Bug 589283
Summary: save as jpeg eats all memory and crashes file-jpeg

Product: Fedora
Component: libexif
Version: 12
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: medium
Reporter: Klaus Lichtenwalder <klic>
Assignee: Thomas Janssen <thomasj>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: mattdm, nphilipp, rdieter, rhbugs, thomasj
Fixed In Version: libexif-0.6.19-1.fc12
Doc Type: Bug Fix
Clones: 597695
Bug Blocks: 597695
Last Closed: 2010-06-16 17:48:15 UTC

Attachments:
test image (attachment 412791)

Description Klaus Lichtenwalder 2010-05-05 18:28:15 UTC
Description of problem:
Trying to save an edited image as JPEG eats up all memory, and after the crash of /usr/lib64/gimp/2.0/plug-ins/file-jpeg the errors are:
1) Bogus marker length
2) /usr/lib64/gimp/2.0/plug-ins/file-jpeg: fatal error: (segmentation fault)

Saving as PNG does work, though, but it has much less EXIF information in it.

Version-Release number of selected component (if applicable):
gimp-help-2.4.2-5.fc12.noarch
gimp-2.6.8-1.fc12.x86_64
gimp-help-browser-2.6.8-1.fc12.x86_64
gimp-data-extras-2.0.2-3.fc12.noarch
gimp-debuginfo-2.6.8-1.fc13.x86_64
gimp-libs-2.6.8-1.fc12.x86_64
ufraw-common-0.16-1.fc12.x86_64
ufraw-0.16-1.fc12.x86_64
ufraw-gimp-0.16-1.fc12.x86_64


How reproducible:
I put the two images where it happens so far at http://lklaus.homelinux.org/image1.orf and image2.orf respectively (large!)

Steps to Reproduce:
1. open image
2. save as jpg

  
Actual results:


Expected results:
save as jpeg should be fine

Additional info:
You need ufraw for the raw image

Comment 1 Andriy Bondarchuk 2010-05-10 10:39:15 UTC
Created attachment 412791 [details]
test image


An easier way to reproduce it:

1. Open the file one_black_pixel.xcf (from the attachment).

2. Save the image as one_black_pixel.JPG.

3. The processor is busy for about 1 minute.

4. On-screen message:
            GIMP Message
Saving '/home/bond/HOSTING/bug/one_black_pixel.JPG' failed:
JPEG image plug-in could not save image

5. Console message:
   Bogus marker length

This does not happen with all images, only approximately one out of 100.


P.S.
conversion to JPG works correctly in Arch Linux

Comment 2 Nils Philippsen 2010-05-26 12:51:52 UTC
(In reply to comment #1)

Thanks for the easy reproducer.

> P.S.
> conversion to JPG works correctly in Arch Linux    

Which version of gimp is this?

Comment 3 Nils Philippsen 2010-05-26 13:34:17 UTC
Never mind the Arch Linux gimp version... I strongly suspect Arch has a more up-to-date version of libexif than Fedora (which has 0.6.16 instead of 0.6.19, which is current). This is why I suspect libexif to be the culprit:

In order to not have to wait for the crash too long (and clog the machine), I limited the size of virtual memory available to GIMP to 1GB:

nils@gibraltar:~> ulimit -v $((1024*1024))

Then I started gimp, opening your reproducer image and attempting to save it as a JPEG:

nils@gibraltar:~> gimp --stack-trace-mode=always Download/one_black_pixel.xcf
/usr/lib64/gimp/2.0/plug-ins/file-jpeg: fatal error: Segmentation fault
#0  0x0000003b0560ec4e in waitpid () from /lib64/libpthread.so.0
#1  0x0000003b07a159d2 in g_on_error_stack_trace ()
#2  0x0000003b0d212a20 in ?? () from /usr/lib64/libgimp-2.0.so.0
#3  <signal handler called>
#4  0x0000003b12a13b7b in exif_set_sshort () from /usr/lib64/libexif.so.12
#5  0x0000003b12a0cbfb in ?? () from /usr/lib64/libexif.so.12
#6  0x0000003b12a0cd91 in ?? () from /usr/lib64/libexif.so.12
#7  0x0000003b12a0d339 in exif_data_save_data () from /usr/lib64/libexif.so.12
#8  0x0000000000409670 in ?? ()
#9  0x00000000004060a2 in ?? ()
#10 0x0000003b0d2126c6 in gimp_main () from /usr/lib64/libgimp-2.0.so.0
#11 0x0000003b04a1eb1d in __libc_start_main () from /lib64/libc.so.6
#12 0x00000000004058e9 in ?? ()
#13 0x00007fffd88d8328 in ?? ()
#14 0x000000000000001c in ?? ()
#15 0x0000000000000006 in ?? ()
#16 0x00007fffd88d93db in ?? ()
#17 0x00007fffd88d9402 in ?? ()
#18 0x00007fffd88d9408 in ?? ()
#19 0x00007fffd88d940b in ?? ()
#20 0x00007fffd88d940e in ?? ()
#21 0x00007fffd88d9413 in ?? ()
#22 0x0000000000000000 in ?? ()

The actual SEGV happens here:

#4  0x0000003b12a13b7b in exif_set_sshort () from /usr/lib64/libexif.so.12

After compiling the current version of libexif (0.6.19) and running GIMP against it instead of the packaged Fedora version, I could save the image as JPEG without problems; the resulting JPEG is the expected single black pixel:

nils@gibraltar:~> LD_LIBRARY_PATH=/home/nils/libexif/lib gimp --stack-trace-mode=always Download/one_black_pixel.xcf
nils@gibraltar:~> eog ~/Download/chromium/one_black_pixel.jpg 
nils@gibraltar:~> 

(In reply to comment #0)
> saving as png does work, though, but it does have much less exif information in
> it

The missing EXIF tags may be the reason why saving as PNG worked at all.

On http://libexif.cvs.sourceforge.net/viewvc/libexif/libexif/NEWS?view=markup&pathrev=libexif-0_6_19-release the release notes of libexif-0.6.19 have the following:

libexif-0.6.19 (2009-11-12):
[...]
  * Fixed a heap buffer overflow during tag format conversion

Changing component to libexif.
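
The release note quoted above names the bug class (a heap buffer overflow while a tag is converted from one format to another) and the backtrace shows the crash in exif_set_sshort, the 2-byte signed-value writer, called from exif_data_save_data. The following is an added example written for this page, not libexif's code, and it does not reproduce the actual 0.6.16 defect, whose details are not on this page. It uses a hypothetical `exif_entry` struct with little-endian packed values (both assumptions) to show the unchecked in-place conversion pattern that overruns a heap block whenever the target format is wider, next to a checked version that sizes a new buffer first, guards the size multiplication, and refuses values that would not survive a narrower format.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical entry layout for this example (not libexif's): TIFF/EXIF format code,
 * component count, and `size` bytes of little-endian packed component values. */
enum exif_fmt { EF_BYTE = 1, EF_SHORT = 3, EF_LONG = 4, EF_SSHORT = 8, EF_SLONG = 9 };
struct exif_entry { enum exif_fmt format; size_t components; unsigned char *data; size_t size; };

static size_t fmt_width(enum exif_fmt f)   /* bytes per component; 0 = unknown code */
{
    switch (f) { case EF_BYTE: return 1; case EF_SHORT: case EF_SSHORT: return 2;
                 case EF_LONG: case EF_SLONG: return 4; default: return 0; }
}
static int fmt_signed(enum exif_fmt f) { return f == EF_SSHORT || f == EF_SLONG; }
/* Read component i at the entry's current width, sign-extending signed formats. */
static int64_t get_value(const struct exif_entry *e, size_t i)
{
    size_t w = fmt_width(e->format); uint64_t v = 0;
    for (size_t k = 0; k < w; k++) v |= (uint64_t)e->data[i * w + k] << (8 * k);
    if (fmt_signed(e->format) && ((v >> (8 * w - 1)) & 1)) v |= ~(uint64_t)0 << (8 * w);
    return (int64_t)v;
}
/* Write v at width w to p; w == 2 with a signed value is the job exif_set_sshort does. */
static void put_value(unsigned char *p, size_t w, int64_t v)
{
    for (size_t k = 0; k < w; k++) p[k] = (unsigned char)((uint64_t)v >> (8 * k));
}
/* Does v survive a round trip through format f without truncation? */
static int fits(enum exif_fmt f, int64_t v)
{
    unsigned bits = 8 * (unsigned)fmt_width(f);
    if (fmt_signed(f)) { int64_t lim = (int64_t)1 << (bits - 1); return v >= -lim && v < lim; }
    return v >= 0 && (uint64_t)v < ((uint64_t)1 << bits);
}
/* VULNERABLE pattern: re-encodes every component at the new width straight into the buffer
 * sized for the old width, so widening BYTE -> SSHORT writes 2*components bytes into a
 * heap block of 1*components bytes. Shown for contrast only; never called here. */
void convert_format_unchecked(struct exif_entry *e, enum exif_fmt to)
{
    size_t to_w = fmt_width(to);
    for (size_t i = 0; i < e->components; i++)
        put_value(e->data + i * to_w, to_w, get_value(e, i));
    e->format = to;
}
/* Hardened conversion: 0 on success; -1 unknown format; -2 size arithmetic would overflow;
 * -3 allocation failed; -4 a value does not fit the target format. Untouched on error. */
static int convert_format_checked(struct exif_entry *e, enum exif_fmt to)
{
    size_t to_w = fmt_width(to);
    if (fmt_width(e->format) == 0 || to_w == 0) return -1;
    if (e->components > SIZE_MAX / to_w) return -2;
    size_t need = e->components * to_w;
    for (size_t i = 0; i < e->components; i++)
        if (!fits(to, get_value(e, i))) return -4;
    /* Fresh block: the old one is too small, and in-place widening would clobber unread components. */
    unsigned char *out = malloc(need ? need : 1);
    if (!out) return -3;
    for (size_t i = 0; i < e->components; i++)
        put_value(out + i * to_w, to_w, get_value(e, i));
    free(e->data);
    e->data = out; e->size = need; e->format = to;
    return 0;
}
/* Build an entry from a constructed value list (sample data, not from a real file). */
static int entry_init(struct exif_entry *e, enum exif_fmt f, const int64_t *v, size_t n)
{
    size_t w = fmt_width(f);
    e->format = f; e->components = n; e->size = n * w;
    if (!(e->data = malloc(e->size ? e->size : 1))) return -3;
    for (size_t i = 0; i < n; i++) put_value(e->data + i * w, w, v[i]);
    return 0;
}
/* Widen the BYTE triple {1, 200, 255} to SSHORT: returns the new size (6), stores component idx in *out. */
static int demo_widen(size_t idx, int64_t *out)
{
    const int64_t bytes[] = { 1, 200, 255 };
    struct exif_entry e; int rc = entry_init(&e, EF_BYTE, bytes, 3);
    if (rc == 0 && (rc = convert_format_checked(&e, EF_SSHORT)) == 0) {
        if (out) *out = idx < e.components ? get_value(&e, idx) : 0;
        rc = (int)e.size;
    }
    free(e.data);
    return rc;
}
static int64_t demo_widen_value(size_t idx) { int64_t v = 0; return demo_widen(idx, &v) == 6 ? v : -1; }
/* Convert the SLONG pair {-1, 40000} to `to`; returns convert_format_checked's code. */
static int demo_narrow(enum exif_fmt to)
{
    const int64_t slongs[] = { -1, 40000 };
    struct exif_entry e; int rc = entry_init(&e, EF_SLONG, slongs, 2);
    if (rc == 0) rc = convert_format_checked(&e, to);
    free(e.data);
    return rc;
}
int main(void)
{
    printf("BYTE{1,200,255} -> SSHORT: size %d, value[2] %lld; SLONG{-1,40000} -> SHORT %d, SLONG %d\n",
           demo_widen(2, NULL), (long long)demo_widen_value(2), demo_narrow(EF_SHORT), demo_narrow(EF_SLONG));
    return 0;
}
```

The checked routine is the shape to look for when auditing a tag fixup or save path: the byte count is derived from the new width, the multiplication is overflow-checked, the allocation happens before the first write, and a value that cannot be represented in the target format is an error rather than a silent truncation.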

Comment 4 Thomas Janssen 2010-05-26 14:54:28 UTC
Updating libexif..

Comment 5 Fedora Update System 2010-05-26 19:27:33 UTC
libexif-0.6.19-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/libexif-0.6.19-1.fc13

Comment 6 Fedora Update System 2010-05-26 19:27:38 UTC
libexif-0.6.19-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/libexif-0.6.19-1.fc12

Comment 7 Fedora Update System 2010-05-27 18:29:07 UTC
libexif-0.6.19-1.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
  su -c 'yum --enablerepo=updates-testing update libexif'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/libexif-0.6.19-1.fc13

Comment 8 Fedora Update System 2010-05-27 18:32:07 UTC
libexif-0.6.19-1.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
  su -c 'yum --enablerepo=updates-testing update libexif'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/libexif-0.6.19-1.fc12

Comment 9 Matthew Miller 2010-05-30 03:59:16 UTC
Maybe I'm hitting another bug, but I'm suddenly unable to save to jpeg without getting a segfault in /usr/lib64/gimp/2.0/plug-ins/file-jpeg; Fedora 12 with gimp-2.6.8-1.fc12.x86_64. Updating from libexif-0.6.16-4.fc12.x86_64 to libexif-0.6.19-1.fc12.x86_64 has no effect.

However, my symptoms are slightly different: it says nothing about "Bogus marker length", and takes nothing special to trigger -- any attempt to save any image as a jpeg, regardless of origin, fails.

Comment 10 Fedora Update System 2010-06-16 17:48:10 UTC
libexif-0.6.19-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2010-06-16 17:50:39 UTC
libexif-0.6.19-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Nils Philippsen 2010-11-04 11:46:12 UTC
*** Bug 551755 has been marked as a duplicate of this bug. ***