[Bug 1043479] New: xv crashes reading gimp created png image
http://bugzilla.novell.com/show_bug.cgi?id=1043479

Bug ID: 1043479
Summary: xv crashes reading gimp created png image
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: x86-64
OS: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: X11 Applications
Assignee: bnc-team-screening@forge.provo.novell.com
Reporter: rcoe@wi.rr.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

opensuse Tumbleweed xv-3.10a 1296.49

xv crashed while loading png images created by gimp.

*** Error in `xv': free(): invalid next size (fast): 0x0000000000c7c380 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7383b)[0x7ff155f6983b]
/lib64/libc.so.6(+0x79dee)[0x7ff155f6fdee]
/lib64/libc.so.6(+0x7a5fe)[0x7ff155f705fe]
xv[0x42396e]
xv[0x412698]
xv[0x40bd7f]
/lib64/libc.so.6(__libc_start_main+0xf1)[0x7ff155f16541]
xv[0x40d44a]

I ran valgrind, but the default does not have line numbers, and I had to build the opensuse version with debug.

==16988== Invalid write of size 1
==16988==    at 0x4C32638: __stpcpy_sse2_unaligned (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==16988==    by 0x1A04F8: strcat (string3.h:147)
==16988==    by 0x1A04F8: LoadPNG (xvpng.c:1162)
==16988==    by 0x124F98: openPic (xv.c:2520)
==16988==    by 0x11DD5C: openFirstPic (xv.c:3666)
==16988==    by 0x11DD5C: mainLoop (xv.c:3785)
==16988==    by 0x11DD5C: main (xv.c:1043)
==16988==  Address 0x7953d8b is 0 bytes after a block of size 11 alloc'd
==16988==    at 0x4C2C0AF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==16988==    by 0x1A045C: LoadPNG (xvpng.c:1154)
==16988==    by 0x124F98: openPic (xv.c:2520)
==16988==    by 0x11DD5C: openFirstPic (xv.c:3666)
==16988==    by 0x11DD5C: mainLoop (xv.c:3785)
==16988==    by 0x11DD5C: main (xv.c:1043)

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=1043479#c1

--- Comment #1 from Rich Coe <rcoe@wi.rr.com> ---
Created attachment 728337
  --> http://bugzilla.novell.com/attachment.cgi?id=728337&action=edit
correctly calculate string buffer size

The code uses .text_length to determine the size of the buffer, but uses .text as the data to append, and .text_length is not the length of the .text string. Use .text to calculate the correct size of the buffer.
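The defect described in comment #1, shown as an added, stand-alone example that is not xv's code and not the attached patch: a buffer is sized from a length field (`text_length`) while the bytes appended with `strcat` come from a separate string (`text`), so whenever the two disagree the heap block is overrun, which is exactly the "Invalid write ... 0 bytes after a block" that valgrind reported. The `struct text_chunk`, the sample chunks and the function names (`flawed_alloc_size`, `bytes_written`, `flawed_sizing_overflows`, `build_comment`) are constructed for this illustration and only mirror the key/text/text_length shape mentioned in the report; the flawed sizing is computed rather than executed so the program stays memory-safe, and the hardened variant sizes the buffer from the string it actually copies and bounds every write with `snprintf`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for one PNG text chunk as a decoder might hand it
 * back: a keyword, the text, and a length field that is NOT guaranteed to
 * match strlen(text) (assumption for this example; the report only says the
 * two disagree). */
struct text_chunk {
    const char *key;
    const char *text;
    size_t text_length;
};

/* Constructed sample: the second entry carries a stale/zero length field. */
const struct text_chunk sample_chunks[2] = {
    { "Title",   "Example",                  7 },
    { "Comment", "Constructed comment text", 0 },
};

/* Size the flawed code would malloc for "key: text\n" per chunk plus NUL,
 * taking the length from the text_length field. */
size_t flawed_alloc_size(const struct text_chunk *c, size_t n)
{
    size_t total = 1; /* terminating NUL */
    for (size_t i = 0; i < n; i++)
        total += strlen(c[i].key) + 2 + c[i].text_length + 1;
    return total;
}

/* Bytes strcat-style appends of key, ": ", text and "\n" really write,
 * i.e. the size derived from the strings themselves. */
size_t bytes_written(const struct text_chunk *c, size_t n)
{
    size_t total = 1;
    for (size_t i = 0; i < n; i++)
        total += strlen(c[i].key) + 2 + strlen(c[i].text) + 1;
    return total;
}

/* 1 if the flawed sizing would write past the end of its allocation. */
int flawed_sizing_overflows(const struct text_chunk *c, size_t n)
{
    return bytes_written(c, n) > flawed_alloc_size(c, n);
}

/* Hardened version: allocate from the data actually appended and bound
 * each write; returns a malloc'd string the caller frees, or NULL. */
char *build_comment(const struct text_chunk *c, size_t n)
{
    size_t need = bytes_written(c, n);
    char *buf = malloc(need);
    if (!buf)
        return NULL;
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(buf + off, need - off, "%s: %s\n", c[i].key, c[i].text);
        if (w < 0 || (size_t)w >= need - off) { /* would have truncated */
            free(buf);
            return NULL;
        }
        off += (size_t)w;
    }
    return buf;
}

int main(void)
{
    printf("flawed allocation: %zu bytes, actually written: %zu bytes, overflow: %s\n",
           flawed_alloc_size(sample_chunks, 2), bytes_written(sample_chunks, 2),
           flawed_sizing_overflows(sample_chunks, 2) ? "yes" : "no");
    char *s = build_comment(sample_chunks, 2);
    if (s) {
        fputs(s, stdout);
        free(s);
    }
    return 0;
}
```

Running the program under valgrind or with `-fsanitize=address` is the quickest way to confirm a fix of this kind: after the change, the only allocation for the comment buffer is `bytes_written` bytes long and every byte written lands inside it.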
http://bugzilla.novell.com/show_bug.cgi?id=1043479#c2

Stephan Kulow <coolo@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |coolo@suse.com
           Assignee|bnc-team-screening@forge.pr |werner@suse.com
                   |ovo.novell.com              |

--- Comment #2 from Stephan Kulow <coolo@suse.com> ---
If you already have a patch, you can send it to multimedia:apps/xv in build.opensuse.org