Bug 730364

Summary: invalid read from valgrind in libjpeg-turbo
Product: [Fedora] Fedora Reporter: Christophe Fergeau <cfergeau>
Component: libjpeg-turboAssignee: Adam Tkac <atkac>
Status: CLOSED UPSTREAM QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 15CC: atkac, ovasik, sbergman, siarhei.siamashka
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-11-10 15:07:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Christophe Fergeau 2011-08-12 15:48:06 UTC 
When using spicec, I occasionnally get the warning below from libjpeg-turbo:

==13781== Invalid read of size 8
==13781==    at 0x308722E4F4: ??? (in /usr/lib64/libjpeg.so.62.0.0)
==13781==    by 0xE29B7FF: ???
==13781==    by 0x308722E56A: ??? (in /usr/lib64/libjpeg.so.62.0.0)
==13781==    by 0x308721E1F4: merged_2v_upsample (jdmerge.c:183)
==13781==    by 0x308721A123: process_data_simple_main (jdmainct.c:369)
==13781==    by 0x308721564D: jpeg_read_scanlines (jdapistd.c:175)
==13781==    by 0x49D9B4: MJpegDecoder::decode_data(unsigned char*, unsigned long) (mjpeg_decoder.cpp:237)
==13781==    by 0x475DE8: VideoStream::maintenance() (display_channel.cpp:398)
==13781==    by 0x475FDF: VideoStream::handle_update_mark(unsigned long) (display_channel.cpp:439)
==13781==    by 0x47A8C4: DisplayChannel::on_streams_trigger() (display_channel.cpp:1725)
==13781==    by 0x4761D9: StreamsTrigger::on_event() (display_channel.cpp:484)
==13781==    by 0x40B124: EventSources::Trigger::action() (event_sources_p.cpp:193)
==13781==    by 0x40ABF4: EventSources::wait_events(int) (event_sources_p.cpp:121)
==13781==    by 0x4A664C: ProcessLoop::run() (process_loop.cpp:281)
==13781==    by 0x4BE3C1: RedChannel::run() (red_channel.cpp:491)
==13781==    by 0x4BDA4F: RedChannel::worker_main(void*) (red_channel.cpp:340)
==13781==    by 0x4C36B30: start_thread (pthread_create.c:305)
==13781==    by 0x30756DFD2C: clone (clone.S:115)
==13781==  Address 0xf41ce78 is 1,160 bytes inside a block of size 1,164 alloc'd
==13781==    at 0x4A0649D: malloc (vg_replace_malloc.c:236)
==13781==    by 0x49AA57: spice_malloc (mem.c:88)
==13781==    by 0x49D987: MJpegDecoder::decode_data(unsigned char*, unsigned long) (mjpeg_decoder.cpp:236)
==13781==    by 0x475DE8: VideoStream::maintenance() (display_channel.cpp:398)
==13781==    by 0x475FDF: VideoStream::handle_update_mark(unsigned long) (display_channel.cpp:439)
==13781==    by 0x47A8C4: DisplayChannel::on_streams_trigger() (display_channel.cpp:1725)
==13781==    by 0x4761D9: StreamsTrigger::on_event() (display_channel.cpp:484)
==13781==    by 0x40B124: EventSources::Trigger::action() (event_sources_p.cpp:193)
==13781==    by 0x40ABF4: EventSources::wait_events(int) (event_sources_p.cpp:121)
==13781==    by 0x4A664C: ProcessLoop::run() (process_loop.cpp:281)
==13781==    by 0x4BE3C1: RedChannel::run() (red_channel.cpp:491)
==13781==    by 0x4BDA4F: RedChannel::worker_main(void*) (red_channel.cpp:340)
==13781==    by 0x4C36B30: start_thread (pthread_create.c:305)
==13781==    by 0x30756DFD2C: clone (clone.S:115)
==13781== 

It's trying to read 4 bytes outside of the buffer I allocated to read 1 scanline:

        while (_y < _height) {
            free(_scanline);
            _scanline = (uint8_t *)spice_malloc(_cinfo.output_width * _cinfo.output_components * sizeof(JSAMPLE));
            res = jpeg_read_scanlines(&_cinfo, &_scanline, 1);

            if (res == 0) {
                break;
            }

            convert_scanline();
            _y++;
        }

_cinfo.output_width is 388, _cinfo.output_components is 3. The only similar backtrace I could find on google is http://code.google.com/p/chromium/issues/detail?id=72399 , but when I tried to rebuild the sources with their patch applied, it didn't compile.

Let me know if you need any additional information/investigation done to help figure out why this invalid read is happening.
Comment 1 Stephan Bergmann 2011-09-30 09:17:36 UTC 
I get a similar problem when valgrinding LibreOffice (its chart2/qa/unoapi test triggers this) on Fedora 15 x86_64,

Invalid read of size 8
   at ??? (in jsimd_idct_islow_sse2 assembler code)
   by jsimd_idct_islow (.../libjpeg-turbo-1.1.1/simd/jsimd_x86_64.c:662)
   by jsimd_ycc_rgb_convert (.../libjpeg-turbo-1.1.1/simd/jsimd_x86_64.c:133)
   by sep_upsample (.../libjpeg-turbo-1.1.1/jdsample.c:132)
   by process_data_simple_main (.../libjpeg-turbo-1.1.1/jdmainct.c:369)
   by jpeg_read_scanlines (.../libjpeg-turbo-1.1.1/jdapistd.c:175)
   by ReadJPEG (.../libreoffice/core/svtools/source/filter/jpeg/jpegc.c:196)
 Address 0x241290c4 is 26,692 bytes inside a block of size 26,696 alloc'd
   at malloc (.../valgrind/trunk/coregrind/m_replacemalloc/vg_replace_malloc.c:263)
   by rtl_allocateMemory_SYSTEM (.../libreoffice/core/sal/rtl/source/alloc_global.c:278)
   by rtl_allocateMemory (.../libreoffice/core/sal/rtl/source/alloc_global.c:308)
   by JPEGReader::CreateBitmap(void*) (.../libreoffice/core/svtools/source/filter/jpeg/jpeg.cxx:403)
   by ReadJPEG (.../libreoffice/core/svtools/source/filter/jpeg/jpegc.c:158)

This appears to be benign, the jsimd_idct_islow_sse2 assembler code apparently reading 8-byte-sized chunks and thus including 4 bytes past the end of the buffer, for a buffer whose length is a multiple of 4 but not of 8.  If I manually change the malloc size by +4, this valgrind error goes (naturally) away and valgrind also does not complain about use of uninitialized memory afterwards, so the way jsimd_idct_islow_sse2 uses the excess 4 bytes appears to indeed be harmless.
Comment 2 Adam Tkac 2011-11-10 15:07:14 UTC 
In my opinion this is only cosmetic issue and doesn't cause any real problem/crash. I opened following ticket in upstream:

https://sourceforge.net/tracker/?func=detail&aid=3436130&group_id=303195&atid=1278158

I'm closing this ticket. If upstream decides that this issue should be fixed, fix will be included into Fedora when upstream releases new tarball.
Comment 3 Siarhei Siamashka 2011-11-14 22:54:05 UTC 
(In reply to comment #1)
> I get a similar problem when valgrinding LibreOffice (its chart2/qa/unoapi
> test triggers this) on Fedora 15 x86_64,

Is it difficult to reproduce this test? I tried, but gave up after ~15 minutes.
Comment 4 Stephan Bergmann 2012-01-04 17:16:50 UTC 
Re comment #3,

  . Env.Host.sh
  cd chart2
  VALGRIND=memcheck make -r "${WORKDIR?}"/JunitTest/chart2_unoapi/done

should suffice to reproduce it from within a LibreOffice build, but the valgrind run can indeed take quite a while.