Bug 443606 - Certain EXIF entries make F-Spot try to allocate gigabytes of memory
Status: RESOLVED INCOMPLETE
Product: f-spot
Classification: Other
Component: General
Version: 0.3.x
Hardware: Other All
Importance: Normal critical
Target Milestone: ---
Assigned To: F-spot maintainers
Reported: 2007-06-03 15:43 UTC by andrew-gnomebugs
Modified: 2007-11-10 16:12 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description andrew-gnomebugs 2007-06-03 15:43:18 UTC
Steps to reproduce:
I have photos from a friend I would like to import into F-Spot.  All of the photos appear to have a bug in the EXIF metadata though.  The result is that f-spot attempts to consume an impossibly large amount of memory, so I have to kill it immediately to make my desktop usable again (because of the swap storm).  
If I'm unlucky, it crashes my whole desktop (presumably due to the Linux OOM killer?).

Here's the debug output from SVN f-spot when opening one of these files:

open uri = file:///tmp/IMG_0200.jpg
Reading First IFD
reading 8 entries
Added Entry Make 0000010f - Ascii * 6
Added Entry Model 00000110 - Ascii * 14
Added Entry XResolution 0000011a - Rational * 1
Added Entry YResolution 0000011b - Rational * 1
Added Entry ResolutionUnit 00000128 - Short * 1
Added Entry DateTime 00000132 - Ascii * 20
Added Entry ExifIfdPointer 00008769 - Long * 1
Added Entry 0 00000000 - 0 * 1130458735
reading 24 entries
Added Entry ExposureTime 0000829a - Rational * 1
Added Entry FNumber 0000829d - Rational * 1
Added Entry ExposureProgram 00008822 - Short * 1
Added Entry ISOSpeedRatings 00008827 - Short * 1
Added Entry ExifVersion 00009000 - Undefined * 4
Added Entry DateTimeOriginal 00009003 - Ascii * 20
Added Entry DateTimeDigitized 00009004 - Ascii * 20
Added Entry ShutterSpeedValue 00009201 - SRational * 1
Added Entry ApertureValue 00009202 - Rational * 1
Added Entry ExposureBiasValue 00009204 - SRational * 1
Added Entry MeteringMode 00009207 - Short * 1
Added Entry Flash 00009209 - Short * 1
Added Entry FocalLength 0000920a - Rational * 1
Added Entry FlashPixVersion 0000a000 - Undefined * 4
Added Entry ColorSpace 0000a001 - Short * 1
Added Entry PixelXDimension 0000a002 - Long * 1
Added Entry PixelYDimension 0000a003 - Long * 1
Added Entry FocalPlaneXResolution 0000a20e - Rational * 1
Added Entry FocalPlaneYResolution 0000a20f - Rational * 1
Added Entry FocalPlaneResolutionUnit 0000a210 - Short * 1
Added Entry CustomRendered 0000a401 - Short * 1
Added Entry ExposureMode 0000a402 - Short * 1
Added Entry WhiteBalance 0000a403 - Short * 1
Added Entry SceneCaptureType 0000a406 - Short * 1

As you might expect, it's the "0 00000000 - 0 * 1130458735" entry that provokes f-spot into eating all available memory and crashing.  It does so on this line of Tiff.cs, inside DirectoryEntry.LoadExternal:

				byte [] data = new byte [count * GetTypeSize ()];

Obviously count here is ridiculously huge, and is directly affected by whatever the EXIF data claims to be the case.

As a first approximation, how about ignoring entries that appear to require reading beyond the end of the file?

(I may try to produce a patch, but I have zero experience writing C# code so don't hold your breath).

I've pasted a stack trace obtained with SIGQUIT.  The line numbers in Tiff.cs may be slightly different to SVN, as I have inserted extra debugging prints.  Let me know if this is a serious problem and I'll regenerate with a clean build.

If I strip the EXIF information with another tool, then f-spot can import the photo without difficulty.

One strange thing I don't understand: my wife's laptop, running the exact same version of f-spot (and the same version of Ubuntu) successfully imported these photos and can browse them, whereas on my laptop I cannot even view them with "f-spot -v ...".  If I copy her photos.db, then I cannot browse them (the bug occurs as soon as f-spot tries to generate a thumbnail).  I am at a loss to explain this, as it is 100% reproducible on my system with the exact same data.

Stack trace:
Full thread dump:

"" tid=0x0xb4772b90 this=0x0x217d0:
  at (wrapper managed-to-native) System.Threading.Monitor.Monitor_wait (object,int) <0x00004>
  at (wrapper managed-to-native) System.Threading.Monitor.Monitor_wait (object,int) <0xffffffff>

"" tid=0x0xb577fb90 this=0x0x21898:

"" tid=0x0xb7d976e0 this=0x0x21e10:
  at System.Threading.Monitor.Wait (object) [0x00027] in /build/buildd/mono-1.2.3.1/mcs/class/corlib/System.Threading/Monitor.cs:188
  at FSpot.PixbufCache.WorkerTask () [0x0001f] in /home/andrew/code/f-spot/trunk/src/PixbufCache.cs:158
  at (wrapper delegate-invoke) System.MulticastDelegate.invoke_void () <0xffffffff>
  at (wrapper runtime-invoke) System.Object.runtime_invoke_void (object,intptr,intptr,intptr) <0xffffffff>
  at (wrapper managed-to-native) System.Threading.Monitor.Monitor_wait (object,int) <0x00004>
  at (wrapper managed-to-native) System.Threading.Monitor.Monitor_wait (object,int) <0xffffffff>
  at System.Threading.Monitor.Wait (object) [0x00027] in /build/buildd/mono-1.2.3.1/mcs/class/corlib/System.Threading/Monitor.cs:188
  at PixbufLoader.WorkerThread () [0x000f8] in /home/andrew/code/f-spot/trunk/src/PixbufLoader.cs:229
  at (wrapper delegate-invoke) System.MulticastDelegate.invoke_void () <0xffffffff>
  at (wrapper runtime-invoke) System.Object.runtime_invoke_void (object,intptr,intptr,intptr) <0xffffffff>
System.Threading.SynchronizationLockException: Object is not synchronized
  at System.Threading.Monitor.Wait (System.Object obj) [0x0002f] in /build/buildd/mono-1.2.3.1/mcs/class/corlib/System.Threading/Monitor.cs:189 
  at FSpot.PixbufCache.WorkerTask () [0x0001f] in /home/andrew/code/f-spot/trunk/src/PixbufCache.cs:158 
  at (wrapper managed-to-native) System.Object.__icall_wrapper_mono_array_new_specific (intptr,int) <0x00004>
  at (wrapper managed-to-native) System.Object.__icall_wrapper_mono_array_new_specific (intptr,int) <0xffffffff>
  at FSpot.Tiff.DirectoryEntry.LoadExternal (System.IO.Stream) [0x00044] in /home/andrew/code/f-spot/trunk/src/Imaging/Tiff.cs:1731
  at FSpot.Tiff.ImageDirectory.LoadEntries (System.IO.Stream) [0x00070] in /home/andrew/code/f-spot/trunk/src/Imaging/Tiff.cs:1223
  at FSpot.Tiff.ImageDirectory.Load (System.IO.Stream) [0x00016] in /home/andrew/code/f-spot/trunk/src/Imaging/Tiff.cs:1172
  at FSpot.Tiff.ImageDirectory..ctor (System.IO.Stream,uint,FSpot.Tiff.Endian) [0x0002a] in /home/andrew/code/f-spot/trunk/src/Imaging/Tiff.cs:1139
  at FSpot.Tiff.Header..ctor (System.IO.Stream) [0x0012c] in /home/andrew/code/f-spot/trunk/src/Imaging/Tiff.cs:918
  at JpegHeader.GetExifHeader () [0x00042] in /home/andrew/code/f-spot/trunk/src/Imaging/JpegHeader.cs:322
  at FSpot.JpegFile.get_ExifHeader () [0x0000c] in /home/andrew/code/f-spot/trunk/src/Imaging/JpegFile.cs:54
  at FSpot.JpegFile.GetOrientation () [0x00002] in /home/andrew/code/f-spot/trunk/src/Imaging/JpegFile.cs:271
  at FSpot.ImageFile.get_Orientation () [0x00000] in /home/andrew/code/f-spot/trunk/src/Imaging/ImageFile.cs:74
  at FSpot.AsyncPixbufLoader.Load (System.Uri) [0x00043] in /home/andrew/code/f-spot/trunk/src/AsyncPixbufLoader.cs:117
  at FSpot.PhotoImageView.PhotoItemChanged (FSpot.BrowsablePointer,FSpot.BrowsablePointerChangedArgs) [0x000f2] in /home/andrew/code/f-spot/trunk/src/PhotoImageView.cs:325
  at (wrapper delegate-invoke) System.MulticastDelegate.invoke_void_BrowsablePointer_BrowsablePointerChangedArgs (FSpot.BrowsablePointer,FSpot.BrowsablePointerChangedArgs) <0x0006e>
  at (wrapper delegate-invoke) System.MulticastDelegate.invoke_void_BrowsablePointer_BrowsablePointerChangedArgs (FSpot.BrowsablePointer,FSpot.BrowsablePointerChangedArgs) <0xffffffff>
  at FSpot.BrowsablePointer.SetIndex (int) [0x00030] in /home/andrew/code/f-spot/trunk/src/IBrowsableItem.cs:207
  at FSpot.BrowsablePointer.set_Index (int) [0x0000c] in /home/andrew/code/f-spot/trunk/src/IBrowsableItem.cs:192

Unhandled Exception: System.Threading.SynchronizationLockException: Object is not synchronized
  at System.Threading.Monitor.Wait (System.Object obj) [0x0002f] in /build/buildd/mono-1.2.3.1/mcs/class/corlib/System.Threading/Monitor.cs:189 
  at PixbufLoader.WorkerThread () [0x000f8] in /home/andrew/code/f-spot/trunk/src/PixbufLoader.cs:229 
  at (wrapper delegate-invoke) System.MulticastDelegate:invoke_void ()
  at FSpot.SingleView.HandleSelectionChanged (FSpot.IBrowsableCollection) [0x0000c] in /home/andrew/code/f-spot/trunk/src/SingleView.cs:220
  at (wrapper delegate-invoke) System.MulticastDelegate.invoke_void_IBrowsableCollection (FSpot.IBrowsableCollection) <0xffffffff>
  at SelectionCollection.SignalChange (int[]) [0x0001d] in /home/andrew/code/f-spot/trunk/src/IconView.cs:537
  at SelectionCollection.Add (int,bool) [0x0003a] in /home/andrew/code/f-spot/trunk/src/IconView.cs:432
  at SelectionCollection.Add (int) [0x00000] in /home/andrew/code/f-spot/trunk/src/IconView.cs:417
  at FSpot.SingleView..ctor (System.Uri[]) [0x003c9] in /home/andrew/code/f-spot/trunk/src/SingleView.cs:141
  at FSpot.SingleView..ctor (UriList) [0x00000] in /home/andrew/code/f-spot/trunk/src/SingleView.cs:57
  at FSpot.Core.Viewbla (UriList) [0x00000] in /home/andrew/code/f-spot/trunk/src/Core.cs:127
  at FSpot.Core.View (string) [0x00000] in /home/andrew/code/f-spot/trunk/src/Core.cs:121
  at FSpot.Driver.Main (string[]) [0x002e4] in /home/andrew/code/f-spot/trunk/src/main.cs:196
  at (wrapper runtime-invoke) System.Object.runtime_invoke_void_string[] (object,intptr,intptr,intptr) <0xffffffff>


Other information:
My laptop is running Ubuntu Feisty (7.04).  I can reproduce this both with f-spot in feisty, and with f-spot from SVN.
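
The check suggested in the description (skip entries whose data would lie beyond the end of the file), as an added example; it is not F-Spot's code and not part of the original report. The class and method names are hypothetical, little-endian data is assumed, and the sample IFD is constructed to include the "0 00000000 - 0 * 1130458735" entry from the debug output.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;

static class IfdGuard   // hypothetical name, not an F-Spot class
{
    // Bytes per value for TIFF field types 1..12; index 0 is not a valid type.
    static readonly int[] TypeSize = { 0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8 };

    // Lists the entries whose payload fits inside the stream and skips the rest.
    public static List<string> ReadIfd(Stream s, long ifdOffset)
    {
        var kept = new List<string>();
        var r = new BinaryReader(s);               // little-endian data assumed
        s.Position = ifdOffset;
        int entries = r.ReadUInt16();
        for (int i = 0; i < entries; i++)
        {
            s.Position = ifdOffset + 2 + 12L * i;  // each IFD entry is 12 bytes
            ushort tag = r.ReadUInt16();
            ushort type = r.ReadUInt16();
            uint count = r.ReadUInt32();
            uint offset = r.ReadUInt32();
            if (type == 0 || type >= TypeSize.Length) continue;   // unknown type
            long size = (long)count * TypeSize[type];             // 64-bit, cannot wrap
            if (size > 4 && offset + size > s.Length) continue;   // payload past EOF
            kept.Add($"tag={tag:x4} type={type} count={count} bytes={size}");
        }
        return kept;
    }

    static void Main()
    {
        // Constructed sample: an IFD at offset 0 holding three entries.
        var ms = new MemoryStream();
        var w = new BinaryWriter(ms);
        w.Write((ushort)3);
        w.Write((ushort)0x010f); w.Write((ushort)2); w.Write(6u); w.Write(38u);          // Make, Ascii * 6
        w.Write((ushort)0); w.Write((ushort)0); w.Write(1130458735u); w.Write(0u);       // entry from the report
        w.Write((ushort)0x9286); w.Write((ushort)7); w.Write(1130458735u); w.Write(38u); // valid type, huge count
        w.Write(Encoding.ASCII.GetBytes("Canon\0"));
        w.Flush();
        foreach (var e in ReadIfd(ms, 0)) Console.WriteLine(e);
    }
}
```

Only the Make entry is listed: the entry with type 0 is rejected as an unknown type, and the third entry is rejected because its claimed size exceeds the 44-byte stream. A truncated entry table surfaces as an EndOfStreamException from BinaryReader, which the caller should treat as a malformed file.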
Comment 1 Stephane Delcroix 2007-07-16 09:25:09 UTC
Can you please provide such an image?
Comment 2 Bruno Boaventura 2007-11-10 16:12:56 UTC
Closing this bug report as no further information has been provided. Please feel free to reopen this bug if you can provide the information asked for.
Thanks!