Bug 604106 - [jpegdec] Crash in jpeg_idct_ifast if more than 3 components
Status: RESOLVED FIXED
Product: GStreamer
Classification: Platform
Component: gst-plugins-good
Version: git master
Hardware: Other Linux
Importance: Normal normal
Target Milestone: 0.10.22
Assigned To: Tim-Philipp Müller
QA Contact: GStreamer Maintainers
Reported: 2009-12-08 17:56 UTC by Bastien Nocera
Modified: 2010-04-25 23:23 UTC


Attachments
Crasher jpeg (405.97 KB, image/jpeg)
2009-12-08 17:56 UTC, Bastien Nocera

Description Bastien Nocera 2009-12-08 17:56:45 UTC
Created attachment 149363
Crasher jpeg

gstreamer-0.10.25.1-2.fc12.x86_64
gstreamer-plugins-base-0.10.25.1-2.fc12.x86_64
gstreamer-plugins-good-0.10.17-3.fc12.x86_64

Crasher file attached.

$ gst-launch playbin2 uri=file:///home/hadess/Desktop/rb-crasher.jpg 
(gst-launch-0.10:9785): GLib-WARNING **: g_set_prgname() called multiple times
Setting pipeline to PAUSED ...
Pipeline is PREROLLING ...
Caught SIGSEGV accessing address (nil)

347	    outptr[0] = range_limit[IDESCALE(tmp0 + tmp7, PASS1_BITS+3)
Missing separate debuginfos, use: debuginfo-install gstreamer-0.10.25.1-2.fc12.x86_64
(gdb) bt
  • #0 jpeg_idct_ifast
    at ./jidctfst.c line 347
  • #1 decompress_onepass
    at ./jdcoefct.c line 197
  • #2 jpeg_read_raw_data
    at ./jdapistd.c line 210
  • #3 gst_jpeg_dec_decode_indirect
    at gstjpegdec.c line 740
  • #4 gst_jpeg_dec_chain
    at gstjpegdec.c line 1177
  • #5 gst_pad_chain_data_unchecked
    at gstpad.c line 4116
  • #6 gst_pad_push_data
    at gstpad.c line 4345
  • #7 gst_type_find_element_chain
    at gsttypefindelement.c line 697
  • #8 gst_pad_chain_data_unchecked
    at gstpad.c line 4116
  • #9 gst_pad_push_data
    at gstpad.c line 4345
  • #10 gst_pad_chain_data_unchecked
    at gstpad.c line 4116
  • #11 gst_pad_push_data
    at gstpad.c line 4345
  • #12 ??
    from /usr/lib64/libgstbase-0.10.so.0
  • #13 gst_task_func
    at gsttask.c line 234
  • #14 g_thread_pool_thread_proxy
    at gthreadpool.c line 265
  • #15 g_thread_create_proxy
    at gthread.c line 635
  • #16 start_thread
    at pthread_create.c line 297
  • #17 clone
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S line 112

Comment 1 Bastien Nocera 2009-12-08 17:57:05 UTC
From downstream:
https://bugzilla.redhat.com/show_bug.cgi?id=539503
Comment 2 Tim-Philipp Müller 2009-12-08 18:13:39 UTC
Thanks for the test file. I can reproduce this. Probably crashes because the image has 4 components but our code assumes there won't be more than 3.
Comment 3 Tim-Philipp Müller 2010-04-25 23:22:12 UTC
commit 6b2a0c7c46616f8148e846a17f5675b0000f07cf
Author: Tim-Philipp Müller <tim.muller@collabora.co.uk>
Date:   Sun Apr 25 15:12:20 2010 +0100

    jpegdec: don't crash if jpeg image contains more than three components
    
    Our code currently only handles a maximum of 3 components, so error
    out for now if the image has more components than that.
    
    Fixes #604106.
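
Added example, not part of the bug report or of the GStreamer commit: one way to reject a JPEG with more components than a decoder supports before any decoding starts, by reading the component count from the frame header. The function names, the MAX_COMPONENTS constant and the sample byte arrays are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_COMPONENTS 3 /* limit named in the commit message */

/* Component count (Nf) from the first SOFn frame header, or -1 if the
 * data is truncated or malformed before one is found. */
int jpeg_component_count(const uint8_t *buf, size_t len)
{
    size_t pos = 2;
    if (len < 4 || buf[0] != 0xFF || buf[1] != 0xD8) /* SOI */
        return -1;
    while (len - pos >= 4) {
        uint8_t m = buf[pos + 1];
        if (buf[pos] != 0xFF)
            return -1;
        if (m == 0xFF) { pos++; continue; } /* fill byte */
        if (m == 0x01 || (m >= 0xD0 && m <= 0xD7)) { pos += 2; continue; }
        if (m == 0xD9 || m == 0xDA) /* EOI or SOS before any SOF */
            return -1;
        size_t seglen = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        if (seglen < 2 || seglen > len - pos - 2)
            return -1;
        if (m >= 0xC0 && m <= 0xCF && m != 0xC4 && m != 0xC8 && m != 0xCC) {
            if (seglen < 8)
                return -1;
            unsigned nf = buf[pos + 9];
            /* length(2) + precision(1) + height(2) + width(2) + Nf(1) + 3*Nf */
            return (nf && seglen == 8 + 3 * (size_t)nf) ? (int)nf : -1;
        }
        pos += 2 + seglen;
    }
    return -1;
}

/* 1 = safe to hand to a decoder with MAX_COMPONENTS planes, 0 = reject. */
int jpeg_components_supported(const uint8_t *buf, size_t len)
{
    int nf = jpeg_component_count(buf, len);
    return nf >= 1 && nf <= MAX_COMPONENTS;
}

/* Constructed sample headers (not the attached crasher file). */
const uint8_t sample_4comp[] = { 0xFF,0xD8, 0xFF,0xC0,0x00,0x14, 0x08,
    0x00,0x10, 0x00,0x10, 0x04, 1,0x11,0, 2,0x11,0, 3,0x11,0, 4,0x11,0 };
const uint8_t sample_3comp[] = { 0xFF,0xD8, 0xFF,0xE0,0x00,0x04,0,0,
    0xFF,0xC0,0x00,0x11, 0x08, 0x00,0x10, 0x00,0x10, 0x03,
    1,0x11,0, 2,0x11,0, 3,0x11,0 };
```

The same count is what libjpeg reports as num_components after jpeg_read_header(), so a decoder that already uses libjpeg can apply the limit there instead of parsing the header itself.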