Bug 380196 - crash in Open Folder: starting the system
Status: RESOLVED FIXED
Product: gdk-pixbuf
Classification: Platform
Component: general
Version: git master
Hardware/OS: Other All
Importance: High critical
Target Milestone: ---
Assigned To: gtk-bugs
QA Contact: gtk-bugs
Depends on:
Blocks:
Reported: 2006-11-28 16:38 UTC by marrajo
Modified: 2010-07-10 04:04 UTC
See Also:
GNOME target: ---
GNOME version: 2.29/2.30


Attachments
Added an extra validation in gdk_pixbuf_loader_set_size() (902 bytes, patch), 2009-10-18 00:51 UTC, Javier Jardón (IRC: jjardon), status: needs-work
Added an extra validation in gdk_pixbuf_loader_set_size().v2 (1.07 KB, patch), 2010-02-12 01:02 UTC, Javier Jardón (IRC: jjardon), status: committed

Description marrajo 2006-11-28 16:38:55 UTC
What were you doing when the application crashed?
starting the system


Distribution: Ubuntu 6.10 (edgy)
Gnome Release: 2.16.1 2006-10-02 (Ubuntu)
BugBuddy Version: 2.16.0

Memory status: size: 74125312 vsize: 0 resident: 74125312 share: 0 rss: 14888960 rss_rlim: 0
CPU usage: start_time: 1164731837 rtime: 0 utime: 51 stime: 0 cutime:45 cstime: 0 timeout: 6 it_real_value: 0 frequency: 0

Backtrace was generated from '/usr/bin/nautilus'

(no debugging symbols found)
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread -1227331920 (LWP 4772)]
(no debugging symbols found)
0xffffe410 in __kernel_vsyscall ()

Thread 1 (Thread -1227331920 (LWP 4772))

  #0  __kernel_vsyscall
  #1  __waitpid_nocancel from /lib/tls/i686/cmov/libpthread.so.0
  #2  gnome_gtk_module_info_get from /usr/lib/libgnomeui-2.so.0
  #3  <signal handler called>
  #4  jpeg_CreateDecompress from /lib/libjpeg.so.62
  #5  to_callback_terminate from /usr/lib/gtk-2.0/2.10.0/loaders/libpixbufloader-jpeg.so
  #6  gdk_pixbuf_loader_set_size from /usr/lib/libgdk_pixbuf-2.0.so.0
  #7  gdk_pixbuf_loader_write from /usr/lib/libgdk_pixbuf-2.0.so.0
  #8  eel_gdk_pixbuf_load from /usr/lib/libeel-2.so.2
  #9  eel_background_is_set from /usr/lib/libeel-2.so.2
  #10 eel_background_is_set from /usr/lib/libeel-2.so.2
  #11 nautilus_directory_async_state_changed
  #12 nautilus_directory_async_state_changed
  #13 fm_directory_view_bump_zoom_level
  #14 g_cclosure_marshal_VOID__VOID from /usr/lib/libgobject-2.0.so.0
  #15 g_value_set_boxed from /usr/lib/libgobject-2.0.so.0
  #16 g_closure_invoke from /usr/lib/libgobject-2.0.so.0
  #17 g_signal_chain_from_overridden from /usr/lib/libgobject-2.0.so.0
  #18 g_signal_emit_valist from /usr/lib/libgobject-2.0.so.0
  #19 g_signal_emit from /usr/lib/libgobject-2.0.so.0
  #20 fm_directory_view_bump_zoom_level
  #21 fm_directory_view_bump_zoom_level
  #22 nautilus_clipboard_monitor_emit_changed
  #23 nautilus_clipboard_monitor_emit_changed
  #24 nautilus_directory_async_state_changed
  #25 nautilus_icon_container_request_update_all
  #26 g_source_is_destroyed from /usr/lib/libglib-2.0.so.0
  #27 g_main_context_dispatch from /usr/lib/libglib-2.0.so.0
  #28 g_main_context_check from /usr/lib/libglib-2.0.so.0
  #29 g_main_loop_run from /usr/lib/libglib-2.0.so.0
  #30 gtk_main from /usr/lib/libgtk-x11-2.0.so.0
  #31 POA_Nautilus_MetafileMonitor__init
  #32 __libc_start_main from /lib/tls/i686/cmov/libc.so.6
  #33 ??
  #0  __kernel_vsyscall

Comment 1 Germán Poo-Caamaño 2006-11-29 01:55:50 UTC
It seems that a validation is missing in gdk_pixbuf_loader_set_size().

The crash is produced in libjpeg, which is not a GNOME library, but our functions should validate what data is passed.
Comment 2 Matthias Clasen 2007-09-10 01:57:57 UTC
We do have a 
g_return_if_fail (width >= 0 && height >= 0)

I guess we could add a 
g_return_if_fail (GDK_IS_PIXBUF_LOADER (loader));
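As an added example, not gdk-pixbuf's code and not the patch attached to this bug, the C program below shows the shape of the check Comment 2 proposes: validate the object argument and the dimensions before anything is dereferenced or handed on to the format module. Everything in it is constructed for illustration: the Loader struct, the LOADER_MAGIC tag standing in for GDK_IS_PIXBUF_LOADER(), and the RETURN_VAL_IF_FAIL macro standing in for GLib's g_return_val_if_fail(). It does not depend on GLib.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed type tag: stands in for the GDK_IS_PIXBUF_LOADER() instance
 * check (hypothetical value, not gdk-pixbuf's). */
#define LOADER_MAGIC 0x4c44524eu

/* Hypothetical stand-in for GLib's g_return_val_if_fail(): report the failed
 * precondition and make the call a no-op instead of touching the object. */
#define RETURN_VAL_IF_FAIL(expr, val)                                   \
    do {                                                                \
        if (!(expr)) {                                                  \
            fprintf(stderr, "precondition failed: %s\n", #expr);        \
            return (val);                                               \
        }                                                               \
    } while (0)

typedef struct Loader Loader;
/* Format-specific size callback, the role the JPEG loader module plays
 * in the backtrace above (constructed signature). */
typedef int (*size_cb)(Loader *loader, int width, int height);

struct Loader {
    unsigned magic;    /* checked by is_loader() */
    size_cb  on_size;  /* dispatched to only after the checks pass */
    int      width;
    int      height;
};

static int is_loader(const Loader *l)
{
    return l != NULL && l->magic == LOADER_MAGIC;
}

/* Hardened set_size: reject a NULL or non-loader pointer and negative
 * dimensions before dereferencing anything or calling the module callback.
 * Returns 0 on success, -1 when a precondition fails. */
int loader_set_size(Loader *loader, int width, int height)
{
    RETURN_VAL_IF_FAIL(is_loader(loader), -1);
    RETURN_VAL_IF_FAIL(width >= 0 && height >= 0, -1);

    loader->width = width;
    loader->height = height;
    return loader->on_size ? loader->on_size(loader, width, height) : 0;
}

/* Test double for the module callback: counts how often it was reached. */
static int callback_calls = 0;

static int record_size(Loader *loader, int width, int height)
{
    (void)loader; (void)width; (void)height;
    callback_calls++;
    return 0;
}

int loader_callback_calls(void)
{
    return callback_calls;
}

Loader make_loader(size_cb cb)
{
    Loader l = { LOADER_MAGIC, cb, 0, 0 };
    return l;
}

int main(void)
{
    Loader bogus = { 0, NULL, 0, 0 };   /* right shape, wrong type tag */
    Loader l = make_loader(record_size);

    printf("NULL loader      -> %d\n", loader_set_size(NULL, 10, 10));
    printf("wrong type tag   -> %d\n", loader_set_size(&bogus, 10, 10));
    printf("negative width   -> %d\n", loader_set_size(&l, -1, 10));
    printf("valid call       -> %d\n", loader_set_size(&l, 640, 480));
    printf("callback reached %d time(s)\n", loader_callback_calls());
    return 0;
}
```

The point of the ordering is that the instance check runs first: a pointer that is not a loader never reaches the dimension check, let alone the callback, so the format module only ever sees a well-formed object and non-negative sizes.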

Comment 3 Javier Jardón (IRC: jjardon) 2009-10-18 00:51:10 UTC
Created attachment 145707
Added an extra validation in gdk_pixbuf_loader_set_size()
Comment 4 Owen Taylor 2010-02-11 23:30:06 UTC
Comment on attachment 145707
Added an extra validation in gdk_pixbuf_loader_set_size()

Patch is obviously wrong, should be fine with the obvious correction. (See how the assignment of priv is handled elsewhere in the file.)
Comment 5 Javier Jardón (IRC: jjardon) 2010-02-12 01:02:39 UTC
Created attachment 153591
Added an extra validation in gdk_pixbuf_loader_set_size().v2

Oh yeah, you are right.

Here is the correct patch.
Comment 6 Javier Jardón (IRC: jjardon) 2010-05-03 22:40:20 UTC
Comment on attachment 153591
Added an extra validation in gdk_pixbuf_loader_set_size().v2

commit 64812ce662835b1967791196944b73b2d2617f7a
Comment 7 Javier Jardón (IRC: jjardon) 2010-05-03 22:40:45 UTC
This problem has been fixed in the development version. The fix will be available in the next major software release. Thank you for your bug report.