GNOME Bugzilla – Bug 443606
Certain EXIF entries make F-Spot try to allocate gigabytes of memory
Last modified: 2007-11-10 16:12:56 UTC
Steps to reproduce:
I have photos from a friend I would like to import into F-Spot. All of the photos appear to have a bug in the EXIF metadata though. The result is that f-spot attempts to consume an impossibly large amount of memory, so I have to kill it immediately to make my desktop usable again (because of the swap storm). If I'm unlucky, it crashes my whole desktop (presumably due to the Linux OOM killer?).

Here's the debug output from SVN f-spot when opening one of these files:

open uri = file:///tmp/IMG_0200.jpg
Reading First IFD
reading 8 entries
Added Entry Make 0000010f - Ascii * 6
Added Entry Model 00000110 - Ascii * 14
Added Entry XResolution 0000011a - Rational * 1
Added Entry YResolution 0000011b - Rational * 1
Added Entry ResolutionUnit 00000128 - Short * 1
Added Entry DateTime 00000132 - Ascii * 20
Added Entry ExifIfdPointer 00008769 - Long * 1
Added Entry 0 00000000 - 0 * 1130458735
reading 24 entries
Added Entry ExposureTime 0000829a - Rational * 1
Added Entry FNumber 0000829d - Rational * 1
Added Entry ExposureProgram 00008822 - Short * 1
Added Entry ISOSpeedRatings 00008827 - Short * 1
Added Entry ExifVersion 00009000 - Undefined * 4
Added Entry DateTimeOriginal 00009003 - Ascii * 20
Added Entry DateTimeDigitized 00009004 - Ascii * 20
Added Entry ShutterSpeedValue 00009201 - SRational * 1
Added Entry ApertureValue 00009202 - Rational * 1
Added Entry ExposureBiasValue 00009204 - SRational * 1
Added Entry MeteringMode 00009207 - Short * 1
Added Entry Flash 00009209 - Short * 1
Added Entry FocalLength 0000920a - Rational * 1
Added Entry FlashPixVersion 0000a000 - Undefined * 4
Added Entry ColorSpace 0000a001 - Short * 1
Added Entry PixelXDimension 0000a002 - Long * 1
Added Entry PixelYDimension 0000a003 - Long * 1
Added Entry FocalPlaneXResolution 0000a20e - Rational * 1
Added Entry FocalPlaneYResolution 0000a20f - Rational * 1
Added Entry FocalPlaneResolutionUnit 0000a210 - Short * 1
Added Entry CustomRendered 0000a401 - Short * 1
Added Entry ExposureMode 0000a402 - Short * 1
Added Entry WhiteBalance 0000a403 - Short * 1
Added Entry SceneCaptureType 0000a406 - Short * 1

As you might expect, it's the "0 00000000 - 0 * 1130458735" entry that provokes f-spot into eating all available memory and crashing. It does so on this line of Tiff.cs, inside DirectoryEntry.LoadExternal:

    byte [] data = new byte [count * GetTypeSize ()];

Obviously count here is ridiculously huge, and is directly affected by whatever the EXIF data claims to be the case. As a first approximation, how about ignoring entries that appear to require reading beyond the end of the file? (I may try to produce a patch, but I have zero experience writing C# code so don't hold your breath).

I've pasted a stack trace obtained with SIGQUIT. The line numbers in Tiff.cs may be slightly different to SVN, as I have inserted extra debugging prints. Let me know if this is a serious problem and I'll regenerate with a clean build.

If I strip the EXIF information with another tool, then f-spot can import the photo without difficulty.

One strange thing I don't understand: my wife's laptop, running the exact same version of f-spot (and same version of Ubuntu) successfully imported these photos and can browse them, whereas on my laptop I cannot even view them with "f-spot -v ...". If I copy her photos.db, then I cannot browse them (the bug occurs as soon as f-spot tries to generate a thumbnail). I am at a loss to explain this, as it is 100% reproducible on my system with the exact same data.

Stack trace:
Full thread dump:

"" tid=0x0xb4772b90 this=0x0x217d0:
  at (wrapper managed-to-native) System.Threading.Monitor.Monitor_wait (object,int) <0x00004>
  at (wrapper managed-to-native) System.Threading.Monitor.Monitor_wait (object,int) <0xffffffff>

"" tid=0x0xb577fb90 this=0x0x21898:

"" tid=0x0xb7d976e0 this=0x0x21e10:
  at System.Threading.Monitor.Wait (object) [0x00027] in /build/buildd/mono-1.2.3.1/mcs/class/corlib/System.Threading/Monitor.cs:188
  at FSpot.PixbufCache.WorkerTask () [0x0001f] in /home/andrew/code/f-spot/trunk/src/PixbufCache.cs:158
  at (wrapper delegate-invoke) System.MulticastDelegate.invoke_void () <0xffffffff>
  at (wrapper runtime-invoke) System.Object.runtime_invoke_void (object,intptr,intptr,intptr) <0xffffffff>
  at (wrapper managed-to-native) System.Threading.Monitor.Monitor_wait (object,int) <0x00004>
  at (wrapper managed-to-native) System.Threading.Monitor.Monitor_wait (object,int) <0xffffffff>
  at System.Threading.Monitor.Wait (object) [0x00027] in /build/buildd/mono-1.2.3.1/mcs/class/corlib/System.Threading/Monitor.cs:188
  at PixbufLoader.WorkerThread () [0x000f8] in /home/andrew/code/f-spot/trunk/src/PixbufLoader.cs:229
  at (wrapper delegate-invoke) System.MulticastDelegate.invoke_void () <0xffffffff>
  at (wrapper runtime-invoke) System.Object.runtime_invoke_void (object,intptr,intptr,intptr) <0xffffffff>
System.Threading.SynchronizationLockException: Object is not synchronized
  at System.Threading.Monitor.Wait (System.Object obj) [0x0002f] in /build/buildd/mono-1.2.3.1/mcs/class/corlib/System.Threading/Monitor.cs:189
  at FSpot.PixbufCache.WorkerTask () [0x0001f] in /home/andrew/code/f-spot/trunk/src/PixbufCache.cs:158
  at (wrapper managed-to-native) System.Object.__icall_wrapper_mono_array_new_specific (intptr,int) <0x00004>
  at (wrapper managed-to-native) System.Object.__icall_wrapper_mono_array_new_specific (intptr,int) <0xffffffff>
  at FSpot.Tiff.DirectoryEntry.LoadExternal (System.IO.Stream) [0x00044] in /home/andrew/code/f-spot/trunk/src/Imaging/Tiff.cs:1731
  at FSpot.Tiff.ImageDirectory.LoadEntries (System.IO.Stream) [0x00070] in /home/andrew/code/f-spot/trunk/src/Imaging/Tiff.cs:1223
  at FSpot.Tiff.ImageDirectory.Load (System.IO.Stream) [0x00016] in /home/andrew/code/f-spot/trunk/src/Imaging/Tiff.cs:1172
  at FSpot.Tiff.ImageDirectory..ctor (System.IO.Stream,uint,FSpot.Tiff.Endian) [0x0002a] in /home/andrew/code/f-spot/trunk/src/Imaging/Tiff.cs:1139
  at FSpot.Tiff.Header..ctor (System.IO.Stream) [0x0012c] in /home/andrew/code/f-spot/trunk/src/Imaging/Tiff.cs:918
  at JpegHeader.GetExifHeader () [0x00042] in /home/andrew/code/f-spot/trunk/src/Imaging/JpegHeader.cs:322
  at FSpot.JpegFile.get_ExifHeader () [0x0000c] in /home/andrew/code/f-spot/trunk/src/Imaging/JpegFile.cs:54
  at FSpot.JpegFile.GetOrientation () [0x00002] in /home/andrew/code/f-spot/trunk/src/Imaging/JpegFile.cs:271
  at FSpot.ImageFile.get_Orientation () [0x00000] in /home/andrew/code/f-spot/trunk/src/Imaging/ImageFile.cs:74
  at FSpot.AsyncPixbufLoader.Load (System.Uri) [0x00043] in /home/andrew/code/f-spot/trunk/src/AsyncPixbufLoader.cs:117
  at FSpot.PhotoImageView.PhotoItemChanged (FSpot.BrowsablePointer,FSpot.BrowsablePointerChangedArgs) [0x000f2] in /home/andrew/code/f-spot/trunk/src/PhotoImageView.cs:325
  at (wrapper delegate-invoke) System.MulticastDelegate.invoke_void_BrowsablePointer_BrowsablePointerChangedArgs (FSpot.BrowsablePointer,FSpot.BrowsablePointerChangedArgs) <0x0006e>
  at (wrapper delegate-invoke) System.MulticastDelegate.invoke_void_BrowsablePointer_BrowsablePointerChangedArgs (FSpot.BrowsablePointer,FSpot.BrowsablePointerChangedArgs) <0xffffffff>
  at FSpot.BrowsablePointer.SetIndex (int) [0x00030] in /home/andrew/code/f-spot/trunk/src/IBrowsableItem.cs:207
  at FSpot.BrowsablePointer.set_Index (int) [0x0000c] in /home/andrew/code/f-spot/trunk/src/IBrowsableItem.cs:192
Unhandled Exception: System.Threading.SynchronizationLockException: Object is not synchronized
  at System.Threading.Monitor.Wait (System.Object obj) [0x0002f] in /build/buildd/mono-1.2.3.1/mcs/class/corlib/System.Threading/Monitor.cs:189
  at PixbufLoader.WorkerThread () [0x000f8] in /home/andrew/code/f-spot/trunk/src/PixbufLoader.cs:229
  at (wrapper delegate-invoke) System.MulticastDelegate:invoke_void ()
  at FSpot.SingleView.HandleSelectionChanged (FSpot.IBrowsableCollection) [0x0000c] in /home/andrew/code/f-spot/trunk/src/SingleView.cs:220
  at (wrapper delegate-invoke) System.MulticastDelegate.invoke_void_IBrowsableCollection (FSpot.IBrowsableCollection) <0xffffffff>
  at SelectionCollection.SignalChange (int[]) [0x0001d] in /home/andrew/code/f-spot/trunk/src/IconView.cs:537
  at SelectionCollection.Add (int,bool) [0x0003a] in /home/andrew/code/f-spot/trunk/src/IconView.cs:432
  at SelectionCollection.Add (int) [0x00000] in /home/andrew/code/f-spot/trunk/src/IconView.cs:417
  at FSpot.SingleView..ctor (System.Uri[]) [0x003c9] in /home/andrew/code/f-spot/trunk/src/SingleView.cs:141
  at FSpot.SingleView..ctor (UriList) [0x00000] in /home/andrew/code/f-spot/trunk/src/SingleView.cs:57
  at FSpot.Core.Viewbla (UriList) [0x00000] in /home/andrew/code/f-spot/trunk/src/Core.cs:127
  at FSpot.Core.View (string) [0x00000] in /home/andrew/code/f-spot/trunk/src/Core.cs:121
  at FSpot.Driver.Main (string[]) [0x002e4] in /home/andrew/code/f-spot/trunk/src/main.cs:196
  at (wrapper runtime-invoke) System.Object.runtime_invoke_void_string[] (object,intptr,intptr,intptr) <0xffffffff>

Other information:
My laptop is running Ubuntu Feisty (7.04). I can reproduce this both with f-spot in feisty, and with f-spot from SVN.

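One way to apply the check suggested in the report, skipping any entry whose declared data would run past the end of the file before anything is allocated. This is an added C# example, not F-Spot's code or a fix from this bug; SafeIfd, ReadEntries, the little-endian-only parsing and the sample bytes are assumptions made for illustration.

```csharp
// Added example, not F-Spot code. SafeIfd and ReadEntries are hypothetical names.
using System;
using System.Collections.Generic;
using System.IO;

static class SafeIfd
{
    // Bytes per value for TIFF field types 1..12; type 0 is not a valid type.
    static readonly int[] TypeSize = { 0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8 };

    // Reads one little-endian IFD; returns tag -> raw data for entries that validate.
    public static Dictionary<ushort, byte[]> ReadEntries(Stream s, uint ifdOffset)
    {
        var kept = new Dictionary<ushort, byte[]>();
        var r = new BinaryReader(s);                 // BinaryReader reads little-endian
        s.Position = ifdOffset;
        ushort n = r.ReadUInt16();
        for (int i = 0; i < n; i++)
        {
            s.Position = ifdOffset + 2 + 12L * i;    // each IFD entry is 12 bytes
            ushort tag = r.ReadUInt16();
            ushort type = r.ReadUInt16();
            uint count = r.ReadUInt32();
            uint valueOrOffset = r.ReadUInt32();

            if (type == 0 || type >= TypeSize.Length) continue;   // unknown type
            ulong size = (ulong)count * (ulong)TypeSize[type];    // 64-bit product
            long start = size <= 4 ? s.Position - 4 : valueOrOffset;
            if (size > int.MaxValue || (ulong)start + size > (ulong)s.Length)
                continue;                            // declared data runs past end of file
            s.Position = start;
            kept[tag] = r.ReadBytes((int)size);      // allocation bounded by file size
        }
        return kept;
    }

    static void Main()
    {
        // Constructed sample: header, 3-entry IFD, then 6 bytes of Make data at offset 50.
        var ms = new MemoryStream();
        var w = new BinaryWriter(ms);
        w.Write(new byte[] { 0x49, 0x49, 0x2A, 0x00 }); w.Write(8u); w.Write((ushort)3);
        w.Write((ushort)0x010f); w.Write((ushort)2); w.Write(6u); w.Write(50u);
        w.Write((ushort)0); w.Write((ushort)0); w.Write(1130458735u); w.Write(0u);
        w.Write((ushort)0x9286); w.Write((ushort)7); w.Write(1130458735u); w.Write(50u);
        w.Write(0u); w.Write(new byte[] { 77, 97, 107, 101, 114, 0 });   // "Maker\0"
        foreach (var e in ReadEntries(ms, 8))
            Console.WriteLine("kept tag 0x{0:x4}, {1} bytes", e.Key, e.Value.Length);
    }
}
```

The second sample entry mirrors the one in the debug output (tag 0, type 0, count 1130458735) and is dropped by the type check; the third has a valid type with the same count and is dropped by the end-of-file check.
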
Can you please provide such an image?
Closing this bug report as no further information has been provided. Please feel free to reopen this bug if you can provide the information asked for. Thanks!