From: Jan P. <pa...@pi...> - 2007-06-25 07:44:50
Hi Michele, thank you for reporting this problem. I checked in a fix in libexif/libexif/olympus/exif-mnote-data-olympus.c

The maker note was wrongly interpreted on read due to the wrong word order (endianness). This caused wrong data sizes leading into possibly failing huge memory allocations.

Kind regards,
Jan Patera

> Hi all,
>
> long story short. While using f-spot I stumbled into a 100%
> reproducible crash:
>
> /usr/lib/libexif.so.12(exif_set_short+0x2c) [0xb39119ac]
> /usr/lib/libexif.so.12 [0xb3908d2f]
> /usr/lib/libexif.so.12 [0xb390912b]
> /usr/lib/libexif.so.12(exif_data_save_data+0x1bf) [0xb39096af]
>
> (The crash happens in exif_set_short, I *think* because
> exif_data_save_data has a corrupted data struct or data->priv)
>
> So I went ahead and installed gexif in order to make a smaller test
> case. Running gexif, loading the picture and then saving it again shows
> problems (leak plus segfault). The leaks get pretty big (this is always
> just loading and saving an image in gexif without touching any values) :
> 2527 michele 18 0 2284m 1.6g 2032 T 0 80.3 0:02.96 gexif
>
> and then it crashes. Here is the full backtrace:
>
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread -1218484544 (LWP 2527)]
> 0xb7f5895b in exif_set_sshort (b=0x1a6 <Address 0x1a6 out of bounds>,
> order=EXIF_BYTE_ORDER_MOTOROLA, value=-28026) at exif-utils.c:113
> 113 b[0] = (unsigned char) (value >> 8);
> (gdb) bt full
> #0 0xb7f5895b in exif_set_sshort (b=0x1a6 <Address 0x1a6 out of
> bounds>, order=EXIF_BYTE_ORDER_MOTOROLA, value=-28026) at
> exif-utils.c:113
> No locals.
> #1 0xb7f589ac in exif_set_short (b=0x1a6 <Address 0x1a6 out of bounds>,
> order=EXIF_BYTE_ORDER_MOTOROLA, value=37510) at exif-utils.c:126
> No locals.
> #2 0xb7f4fd2f in exif_data_save_data_content (data=0x8207700,
> ifd=0x8205ba8, d=0xbfb59f04, ds=0xbfb59f08, offset=222) at
> exif-data.c:237
> j = 16
> n_ptr = <value optimized out>
> n_thumb = <value optimized out>
> i = EXIF_IFD_EXIF
> #3 0xb7f5012b in exif_data_save_data_content (data=0x8207700,
> ifd=0x8203100, d=0xbfb59f04, ds=0xbfb59f08, offset=142) at
> exif-data.c:555
> j = 10
> n_ptr = <value optimized out>
> n_thumb = <value optimized out>
> i = EXIF_IFD_0
> #4 0xb7f506af in exif_data_save_data (data=0x8207700, d=0xbfb59f04,
> ds=0xbfb59f08) at exif-data.c:947
> fd = <value optimized out>
> #5 0x0804b211 in jpeg_data_save_data (data=0x81938e8, d=0xbfb59f3c,
> ds=0xbfb59f38) at jpeg-data.c:127
> i = 1
> eds = 2366559238
> s = {marker = JPEG_MARKER_APP1, content = {generic = {data =
> 0x8207700 "", size = 775305261}, app1 = 0x8207700}}
> ed = (unsigned char *) 0x0
> #6 0x0804b2dd in jpeg_data_save_file (data=0x81938e8, path=0x82076e0
> "/tmp/gexif/gexif/img-86.jpg") at jpeg-data.c:80
> f = <value optimized out>
> d = (unsigned char *) 0x81aaba0 "����X\213\037\b\020"
> size = 4
> #7 0x08049b9b in gexif_main_save_file (m=<value optimized out>,
> path=0x9286 <Address 0x9286 out of bounds>) at gexif-main.c:190
> No locals.
> #8 0xb7d17428 in ?? () from /usr//lib/libgtk-x11-2.0.so.0
> No symbol table info available.
> #9 0x0807b000 in ?? ()
> No symbol table info available.
> #10 0x00000000 in ?? ()
> No symbol table info available.
>
>
> Let me know if you need further info.
>
> thanks a lot for the library and regards,
> Michele Baldessari
>
> (culprit image is at http://michele.pupazzo.org/files/img-86.jpg)
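Added example (not libexif code, and not the fix Jan checked in) showing the failure mode he describes: an IFD-style maker note whose 16-bit entry count and 32-bit component counts are read with the wrong word order turns a 3-component field into roughly 50 million components, i.e. a ~192 MiB allocation request. The functions, enum names and the sample byte string are this example's own; it also assumes value offsets are relative to the start of the maker note buffer, which real vendor notes do not all do. The checking routine rejects any derived size that exceeds the bytes actually present, so a misread never reaches an allocator.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Byte order as declared in the TIFF/EXIF header: "II" = Intel
 * (little-endian), "MM" = Motorola (big-endian). Names are this
 * example's own, not libexif's. */
typedef enum { ORDER_INTEL, ORDER_MOTOROLA } byte_order_t;

/* Read a 16-bit unsigned value honouring the declared byte order. */
uint16_t read_u16(const unsigned char *b, byte_order_t order)
{
    if (order == ORDER_MOTOROLA)
        return (uint16_t)(((unsigned)b[0] << 8) | b[1]);
    return (uint16_t)(((unsigned)b[1] << 8) | b[0]);
}

/* Read a 32-bit unsigned value honouring the declared byte order. */
uint32_t read_u32(const unsigned char *b, byte_order_t order)
{
    if (order == ORDER_MOTOROLA)
        return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
               ((uint32_t)b[2] << 8) | b[3];
    return ((uint32_t)b[3] << 24) | ((uint32_t)b[2] << 16) |
           ((uint32_t)b[1] << 8) | b[0];
}

/* Bytes per component for the standard TIFF format codes 1..12
 * (BYTE, ASCII, SHORT, LONG, RATIONAL, SBYTE, UNDEFINED, SSHORT,
 * SLONG, SRATIONAL, FLOAT, DOUBLE); anything else is unknown -> 0. */
size_t format_size(uint16_t fmt)
{
    static const size_t sizes[] = { 0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8 };
    return fmt < sizeof sizes / sizeof sizes[0] ? sizes[fmt] : 0;
}

enum { MNOTE_OK = 0, MNOTE_BAD_COUNT = -1, MNOTE_BAD_FORMAT = -2, MNOTE_TOO_BIG = -3 };

/* Walk an IFD-style maker note: a 16-bit entry count followed by 12-byte
 * entries (tag, format, component count, value or offset). Every size
 * derived from the data is checked against the bytes actually present
 * before any allocation would happen. Offsets are taken relative to the
 * start of buf (an assumption of this example). Returns MNOTE_OK and the
 * summed payload size in *total, otherwise a negative code. */
int mnote_check(const unsigned char *buf, size_t len, byte_order_t order,
                size_t *total)
{
    if (len < 2)
        return MNOTE_BAD_COUNT;
    uint16_t count = read_u16(buf, order);
    /* The entry table itself must fit: 2 + count * 12 <= len. */
    if ((size_t)count * 12 > len - 2)
        return MNOTE_BAD_COUNT;

    size_t sum = 0;
    for (size_t i = 0; i < count; i++) {
        const unsigned char *e = buf + 2 + i * 12;
        uint16_t fmt = read_u16(e + 2, order);
        uint32_t n = read_u32(e + 4, order);
        size_t fs = format_size(fmt);
        if (fs == 0)
            return MNOTE_BAD_FORMAT;
        /* Overflow-safe: n * fs must not exceed the note's own length. */
        if (n > len / fs)
            return MNOTE_TOO_BIG;
        size_t sz = (size_t)n * fs;
        if (sz > 4) { /* stored out of line: the offset must be in range too */
            uint32_t off = read_u32(e + 8, order);
            if (off > len || sz > len - off)
                return MNOTE_TOO_BIG;
        }
        sum += sz;
    }
    if (total)
        *total = sum;
    return MNOTE_OK;
}

/* Constructed sample (not taken from the reporter's image): a little-endian
 * maker note with two entries. Entry 1: tag 0x0200, LONG, 3 components,
 * payload at offset 26. Entry 2: tag 0x0201, SHORT, 1 component, inline.
 * 12 payload bytes follow at offset 26; 38 bytes in total. */
static const unsigned char sample_mnote[] = {
    0x02, 0x00,                                     /* count = 2 */
    0x00, 0x02, 0x04, 0x00, 0x03, 0x00, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00,
    0x01, 0x02, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc,
};

int main(void)
{
    size_t total = 0;
    int rc = mnote_check(sample_mnote, sizeof sample_mnote, ORDER_INTEL, &total);
    printf("correct order: rc=%d, payload=%zu bytes\n", rc, total);

    /* The same 4-byte component field read with the wrong word order. */
    printf("components: right=%u, wrong=%u (x4 bytes = %u)\n",
           (unsigned)read_u32(sample_mnote + 6, ORDER_INTEL),
           (unsigned)read_u32(sample_mnote + 6, ORDER_MOTOROLA),
           (unsigned)(read_u32(sample_mnote + 6, ORDER_MOTOROLA) * 4u));

    rc = mnote_check(sample_mnote, sizeof sample_mnote, ORDER_MOTOROLA, &total);
    printf("wrong order: rc=%d (rejected before any allocation)\n", rc);
    return 0;
}
```

With the correct order the two entries sum to 14 payload bytes; with the order swapped the count field alone reads as 512 entries, which cannot fit in a 38-byte note, so the walk stops at the first check. Parsers that skip this bounds step hand the misread size straight to malloc, which is the large, failing allocation seen in the report.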