GNOME Bugzilla – Bug 440740
gdk_pixbuf_scale crashes on ARM
Last modified: 2018-05-22 13:05:37 UTC
With the right parameters gdk_pixbuf_scale crashes on ARM. Even after trying to disable MMX I didn't manage to reproduce the crash or get any valgrind warnings on x86. From the trace and experiments it seems we are overflowing the x counter in pixops.c:pixops_process (look at the x_init parameter).
Created attachment 88678 [details] testcase
It seems to be crashing in pixops.c (scale_line_22_33):

    int x_scaled = x >> SCALE_SHIFT;
    [...]
    q0 = src0 + x_scaled * 3;
    q1 = src1 + x_scaled * 3;
    [...]
    r = w1 * q0[0];   <--- CRASH
    g = w1 * q0[1];
    b = w1 * q0[2];

x = 0xc3780000 (-1015545856)
x_scaled = 0xffffc378 (-15496)

It looks like in pixops.c (pixops_process) we break out of the following loop with x_start < 0, which then gets passed (as x) to line_func and we end up addressing a random area in memory:

    while (x_start < 0 && outbuf < outbuf_end)
      {
        process_pixel (run_weights + ((x >> (SCALE_SHIFT - SUBSAMPLE_BITS)) & SUBSAMPLE_MASK) * (filter->x.n * filter->y.n),
                       filter->x.n, filter->y.n,
                       outbuf, dest_x, dest_channels, dest_has_alpha,
                       line_bufs, src_channels, src_has_alpha,
                       x >> SCALE_SHIFT, src_width,
                       check_size, tcolor1, tcolor2, pixel_func);
        x += x_step;
        x_start = x >> SCALE_SHIFT;
        dest_x++;
        outbuf += dest_channels;
      }

    new_outbuf = (*line_func) (run_weights, filter->x.n, filter->y.n,
                               outbuf, dest_x,
                               dest_buf + dest_rowstride * i + run_end_index * dest_channels,
                               dest_channels, dest_has_alpha,
                               line_bufs, src_channels, src_has_alpha,
                               x, x_step, src_width, check_size, tcolor1, tcolor2);

I'm not really sure how such a case should be handled here.
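The comment above describes a fixed-point counter (x, in SCALE_SHIFT fractional bits) that wraps past INT32_MAX, so that x >> SCALE_SHIFT becomes negative and q0 = src0 + x_scaled * 3 points outside the source row. The following is an added, self-contained illustration written for this page; it is not code from gdk-pixbuf or from the bug reporter. It assumes SCALE_SHIFT is 16 (the value pixops.c uses for its 16.16 fixed point) and that right-shifting a negative int is arithmetic, as on gcc/clang. It reproduces the reported x to x_scaled conversion, shows how a line function could refuse an out-of-range source index instead of dereferencing it, and walks the x += x_step accumulation in 64 bits to report the first destination column at which a 32-bit x would wrap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Fixed-point layout assumed to match pixops.c: 16 fractional bits. */
#define SCALE_SHIFT 16

/* Convert a 16.16 source coordinate to an integer pixel index.
   For a wrapped x the arithmetic shift yields a negative index: the report's
   x = 0xc3780000 gives -15496, which is what made q0 point before src0. */
static int scaled_index(int32_t x)
{
    return (int)(x >> SCALE_SHIFT);
}

/* Checked variant: only hands back an index inside [0, src_width).
   A line function that uses this cannot form q0 = src0 + x_scaled * 3
   outside the source row, whatever happened to x upstream. */
static bool scaled_index_checked(int32_t x, int src_width, int *out)
{
    int idx = scaled_index(x);
    if (idx < 0 || idx >= src_width)
        return false;
    *out = idx;
    return true;
}

/* Step x across one destination row exactly as pixops_process does
   (x += x_step per output pixel), but accumulate in 64 bits so we can see
   where a 32-bit x would leave the int32 range. Returns the first destination
   column whose x no longer fits in int32, or -1 if the row is safe. */
static long first_overflow_column(int32_t x_init, int32_t x_step, int dest_width)
{
    int64_t x = x_init;
    for (int dest_x = 0; dest_x < dest_width; dest_x++) {
        if (x > INT32_MAX || x < INT32_MIN)
            return dest_x;
        x += x_step;
    }
    return -1;
}

/* Count the output columns that would read outside the source row if x is
   kept in 32 bits and allowed to wrap (the behaviour the crash exhibits).
   The addition is done on uint32_t so the wrap is defined behaviour here. */
static long count_bad_columns(int32_t x_init, int32_t x_step, int dest_width, int src_width)
{
    int32_t x = x_init;
    long bad = 0;
    for (int dest_x = 0; dest_x < dest_width; dest_x++) {
        int idx;
        if (!scaled_index_checked(x, src_width, &idx))
            bad++;
        x = (int32_t)((uint32_t)x + (uint32_t)x_step);
    }
    return bad;
}

int main(void)
{
    /* Constructed inputs: the x value quoted in the report, and a row whose
       accumulator starts one step short of INT32_MAX. */
    int32_t reported_x = (int32_t)0xc3780000;
    printf("x = %d -> x_scaled = %d\n", reported_x, scaled_index(reported_x));
    printf("first overflow column: %ld\n",
           first_overflow_column(0x7fff0000, 0x10000, 4));
    printf("bad columns with wrapping x: %ld\n",
           count_bad_columns(0x7fff0000, 0x10000, 2, 100000));
    return 0;
}
```

The two helpers separate the two fixes a maintainer can choose between: widening or bounding the accumulator before the row is processed (first_overflow_column tells you whether a given x_init/x_step/dest_width combination is safe at all), and validating the scaled index at the point of use (scaled_index_checked). Doing only the second still avoids the out-of-bounds read, at the cost of producing a wrong pixel rather than a crash.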
-- GitLab Migration Automatic Message -- This bug has been migrated to GNOME's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/GNOME/gdk-pixbuf/issues/12.