfb_synthesize2 (tsfb=0x7fffd00041c0, a=0x7fffc7fff010, xstart=0, ystart=0, width=4096, height=4096, stride=4096, numlvls=7) at jpc_tsfb.c:161
#4 0x00007fffd6b00e50 in jpc_tsfb_synthesize (tsfb=<optimized out>, a=<optimized out>) at jpc_tsfb.c:154
#5 0x00007fffd6ae9f84 in jpc_dec_tiledecode (dec=0x7fffd00032c0, tile=0x7fffd00030e0) at jpc_dec.c:1065
#6 0x00007fffd6aec301 in jpc_dec_process_sod (dec=0x7fffd00032c0, ms=0x0) at jpc_dec.c:620
#7 0x00007fffd6aeb6ad in jpc_dec_decode (dec=0x7fffd00032c0) at jpc_dec.c:390
#8 jpc_decode (in=<optimized out>, optstr=<optimized out>) at jpc_dec.c:254
#9 0x00007fffd6ae4b48 in jp2_decode (in=0x7fffd0017460, optstr=0x0) at jp2_dec.c:215
#10 0x00007fffd6ad941c in jas_image_decode (in=0x7fffd0017460, fmt=<optimized out>, optstr=0x0) at jas_image.c:372
#11 0x00007fffd73a0e0d in ?? () from /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0//2.10.0/loaders/libpixbufloader-jasper.so
#12 0x00007ffff5f470f1 in gdk_pixbuf_loader_close () from /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0
#13 0x00007ffff77ad02a in ?? () from /usr/lib/libgnome-desktop-3.so.2
#14 0x00007ffff77ad66c in gnome_desktop_thumbnail_factory_generate_thumbnail () from /usr/lib/libgnome-desktop-3.so.2
#15 0x00000000004db08b in thumbnail_thread_start (data=<optimized out>) at nautilus-thumbnails.c:726
#16 0x00007ffff4b4befc in start_thread (arg=0x7fffd75c3700) at pthread_create.c:304
#17 0x00007ffff3a7f59d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112

The line where nautilus crashes is the assignment to *dstptr2
in the inner loop of the following code block from jpc_qmfb.c:

        /* Save the samples from the lowpass channel. */
        n = hstartcol;
        srcptr = &a[0];
        dstptr = buf;
        while (n-- > 0) {
                dstptr2 = dstptr;
                srcptr2 = srcptr;
                for (i = 0; i < JPC_QMFB_COLGRPSIZE; ++i) {
                        *dstptr2 = *srcptr2;
                        ++dstptr2;
                        ++srcptr2;
                }
                srcptr += stride;
                dstptr += JPC_QMFB_COLGRPSIZE;
        }

Maybe the destination buffer is too small and this is just a buffer
overflow?

I hope this helps,
Jochen
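To make the hypothesis at the end of the comment concrete, here is an added example (not JasPer's code and not part of the bug report) of the same column-group copy pattern with the bound the quoted loop lacks. It assumes a column-group width of 16 samples for JPC_QMFB_COLGRPSIZE, takes the destination capacity as an explicit, hypothetical dstcap parameter, and refuses to copy when the required size (computed with an overflow guard) exceeds that capacity instead of writing past the end of the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Column-group width; 16 is assumed here for illustration only. */
#define JPC_QMFB_COLGRPSIZE 16

/* Samples the destination must hold for 'ngroups' column groups,
 * or 0 if the product would overflow size_t. */
size_t join_colgrp_needed(size_t ngroups)
{
    if (ngroups > SIZE_MAX / JPC_QMFB_COLGRPSIZE)
        return 0;
    return ngroups * JPC_QMFB_COLGRPSIZE;
}

/* Same copy pattern as the quoted loop (row n of 'a', at a + n*stride, goes
 * to buf + n*JPC_QMFB_COLGRPSIZE), but checked against the destination size.
 * 'dstcap' (an assumed parameter) is the capacity of 'buf' in samples.
 * Returns 0 on success, -1 when the copy would overrun 'buf' or when a
 * source row is narrower than one column group. */
int join_colgrp_checked(const int *a, size_t ngroups, size_t stride,
                        int *buf, size_t dstcap)
{
    size_t needed = join_colgrp_needed(ngroups);
    if (needed == 0 && ngroups != 0)
        return -1;                  /* size computation overflowed */
    if (needed > dstcap)
        return -1;                  /* would overflow: do not copy */
    if (stride < JPC_QMFB_COLGRPSIZE)
        return -1;                  /* each source row must hold a full group */

    const int *srcptr = a;
    int *dstptr = buf;
    for (size_t n = 0; n < ngroups; ++n) {
        for (size_t i = 0; i < JPC_QMFB_COLGRPSIZE; ++i)
            dstptr[i] = srcptr[i];
        srcptr += stride;
        dstptr += JPC_QMFB_COLGRPSIZE;
    }
    return 0;
}

/* Constructed sample input: a 4-row array with a stride of 32 samples,
 * filled so that sample (row r, column c) == r*100 + c. Copies all four
 * column groups and returns the sample that lands at buf[3*16 + 5],
 * which must be 305 if the copy kept rows aligned. */
int demo_copy(void)
{
    enum { ROWS = 4, STRIDE = 32 };
    int src[ROWS * STRIDE];
    int dst[ROWS * JPC_QMFB_COLGRPSIZE];
    for (int r = 0; r < ROWS; ++r)
        for (int c = 0; c < STRIDE; ++c)
            src[r * STRIDE + c] = r * 100 + c;
    if (join_colgrp_checked(src, ROWS, STRIDE, dst,
                            ROWS * JPC_QMFB_COLGRPSIZE) != 0)
        return -1;
    return dst[3 * JPC_QMFB_COLGRPSIZE + 5];
}

int main(void)
{
    int src1[JPC_QMFB_COLGRPSIZE] = {0};
    int small[8];   /* deliberately too small for even one group */
    printf("copied sample: %d\n", demo_copy());
    printf("undersized destination rejected: %s\n",
           join_colgrp_checked(src1, 1, JPC_QMFB_COLGRPSIZE, small, 8) == -1
               ? "yes" : "no");
    return 0;
}
```

The point of the example is the order of operations: the required size is derived from the loop bounds and compared with the destination capacity before any sample is written, so an undersized buffer produces an error return rather than a write past the end of the buffer and a later crash in the copy loop.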