Description of problem:
opened .jpg file. Completely reproducible

Version-Release number of selected component:
geeqie-1.1-21.fc20

Additional info:
reporter:         libreport-2.2.3
backtrace_rating: 4
cmdline:          geeqie --blank
crash_function:   saturation
executable:       /usr/bin/geeqie
kernel:           3.15.8-200.fc20.x86_64
runlevel:         N 5
type:             CCpp
uid:              1001

Truncated backtrace:
Thread no. 1 (9 frames)
 #0 saturation at io-xcf.c:493
 #1 composite at io-xcf.c:766
 #2 xcf_image_load_real at io-xcf.c:1173
 #3 xcf_image_stop_load at io-xcf.c:1459
 #4 gdk_pixbuf_loader_close at gdk-pixbuf-loader.c:834
 #5 image_loader_stop_loader at image-load.c:528
 #6 image_loader_begin at image-load.c:663
 #8 image_loader_thread_run at image-load.c:911
 #10 g_thread_proxy at gthread.c:798
Created attachment 938953 File: backtrace
Created attachment 938954 File: cgroup
Created attachment 938955 File: core_backtrace
Created attachment 938956 File: dso_list
Created attachment 938957 File: environ
Created attachment 938958 File: limits
Created attachment 938959 File: maps
Created attachment 938960 File: open_fds
Created attachment 938961 File: proc_pid_status
Created attachment 938962 File: var_log_messages
> opened .jpg file. Completely reproducible

Then please attach that .jpg file.

> #0 saturation at io-xcf.c:493
> #1 composite at io-xcf.c:766
> #2 xcf_image_load_real at io-xcf.c:1173
> #3 xcf_image_stop_load at io-xcf.c:1459

That's not within Geeqie, so I do need a test-case. Thousands of JPG images load fine here. And XCF isn't JPG either.
(In reply to Michael Schwendt from comment #11)
> > opened .jpg file. Completely reproducible
>
> Then please attach that .jpg file.
>
> > #0 saturation at io-xcf.c:493
> > #1 composite at io-xcf.c:766
> > #2 xcf_image_load_real at io-xcf.c:1173
> > #3 xcf_image_stop_load at io-xcf.c:1459
>
> That's not within Geeqie, so I do need a test-case. Thousands of JPG images
> load fine here. And XCF isn't JPG either.

You are right Michael, this must not be the jpg file I thought initially, but an .xcf from the same directory. It is just that every time I launched Geeqie by double-click on a particular .jpg it would consistently crash. It must have been scanning all the files in that directory and crashed when it stumbled upon the .xcf. The .xcf file in question is ~60 MB, so I'm not sure how to attach it; in addition it is actually a photo of a particular person for official documents, so I'd rather not make it public. Please advise.
Well, xcf-pixbuf-loader ran into an arithmetic exception while calculating max0 * (min1 - max1) / (max0*(min1-max1) - min1*max0 + max1*min0) which looks like a divide-by-zero error as a result of not applying a plausibility check on the input data. Some programmers rely on certain assumptions about the sanity of input data, especially when rapidly developing something experimental. Though, this is sloppy programming style, because it opens an attack vector on the program to crash it by feeding it with deliberately damaged/corrupted input data. As xcf-pixbuf-loader is a plugin for gdk-pixbuf2 ( /usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders ) the same file would also crash programs other than Geeqie, provided that they use gdk-pixbuf2. This reminds me of bug 1060497 - also reported by you about a very similar type of bug in that loader. I will forward this ticket to the upstream developer, too.
Upstream says he hasn't touched the project for years and really has no time to fix that. Bastien, any comment on this one and bug 1060497?

Btw, it's a short void function that already handles some corner-cases. Clearly there could be a sanity-check to avoid div-by-zero.

473 void
474 saturation (guchar *rgb0, guchar *rgb1)
475 {
476   //hue and value of rgb0, saturation of rgb1
477   guchar min0 = MIN (MIN (rgb0[0], rgb0[1]), rgb0[2]);
478   guchar max0 = MAX (MAX (rgb0[0], rgb0[1]), rgb0[2]);
479   guchar min1 = MIN (MIN (rgb1[0], rgb1[1]), rgb1[2]);
480   guchar max1 = MAX (MAX (rgb1[0], rgb1[1]), rgb1[2]);
481   if (max0 == 0) {
482     rgb1[0] = 0x00;
483     rgb1[1] = 0x00;
484     rgb1[2] = 0x00;
485     return;
486   }
487   if (max0 == min0) {
488     rgb1[0] = max0;
489     rgb1[1] = min1*max0 / max0;
490     rgb1[2] = rgb1[1];
491     return;
492   }
493   double p = max0 * (min1 - max1) / (max0*(min1-max1) - min1*max0 + max1*min0);
494   double q = - max0 * (min1*max0 - max1*min0) / (max0*(min1-max1) - min1*max0 + max1*min0);
495   rgb1[0] = (guchar)(rgb0[0] * p + q);
496   rgb1[1] = (guchar)(rgb0[1] * p + q);
497   rgb1[2] = (guchar)(rgb0[2] * p + q);
498
499 }
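As an added example (not upstream's code and not a patch that was applied anywhere), here is the saturation() helper above with the sanity-check the previous comment asks for, in C. The shared denominator of p and q simplifies to max1 * (min0 - max0), so after the existing max0 == min0 branch it is zero exactly when rgb1 is black; the gray fallback returned in that case is this example's own choice, and guchar, MIN and MAX are stand-ins for the GLib definitions.

```c
typedef unsigned char guchar;  /* stand-in for GLib's guchar */
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#define MAX(a, b) ((a) > (b) ? (a) : (b))

/* Shared denominator of p and q from lines 493/494 of io-xcf.c above.
 * Algebraically it equals max1 * (min0 - max0), so once max0 == min0 is
 * handled it is zero exactly when max1 == 0 (rgb1 is black). */
int saturation_denominator(const guchar *rgb0, const guchar *rgb1)
{
    int min0 = MIN(MIN(rgb0[0], rgb0[1]), rgb0[2]), max0 = MAX(MAX(rgb0[0], rgb0[1]), rgb0[2]);
    int min1 = MIN(MIN(rgb1[0], rgb1[1]), rgb1[2]), max1 = MAX(MAX(rgb1[0], rgb1[1]), rgb1[2]);
    return max0 * (min1 - max1) - min1 * max0 + max1 * min0;
}

/* Clamp and round to a byte instead of letting the guchar cast wrap. */
static guchar clamp_byte(double v)
{
    if (v < 0.0) return 0;
    if (v > 255.0) return 255;
    return (guchar)(v + 0.5);
}

/* Hardened saturation(): returns 0 on a normal result, 1 when the
 * zero-denominator input was intercepted instead of raising SIGFPE. */
int saturation_checked(const guchar *rgb0, guchar *rgb1)
{
    int min0 = MIN(MIN(rgb0[0], rgb0[1]), rgb0[2]), max0 = MAX(MAX(rgb0[0], rgb0[1]), rgb0[2]);
    int min1 = MIN(MIN(rgb1[0], rgb1[1]), rgb1[2]), max1 = MAX(MAX(rgb1[0], rgb1[1]), rgb1[2]);

    /* Original corner cases, behaviour unchanged. */
    if (max0 == 0) { rgb1[0] = rgb1[1] = rgb1[2] = 0; return 0; }
    if (max0 == min0) { rgb1[0] = (guchar)max0; rgb1[1] = rgb1[2] = (guchar)min1; return 0; }

    int denom = saturation_denominator(rgb0, rgb1);
    if (denom == 0) {
        /* The missing plausibility check. rgb1 has zero saturation, so
         * a gray of rgb0's value is returned (fallback chosen for this
         * example, not upstream's). */
        rgb1[0] = rgb1[1] = rgb1[2] = (guchar)max0;
        return 1;
    }
    /* Same formulas as the original, divided in floating point. */
    double p = (double)(max0 * (min1 - max1)) / denom;
    double q = -(double)(max0 * (min1 * max0 - max1 * min0)) / denom;
    rgb1[0] = clamp_byte(rgb0[0] * p + q);
    rgb1[1] = clamp_byte(rgb0[1] * p + q);
    rgb1[2] = clamp_byte(rgb0[2] * p + q);
    return 0;
}
```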
This message is a reminder that Fedora 20 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 20. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '20'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 20 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 20 changed to end-of-life (EOL) status on 2015-06-23. Fedora 20 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
Since upstream maintenance seems stalled, I'm considering simply blacklisting xcf support in Geeqie. Any strong opinions on that?
We'll miss it, but in its current state this is probably the optimal solution.
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle. Changing version to '24'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
Just adopted this package. Given the age of this bug, could anyone who saw this before please try again with the following: https://bodhi.fedoraproject.org/updates/FEDORA-2016-2eef90d329
This message is a reminder that Fedora 24 is nearing its end of life. Approximately 2 (two) weeks from now Fedora will stop maintaining and issuing updates for Fedora 24. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '24'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 24 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 24 changed to end-of-life (EOL) status on 2017-08-08. Fedora 24 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.