Bug 1279152

Version-Release number of selected component (if applicable):
libopenraw-pixbuf-loader-0.0.9-10.fc22.x86_64

How reproducible:
100%

Steps to Reproduce:
1. install libopenraw-pixbuf-loader
2. download (into e.g. ~/Downloads) a RAW file not supported by libopenraw, e.g. http://www.rawsamples.ch/raws/olympus/sp350/RAW_OLYMPUS_SP350.ORF
3. start/open nautilus
4. in Preferences->Preview, make sure "Show thumbnails" is not "Never" and "Only for files smaller than" is set to at least 100MB (the above example is ~12MB)
5. then browse to the folder (e.g. ~/Downloads) containing the RAW file.

Actual results:
Segfault.

Expected results:
Error message to stderr, no thumbnail generated.

Description of problem:
gdk_pixbuf_loader_close is documented to set a non-NULL @error when returning FALSE, but lines 821-831 allow the possibility of returning FALSE without setting @error:

https://git.gnome.org/browse/gdk-pixbuf/tree/gdk-pixbuf/gdk-pixbuf-loader.c?h=gdk-pixbuf-2-32#n766

libgnome-desktop's _gdk_pixbuf_new_from_uri_at_scale (used by Nautilus to generate thumbnails for image formats supported by GdkPixbuf) depends on the documented behaviour by accessing error->message without checking that error != NULL:

https://git.gnome.org/browse/gnome-desktop/tree/libgnome-desktop/gnome-desktop-thumbnail.c?h=gnome-3-18#n552

However, libopenraw's gdk_pixbuf__or_image_stop_load, which is the vfunc called by gdk_pixbuf_loader_close, completely ignores @error:

http://cgit.freedesktop.org/libopenraw/tree/gnome/pixbuf-loader.c#n93

So, when faced with a RAW image that libopenraw does not support (which, at least in 0.0.9 are many, given that there are four years of yet unreleased development in upstream git), libopenraw-pixbuf-loader causes gdk_pixbuf_loader_close to return FALSE but does *not* set @error as promised.  The result is a NULL dereference in libgnome-desktop causing nautilus to SEGV.

Ultimately, there is plenty of blame to go around here:

* libopenraw-0.0.9 does not support many currently available RAW formats.  The possibility of shipping a git snapshot, or even better getting upstream to ship a new release, would make this library much more useful.  I have not investigated the API/ABI compatibility of git master vs. 0.0.9.

* Regardless, libopenraw's gdk_pixbuf__or_image_stop_load should conform with the documented requirement of gdk_pixbuf_loader close along the lines of the following:

--- a/gnome/pixbuf-loader.c
+++ b/gnome/pixbuf-loader.c
@@ -98,7 +98,6 @@ gdk_pixbuf__or_image_stop_load (gpointer

     GdkPixbuf *pixbuf = NULL;
     ORRawFileRef raw_file = NULL;
-    (void)error;

     raw_file = or_rawfile_new_from_memory(context->data->data, context->data->len,
                                           OR_DATA_TYPE_NONE);
@@ -129,6 +128,11 @@ gdk_pixbuf__or_image_stop_load (gpointer
                                       context->user_data);
         }
         result = TRUE;
+    } else if (error) {
+        g_set_error (error,
+                     GDK_PIXBUF_ERROR,
+                     GDK_PIXBUF_ERROR_FAILED,
+                     "Unable to load RAW file");
     }
 
 
* gdk_pixbuf_loader_close must conform with its documentation and assure that (a non-NULL) @error is always set when returning FALSE, in case a(nother) loader's stop_load vfunc does not conform.

* it could be argued that libgnome-desktop should check for error != NULL before error->message, but OTOH gdk-pixbuf's documentation does indicate that it is a safe assumption to make.

I believe this affects all supported versions of Fedora.