Description of problem:
just browsing some photos

Version-Release number of selected component:
geeqie-1.1-13.fc20

Additional info:
reporter:         libreport-2.1.11
backtrace_rating: 4
cmdline:          geeqie --blank
crash_function:   memcpy
executable:       /usr/bin/geeqie
kernel:           3.12.8-300.fc20.x86_64
runlevel:         N 5
type:             CCpp
uid:              1001

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 memcpy at ../sysdeps/x86_64/memcpy.S:72
 #1 _IO_file_xsgetn at fileops.c:1382
 #2 _IO_fread at iofread.c:42
 #3 fread at /usr/include/bits/stdio2.h:295
 #4 rle_decode at io-xcf.c:179
 #5 xcf_image_load_real at io-xcf.c:1145
 #6 xcf_image_stop_load at io-xcf.c:1459
 #7 gdk_pixbuf_loader_close at gdk-pixbuf-loader.c:834
 #8 image_loader_stop_loader at image-load.c:528
 #9 image_loader_begin at image-load.c:635
Created attachment 858171: File: backtrace
Created attachment 858172: File: cgroup
Created attachment 858173: File: core_backtrace
Created attachment 858174: File: dso_list
Created attachment 858175: File: environ
Created attachment 858176: File: exploitable
Created attachment 858177: File: limits
Created attachment 858178: File: maps
Created attachment 858179: File: open_fds
Created attachment 858180: File: proc_pid_status
Created attachment 858181: File: var_log_messages
> just browsing some photos

Please describe the problem more carefully. Does it crash reproducibly when browsing the same photo(s)?

The backtrace ends in xcf-pixbuf-loader space, which is outside Geeqie and in a package not installed by default for Fedora's GNOME desktop. Since Geeqie has used gdk-pixbuf2 and its loaders for a long time, that is reason to believe that there is a bug in this special xcf-pixbuf-loader.
> at io-xcf.c:179
> pixels_count = 44
> channels = 1920103026

At least the channels variable here seems to be uninitialized due to unsafe C programming (switch-case without default), and the local array "ch" depends on that channels value:

156
157 void
158 rle_decode (FILE *f, gchar *ptr, int count, int type)
159 {
160   int channels;
161   switch (type) {
162     case LAYERTYPE_RGB : channels = 3; break;
163     case LAYERTYPE_RGBA: channels = 4; break;
164     case LAYERTYPE_GRAYSCALE: channels = 1; break;
165     case LAYERTYPE_GRAYSCALEA: channels = 2; break;
166     case LAYERTYPE_INDEXED: channels = 1; break;
167     case LAYERTYPE_INDEXEDA: channels = 2; break;
168   }
169
170   guchar opcode;
171   guchar buffer[3];
172   guchar ch[channels][count];
173   int channel;
174
175   //un-rle
176   for (channel = 0; channel < channels; channel++) {
177     int pixels_count = 0;
178     while (pixels_count < count) {
179       fread (&opcode, sizeof(guchar), 1, f);
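For comparison, a hardened version of the same decoder shape, added here as an example and not the xcf-pixbuf-loader's own code: the layer type is validated before it sizes anything, every read is bounded, and the output position is checked before each run. The LAYERTYPE_* values, the table-based lookup and the Reader type are assumptions for this demo; the opcode rules are those of the XCF RLE encoding.

```c
/* Added example, not the io-xcf.c code quoted above: same decoder shape,
 * but with the layer type, every read and every output write checked. */
#include <stdint.h>
#include <string.h>

enum { LAYERTYPE_RGB, LAYERTYPE_RGBA, LAYERTYPE_GRAYSCALE,      /* assumed */
       LAYERTYPE_GRAYSCALEA, LAYERTYPE_INDEXED, LAYERTYPE_INDEXEDA };

/* Channel count per layer type; an out-of-range type is an error rather
 * than an uninitialized variable (the switch-without-default bug). */
static int channels_for_type(int type) {
    static const int table[] = { 3, 4, 1, 2, 1, 2 };
    return (type < 0 || type >= 6) ? -1 : table[type];
}

typedef struct { const uint8_t *p; size_t len, pos; } Reader;   /* assumed */

/* Bounded read: fails on truncated input instead of continuing with junk. */
static int rd(Reader *r, uint8_t *out, size_t n) {
    if (n > r->len - r->pos) return 0;
    memcpy(out, r->p + r->pos, n);
    r->pos += n;
    return 1;
}

/* Decode one XCF RLE channel of `count` bytes; 1 on success, 0 if malformed. */
static int rle_decode_channel(Reader *r, uint8_t *out, size_t count) {
    size_t n = 0;
    while (n < count) {
        uint8_t op, b[2];
        size_t run;
        if (!rd(r, &op, 1)) return 0;
        if (op == 127 || op == 128) {          /* long form: 16-bit BE length */
            if (!rd(r, b, 2)) return 0;
            run = ((size_t)b[0] << 8) | b[1];
        } else {
            run = op < 127 ? (size_t)op + 1 : 256 - (size_t)op;
        }
        if (run > count - n) return 0;         /* would write past out[] */
        if (op <= 127) {                       /* one byte repeated run times */
            if (!rd(r, b, 1)) return 0;
            memset(out + n, b[0], run);
        } else if (!rd(r, out + n, run)) {     /* verbatim bytes */
            return 0;
        }
        n += run;
    }
    return 1;
}
```

The caller allocates channels * count bytes only after channels_for_type() has returned a non-negative value, so a corrupt type field can never size a buffer.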
(In reply to Michael Schwendt from comment #12)
> > just browsing some photos
>
> Please describe the problem more carefully. Does it crash reproducibly when
> browsing the same photo(s)?

Michael, I wish I could help you more. I did encounter a similar crash again, at least one more time, while browsing photos. Not sure if this was the same folder though, but it would not let me submit the bug again. I'll try to run geeqie through my pictures again later to see if I can catch a correlation.

> The backtrace ends in xcf-pixbuf-loader space, which is outside Geeqie and
> in a package not installed by default for Fedora's GNOME desktop. Since
> Geeqie uses gdk-pixbuf2 and its loaders for a long time, that is reason to
> believe that there is a bug in this special xcf-pixbuf-loader.

Well, I'm running it in XFCE4, so that is possibly the reason for this special loader, but I'm pretty sure I installed all xfce4-* packages from F20 repos. How do I find which package the loader belongs to?
xcf has nothing to do with XFCE. It is for displaying .xcf files from the GIMP. Another image viewer that uses this loader from the same xcf-pixbuf-loader package is Eye of GNOME (eog). If you could revisit your .xcf files, that may lead to finding one that triggers the crash. Unfortunately, if my theory from comment 13 is true, loading files in a specific order may be necessary to reproduce the problem. Upstream has been notified about this problem.
(In reply to Michael Schwendt from comment #15)
> If you could revisit your .xcf files, that may lead to finding one that
> triggers the crash. Unfortunately, if my theory from comment 13 is true,
> loading files in a specific order may be necessary to reproduce the problem.
>
> Upstream has been notified about this problem.

OK, I was able to repeat the crash and I think I know the .xcf files in a specific directory which trigger it. I also have another 340MB of coredump and logs from the latest crash, in case somebody cares.
Crashed again. abrt said this is the same problem. This time it happened when I tried to quit geeqie through the hotkey combination Ctrl+Q, while it was in the process of rendering a big .xcf file (~180 MB).
https://lists.fedoraproject.org/pipermail/devel/2014-November/204608.html
This message is a reminder that Fedora 20 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 20. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '20'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 20 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 20 changed to end-of-life (EOL) status on 2015-06-23. Fedora 20 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
Since upstream maintenance seems stalled, I'm considering simply blacklisting xcf support in Geeqie. Any strong opinions on that?
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle. Changing version to '24'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
Just adopted this package. Given the age of this bug, could anyone who saw this before please try again with the following: https://bodhi.fedoraproject.org/updates/FEDORA-2016-2eef90d329
1) Do I understand you correctly that you haven't patched the program and still hope that it will fix the problems despite being unchanged?

2) Have you read the comments in the tickets? Such as: https://lists.fedoraproject.org/pipermail/devel/2014-November/204608.html
The test release is a new git snapshot, so it's not unchanged.
> 0.0.1-18.20120530gitb037c59.fc24
           ^^^^^^^^

https://fedoraproject.org/wiki/Packaging:Versioning#Snapshot_packages
Yes, the upstream code was last updated in 2012, but that is still a newer snapshot than what was previously available. If you were able to reproduce this issue previously, I would appreciate retesting with the aforementioned NVR in updates-testing. If that doesn't fix it -- which it may or may not -- then I'll need a reproducer in order to be able to debug this.
You are supposed to enter the date of when you checked out the snapshot, not estimate the date of the source code files. That would have avoided the confusion.

Looking at the diff, I see added support for bzip2 compression and something crude/preliminary/FIXME-flagged to reject unexpectedly high property values, but no direct fix for comment 13 (uninitialized variable) or the other bug 1144090 comment 14 (div by zero). As I see it, the code would need to add much more input data checking to avoid the corner cases that cause crashes.
Unfortunately the previous release wasn't properly versioned, otherwise the update from 2010-something to 2012 would have made this obvious. Again, what I need now is a reproducer for either or both bugs, which I don't see. Without that, there's really nothing more I can do here.
> Unfortunately the previous release wasn't properly versioned,

Yours isn't either, and it's the one that causes the confusion.

> Again, what I need now is a reproducer for either or both bugs, which
> I don't see. Without that, there's really nothing more I can do here.

https://lists.fedoraproject.org/pipermail/devel/2014-November/204608.html

and

https://fedoraproject.org/wiki/Package_maintainer_responsibilities#Deal_with_reported_bugs_in_a_timely_manner

If upstream development has stopped and you don't patch the code yourself to add safety checks, you're stuck with broken software that is able to take down programs that depend on it. Note that crashes based on damaged or deliberately modified input data are security vulnerabilities.
(In reply to Michael Schwendt from comment #32)
> > Again, what I need now is a reproducer for either or both bugs, which
> > I don't see. Without that, there's really nothing more I can do here.
>
> https://lists.fedoraproject.org/pipermail/devel/2014-November/204608.html
> https://fedoraproject.org/wiki/Package_maintainer_responsibilities#Deal_with_reported_bugs_in_a_timely_manner

Neither of which point to the reproducer I requested.
This message is a reminder that Fedora 24 is nearing its end of life. Approximately 2 (two) weeks from now Fedora will stop maintaining and issuing updates for Fedora 24. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '24'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 24 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 24 changed to end-of-life (EOL) status on 2017-08-08. Fedora 24 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.