#42 picture crashes during exif tagparsing

closed-fixed
libexif (62)
5
2005-10-01
2005-09-27
No

Hi,

attached picture crashes during tag parsing in strlen()

Ciao, Marcus
(gdb) r crash.jpg
Starting program: /usr/bin/exif crash.jpg
EXIF tags in 'crash.jpg' ('Motorola' byte order):
--------------------+----------------------------------------------------------
Tag |Value
--------------------+----------------------------------------------------------
Image Description |
Manufacturer |Eastman Kodak Company
Model |DC210 Zoom (V05.00)
Orientation |top - left
x-Resolution |216.00
y-Resolution |216.00
Resolution Unit |Inch
YCbCr Positioning |centered

Program received signal SIGSEGV, Segmentation fault.
0x00002aaaaafe46a0 in strlen () from /lib64/tls/libc.so.6
(gdb) bt
#0 0x00002aaaaafe46a0 in strlen () from /lib64/tls/libc.so.6
#1 0x00002aaaaabcfceb in exif_entry_get_value
(e=0x50f160, val=0x7fffffffd0e0 "[None] (Photographer)",
maxlen=58) at exif-entry.c:685
#2 0x0000000000402a6b in show_entry (e=0x50f160,
data=<value optimized out>) at actions.c:80
#3 0x00002aaaaabcb636 in exif_content_foreach_entry
(content=0x509590, func=0x402980 <show_entry>,
data=0x7fffffffd1ef)
at exif-content.c:199
#4 0x00002aaaaabcdf23 in exif_data_foreach_content
(data=0x509500, func=0x402620 <show_ifd>,
user_data=0x7fffffffd1ef)
at exif-data.c:1031
#5 0x00000000004028d7 in action_tag_list
(filename=0x7fffffffde3e "crash.jpg", ed=0x509500,
ids=<value optimized out>) at actions.c:179
#6 0x0000000000403ebf in main (argc=<value optimized
out>, argv=<value optimized out>) at main.c:593
(gdb)

Discussion

  • Marcus Meissner

    Marcus Meissner - 2005-09-27

    crash.jpg

     
  • Marcus Meissner

    Marcus Meissner - 2005-09-27

    e->data is NULL in "case EXIF_TAG_COPYRIGHT", which is
    handled by the upper part of the code, but not by the lower part.

     
  • Marcus Meissner

    Marcus Meissner - 2005-10-01
    • status: open --> closed
     
  • Marcus Meissner

    Marcus Meissner - 2005-10-01

    committed a patch fixing the problem

     
  • Marcus Meissner

    Marcus Meissner - 2005-10-01
    • assigned_to: nobody --> marcusmeissner
    • status: closed --> closed-fixed
     
  • mjc

    mjc - 2007-01-08

    Marcus,

    Do you think this is the same bug:

    http://bugzilla.gnome.org/show_bug.cgi?id=373857

    - Mike

     
  • Marcus Meissner

    Marcus Meissner - 2007-01-08

    no, it's unrelated I think.

    my strlen() was a direct crash, but your backtrace is with dcgettext()
    (within translation).

    I checked all current occurrences of variable arguments to _() but
    none can be NULL.

    A better backtrace would be helpful

     

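The failure described in the 2005-09-27 comment (e->data is NULL for EXIF_TAG_COPYRIGHT, checked in the first half of the formatting but not the second) can be modelled with the sketch below. It is an added example, not libexif's code or the committed patch: `struct entry`, `field()` and `format_copyright()` are hypothetical names, the "(Editor)" label is assumed, and the tag is taken to hold two NUL-separated strings (photographer, then editor).

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an EXIF entry: raw tag bytes plus their length. */
struct entry {
    const unsigned char *data;  /* may be NULL when the file is malformed */
    size_t size;                /* number of valid bytes behind data */
};

/* Copy n bytes of s into out, or "[None]" if the field is empty or all blanks. */
static void field(char *out, size_t outlen, const unsigned char *s, size_t n)
{
    size_t i = 0;
    while (i < n && s[i] == ' ')
        i++;
    if (n == 0 || i == n)
        snprintf(out, outlen, "[None]");
    else
        snprintf(out, outlen, "%.*s", (int)(n < outlen ? n : outlen - 1), (const char *)s);
}

/* Format "photographer NUL editor" using only bounded searches, never strlen(). */
char *format_copyright(const struct entry *e, char *val, size_t maxlen)
{
    char who[64] = "[None]", ed[64] = "[None]";

    if (e && e->data && e->size) {            /* one guard covers BOTH halves */
        const unsigned char *end = e->data + e->size;
        const unsigned char *nul = memchr(e->data, '\0', e->size);
        size_t first = nul ? (size_t)(nul - e->data) : e->size;

        field(who, sizeof who, e->data, first);
        if (nul && nul + 1 < end) {           /* bytes remain: editor string */
            const unsigned char *p = nul + 1;
            const unsigned char *nul2 = memchr(p, '\0', (size_t)(end - p));
            field(ed, sizeof ed, p, nul2 ? (size_t)(nul2 - p) : (size_t)(end - p));
        }
    }
    snprintf(val, maxlen, "%s (Photographer) - %s (Editor)", who, ed);
    return val;
}

int main(void)
{
    char buf[128];
    struct entry bad = { NULL, 12 };  /* constructed: size set, data missing */
    puts(format_copyright(&bad, buf, sizeof buf));
    return 0;
}
```

The bounded `memchr()` also covers a tag whose bytes carry no NUL terminator at all, a case a NULL check alone would not catch.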