eog crashed with SIGSEGV in __memcpy_ssse3()
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tiff (Ubuntu) | Fix Released | Medium | Unassigned |
Lucid | Fix Released | Medium | Unassigned |
Maverick | Fix Released | Medium | Unassigned |
Bug Description
Binary package hint: libtiff4
Any application using libtiff will segfault because of a null dereference when opening the attached TIFF file. Valgrind seems to crash when debugging eog with the attached file, but the output until the crash was:
==10652== Invalid write of size 1
==10652== at 0x402689F: memcpy (mc_replace_
==10652== by 0x647EA85: tiff_load_read (string3.h:52)
==10652== by 0x7CBF022: ??? (in /usr/lib/
==10652== by 0x7CBF1D5: TIFFFillStrip (in /usr/lib/
==10652== by 0x7CBF767: TIFFReadEncoded
==10652== by 0x7CA717A: ??? (in /usr/lib/
==10652== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/
==10652== by 0x7CA95FF: TIFFReadRGBAIma
==10652== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==10652== by 0x647F2FE: gdk_pixbuf_
==10652== by 0x477E7A0: gdk_pixbuf_
==10652== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==10652== Address 0x97bba3e is 2 bytes before a block of size 0 alloc'd
==10652== at 0x4024F20: malloc (vg_replace_
==10652== by 0x7CC0FCC: _TIFFmalloc (in /usr/lib/
==10652== by 0x7CBE7D9: TIFFReadBufferSetup (in /usr/lib/
==10652== by 0x7CBF1AB: TIFFFillStrip (in /usr/lib/
==10652== by 0x7CBF767: TIFFReadEncoded
==10652== by 0x7CA717A: ??? (in /usr/lib/
==10652== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/
==10652== by 0x7CA95FF: TIFFReadRGBAIma
==10652== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==10652== by 0x647F2FE: gdk_pixbuf_
==10652== by 0x477E7A0: gdk_pixbuf_
==10652== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==10652==
==10652== Invalid write of size 1
==10652== at 0x40268A7: memcpy (mc_replace_
==10652== by 0x647EA85: tiff_load_read (string3.h:52)
==10652== by 0x7CBF022: ??? (in /usr/lib/
==10652== by 0x7CBF1D5: TIFFFillStrip (in /usr/lib/
==10652== by 0x7CBF767: TIFFReadEncoded
==10652== by 0x7CA717A: ??? (in /usr/lib/
==10652== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/
==10652== by 0x7CA95FF: TIFFReadRGBAIma
==10652== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==10652== by 0x647F2FE: gdk_pixbuf_
==10652== by 0x477E7A0: gdk_pixbuf_
==10652== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==10652== Address 0x97bba3d is 3 bytes before a block of size 0 alloc'd
==10652== at 0x4024F20: malloc (vg_replace_
==10652== by 0x7CC0FCC: _TIFFmalloc (in /usr/lib/
==10652== by 0x7CBE7D9: TIFFReadBufferSetup (in /usr/lib/
==10652== by 0x7CBF1AB: TIFFFillStrip (in /usr/lib/
==10652== by 0x7CBF767: TIFFReadEncoded
==10652== by 0x7CA717A: ??? (in /usr/lib/
==10652== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/
==10652== by 0x7CA95FF: TIFFReadRGBAIma
==10652== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==10652== by 0x647F2FE: gdk_pixbuf_
==10652== by 0x477E7A0: gdk_pixbuf_
==10652== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==10652==
==10652== Invalid write of size 1
==10652== at 0x40268B0: memcpy (mc_replace_
==10652== by 0x647EA85: tiff_load_read (string3.h:52)
==10652== by 0x7CBF022: ??? (in /usr/lib/
==10652== by 0x7CBF1D5: TIFFFillStrip (in /usr/lib/
==10652== by 0x7CBF767: TIFFReadEncoded
==10652== by 0x7CA717A: ??? (in /usr/lib/
==10652== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/
==10652== by 0x7CA95FF: TIFFReadRGBAIma
==10652== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==10652== by 0x647F2FE: gdk_pixbuf_
==10652== by 0x477E7A0: gdk_pixbuf_
==10652== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==10652== Address 0x97bba3c is 4 bytes before a block of size 0 alloc'd
==10652== at 0x4024F20: malloc (vg_replace_
==10652== by 0x7CC0FCC: _TIFFmalloc (in /usr/lib/
==10652== by 0x7CBE7D9: TIFFReadBufferSetup (in /usr/lib/
==10652== by 0x7CBF1AB: TIFFFillStrip (in /usr/lib/
==10652== by 0x7CBF767: TIFFReadEncoded
==10652== by 0x7CA717A: ??? (in /usr/lib/
==10652== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/
==10652== by 0x7CA95FF: TIFFReadRGBAIma
==10652== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==10652== by 0x647F2FE: gdk_pixbuf_
==10652== by 0x477E7A0: gdk_pixbuf_
==10652== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==10652==
==10652== Invalid write of size 1
==10652== at 0x40268B9: memcpy (mc_replace_
==10652== by 0x647EA85: tiff_load_read (string3.h:52)
==10652== by 0x7CBF022: ??? (in /usr/lib/
==10652== by 0x7CBF1D5: TIFFFillStrip (in /usr/lib/
==10652== by 0x7CBF767: TIFFReadEncoded
==10652== by 0x7CA717A: ??? (in /usr/lib/
==10652== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/
==10652== by 0x7CA95FF: TIFFReadRGBAIma
==10652== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==10652== by 0x647F2FE: gdk_pixbuf_
==10652== by 0x477E7A0: gdk_pixbuf_
==10652== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==10652== Address 0x97bba3b is 5 bytes before a block of size 0 alloc'd
==10652== at 0x4024F20: malloc (vg_replace_
==10652== by 0x7CC0FCC: _TIFFmalloc (in /usr/lib/
==10652== by 0x7CBE7D9: TIFFReadBufferSetup (in /usr/lib/
==10652== by 0x7CBF1AB: TIFFFillStrip (in /usr/lib/
==10652== by 0x7CBF767: TIFFReadEncoded
==10652== by 0x7CA717A: ??? (in /usr/lib/
==10652== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/
==10652== by 0x7CA95FF: TIFFReadRGBAIma
==10652== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==10652== by 0x647F2FE: gdk_pixbuf_
==10652== by 0x477E7A0: gdk_pixbuf_
==10652== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==10652==
==10652== Invalid read of size 1
==10652== at 0x40268B4: memcpy (mc_replace_
==10652== by 0x647EA85: tiff_load_read (string3.h:52)
==10652== by 0x7CBF022: ??? (in /usr/lib/
==10652== by 0x7CBF1D5: TIFFFillStrip (in /usr/lib/
==10652== by 0x7CBF767: TIFFReadEncoded
==10652== by 0x7CA717A: ??? (in /usr/lib/
==10652== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/
==10652== by 0x7CA95FF: TIFFReadRGBAIma
==10652== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==10652== by 0x647F2FE: gdk_pixbuf_
==10652== by 0x477E7A0: gdk_pixbuf_
==10652== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==10652== Address 0x8af4e17 is 1 bytes before a block of size 16,384 alloc'd
==10652== at 0x4024F20: malloc (vg_replace_
==10652== by 0x4024FAA: realloc (vg_replace_
==10652== by 0x4AE8DEF: g_try_realloc (in /lib/libglib-
==10652== by 0x647EBBC: gdk_pixbuf_
==10652== by 0x477ED1D: gdk_pixbuf_
==10652== by 0x807C323: eog_image_load (eog-image.c:991)
==10652== by 0x808804F: eog_job_load_run (eog-jobs.c:336)
==10652== by 0x8087DA3: eog_job_run (eog-jobs.c:153)
==10652== by 0x80877D6: eog_render_thread (eog-job-
==10652== by 0x4B0ADEE: ??? (in /lib/libglib-
==10652== by 0x4A4C96D: start_thread (pthread_
==10652== by 0x4EBAA4D: clone (clone.S:130)
==10652==
==10652== Invalid read of size 1
==10652== at 0x4026898: memcpy (mc_replace_
==10652== by 0x647EA85: tiff_load_read (string3.h:52)
==10652== by 0x7CBF022: ??? (in /usr/lib/
==10652== by 0x7CBF1D5: TIFFFillStrip (in /usr/lib/
==10652== by 0x7CBF767: TIFFReadEncoded
==10652== by 0x7CA717A: ??? (in /usr/lib/
==10652== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/
==10652== by 0x7CA95FF: TIFFReadRGBAIma
==10652== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==10652== by 0x647F2FE: gdk_pixbuf_
==10652== by 0x477E7A0: gdk_pixbuf_
==10652== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==10652== Address 0x8af4e16 is 2 bytes before a block of size 16,384 alloc'd
==10652== at 0x4024F20: malloc (vg_replace_
==10652== by 0x4024FAA: realloc (vg_replace_
==10652== by 0x4AE8DEF: g_try_realloc (in /lib/libglib-
==10652== by 0x647EBBC: gdk_pixbuf_
==10652== by 0x477ED1D: gdk_pixbuf_
==10652== by 0x807C323: eog_image_load (eog-image.c:991)
==10652== by 0x808804F: eog_job_load_run (eog-jobs.c:336)
==10652== by 0x8087DA3: eog_job_run (eog-jobs.c:153)
==10652== by 0x80877D6: eog_render_thread (eog-job-
==10652== by 0x4B0ADEE: ??? (in /lib/libglib-
==10652== by 0x4A4C96D: start_thread (pthread_
==10652== by 0x4EBAA4D: clone (clone.S:130)
==10652==
==10652== Invalid read of size 1
==10652== at 0x40268A2: memcpy (mc_replace_
==10652== by 0x647EA85: tiff_load_read (string3.h:52)
==10652== by 0x7CBF022: ??? (in /usr/lib/
==10652== by 0x7CBF1D5: TIFFFillStrip (in /usr/lib/
==10652== by 0x7CBF767: TIFFReadEncoded
==10652== by 0x7CA717A: ??? (in /usr/lib/
==10652== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/
==10652== by 0x7CA95FF: TIFFReadRGBAIma
==10652== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==10652== by 0x647F2FE: gdk_pixbuf_
==10652== by 0x477E7A0: gdk_pixbuf_
==10652== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==10652== Address 0x8af4e15 is 3 bytes before a block of size 16,384 alloc'd
==10652== at 0x4024F20: malloc (vg_replace_
==10652== by 0x4024FAA: realloc (vg_replace_
==10652== by 0x4AE8DEF: g_try_realloc (in /lib/libglib-
==10652== by 0x647EBBC: gdk_pixbuf_
==10652== by 0x477ED1D: gdk_pixbuf_
==10652== by 0x807C323: eog_image_load (eog-image.c:991)
==10652== by 0x808804F: eog_job_load_run (eog-jobs.c:336)
==10652== by 0x8087DA3: eog_job_run (eog-jobs.c:153)
==10652== by 0x80877D6: eog_render_thread (eog-job-
==10652== by 0x4B0ADEE: ??? (in /lib/libglib-
==10652== by 0x4A4C96D: start_thread (pthread_
==10652== by 0x4EBAA4D: clone (clone.S:130)
==10652==
==10652== Invalid read of size 1
==10652== at 0x40268AB: memcpy (mc_replace_
==10652== by 0x647EA85: tiff_load_read (string3.h:52)
==10652== by 0x7CBF022: ??? (in /usr/lib/
==10652== by 0x7CBF1D5: TIFFFillStrip (in /usr/lib/
==10652== by 0x7CBF767: TIFFReadEncoded
==10652== by 0x7CA717A: ??? (in /usr/lib/
==10652== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/
==10652== by 0x7CA95FF: TIFFReadRGBAIma
==10652== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==10652== by 0x647F2FE: gdk_pixbuf_
==10652== by 0x477E7A0: gdk_pixbuf_
==10652== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==10652== Address 0x8af4e14 is 4 bytes before a block of size 16,384 alloc'd
==10652== at 0x4024F20: malloc (vg_replace_
==10652== by 0x4024FAA: realloc (vg_replace_
==10652== by 0x4AE8DEF: g_try_realloc (in /lib/libglib-
==10652== by 0x647EBBC: gdk_pixbuf_
==10652== by 0x477ED1D: gdk_pixbuf_
==10652== by 0x807C323: eog_image_load (eog-image.c:991)
==10652== by 0x808804F: eog_job_load_run (eog-jobs.c:336)
==10652== by 0x8087DA3: eog_job_run (eog-jobs.c:153)
==10652== by 0x80877D6: eog_render_thread (eog-job-
==10652== by 0x4B0ADEE: ??? (in /lib/libglib-
==10652== by 0x4A4C96D: start_thread (pthread_
==10652== by 0x4EBAA4D: clone (clone.S:130)
==10652==
==10652==
==10652== Process terminating with default action of signal 11 (SIGSEGV)
==10652== Access not within mapped region at address 0x88BFFFF
==10652== at 0x40268B4: memcpy (mc_replace_
==10652== by 0x647EA85: tiff_load_read (string3.h:52)
==10652== by 0x7CBF022: ??? (in /usr/lib/
==10652== by 0x7CBF1D5: TIFFFillStrip (in /usr/lib/
==10652== by 0x7CBF767: TIFFReadEncoded
==10652== by 0x7CA717A: ??? (in /usr/lib/
==10652== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/
==10652== by 0x7CA95FF: TIFFReadRGBAIma
==10652== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==10652== by 0x647F2FE: gdk_pixbuf_
==10652== by 0x477E7A0: gdk_pixbuf_
==10652== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==10652== If you believe this happened as a result of a stack
==10652== overflow in your program's main thread (unlikely but
==10652== possible), you can try to increase the size of the
==10652== main thread stack using the --main-stacksize= flag.
==10652== The main thread stack size used in this run was 8388608.
--10652-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting
--10652-- si_code=1; Faulting address: 0x6E656D75; sp: 0x62d59094
valgrind: the 'impossible' happened:
Killed by fatal signal
==10652== at 0x38033D7E: mkFreeBlock (m_mallocfree.
==10652== by 0x380355A9: vgPlain_arena_free (m_mallocfree.
==10652== by 0x38064818: vgPlain_cli_free (replacemalloc_
==10652== by 0x38001F61: die_and_free_mem (mc_malloc_
==10652== by 0x38002A37: vgMemCheck_free (mc_malloc_
==10652== by 0x3806715F: vgPlain_scheduler (scheduler.c:1384)
==10652== by 0x38030E66: final_tidyup (m_main.c:2590)
==10652== by 0x38030FBC: shutdown_
==10652== by 0x3809429B: run_a_thread_
sched status:
running_tid=1
Thread 1: status = VgTs_Runnable
==10652== at 0x4024B3A: free (vg_replace_
==10652== by 0x4F09BB7: ??? (in /lib/tls/
==10652== by 0x4F098A6: ??? (in /lib/tls/
==10652== by 0x4F0A119: ??? (in /lib/tls/
==10652== by 0x401F4F3: _vgnU_freeres (vg_preloaded.c:62)
==10652== by 0x7B18BB7: ???
==10652== by 0x4514D1B: gtk_tree_
==10652== by 0x43F38A6: gtk_icon_
==10652== by 0x43F443C: gtk_icon_
==10652== by 0x43F9AD6: gtk_icon_
==10652== by 0x43F9B87: layout_callback (gtkiconview.
==10652== by 0x46D7357: gdk_threads_
==10652== by 0x4ADE660: ??? (in /lib/libglib-
==10652== by 0x4AE05E4: g_main_
==10652== by 0x4AE42D7: ??? (in /lib/libglib-
==10652== by 0x4AE4816: g_main_loop_run (in /lib/libglib-
==10652== by 0x4423308: gtk_main (gtkmain.c:1219)
==10652== by 0x8060800: main (main.c:239)
ProblemType: Crash
DistroRelease: Ubuntu 10.04
Package: eog 2.30.0-0ubuntu1
ProcVersionSign
Uname: Linux 2.6.32-22-generic i686
Architecture: i386
Date: Fri Jun 4 10:31:42 2010
EcryptfsInUse: Yes
ExecutablePath: /usr/bin/eog
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha i386 (20100113)
ProcCmdline: eog /home/username/
ProcEnviron:
SHELL=/bin/bash
LANG=en_US.utf8
SegvAnalysis:
Segfault happened at: 0x6b17bbe <__memcpy_
PC (0x06b17bbe) ok
source "0x488bdc4a(%ecx)" (0x488bdc49) not located in a known VMA region (needed readable region)!
SegvReason: reading unknown VMA
Signal: 11
SourcePackage: eog
StacktraceTop:
__memcpy_ssse3 ()
?? ()
?? () from /usr/lib/
TIFFFillStrip () from /usr/lib/
TIFFReadEncode
Title: eog crashed with SIGSEGV in __memcpy_ssse3()
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
XsessionErrors:
(polkit-
(gnome-
Changed in tiff (Ubuntu):
  status: New → Confirmed
  visibility: private → public
Changed in tiff (Ubuntu Maverick):
  status: Confirmed → Fix Released
Changed in tiff (Ubuntu Lucid):
  status: New → Fix Committed
  importance: Undecided → Medium
StacktraceTop:
?? () from /lib/tls/i686/cmov/libc.so.6
?? ()
TIFFReadRawStrip1 (tif=0xffffffff, strip=185877048,
TIFFFillStrip (tif=0xaabb8b0, strip=0) at tif_read.c:348
TIFFReadEncodedStrip (tif=0xaabb8b0, strip=0,