Bug 299886

Summary: ShowFoto crash while saving PNG
Product: [Applications] digikam Reporter: dilnix <dilnix>
Component: Plugin-DImg-PNG    Assignee: Digikam Developers <digikam-bugs-null>
Status: RESOLVED FIXED    
Severity: crash CC: caulier.gilles, kevin.kofler, nucleo, rdieter, vivo75+kde
Priority: NOR    
Version: 2.6.0   
Target Milestone: ---   
Platform: Fedora RPMs   
OS: Linux   
Latest Commit:    Version Fixed In: 2.6.0
Sentry Crash Report:
Attachments: result of command "locate libqt >> libqt.txt"
result of command "locate libkde >> libkde.txt"

Description dilnix 2012-05-12 15:22:00 UTC
Application: showfoto (2.6.0-beta3)
KDE Platform Version: 4.8.3 (4.8.3)
Qt Version: 4.8.1
Operating System: Linux 3.3.4-4.fc17.i686.PAE i686
Distribution: "Fedora release 17 (Beefy Miracle)"

-- Information about the crash:
- What I was doing when the application crashed:

I opened a few files (some JPG, some PNG) in ShowFoto and cropped each one. When I cropped the first PNG and chose to save, it failed without saving the changes.

The crash can be reproduced some of the time.

-- Backtrace:
Application: showFoto (showfoto), signal: Aborted
Using host libthread_db library "/lib/libthread_db.so.1".
[Current thread is 1 (Thread 0xb7795900 (LWP 11179))]

Thread 2 (Thread 0xb5164b40 (LWP 11182)):
#0  0xb77e8424 in __kernel_vsyscall ()
#1  0x4bd2712c in pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/i386/i486/pthread_cond_wait.S:172
#2  0x4151d7a8 in wait (time=4294967295, this=0x8849ef8) at thread/qwaitcondition_unix.cpp:86
#3  QWaitCondition::wait (this=0x883dc70, mutex=0x883dc6c, time=4294967295) at thread/qwaitcondition_unix.cpp:158
#4  0x47afc5ac in Digikam::ParkingThread::run (this=0x883dc60) at /usr/src/debug/digikam-2.6.0-beta3/core/libs/threads/threadmanager.cpp:119
#5  0x4151d221 in QThreadPrivate::start (arg=0x883dc60) at thread/qthread_unix.cpp:298
#6  0x4bd23adf in start_thread (arg=0xb5164b40) at pthread_create.c:309
#7  0x4bc5755e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:133

Thread 1 (Thread 0xb7795900 (LWP 11179)):
[KCrash Handler]
#7  0xb77e8424 in __kernel_vsyscall ()
#8  0x4bb9491f in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#9  0x4bb96273 in __GI_abort () at abort.c:91
#10 0x4bbd2785 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x4bcd3074 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:198
#11 0x4bbda109 in malloc_printerr (ptr=0x8b29ee8, str=0x4bcd0ecc "free(): invalid pointer", action=<optimized out>) at malloc.c:5027
#12 _int_free (av=0x4bd10420, p=0x8b29ee0, have_lock=0) at malloc.c:3948
#13 0x41515b4c in qFree (ptr=0x8b29ee8) at global/qmalloc.cpp:60
#14 0x4156f198 in QString::free (d=0x8b29ee8) at tools/qstring.cpp:1235
#15 0x41ad9650 in ~QString (this=0x8b2a0c0, __in_chrg=<optimized out>) at /usr/include/QtCore/qstring.h:880
#16 ~QHashNode (this=0x8b2a0b8, __in_chrg=<optimized out>) at /usr/include/QtCore/qhash.h:216
#17 QHash<QString, QStringList>::deleteNode2 (node=0x8b2a0b8) at /usr/include/QtCore/qhash.h:521
#18 0x4153c16c in QHashData::free_helper (this=0x8b13820, node_delete=0x41ad9610 <QHash<QString, QStringList>::deleteNode2(QHashData::Node*)>) at tools/qhash.cpp:275
#19 0x41ada732 in freeData (x=<optimized out>, this=<optimized out>) at /usr/include/QtCore/qhash.h:570
#20 ~QHash (this=0x8acda6c, __in_chrg=<optimized out>) at /usr/include/QtCore/qhash.h:283
#21 KMimeTypeRepository::~KMimeTypeRepository (this=0x8acda68, __in_chrg=<optimized out>) at /usr/src/debug/kdelibs-4.8.3/kdecore/services/kmimetyperepository.cpp:54
#22 0x41ada8ba in destroy () at /usr/src/debug/kdelibs-4.8.3/kdecore/services/kmimetyperepository.cpp:36
#23 0x41a158ca in KCleanUpGlobalStatic::~KCleanUpGlobalStatic (this=0x41c55668, __in_chrg=<optimized out>) at /usr/src/debug/kdelibs-4.8.3/kdecore/kernel/kglobal.h:62
#24 0x4bb97cc1 in __run_exit_handlers (status=status@entry=0, listp=0x4bd103d8, run_list_atexit=run_list_atexit@entry=true) at exit.c:78
#25 0x4bb97d4d in __GI_exit (status=0) at exit.c:100
#26 0x4bb7f63d in __libc_start_main (main=0x8057070 <main(int, char**)>, argc=6, ubp_av=0xbfbbeb04, init=0x8079400 <__libc_csu_init>, fini=0x8079470 <__libc_csu_fini>, rtld_fini=0x4bb4ea90 <_dl_fini>, stack_end=0xbfbbeafc) at libc-start.c:258
#27 0x08057cf9 in _start ()

Possible duplicates by query: bug 299137, bug 296435, bug 294766, bug 292022, bug 290830.

Reported using DrKonqi
Comment 1 caulier.gilles 2012-05-12 16:14:36 UTC
It crashes deep inside KDELibs/Qt. Sounds like a binary compatibility issue on your computer. Please check whether libqt and libkdelibs are updated properly...

Gilles Caulier
Comment 2 dilnix 2012-05-12 18:19:58 UTC
Created attachment 71049 [details]
result of command "locate libqt >> libqt.txt"

searching libqt...
Comment 3 dilnix 2012-05-12 18:21:51 UTC
Created attachment 71050 [details]
result of command "locate libkde >> libkde.txt"

searching libkde
Comment 4 dilnix 2012-05-12 18:23:30 UTC
Ok. My system is always updated. Update checks run every day. So:
kdelibs-4.8.3-1.fc17.i686 is installed,
and I made some attachments about searching libqt & libkde.
Comment 5 caulier.gilles 2012-05-12 19:57:21 UTC
What about digiKam? Your crash sounds abnormal. I suspect something was not recompiled. Did you install digiKam & co from a package or from a compilation done by you?

Gilles
Comment 6 dilnix 2012-05-12 20:38:51 UTC
I have the whole system installed from the original repos & rpmfusion repos... so all software, including digiKam, is installed from RPM packages. Only one program was installed via the "autopackage" project: Xara Xtreme DL.
I have digikam-2.6.0-0.4.beta3.fc17.1.i686 from the Fedora repos...
Comment 7 caulier.gilles 2012-05-12 20:51:11 UTC
I suspect a problem with how the digiKam package was compiled. Can you try to compile the whole digiKam & co source code yourself?

Gilles Caulier
Comment 8 dilnix 2012-05-12 21:13:44 UTC
I have never compiled any program from source... I can try to do it if you give me instructions.
I see you made a post about 2.6.0 RC on the official site. Maybe if I try to install it (since I have beta3) the problem can be resolved? Maybe I can even install it from RPM??? Or does it have no bearing on the case?
Comment 9 caulier.gilles 2012-05-12 21:20:01 UTC
Take a look here :

http://www.digikam.org/drupal/download/GIT

Gilles Caulier
Comment 10 dilnix 2012-05-12 21:28:07 UTC
Ok, I will try to do it tomorrow... because I'm in Ukraine & it is
00:26 am now... so I am going to sleep.
Have good dreams!

Comment 11 nucleo 2012-05-12 22:00:37 UTC
digikam-2.6.0-rc is in Fedora 17 updates-testing.

you can install it with 'yum --enablerepo updates-testing update digikam\* kipi-plugins\* libkface libkgeomap libkvkontakte libmediawiki'
Comment 12 nucleo 2012-05-12 22:13:44 UTC
(In reply to comment #1)
> It crashes deep inside KDELibs/Qt. Sounds like a binary compatibility issue on
> your computer. Please check whether libqt and libkdelibs are updated properly...
> 
> Gilles Caulier

This is impossible for Fedora packages.
The digikam package has the necessary requirements for the KDE libs used at build time:

Requires: kdebase-runtime%{?_kde4_version: >= %{_kde4_version}}
Comment 13 dilnix 2012-05-13 05:39:07 UTC
I tried to install the RC from the updates-testing repo and checked. I tried to crop and save PNGs in various situations. When I opened only one file at a time in showFoto -> no problems. But when I opened a few files at a time and tried to crop and save one of them -> showFoto crashed.
& I found a new bug in digiKam... when I tried to rotate a JPG, it hung... I waited some 5 minutes & then exited digiKam... it said "finishing tasks"... I chose Finish & it crashed.
I made a new bug report for it (Bug 299917).
...if it's important I can build digiKam from source and then test...
Comment 14 caulier.gilles 2012-05-13 06:55:48 UTC
Does the crash happen only with PNG files? Note that I use PNG every day in my workflow without any problem.

Which libpng do you use? Did you update it recently?

Gilles Caulier
Comment 15 caulier.gilles 2012-05-13 07:42:31 UTC
*** Bug 299917 has been marked as a duplicate of this bug. ***
Comment 16 nucleo 2012-05-13 09:22:17 UTC
(In reply to comment #14)
> Does the crash happen only with PNG files? Note that I use PNG every day in my
> workflow without any problem.
> 
> Which libpng do you use? Did you update it recently?
> 
> Gilles Caulier

libpng-1.5.10 used in Fedora 17, it has not been updated recently.
Comment 17 dilnix 2012-05-13 13:44:06 UTC
(In reply to comment #16)
> (In reply to comment #14)
> > Does the crash happen only with PNG files? Note that I use PNG every day in my
> > workflow without any problem.
> > 
> > Which libpng do you use? Did you update it recently?
> > 
> > Gilles Caulier
> 
> libpng-1.5.10 used in Fedora 17, it has not been updated recently.

That's right... I have libpng-1.5.10 installed now.
So what should I do? Delete the digiKam that is from the repo and install anew from source?
Comment 18 nucleo 2012-05-13 14:48:52 UTC
(In reply to comment #17)

> So what me to do? Delete digiKam that is from repo and install anew from
> source?

No sense doing that until the bug is fixed.
When a fix is available it will be backported to the Fedora package.
Comment 19 caulier.gilles 2012-05-15 14:30:10 UTC
*** Bug 300066 has been marked as a duplicate of this bug. ***
Comment 20 nucleo 2012-05-15 16:24:03 UTC
$ valgrind showfoto
==1597== Memcheck, a memory error detector
==1597== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==1597== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==1597== Command: showfoto
==1597== 
libdc1394 error: Failed to initialize libdc1394
==1597== Invalid read of size 8
==1597==    at 0x543666F: ??? (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x562BA84: ??? (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x5633B5C: ??? (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x563DFCB: ??? (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x55B73CF: QPainter::drawPixmap(QRectF const&, QPixmap const&, QRectF const&) (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x577D5FE: QStyle::drawItemPixmap(QPainter*, QRect const&, int, QPixmap const&) const (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0xF: ???
==1597==  Address 0x117c9f20 is 8 bytes before a block of size 1,024 alloc'd
==1597==    at 0x402A059: malloc (vg_replace_malloc.c:263)
==1597==    by 0x550A57E: QImageData::create(QSize const&, QImage::Format, int) (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x550A9CD: QImage::QImage(int, int, QImage::Format) (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x550E667: QImage::convertToFormat(QImage::Format, QFlags<Qt::ImageConversionFlag>) const (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x553793E: QRasterPixmapData::createPixmapForImage(QImage&, QFlags<Qt::ImageConversionFlag>, bool) (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x1101: ???
==1597== 
==1597== Invalid read of size 8
==1597==    at 0x5436910: ??? (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x562BA84: ??? (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x5633B5C: ??? (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x563DFCB: ??? (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x55B73CF: QPainter::drawPixmap(QRectF const&, QPixmap const&, QRectF const&) (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x577D5FE: QStyle::drawItemPixmap(QPainter*, QRect const&, int, QPixmap const&) const (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0xF: ???
==1597==  Address 0x117ca328 is 0 bytes after a block of size 1,024 alloc'd
==1597==    at 0x402A059: malloc (vg_replace_malloc.c:263)
==1597==    by 0x550A57E: QImageData::create(QSize const&, QImage::Format, int) (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x550A9CD: QImage::QImage(int, int, QImage::Format) (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x550E667: QImage::convertToFormat(QImage::Format, QFlags<Qt::ImageConversionFlag>) const (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x553793E: QRasterPixmapData::createPixmapForImage(QImage&, QFlags<Qt::ImageConversionFlag>, bool) (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x1101: ???
==1597== 
==1597== Invalid read of size 8
==1597==    at 0x54366D0: ??? (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x562BA84: ??? (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x563200F: ??? (in /usr/lib/libQtGui.so.4.8.1)
==1597==  Address 0x11069458 is 0 bytes after a block of size 1,024 alloc'd
==1597==    at 0x402A059: malloc (vg_replace_malloc.c:263)
==1597==    by 0x550A57E: QImageData::create(QSize const&, QImage::Format, int) (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x550A9CD: QImage::QImage(int, int, QImage::Format) (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x550E667: QImage::convertToFormat(QImage::Format, QFlags<Qt::ImageConversionFlag>) const (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x553793E: QRasterPixmapData::createPixmapForImage(QImage&, QFlags<Qt::ImageConversionFlag>, bool) (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0xBEC852BF: ???
==1597== 
==1597== Invalid read of size 8
==1597==    at 0x54366D0: ??? (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x562BA84: ??? (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x5633B5C: ??? (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x563DFCB: ??? (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x55B73CF: QPainter::drawPixmap(QRectF const&, QPixmap const&, QRectF const&) (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x577D5FE: QStyle::drawItemPixmap(QPainter*, QRect const&, int, QPixmap const&) const (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0xF: ???
==1597==  Address 0x118b78f8 is 0 bytes after a block of size 1,024 alloc'd
==1597==    at 0x402A059: malloc (vg_replace_malloc.c:263)
==1597==    by 0x550A57E: QImageData::create(QSize const&, QImage::Format, int) (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x550A9CD: QImage::QImage(int, int, QImage::Format) (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x550E667: QImage::convertToFormat(QImage::Format, QFlags<Qt::ImageConversionFlag>) const (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x553793E: QRasterPixmapData::createPixmapForImage(QImage&, QFlags<Qt::ImageConversionFlag>, bool) (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x1101: ???
==1597== 
Adding device "/org/freedesktop/UDisks2/Manager" 
Adding device "/org/freedesktop/UDisks2/block_devices/loop0" 
Adding device "/org/freedesktop/UDisks2/block_devices/loop1" 
Adding device "/org/freedesktop/UDisks2/block_devices/loop2" 
Adding device "/org/freedesktop/UDisks2/block_devices/loop3" 
Adding device "/org/freedesktop/UDisks2/block_devices/loop4" 
Adding device "/org/freedesktop/UDisks2/block_devices/loop5" 
Adding device "/org/freedesktop/UDisks2/block_devices/loop6" 
Adding device "/org/freedesktop/UDisks2/block_devices/loop7" 
Adding device "/org/freedesktop/UDisks2/block_devices/sda" 
Adding device "/org/freedesktop/UDisks2/block_devices/sda1" 
Adding device "/org/freedesktop/UDisks2/block_devices/sda2" 
Adding device "/org/freedesktop/UDisks2/block_devices/sr0" 
Adding device "/org/freedesktop/UDisks2/drives/VMware_Virtual_IDE_CDROM_Drive_10000000000000000001" 
Adding device "/org/freedesktop/UDisks2/drives/VMware_Virtual_IDE_Hard_Drive_00000000000000000001" 
==1597== Thread 5:
==1597== Conditional jump or move depends on uninitialised value(s)
==1597==    at 0x10D40E0E: ??? (in /usr/lib/kde4/plugins/imageformats/kimg_pic.so)
==1597==    by 0x10D42601: ??? (in /usr/lib/kde4/plugins/imageformats/kimg_pic.so)
==1597==    by 0x5517880: ??? (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0xFD0C9BF: ???
==1597== 
==1597== Thread 1:
==1597== Invalid read of size 8
==1597==    at 0x543666F: ??? (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x562BA84: ??? (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x563200F: ??? (in /usr/lib/libQtGui.so.4.8.1)
==1597==  Address 0x110e20a0 is 8 bytes before a block of size 1,764 alloc'd
==1597==    at 0x402A059: malloc (vg_replace_malloc.c:263)
==1597==    by 0x550A57E: QImageData::create(QSize const&, QImage::Format, int) (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x550A9CD: QImage::QImage(int, int, QImage::Format) (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x1194FFFF: ???
==1597== 
==1597== Invalid read of size 8
==1597==    at 0x5436910: ??? (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x562BA84: ??? (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x563200F: ??? (in /usr/lib/libQtGui.so.4.8.1)
==1597==  Address 0x110e2788 is 1,760 bytes inside a block of size 1,764 alloc'd
==1597==    at 0x402A059: malloc (vg_replace_malloc.c:263)
==1597==    by 0x550A57E: QImageData::create(QSize const&, QImage::Format, int) (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x550A9CD: QImage::QImage(int, int, QImage::Format) (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x1194FFFF: ???
==1597== 
==1597== Thread 5:
==1597== Conditional jump or move depends on uninitialised value(s)
==1597==    at 0x10D40E0E: ??? (in /usr/lib/kde4/plugins/imageformats/kimg_pic.so)
==1597==    by 0x10D42601: ??? (in /usr/lib/kde4/plugins/imageformats/kimg_pic.so)
==1597==    by 0x5517880: ??? (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0xDC96407: ???
==1597== 
==1597== Conditional jump or move depends on uninitialised value(s)
==1597==    at 0x10D40E0E: ??? (in /usr/lib/kde4/plugins/imageformats/kimg_pic.so)
==1597==    by 0x10D42601: ??? (in /usr/lib/kde4/plugins/imageformats/kimg_pic.so)
==1597==    by 0x5517880: ??? (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0xF5E709F: ???
==1597== 
==1597== Thread 6:
==1597== Conditional jump or move depends on uninitialised value(s)
==1597==    at 0x10D40E0E: ??? (in /usr/lib/kde4/plugins/imageformats/kimg_pic.so)
==1597==    by 0x10D42601: ??? (in /usr/lib/kde4/plugins/imageformats/kimg_pic.so)
==1597==    by 0x5517880: ??? (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0x108F1E6F: ???
==1597== 
==1597== Thread 1:
==1597== Invalid write of size 4
==1597==    at 0x402CD64: memmove (mc_replace_strmem.c:981)
==1597==    by 0x4A3AEEE: cmsGetHeaderProfileID (string3.h:58)
==1597==    by 0xBEC847F7: ???
==1597==  Address 0x133b2864 is 11 bytes after a block of size 1 alloc'd
==1597==    at 0x4029B55: operator new(unsigned int) (vg_replace_malloc.c:282)
==1597==    by 0x41A0A02: dkCmsTakeProfileID(void*) (digikam-lcms.cpp:494)
==1597==    by 0xBEC847F7: ???
==1597== 
==1597== Thread 5:
==1597== Conditional jump or move depends on uninitialised value(s)
==1597==    at 0x10D40E0E: ??? (in /usr/lib/kde4/plugins/imageformats/kimg_pic.so)
==1597==    by 0x10D42601: ??? (in /usr/lib/kde4/plugins/imageformats/kimg_pic.so)
==1597==    by 0x5517880: ??? (in /usr/lib/libQtGui.so.4.8.1)
==1597==    by 0xFDB5F3F: ???
==1597== 
==1597== 
==1597== HEAP SUMMARY:
==1597==     in use at exit: 1,184,325 bytes in 10,228 blocks
==1597==   total heap usage: 1,709,690 allocs, 1,699,462 frees, 246,538,858 bytes allocated
==1597== 
==1597== LEAK SUMMARY:
==1597==    definitely lost: 14,535 bytes in 107 blocks
==1597==    indirectly lost: 544,654 bytes in 3,284 blocks
==1597==      possibly lost: 252,436 bytes in 905 blocks
==1597==    still reachable: 372,700 bytes in 5,932 blocks
==1597==         suppressed: 0 bytes in 0 blocks
==1597== Rerun with --leak-check=full to see details of leaked memory
==1597== 
==1597== For counts of detected and suppressed errors, rerun with: -v
==1597== Use --track-origins=yes to see where uninitialised values come from
==1597== ERROR SUMMARY: 434 errors from 12 contexts (suppressed: 2 from 1)
Comment 21 nucleo 2012-05-15 16:24:32 UTC
Note that we switched to lcms2.
Comment 22 Kevin Kofler 2012-05-15 16:28:25 UTC
digikam-lcms.cpp:494 is probably the line around which to look for the error.
Comment 23 caulier.gilles 2012-05-15 16:32:15 UTC
Not sure that lcms2 can be the problem:

==1597== Thread 1:
==1597== Invalid write of size 4
==1597==    at 0x402CD64: memmove (mc_replace_strmem.c:981)
==1597==    by 0x4A3AEEE: cmsGetHeaderProfileID (string3.h:58)
==1597==    by 0xBEC847F7: ???
==1597==  Address 0x133b2864 is 11 bytes after a block of size 1 alloc'd
==1597==    at 0x4029B55: operator new(unsigned int) (vg_replace_malloc.c:282)
==1597==    by 0x41A0A02: dkCmsTakeProfileID(void*) (digikam-lcms.cpp:494)
==1597==    by 0xBEC847F7: ???

https://projects.kde.org/projects/extragear/graphics/digikam/repository/revisions/master/entry/libs/dklcms/digikam-lcms.cpp#L494

but as you can see in the code, it is just a memory allocation through the new operator...

Other parts of your trace show KDELibs corruption in kimg_pic.so and others from QImage...

Just to test, can you switch to lcms1 ?

Gilles Caulier
Comment 24 Kevin Kofler 2012-05-15 17:10:46 UTC
The linked location is exactly the source of the error. You're allocating a single cmsUInt8Number (a single byte!) with new, then you're passing it to cmsGetHeaderProfileID, which clearly expects a whole array of cmsUInt8Number (it's writing to byte 12, i.e. the thirteenth byte, of what it thinks is an array of cmsUInt8Number). So this needs at least a cmsUInt8Number[13], please check the documentation for how big the array really needs to be.
Comment 25 Kevin Kofler 2012-05-15 17:20:09 UTC
So, the profile ID is an MD5, it also says "7.2.18 Profile ID field (Bytes 84 to 99)". This means you need to allocate a cmsUInt8Number[16], which is also what e.g. http://mail.gnome.org/archives/commits-list/2011-April/msg04234.html does. (And the Valgrind log also says that, because the write at byte 12 is of size 4, and there are no further offending writes.)
Comment 26 Rex Dieter 2012-05-15 17:31:41 UTC
confirmed that's what the lcms2 API docs say (in essence):

cmsProfileID (union):
cmsUInt8Number  ID8[16];
cmsUInt16Number ID16[8];
cmsUInt32Number ID32[4];
Comment 27 Francesco Riosa 2012-05-15 17:43:21 UTC
mine
Comment 28 nucleo 2012-05-15 17:57:01 UTC
(In reply to comment #23)
> Just to test, can you switch to lcms1 ?

Showfoto built against lcms1 looks more stable with a limited number of tests.
Comment 29 Francesco Riosa 2012-05-15 19:29:56 UTC
Probably you know, but the plan was to leave lcms2 as an option for this release, switch to lcms2 by default in the next one, and remove lcms1 in the one after.
While we greatly appreciate more testing on lcms2, maybe it's advisable to stay on lcms1 for now, since lcms2 is not so well tested, unless obviously lcms1 has been removed from the Fedora repo.
(However I'm using lcms2 and never triggered this bug.)
rgds, Francesco R.
Comment 30 Kevin Kofler 2012-05-15 20:40:24 UTC
Well, I'd rather we fix the issues with lcms2 rather than switching back to the deprecated lcms 1. This particular buffer overflow is trivial to fix, just allocate the correct amount of memory.

> (However I'm using lcms2 and never triggered this bug)

You just didn't notice. This overflow always happens, but it doesn't always trigger a crash.
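The overflow Kevin Kofler describes in comments 24 to 26, and his remark above that it always happens but only sometimes crashes, can be reproduced in a few lines. The C++ below is an added example written for this page; it is not digiKam's or lcms2's code. It assumes a stand-in for lcms2's `cmsGetHeaderProfileID()` (same shape: it copies the 16-byte profile ID into a caller-supplied `cmsUInt8Number*` and cannot know the buffer's size), a constructed 128-byte ICC header with the ID at bytes 84..99, and hypothetical function names (`takeProfileIdOverflowing`, `takeProfileIdFixed`, `getProfileIdChecked`, `bufferSizeImpliedByValgrind`) chosen for illustration. The last helper turns the numbers in nucleo's Valgrind report (block of size 1, write of size 4 at 11 bytes past it) back into the buffer size the callee needs.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Stand-in for lcms2's cmsUInt8Number (an unsigned byte). Assumption: only
// the shape of the API matters here, so lcms2 itself is not linked.
typedef uint8_t cmsUInt8Number;

// ICC header layout: the profile ID (an MD5 of the profile) is bytes 84..99,
// i.e. 16 bytes, which is why the lcms2 union holds cmsUInt8Number ID8[16].
static const size_t kIccHeaderSize   = 128;
static const size_t kProfileIdOffset = 84;
static const size_t kProfileIdSize   = 16;

// Constructed stand-in for a profile handle: just the 128-byte header.
struct FakeProfile {
    cmsUInt8Number header[kIccHeaderSize];
};

// Stand-in for cmsGetHeaderProfileID(): copies the 16-byte ID into the
// caller's buffer and, like the real call, trusts that it is big enough.
void fake_cmsGetHeaderProfileID(const FakeProfile* profile, cmsUInt8Number* ProfileID) {
    std::memmove(ProfileID, profile->header + kProfileIdOffset, kProfileIdSize);
}

// The shape reported in this bug: one byte allocated, sixteen written.
// Undefined behaviour; run it only under Valgrind or -fsanitize=address,
// where it reproduces "Invalid write ... after a block of size 1".
cmsUInt8Number* takeProfileIdOverflowing(const FakeProfile* profile) {
    cmsUInt8Number* id = new cmsUInt8Number;   // 1 byte on the heap
    fake_cmsGetHeaderProfileID(profile, id);    // writes bytes 0..15
    return id;                                  // neighbouring chunk header now clobbered
}

// The fix: allocate the whole ID (the commit changed the one-byte `new` to
// new cmsUInt8Number[16]); a vector keeps the ownership explicit.
std::vector<cmsUInt8Number> takeProfileIdFixed(const FakeProfile* profile) {
    std::vector<cmsUInt8Number> id(kProfileIdSize);
    fake_cmsGetHeaderProfileID(profile, id.data());
    return id;
}

// Defensive wrapper for a size-blind API: refuse to call it unless the
// caller's buffer is demonstrably large enough. Returns false, never overflows.
bool getProfileIdChecked(const FakeProfile* profile, cmsUInt8Number* out, size_t outLen) {
    if (out == nullptr || outLen < kProfileIdSize) {
        return false;
    }
    fake_cmsGetHeaderProfileID(profile, out);
    return true;
}

// Reads a Valgrind "Invalid write of size W ... is A bytes after a block of
// size S" pair back into the buffer size the callee actually touched: S + A + W.
// For the report in this bug that is 1 + 11 + 4 = 16.
size_t bufferSizeImpliedByValgrind(size_t blockSize, size_t bytesAfter, size_t writeSize) {
    return blockSize + bytesAfter + writeSize;
}

// Constructed sample: header zeroed, ID bytes set to 0x10..0x1f so a caller
// can recognise exactly which bytes came back.
FakeProfile makeSampleProfile() {
    FakeProfile p;
    std::memset(p.header, 0, sizeof p.header);
    for (size_t i = 0; i < kProfileIdSize; ++i) {
        p.header[kProfileIdOffset + i] = static_cast<cmsUInt8Number>(0x10 + i);
    }
    return p;
}
```

Why the crash shows up where it does: the 16-byte write into a 1-byte allocation runs past the usable part of that chunk into the malloc header of whatever block was placed next to it. Nothing checks that header until the neighbour is freed, which in the reporter's backtrace happens inside an atexit destructor (frames 11 to 24: `free(): invalid pointer` under `KMimeTypeRepository::~KMimeTypeRepository`), far from the colour-management code that did the damage. Whether a given run crashes depends only on what the allocator happened to place after that one-byte block, which is why the overflow is deterministic while the crash is not.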
Comment 31 Francesco Riosa 2012-05-15 22:11:22 UTC
Git commit 6c1db4afb98e1718fa237c6310170b5980d4af81 by Francesco Riosa.
Committed on 16/05/2012 at 00:09.
Pushed by riosa into branch 'master'.

dkCmsTakeProfileID allocate right size

Thanks Kevin Kofler and Nucleo(Fedora) for squashing it.

M  +1    -1    libs/dklcms/digikam-lcms.cpp

http://commits.kde.org/digikam/6c1db4afb98e1718fa237c6310170b5980d4af81
Comment 32 Francesco Riosa 2012-05-15 22:22:41 UTC
Gilles, I've tested only with lcms2, but lcms1 was not involved. Also I searched briefly for other similar bugs, maybe from the early-morning coding of that piece, but there aren't evident ones.
Kevin, nucleo, thanks again; if problems arise in the lcms2 code feel free to assign them to me (if bugzilla permits it, dunno).
Comment 33 nucleo 2012-05-16 19:37:00 UTC
digikam-2.6.0-0.9.rc.fc17 with fix from Comment 31 pushed to Fedora 17 updates-testing repository (may need some time for mirrors synchronization).
Please test it. You can install it with
'yum --enablerepo updates-testing update digikam\* kipi-plugins\* libkface libkgeomap libkvkontakte libmediawiki'
Comment 34 dilnix 2012-05-18 00:19:10 UTC
(In reply to comment #33)
> digikam-2.6.0-0.9.rc.fc17 with fix from Comment 31 pushed to Fedora 17
> updates-testing repository (may need some time for mirrors synchronization).
> Please test it. You can install it with
> 'yum --enablerepo updates-testing update digikam\* kipi-plugins\* libkface
> libkgeomap libkvkontakte libmediawiki'

Thank you! Since digiKam was updated there hasn't been any problem. Nice to use a stable app =)