I can still see the bug. For me it is easy to reproduce by performing the following steps:
1) copy the file 2010_05_10__00_00_00_61Z__SDO_AIA_AIA_193.jp2 posted
by Keith Hughitt into an empty directory
2) ask nautilus to display this directory.
Here is a stack trace, obtained using gdb:
#0 0x00007fffd6af391c in jpc_qmfb_join_colgrp (a=0x7fffc7fff010, numrows=2048, stride=4096, parity=0) at jpc_qmfb.c:786
#1 0x00007fffd6af6ad4 in jpc_ns_synthesize (a=0x7fffc7fff010, xstart=<optimized out>, ystart=<optimized out>, width=2048, height=2048, stride=4096) at jpc_qmfb.c:3131
#2 0x00007fffd6b00df7 in jpc_tsfb_synthesize2 (tsfb=0x7fffd00041c0, a=0x7fffc7fff010, xstart=0, ystart=0, width=2048, height=2048, stride=4096, numlvls=6) at jpc_tsfb.c:170
#3 0x00007fffd6b00da0 in jpc_tsfb_synthesize2 (tsfb=0x7fffd00041c0, a=0x7fffc7fff010, xstart=0, ystart=0, width=4096, height=4096, stride=4096, numlvls=7) at jpc_tsfb.c:161
#4 0x00007fffd6b00e50 in jpc_tsfb_synthesize (tsfb=<optimized out>, a=<optimized out>) at jpc_tsfb.c:154
#5 0x00007fffd6ae9f84 in jpc_dec_tiledecode (dec=0x7fffd00032c0, tile=0x7fffd00030e0) at jpc_dec.c:1065
#6 0x00007fffd6aec301 in jpc_dec_process_sod (dec=0x7fffd00032c0, ms=0x0) at jpc_dec.c:620
#7 0x00007fffd6aeb6ad in jpc_dec_decode (dec=0x7fffd00032c0) at jpc_dec.c:390
#8 jpc_decode (in=<optimized out>, optstr=<optimized out>) at jpc_dec.c:254
#9 0x00007fffd6ae4b48 in jp2_decode (in=0x7fffd0017460, optstr=0x0) at jp2_dec.c:215
#10 0x00007fffd6ad941c in jas_image_decode (in=0x7fffd0017460, fmt=<optimized out>, optstr=0x0) at jas_image.c:372
#11 0x00007fffd73a0e0d in ?? () from /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0//2.10.0/loaders/libpixbufloader-jasper.so
#12 0x00007ffff5f470f1 in gdk_pixbuf_loader_close () from /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0
#13 0x00007ffff77ad02a in ?? () from /usr/lib/libgnome-desktop-3.so.2
#14 0x00007ffff77ad66c in gnome_desktop_thumbnail_factory_generate_thumbnail () from /usr/lib/libgnome-desktop-3.so.2
#15 0x00000000004db08b in thumbnail_thread_start (data=<optimized out>) at nautilus-thumbnails.c:726
#16 0x00007ffff4b4befc in start_thread (arg=0x7fffd75c3700) at pthread_create.c:304
#17 0x00007ffff3a7f59d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
The line where nautilus crashes is the assignment to *dstptr2
in the inner loop of the following code block from jpc_qmfb.c:
/* Save the samples from the lowpass channel. */
n = hstartcol;
srcptr = &a[0];
dstptr = buf;
while (n-- > 0) { dstptr2 = dstptr; srcptr2 = srcptr;
for (i = 0; i < JPC_QMFB_COLGRPSIZE; ++i) { *dstptr2 = *srcptr2; ++dstptr2; ++srcptr2;
} srcptr += stride; dstptr += JPC_QMFB_COLGRPSIZE;
}
Perhaps the destination buffer `buf` is too small for the hstartcol * JPC_QMFB_COLGRPSIZE samples that this loop copies into it, and this is simply a buffer overflow (an out-of-bounds write on the `*dstptr2 = *srcptr2` line)?
I can still see the bug. For me it is easy to reproduce by performing the following steps:
1) copy the file 2010_05_10__00_00_00_61Z__SDO_AIA_AIA_193.jp2 posted
by Keith Hughitt into an empty directory
2) ask nautilus to display this directory.
Here is a stack trace, obtained using gdb:
#0 0x00007fffd6af391c in jpc_qmfb_join_colgrp (a=0x7fffc7fff010, numrows=2048, stride=4096, parity=0) at jpc_qmfb.c:786
#1 0x00007fffd6af6ad4 in jpc_ns_synthesize (a=0x7fffc7fff010, xstart=<optimized out>, ystart=<optimized out>, width=2048, height=2048, stride=4096) at jpc_qmfb.c:3131
#2 0x00007fffd6b00df7 in jpc_tsfb_synthesize2 (tsfb=0x7fffd00041c0, a=0x7fffc7fff010, xstart=0, ystart=0, width=2048, height=2048, stride=4096, numlvls=6) at jpc_tsfb.c:170
#3 0x00007fffd6b00da0 in jpc_tsfb_synthesize2 (tsfb=0x7fffd00041c0, a=0x7fffc7fff010, xstart=0, ystart=0, width=4096, height=4096, stride=4096, numlvls=7) at jpc_tsfb.c:161
#4 0x00007fffd6b00e50 in jpc_tsfb_synthesize (tsfb=<optimized out>, a=<optimized out>) at jpc_tsfb.c:154
#5 0x00007fffd6ae9f84 in jpc_dec_tiledecode (dec=0x7fffd00032c0, tile=0x7fffd00030e0) at jpc_dec.c:1065
#6 0x00007fffd6aec301 in jpc_dec_process_sod (dec=0x7fffd00032c0, ms=0x0) at jpc_dec.c:620
#7 0x00007fffd6aeb6ad in jpc_dec_decode (dec=0x7fffd00032c0) at jpc_dec.c:390
#8 jpc_decode (in=<optimized out>, optstr=<optimized out>) at jpc_dec.c:254
#9 0x00007fffd6ae4b48 in jp2_decode (in=0x7fffd0017460, optstr=0x0) at jp2_dec.c:215
#10 0x00007fffd6ad941c in jas_image_decode (in=0x7fffd0017460, fmt=<optimized out>, optstr=0x0) at jas_image.c:372
#11 0x00007fffd73a0e0d in ?? () from /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0//2.10.0/loaders/libpixbufloader-jasper.so
#12 0x00007ffff5f470f1 in gdk_pixbuf_loader_close () from /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0
#13 0x00007ffff77ad02a in ?? () from /usr/lib/libgnome-desktop-3.so.2
#14 0x00007ffff77ad66c in gnome_desktop_thumbnail_factory_generate_thumbnail () from /usr/lib/libgnome-desktop-3.so.2
#15 0x00000000004db08b in thumbnail_thread_start (data=<optimized out>) at nautilus-thumbnails.c:726
#16 0x00007ffff4b4befc in start_thread (arg=0x7fffd75c3700) at pthread_create.c:304
#17 0x00007ffff3a7f59d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
The line where nautilus crashes is the assignment to *dstptr2
in the inner loop of the following code block from jpc_qmfb.c:
/* Save the samples from the lowpass channel. */
dstptr2 = dstptr;
srcptr2 = srcptr; COLGRPSIZE; ++i) {
*dstptr2 = *srcptr2;
++dstptr2;
++srcptr2;
srcptr += stride;
dstptr += JPC_QMFB_ COLGRPSIZE;
n = hstartcol;
srcptr = &a[0];
dstptr = buf;
while (n-- > 0) {
for (i = 0; i < JPC_QMFB_
}
}
Perhaps the destination buffer `buf` is too small for the hstartcol * JPC_QMFB_COLGRPSIZE samples that this loop copies into it, and this is simply a buffer overflow (an out-of-bounds write on the `*dstptr2 = *srcptr2` line)?
I hope this helps,
Jochen