GNOME Bugzilla – Bug 505085
crash in Image Viewer: I opened file name.bmp, ...
Last modified: 2010-07-10 04:06:28 UTC
Version: 2.20.3 What were you doing when the application crashed? I opened file name.bmp, which probably is damage Distribution: Debian lenny/sid Gnome Release: 2.20.2 2007-11-29 (Debian) BugBuddy Version: 2.20.1 System: Linux 2.6.23.1 #1 Fri Nov 9 13:57:47 CET 2007 i686 X Vendor: The X.Org Foundation X Vendor Release: 10300000 Selinux: No Accessibility: Disabled GTK+ Theme: SphereCrystal Icon Theme: Mist Memory status: size: 45162496 vsize: 45162496 resident: 17293312 share: 12374016 rss: 17293312 rss_rlim: 4294967295 CPU usage: start_time: 1198348783 rtime: 48 utime: 38 stime: 10 cutime:0 cstime: 0 timeout: 0 it_real_value: 0 frequency: 100 Backtrace was generated from '/usr/bin/eog' (no debugging symbols found) Using host libthread_db library "/lib/i686/cmov/libthread_db.so.1". (no debugging symbols found) [Thread debugging using libthread_db enabled] [New Thread 0xb6c0f6c0 (LWP 7754)] [New Thread 0x6efbdb90 (LWP 7756)] [New Thread 0xb6a3fb90 (LWP 7755)] 0xffffe410 in __kernel_vsyscall ()
+ Trace 182674
Thread 3 (Thread 0xb6a3fb90 (LWP 7755))
----------- .xsession-errors --------------------- Ostrzeżenie menedżera okien: Buggy client sent a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x2a00074 (Lista odtw) Ostrzeżenie menedżera okien: meta_window_activate called by a pager with a 0 timestamp; the pager needs to be fixed. Ostrzeżenie menedżera okien: Buggy client sent a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x2a00074 (Lista odtw) Ostrzeżenie menedżera okien: meta_window_activate called by a pager with a 0 timestamp; the pager needs to be fixed. amidi-plug(i_backend.c:i_backend_unload:164): unloading backend 'alsa' amidi-plug(i_backend.c:i_backend_unload:167): backend 'alsa' unloaded Unable to read from file:///media/Tmp/backup/win%20net%2024%20X.pbf, giving up. Error opening - using the oggvorbis module. The file may be corrupted. ERROR: meta.c (179): wmf_header_read: this isn't a wmf file ** (gnome-cups-icon:7665): WARNING **: Could not start the printer tray icon, because the CUPS server could not be contacted. EOG-ERROR **: file eog-image.c: line 1148 (eog_image_real_load): assertion failed: (priv->image != NULL) aborting... --------------------------------------------------
Looks like the pixbuf loader is not setting the error correctly here (most probably a gdk-pixbuf bug then). Could you please attach the BMP file that produces this crash (if possible/legal/allowed)?
*** Bug 505449 has been marked as a duplicate of this bug. ***
Created attachment 101740 [details] crashing file I'm not sure if this is the same file but it make similar error (IMO)
Confirming crasher.
there's a similar report in Ubuntu here: https://bugs.launchpad.net/eog/+bug/180779
This looks like a duplicate of bug #479912.
*** Bug 479912 has been marked as a duplicate of this bug. ***
Created attachment 102417 [details] minimal test case This is a minimal program that does the same as EOG to load an image, and the assertion fails as well.
Created attachment 102419 [details] correct one hm, previous program didn't close the pixbuf, this one does. And the assertion stsill fails.
(I meant, it didn't close the loader)
Moving to gtk+/gdk-pixbuf. From the documentation, if the loader, when closed doesn't return FALSE and an error, then loader.get_pixbuf () should return the pixbuf and not NULL.
*** Bug 510157 has been marked as a duplicate of this bug. ***
*** Bug 514068 has been marked as a duplicate of this bug. ***
*** Bug 517810 has been marked as a duplicate of this bug. ***
*** Bug 517400 has been marked as a duplicate of this bug. ***
FYI, Bug 517810 shows that renaming a JPG file to a BMP file is an easy way to create your own BMPs triggering this.
*** Bug 520822 has been marked as a duplicate of this bug. ***
Created attachment 107015 [details] [review] add extra check before closing the loader The problem seems to be that the loader doesn't check robustly the header, so on broken images, it may believe that it needs a lot of data before first decoding the header. This patch doesn't address the issue of the bogus data, but makes sure that if the user closes the loader, and we are still reading the bmp header, then returns an error notifying that the BMP file has not enough data. This seems neccessary to me in any case.
By the way, I'm afraid that there could be other stages during the bmp loading that should trigger the same warning though. Not exactly sure.
Created attachment 107090 [details] [review] check the BMP magic number before decoding the header This is a different patch that checks the two first bytes of the header, before decoding. In a BMP, these bytes should correspond to 0x42 0x4D.[1] [1] http://en.wikipedia.org/wiki/BMP_file_format#BMP_file_header
Please commit to the gtk-2-12 branch, too. Thanks
Committed to both branches. I changed the string for the first patch to "Premature end-of-file encountered", to avoid adding a new string to the stable branch. 2008-03-11 Claudio Saavedra <csaavedra@alumnos.utalca.cl> * io-bmp.c: (gdk_pixbuf__bmp_image_stop_load): Set a GDK_ERROR_CORRUPT_IMAGE error if the loader is closed while still reading the headers. (#505085) 2008-03-11 Claudio Saavedra <csaavedra@alumnos.utalca.cl> * io-bmp.c: (DecodeHeader): Check for the BMP header magic numbers before decoding it. (#505085)
*** Bug 523550 has been marked as a duplicate of this bug. ***
*** Bug 536633 has been marked as a duplicate of this bug. ***