Bug 65040 - meta info (EXIF for jpeg) of some JPEG and PNGs images causes konqueror to crash
Status: RESOLVED DUPLICATE of bug 52356
Alias: None
Product: konqueror
Classification: Applications
Component: general
Version: unspecified
Platform: Slackware Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Konqueror Developers
Reported: 2003-09-27 15:58 UTC by Mitch Mao
Modified: 2003-10-15 16:35 UTC
Description Mitch Mao 2003-09-27 15:58:35 UTC
Version:            (using KDE KDE 3.1.3)
Installed from:    Slackware Packages
OS:          Linux

i'm using .tgz packages of kde 3.1.3 on linux kernel 2.4.22 and slackware 8.1.

when browsing local hard drive i experience crashes of Konqueror when dealing with meta info of SOME jpg and png files..

when going mouseOver the images, konqueror tries to parse meta info of files (EXIF data for jpg) to draw the tooltip, and then crashes.

disabling tooltips there is no crash. but when accessing the "meta info" tab in the "properties" dialog for the images, i experience the same, identical crash.

same thing happens in kuickshow.

i have a sample jpg file here:
http://www.hidingpolly.com/casta.jpg

-------------------------------------------------

follows backtrace:

[New Thread 1024 (LWP 16167)]
0x40ece239 in __wait4 () at __wait4:-1
	in __wait4
#0  0x40ece239 in __wait4 () at __wait4:-1
#1  0x40f48e58 in __DTOR_END__ () from /lib/libc.so.6
#2  0x40d9f7b2 in waitpid (pid=16181, stat_loc=0x0, options=0)
    at wrapsyscall.c:173
#3  0x4058265c in KCrash::defaultCrashHandler ()
   from /opt/kde/lib/libkdecore.so.4
#4  0x40d9d144 in pthread_sighandler (signo=6, ctx=
      {gs = 0, __gsh = 0, fs = 0, __fsh = 0, es = 43, __esh = 0, ds = 43, __dsh = 0, edi = 1088036896, esi = 16167, ebp = 3221218396, esp = 3221218336, ebx = 16167, edx = 1088064220, ecx = 6, eax = 0, trapno = 0, err = 0, eip = 1088770913, cs = 35, __csh = 0, eflags = 643, esp_at_signal = 3221218336, ss = 43, __ssh = 0, fpstate = 0xbfffe1a0, oldmask = 2147483648, cr2 = 0}) at signals.c:97
#5  <signal handler called>
#6  0x40e55361 in __kill () at __kill:-1
#7  0x40d9d052 in pthread_kill (thread=1024, signo=6) at signals.c:65
#8  0x40d9d531 in raise (sig=6) at signals.c:236
#9  0x40e5688b in abort () at ../sysdeps/generic/abort.c:88
#10 0x40df0f28 in __terminate () at ../../gcc-2.95.3/gcc/libgcc2.c:-1
#11 0x40df0f45 in __terminate () from /usr/lib/libstdc++-libc6.2-2.so.3
#12 0x40df1ad4 in __throw () from /usr/lib/libstdc++-libc6.2-2.so.3
#13 0x4142bf7c in ExifData::ReadJpegSections ()
   from /opt/kde/lib/kde3/kfile_jpeg.so
#14 0x4142d771 in ExifData::scan () from /opt/kde/lib/kde3/kfile_jpeg.so
#15 0x41427155 in KJpegPlugin::readInfo () from /opt/kde/lib/kde3/kfile_jpeg.so
#16 0x401dd997 in KFileMetaInfo::KFileMetaInfo () from /opt/kde/lib/libkio.so.4
#17 0x401b86ff in KFileItem::metaInfo () from /opt/kde/lib/libkio.so.4
#18 0x401b6670 in KFileItem::getToolTipText () from /opt/kde/lib/libkio.so.4
#19 0x410b5cbd in KFileTip::setItem () from /opt/kde/lib/libkonq.so.4
#20 0x410b6fd0 in KonqIconViewWidget::slotOnItem ()
   from /opt/kde/lib/libkonq.so.4
#21 0x410bbcb5 in KonqIconViewWidget::qt_invoke ()
   from /opt/kde/lib/libkonq.so.4
#22 0x408cf265 in QObject::activate_signal ()
   from /usr/lib/qt-3.1.1/lib/libqt-mt.so.3
#23 0x40b7e2cd in QIconView::onItem () from /usr/lib/qt-3.1.1/lib/libqt-mt.so.3
#24 0x40a32605 in QIconView::contentsMouseMoveEvent ()
   from /usr/lib/qt-3.1.1/lib/libqt-mt.so.3
#25 0x409a7772 in QScrollView::viewportMouseMoveEvent ()
   from /usr/lib/qt-3.1.1/lib/libqt-mt.so.3
#26 0x409a6eeb in QScrollView::eventFilter ()
   from /usr/lib/qt-3.1.1/lib/libqt-mt.so.3
#27 0x40a368be in QIconView::eventFilter ()
   from /usr/lib/qt-3.1.1/lib/libqt-mt.so.3
#28 0x408cd128 in QObject::activate_filters ()
   from /usr/lib/qt-3.1.1/lib/libqt-mt.so.3
#29 0x408cd004 in QObject::event () from /usr/lib/qt-3.1.1/lib/libqt-mt.so.3
#30 0x408fab14 in QWidget::event () from /usr/lib/qt-3.1.1/lib/libqt-mt.so.3
#31 0x4087a72a in QApplication::internalNotify ()
   from /usr/lib/qt-3.1.1/lib/libqt-mt.so.3
#32 0x4087a1de in QApplication::notify ()
   from /usr/lib/qt-3.1.1/lib/libqt-mt.so.3
#33 0x405109eb in KApplication::notify () from /opt/kde/lib/libkdecore.so.4
#34 0x4082de5b in QETWidget::translateMouseEvent ()
   from /usr/lib/qt-3.1.1/lib/libqt-mt.so.3
#35 0x4082c109 in QApplication::x11ProcessEvent ()
   from /usr/lib/qt-3.1.1/lib/libqt-mt.so.3
#36 0x4083de14 in QEventLoop::processEvents ()
   from /usr/lib/qt-3.1.1/lib/libqt-mt.so.3
#37 0x4088c8d3 in QEventLoop::enterLoop ()
   from /usr/lib/qt-3.1.1/lib/libqt-mt.so.3
#38 0x4088c822 in QEventLoop::exec () from /usr/lib/qt-3.1.1/lib/libqt-mt.so.3
#39 0x4087a8ad in QApplication::exec ()
   from /usr/lib/qt-3.1.1/lib/libqt-mt.so.3
#40 0x411232fe in main () from /opt/kde/lib/konqueror.so
#41 0x0804cf86 in launch ()
#42 0x0804de58 in handle_launcher_request ()
#43 0x0804e375 in handle_requests ()
#44 0x0804f237 in main ()
#45 0x40e4417d in __libc_start_main (main=0x804ec48 <main>, argc=3,
    ubp_av=0xbffffa44, init=0x804ab44 <_init>, fini=0x804fd00 <_fini>, 
    rtld_fini=0x4000a534 <_dl_fini>, stack_end=0xbffffa3c)
    at ../sysdeps/generic/libc-start.c:129

-------------------------------------------------

if there's a fix for this bug in another bug report, i'll be glad if you can indicate the precise file to edit or procedure to follow, because i couldn't find help in any other bug report.

thanks in advance..

Mitch Mao
Comment 1 George Staikos 2003-09-27 17:49:18 UTC
Can't reproduce with 3.1.4 or 3.2 but I think this is a compiler bug because 
that code contains no assert(), no abort() and all the throws are caught. 
Comment 2 Stephan Kulow 2003-09-27 22:06:51 UTC
fixed as #52356 
Comment 3 Mitch Mao 2003-09-29 15:39:03 UTC
I have more info..
bug #52356 has not to do with this one..
I get my crashes only with jpgs created with:
Arles Image Web Page Creator - www.digitaldutch.com
.. as written in the exif comment of the images (and some other png, but still
investigating)
the crash, in 3.1.4 appears only when, browsing in my local hard drive for saved
pics, i first view the full size image with KHTMLIMAGE and then, hitting back
(or up) i go back with the mouse over the pic, when loading meta info, konqueror
crashes with backtrace as in original report...

the compatibility issue with this "Arles Image Web Page Creator -
www.digitaldutch.com" should be fixed.

if I start konqueror from a shell and open a full size view of this images
(KHTMLIMAGE) i get in stderr:
Corrupt JPEG data: 2 extraneous bytes before marker 0xdb

hope that i've been precise enough =)
Comment 4 Mitch Mao 2003-09-29 15:59:50 UTC
the error seems to be on some bytes at the end of the comment:
0000:0010 00 01 00 00 ff fe 00 45 43 72 65 61 74 65 64 20 ....ÿþ.ECreated 
0000:0020 77 69 74 68 20 41 72 6c 65 73 20 49 6d 61 67 65 with Arles Image
0000:0030 20 57 65 62 20 50 61 67 65 20 43 72 65 61 74 6f  Web Page Creato
0000:0040 72 20 2d 20 77 77 77 2e 64 69 67 69 74 61 6c 64 r - www.digitald
0000:0050 75 74 63 68 2e 63 6f 6d 00 00 00 00 00 ff db 00 utch.com.....ÿÛ.

before the 0xdb marker, reading the jpg in hex, there is this "0xff" that i
think is causing problems both in
kdegraphics-3.1.*/kfile-plugins/jpeg/exif.cpp:270 and in the KHTMLIMAGE that
konqueror uses for previewing images.

the function ExifData::scan() catches an error thrown by
ExifData::ReadJpegSections() in line 272.

That's exactly what it should do but, well, it shouldn't crash Konqueror (or
kuickshow) but maybe just do not show meta info.

kview does not seem to have any problem with those jpg of Arles...

thanks a lot for attention..
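
Added example, not code from exif.cpp or from anyone in this report: a bounds-checked JPEG segment walker run over the exact bytes of the hex dump in comment 4. It shows that the COM segment's declared length 0x45 ends two bytes before the ff db marker, matching the stderr message quoted in comment 3, and it reports malformed input through a status code instead of an exception. The names walkSegments, Segment, Status and payloadText are illustrative, and the walker assumes it is started on a length-prefixed header segment (after SOI, before SOS).

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// File offsets 0x10..0x5f of the sample JPEG, copied from the hex dump in comment 4.
static const std::uint8_t kDump[] = {
    0x00,0x01,0x00,0x00,0xff,0xfe,0x00,0x45,0x43,0x72,0x65,0x61,0x74,0x65,0x64,0x20,
    0x77,0x69,0x74,0x68,0x20,0x41,0x72,0x6c,0x65,0x73,0x20,0x49,0x6d,0x61,0x67,0x65,
    0x20,0x57,0x65,0x62,0x20,0x50,0x61,0x67,0x65,0x20,0x43,0x72,0x65,0x61,0x74,0x6f,
    0x72,0x20,0x2d,0x20,0x77,0x77,0x77,0x2e,0x64,0x69,0x67,0x69,0x74,0x61,0x6c,0x64,
    0x75,0x74,0x63,0x68,0x2e,0x63,0x6f,0x6d,0x00,0x00,0x00,0x00,0x00,0xff,0xdb,0x00};

struct Segment {
    std::uint8_t marker;  // byte after 0xFF (0xFE = COM, 0xDB = DQT)
    std::size_t offset;   // index of the 0xFF in the buffer
    std::size_t stray;    // bytes skipped between the previous segment and this marker
    std::size_t length;   // declared length incl. the 2 length bytes; 0 if cut off
};
enum class Status { Complete, Truncated, BadLength };

// Walk length-prefixed header segments from pos. Every read is bounds-checked and
// errors come back as a status code, so a bad file cannot unwind into the caller.
Status walkSegments(const std::uint8_t* buf, std::size_t n, std::size_t pos,
                    std::vector<Segment>& out) {
    while (pos < n) {
        std::size_t stray = 0;
        while (pos < n && buf[pos] != 0xFF) { ++pos; ++stray; }  // resync on 0xFF
        while (pos + 1 < n && buf[pos + 1] == 0xFF) ++pos;       // skip fill bytes
        if (pos + 1 >= n) return Status::Truncated;
        Segment s{buf[pos + 1], pos, stray, 0};
        if (pos + 4 > n) { out.push_back(s); return Status::Truncated; }
        s.length = (std::size_t(buf[pos + 2]) << 8) | buf[pos + 3];
        out.push_back(s);
        if (s.length < 2) return Status::BadLength;
        if (s.length > n - (pos + 2)) return Status::Truncated;
        pos += 2 + s.length;
    }
    return Status::Complete;
}

// Text payload without trailing NULs; call only for a segment that fits the buffer.
std::string payloadText(const std::uint8_t* buf, const Segment& s) {
    std::string t(reinterpret_cast<const char*>(buf + s.offset + 4), s.length - 2);
    while (!t.empty() && t.back() == '\0') t.pop_back();
    return t;
}
```

Calling `walkSegments(kDump, sizeof kDump, 4, segs)` yields the COM segment followed by a DQT marker with `stray == 2`; the status is `Truncated` only because the excerpt stops one byte into the DQT length field.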
Comment 5 Mitch Mao 2003-09-29 16:04:01 UTC
additional info:
konqueror crashes after several times you access the tooltips after viewing the
full size image. i think is something like a buffer overflow or similar..
it looks like it does not free memory or something.. and then, accessing meta
after viewing the pic, it faults in ::ReadJpegSections()
maybe for this famous 2 bytes before the 0xdb marker

this is the best i can do =)

mitch
Comment 6 George Staikos 2003-09-29 19:28:15 UTC
Subject: Re:  meta info (EXIF for jpeg) of some JPEG and PNGs images causes konqueror to crash

On Monday 29 September 2003 09:59, Mitch Mao wrote:
>            What    |Removed                     |Added
> ---------------------------------------------------------------------------
>              Status|RESOLVED                    |UNCONFIRMED
>          Resolution|WORKSFORME                  |
>
> the function ExifData::scan() catches an error thrown by
> ExifData::ReadJpegSections() in line 272.
>
> That's exactly what it should do but, well, it shouldn't crash Konqueror
> (or kuickshow) but maybe just do not show meta info.

  Yes but it should not crash unless it's a compiler bug.  What can we do 
about this?

Comment 7 Stephan Kulow 2003-10-15 16:35:51 UTC
your example jpeg doesn't crash here - konqueror just doesn't generate EXIF infos out of
them. As I said, duplicate

*** This bug has been marked as a duplicate of 52356 ***