[Bug 376086] New: libexif chokes on some inputs

https://bugzilla.novell.com/show_bug.cgi?id=376086

           Summary: libexif chokes on some inputs
           Product: openSUSE 11.0
           Version: Factory
          Platform: x86
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Basesystem
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: hpj@novell.com
         QAContact: qa@suse.de
          Found By: Development

Not sure basesystem is the best category for this, but it's the closest I could find.

I have a jpeg image that causes a lot of applications to crash or hang (confirmed with EOG, Gimp, beagled-helper). I suspect it's a bug in libexif.

This might have security implications.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=376086

User hpj@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=376086#c1

--- Comment #1 from Hans Petter Jansson <hpj@novell.com> 2008-04-01 15:50:04 MST ---
Valgrind log from an (interrupted) hang in EOG:

==4184== 23741121 errors in context 28 of 29:
==4184== Thread 2:
==4184== Invalid read of size 4
==4184==    at 0x4F97BAF: exif_content_remove_entry (exif-content.c:162)
==4184==    by 0x4F98432: fix_func (exif-data.c:1223)
==4184==    by 0x4F9828C: exif_data_foreach_content (exif-data.c:1089)
==4184==    by 0x4F9833E: exif_data_fix (exif-data.c:1234)
==4184==    by 0x4F9A8F2: exif_data_load_data (exif-data.c:924)
==4184==    by 0x4F9AB03: exif_data_new_from_data (exif-data.c:159)
==4184==    by 0x8099902: eog_metadata_reader_get_exif_data (eog-metadata-reader.c:439)
==4184==    by 0x808A0FE: eog_image_real_load (eog-image.c:874)
==4184==    by 0x808AFDF: eog_image_load (eog-image.c:1264)
==4184==    by 0x80968DE: eog_job_load_run (eog-jobs.c:289)
==4184==    by 0x8095963: eog_render_thread (eog-job-queue.c:78)
==4184==    by 0x51FF75E: g_thread_create_proxy (gthread.c:635)
==4184==    by 0x4803154: start_thread (in /lib/libpthread-2.7.so)
==4184==    by 0x536869D: clone (in /lib/libc-2.7.so)
==4184==  Address 0xac8150c is 20 bytes inside a block of size 28 free'd
==4184==    at 0x4023B7A: free (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==4184==    by 0x4FA139C: exif_mem_free_func (exif-mem.c:27)
==4184==    by 0x4FA126B: exif_mem_free (exif-mem.c:70)
==4184==    by 0x4F9C068: exif_entry_free (exif-entry.c:160)
==4184==    by 0x4F9C0AE: exif_entry_unref (exif-entry.c:147)
==4184==    by 0x4F97C4D: exif_content_remove_entry (exif-content.c:172)
==4184==    by 0x4F98432: fix_func (exif-data.c:1223)
==4184==    by 0x4F9828C: exif_data_foreach_content (exif-data.c:1089)
==4184==    by 0x4F9833E: exif_data_fix (exif-data.c:1234)
==4184==    by 0x4F9A8F2: exif_data_load_data (exif-data.c:924)
==4184==    by 0x4F9AB03: exif_data_new_from_data (exif-data.c:159)
==4184==    by 0x8099902: eog_metadata_reader_get_exif_data (eog-metadata-reader.c:439)
==4184==    by 0x808A0FE: eog_image_real_load (eog-image.c:874)
==4184==    by 0x808AFDF: eog_image_load (eog-image.c:1264)
==4184==    by 0x80968DE: eog_job_load_run (eog-jobs.c:289)
==4184==    by 0x8095963: eog_render_thread (eog-job-queue.c:78)
==4184==    by 0x51FF75E: g_thread_create_proxy (gthread.c:635)
==4184==    by 0x4803154: start_thread (in /lib/libpthread-2.7.so)
==4184==    by 0x536869D: clone (in /lib/libc-2.7.so)
==4184==
==4184== 23741122 errors in context 29 of 29:
==4184== Invalid read of size 4
==4184==    at 0x4F98424: fix_func (exif-data.c:1223)
==4184==    by 0x4F9828C: exif_data_foreach_content (exif-data.c:1089)
==4184==    by 0x4F9833E: exif_data_fix (exif-data.c:1234)
==4184==    by 0x4F9A8F2: exif_data_load_data (exif-data.c:924)
==4184==    by 0x4F9AB03: exif_data_new_from_data (exif-data.c:159)
==4184==    by 0x8099902: eog_metadata_reader_get_exif_data (eog-metadata-reader.c:439)
==4184==    by 0x808A0FE: eog_image_real_load (eog-image.c:874)
==4184==    by 0x808AFDF: eog_image_load (eog-image.c:1264)
==4184==    by 0x80968DE: eog_job_load_run (eog-jobs.c:289)
==4184==    by 0x8095963: eog_render_thread (eog-job-queue.c:78)
==4184==    by 0x51FF75E: g_thread_create_proxy (gthread.c:635)
==4184==    by 0x4803154: start_thread (in /lib/libpthread-2.7.so)
==4184==    by 0x536869D: clone (in /lib/libc-2.7.so)
==4184==  Address 0xac81bc0 is 0 bytes inside a block of size 4 free'd
==4184==    at 0x4023B7A: free (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==4184==    by 0x4024EF9: realloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==4184==    by 0x4FA13D3: exif_mem_realloc_func (exif-mem.c:21)
==4184==    by 0x4FA133D: exif_mem_realloc (exif-mem.c:88)
==4184==    by 0x4F97C6F: exif_content_remove_entry (exif-content.c:173)
==4184==    by 0x4F98432: fix_func (exif-data.c:1223)
==4184==    by 0x4F9828C: exif_data_foreach_content (exif-data.c:1089)
==4184==    by 0x4F9833E: exif_data_fix (exif-data.c:1234)
==4184==    by 0x4F9A8F2: exif_data_load_data (exif-data.c:924)
==4184==    by 0x4F9AB03: exif_data_new_from_data (exif-data.c:159)
==4184==    by 0x8099902: eog_metadata_reader_get_exif_data (eog-metadata-reader.c:439)
==4184==    by 0x808A0FE: eog_image_real_load (eog-image.c:874)
==4184==    by 0x808AFDF: eog_image_load (eog-image.c:1264)
==4184==    by 0x80968DE: eog_job_load_run (eog-jobs.c:289)
==4184==    by 0x8095963: eog_render_thread (eog-job-queue.c:78)
==4184==    by 0x51FF75E: g_thread_create_proxy (gthread.c:635)
==4184==    by 0x4803154: start_thread (in /lib/libpthread-2.7.so)
==4184==    by 0x536869D: clone (in /lib/libc-2.7.so)
--4184--
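
Added example, not part of the original report and not libexif's code: both traces above are reads of blocks that exif_content_remove_entry had already released (an entry via free, the entries array via realloc), reached again from fix_func. The C sketch below shows a remove-while-iterating loop that avoids that class of stale read; the Entry and Content types and all function names are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical container for illustration; not libexif's ExifEntry/ExifContent. */
typedef struct { int tag; } Entry;
typedef struct { Entry **entries; size_t count; } Content;

static int content_add(Content *c, int tag) {
    Entry **grown = realloc(c->entries, (c->count + 1) * sizeof *grown);
    if (!grown) return -1;
    c->entries = grown;
    if (!(grown[c->count] = malloc(sizeof **grown))) return -1;
    grown[c->count++]->tag = tag;
    return 0;
}

/* Remove slot i: unlink and compact first, free the entry last. */
static void content_remove_at(Content *c, size_t i) {
    Entry *e = c->entries[i];
    c->count--;
    memmove(&c->entries[i], &c->entries[i + 1], (c->count - i) * sizeof e);
    Entry **shrunk = c->count ? realloc(c->entries, c->count * sizeof e) : NULL;
    if (shrunk) c->entries = shrunk; /* on failure the old block stays valid */
    free(e);
}

/* Hazard: a loop that caches c->entries or c->count before it starts, or that
 * advances i after a removal, keeps reading the block realloc() just released.
 * Safe form: reread both through c on every pass. */
static size_t content_prune(Content *c, int (*keep)(int tag)) {
    size_t removed = 0, i = 0;
    while (i < c->count) {
        if (keep(c->entries[i]->tag)) { i++; continue; }
        content_remove_at(c, i); /* slot i now holds the next entry */
        removed++;
    }
    return removed;
}

static int keep_positive(int tag) { return tag > 0; }

int main(void) { /* constructed sample: five entries, three must go */
    const int tags[] = { 1, -2, -3, 4, -5 };
    Content c = { 0 };
    for (size_t k = 0; k < 5; k++)
        if (content_add(&c, tags[k]) != 0) return 2;
    return content_prune(&c, keep_positive) == 3 && c.count == 2 ? 0 : 1;
}
```

Running a build of this under Valgrind or AddressSanitizer should report no invalid reads, which is the property the traces above show was violated.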

https://bugzilla.novell.com/show_bug.cgi?id=376086

User hpj@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=376086#c2

--- Comment #2 from Hans Petter Jansson <hpj@novell.com> 2008-04-01 15:50:53 MST ---
Created an attachment (id=205534)
 --> (https://bugzilla.novell.com/attachment.cgi?id=205534)
Offending image.

https://bugzilla.novell.com/show_bug.cgi?id=376086

Marcus Meissner <meissner@novell.com> changed:

           What    |Removed                                   |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-screening@forge.provo.novell.com |meissner@novell.com

https://bugzilla.novell.com/show_bug.cgi?id=376086

User meissner@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=376086#c3

Marcus Meissner <meissner@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|Factory                     |Beta 2

--- Comment #3 from Marcus Meissner <meissner@novell.com> 2008-04-28 03:38:12 MST ---
eog no longer hangs at least with the just submitted libexif.

but this is likely just a patch over the real problem, i still see a bad free

https://bugzilla.novell.com/show_bug.cgi?id=376086

Marcus Meissner <meissner@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P3 - Medium

https://bugzilla.novell.com/show_bug.cgi?id=376086

User meissner@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=376086#c4

Marcus Meissner <meissner@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #4 from Marcus Meissner <meissner@novell.com> 2008-07-29 01:06:22 MDT ---
i think i finally found and submitted a fix for this problem, to 11.0, stable and upstream.

will go out via online update for 11.0

https://bugzilla.novell.com/show_bug.cgi?id=376086

User ast@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=376086#c5

--- Comment #5 from Anja Stock <ast@novell.com> 2008-08-01 09:43:38 MDT ---
released