Bug 342229 - crash attempting to rotate empty (NULL) thumbnail [patch]
Status: RESOLVED FIXED
Alias: None
Product: digikam
Classification: Applications
Component: Thumbs-Engine
Version: 4.6.0
Platform: MacPorts macOS
Importance: NOR crash
Target Milestone: ---
Assignee: Digikam Developers
Keywords: drkonqi
Reported: 2014-12-26 20:09 UTC by RJVB
Modified: 2017-07-28 15:04 UTC
Version Fixed In: 4.7.0


Attachments
New crash information added by DrKonqi (11.44 KB, text/plain)
2014-12-26 20:17 UTC, RJVB
image that crashes digikam 4.6 (and 4.4!) on OS X 10.9 (2.44 MB, image/jpeg)
2014-12-26 22:58 UTC, RJVB
I think the code should do this (835 bytes, patch)
2014-12-27 20:39 UTC, RJVB

Description RJVB 2014-12-26 20:09:58 UTC
Application: digikam (4.6.0)
KDE Platform Version: 4.14.3 (Compiled from sources)
Qt Version: 4.8.6
Operating System: Darwin 13.4.0 x86_64
Distribution (Platform): MacPorts Packages

-- Information about the crash:
- What I was doing when the application crashed:

Browsing through an album in slideshow mode, digiKam apparently crashed when "stumbling upon" a .mov file for which it cannot create thumbnails.

-- Backtrace:
Application: digiKam (digikam), signal: Segmentation fault: 11
(lldb) process attach --pid 68916
Process 68916 stopped
Executable module set to "/Applications/MacPorts/KDE4/digikam.app/Contents/MacOS/digikam.bin".
Architecture set to: x86_64-apple-macosx.
(lldb) set set term-width 200
(lldb) thread info
thread #1: tid = 0x2c965a, 0x00007fff93ca7a1a libsystem_kernel.dylib`mach_msg_trap + 10, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP

(lldb) bt all
* thread #1: tid = 0x2c965a, 0x00007fff93ca7a1a libsystem_kernel.dylib`mach_msg_trap + 10, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
  * frame #0: 0x00007fff93ca7a1a libsystem_kernel.dylib`mach_msg_trap + 10
    frame #1: 0x00007fff93ca6d18 libsystem_kernel.dylib`mach_msg + 64
    frame #2: 0x00007fff92481f15 CoreFoundation`__CFRunLoopServiceMachPort + 181
    frame #3: 0x00007fff92481539 CoreFoundation`__CFRunLoopRun + 1161
    frame #4: 0x00007fff92480e75 CoreFoundation`CFRunLoopRunSpecific + 309
    frame #5: 0x00007fff8a987a0d HIToolbox`RunCurrentEventLoopInMode + 226
    frame #6: 0x00007fff8a9877b7 HIToolbox`ReceiveNextEventCommon + 479
    frame #7: 0x00007fff8a9875bc HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 65
    frame #8: 0x00007fff8eb7e24e AppKit`_DPSNextEvent + 1434
    frame #9: 0x00007fff8eb7d89b AppKit`-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 122
    frame #10: 0x00007fff8eb7199c AppKit`-[NSApplication run] + 553
    frame #11: 0x0000000104c36ecb QtGui`QEventDispatcherMac::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) + 2059
    frame #12: 0x0000000105ec01df QtCore`QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) [inlined] QFlags<QEventLoop::ProcessEventsFlag>::QFlags(this=0x00007fff00000024) + 9 at qglobal.h:2359
    frame #13: 0x0000000105ec01d6 QtCore`QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) [inlined] QFlags<QEventLoop::ProcessEventsFlag>::QFlags(this=0x00007fff00000024) at qglobal.h:2359
    frame #14: 0x0000000105ec01d6 QtCore`QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) [inlined] QFlags<QEventLoop::ProcessEventsFlag>::operator|(f=<unavailable>) const + 59 at qeventloop.cpp:149
    frame #15: 0x0000000105ec019b QtCore`QEventLoop::exec(this=0x00007fff5f88fa80, flags=(i = 0)) + 427 at qeventloop.cpp:204
    frame #16: 0x0000000105ec33f7 QtCore`QCoreApplication::exec() + 199 at qcoreapplication.cpp:1225
    frame #17: 0x000000010061fb7e digikam.bin`main(argc=<unavailable>, argv=<unavailable>) + 7118 at main.cpp:237
    frame #18: 0x00007fff888d25fd libdyld.dylib`start + 1

  thread #2: tid = 0x2c9671, 0x00007fff93cac662 libsystem_kernel.dylib`kevent64 + 10, queue = 'com.apple.libdispatch-manager'
    frame #0: 0x00007fff93cac662 libsystem_kernel.dylib`kevent64 + 10
    frame #1: 0x00007fff88890421 libdispatch.dylib`_dispatch_mgr_invoke + 239
    frame #2: 0x00007fff88890136 libdispatch.dylib`_dispatch_mgr_thread + 52

  thread #3: tid = 0x2c968b, 0x00007fff93cab9aa libsystem_kernel.dylib`__select + 10, name = 'com.apple.CFSocket.private'
    frame #0: 0x00007fff93cab9aa libsystem_kernel.dylib`__select + 10
    frame #1: 0x00007fff924cda03 CoreFoundation`__CFSocketManager + 867
    frame #2: 0x00007fff936b5899 libsystem_pthread.dylib`_pthread_body + 138
    frame #3: 0x00007fff936b572a libsystem_pthread.dylib`_pthread_start + 137
    frame #4: 0x00007fff936b9fc9 libsystem_pthread.dylib`thread_start + 13

  thread #4: tid = 0x2c96b4, 0x00007fff93cab716 libsystem_kernel.dylib`__psynch_cvwait + 10, name = 'Digikam::ScanController'
    frame #0: 0x00007fff93cab716 libsystem_kernel.dylib`__psynch_cvwait + 10
    frame #1: 0x00007fff936b7c3b libsystem_pthread.dylib`_pthread_cond_wait + 727
    frame #2: 0x0000000105db30cb QtCore`QWaitConditionPrivate::wait(this=<unavailable>, time=<unavailable>) + 203
    frame #3: 0x0000000105db2f2f QtCore`QWaitCondition::wait(this=0x00007f8d6947aaa0, mutex=0x00007f8d6947aa98, time=18446744073709551615) + 111 at qwaitcondition_unix.cpp:158
    frame #4: 0x00000001004f71b1 digikam.bin`Digikam::ScanController::run(this=0x00007f8d694c9e40) + 129 at scancontroller.cpp:725
    frame #5: 0x0000000105db1a32 QtCore`QThreadPrivate::start(arg=<unavailable>) + 418 at qthread_unix.cpp:349
    frame #6: 0x00007fff936b5899 libsystem_pthread.dylib`_pthread_body + 138
    frame #7: 0x00007fff936b572a libsystem_pthread.dylib`_pthread_start + 137
    frame #8: 0x00007fff936b9fc9 libsystem_pthread.dylib`thread_start + 13

  thread #5: tid = 0x2c96bf, 0x00007fff93ca7a1a libsystem_kernel.dylib`mach_msg_trap + 10
    frame #0: 0x00007fff93ca7a1a libsystem_kernel.dylib`mach_msg_trap + 10
    frame #1: 0x00007fff93ca6d18 libsystem_kernel.dylib`mach_msg + 64
    frame #2: 0x00007fff92481f15 CoreFoundation`__CFRunLoopServiceMachPort + 181
    frame #3: 0x00007fff92481539 CoreFoundation`__CFRunLoopRun + 1161
    frame #4: 0x00007fff92480e75 CoreFoundation`CFRunLoopRunSpecific + 309
    frame #5: 0x00007fff8ed1e05e AppKit`_NSEventThread + 144
    frame #6: 0x00007fff936b5899 libsystem_pthread.dylib`_pthread_body + 138
    frame #7: 0x00007fff936b572a libsystem_pthread.dylib`_pthread_start + 137
    frame #8: 0x00007fff936b9fc9 libsystem_pthread.dylib`thread_start + 13

  thread #6: tid = 0x2c96c2, 0x00007fff93cab716 libsystem_kernel.dylib`__psynch_cvwait + 10, name = 'QThread'
    frame #0: 0x00007fff93cab716 libsystem_kernel.dylib`__psynch_cvwait + 10
    frame #1: 0x00007fff936b7c3b libsystem_pthread.dylib`_pthread_cond_wait + 727
    frame #2: 0x0000000105db30cb QtCore`QWaitConditionPrivate::wait(this=<unavailable>, time=<unavailable>) + 203
    frame #3: 0x0000000105db2f2f QtCore`QWaitCondition::wait(this=0x00007f8d69666fc0, mutex=0x00007f8d69666fb8, time=18446744073709551615) + 111 at qwaitcondition_unix.cpp:158
    frame #4: 0x0000000101dbb3a0 libdigikamcore.4.6.0.dylib`Digikam::ParkingThread::run(this=0x00007f8d69666fa0) + 192 at threadmanager.cpp:119
    frame #5: 0x0000000105db1a32 QtCore`QThreadPrivate::start(arg=<unavailable>) + 418 at qthread_unix.cpp:349
    frame #6: 0x00007fff936b5899 libsystem_pthread.dylib`_pthread_body + 138
    frame #7: 0x00007fff936b572a libsystem_pthread.dylib`_pthread_start + 137
    frame #8: 0x00007fff936b9fc9 libsystem_pthread.dylib`thread_start + 13

  thread #7: tid = 0x2c9b00, 0x00007fff93cabe22 libsystem_kernel.dylib`__wait4 + 10, name = 'Thread (pooled)'
    frame #0: 0x00007fff93cabe22 libsystem_kernel.dylib`__wait4 + 10
    frame #1: 0x0000000104663c8e libkdeui.5.dylib`KCrash::startProcess(int, char const**, bool) [inlined] startProcessInternal(argc=<unavailable>, directly=<unavailable>) + 265 at kcrash.cpp:556
    frame #2: 0x0000000104663b85 libkdeui.5.dylib`KCrash::startProcess(argc=<unavailable>, argv=<unavailable>, waitAndExit=<unavailable>) + 21 at kcrash.cpp:538
    frame #3: 0x0000000104662db9 libkdeui.5.dylib`KCrash::defaultCrashHandler(sig=<unavailable>) + 1209 at kcrash.cpp:441
    frame #4: 0x00007fff886f35aa libsystem_platform.dylib`_sigtramp + 26
    frame #5: 0x0000000101bdd584 libdigikamcore.4.6.0.dylib`Digikam::DImg::rotate(this=<unavailable>, angle=<unavailable>) + 548 at dimg.cpp:2395
    frame #6: 0x0000000101bdda54 libdigikamcore.4.6.0.dylib`Digikam::DImg::rotateAndFlip(this=<unavailable>, orientation=<unavailable>) + 100 at dimg.cpp:2669
    frame #7: 0x0000000101d93984 libdigikamcore.4.6.0.dylib`Digikam::LoadSaveThread::exifRotate(image=0x00007f8d6a80cc20, filePath=0x00007f8d6a80ca18) + 52 at loadsavethread.cpp:335
    frame #8: 0x0000000101da5b25 libdigikamcore.4.6.0.dylib`Digikam::PreviewLoadingTask::execute(this=0x00007f8d6a80ca00) + 3285 at previewtask.cpp:375
    frame #9: 0x0000000101d92dd0 libdigikamcore.4.6.0.dylib`Digikam::LoadSaveThread::run(this=0x00007f8d6e146020) + 368 at loadsavethread.cpp:136
    frame #10: 0x0000000101dbd5ca libdigikamcore.4.6.0.dylib`Digikam::DynamicThread::DynamicThreadPriv::run(this=0x00007f8d6e145f00) + 74 at dynamicthread.cpp:186
    frame #11: 0x0000000105da41db QtCore`QThreadPoolThread::run(this=0x00007f8d6d5e57a0) + 203 at qthreadpool.cpp:108
    frame #12: 0x0000000105db1a32 QtCore`QThreadPrivate::start(arg=<unavailable>) + 418 at qthread_unix.cpp:349
    frame #13: 0x00007fff936b5899 libsystem_pthread.dylib`_pthread_body + 138
    frame #14: 0x00007fff936b572a libsystem_pthread.dylib`_pthread_start + 137
    frame #15: 0x00007fff936b9fc9 libsystem_pthread.dylib`thread_start + 13

  thread #8: tid = 0x2c9b01, 0x00007fff93cab716 libsystem_kernel.dylib`__psynch_cvwait + 10, name = 'Thread (pooled)'
    frame #0: 0x00007fff93cab716 libsystem_kernel.dylib`__psynch_cvwait + 10
    frame #1: 0x00007fff936b7c3b libsystem_pthread.dylib`_pthread_cond_wait + 727
    frame #2: 0x0000000105db30b9 QtCore`QWaitConditionPrivate::wait(this=0x00007f8d6d5e6b30, time=30000) + 185
    frame #3: 0x0000000105db2f2f QtCore`QWaitCondition::wait(this=0x00007f8d6d5e6810, mutex=0x00007f8d696a0418, time=30000) + 111 at qwaitcondition_unix.cpp:158
    frame #4: 0x0000000105da4341 QtCore`QThreadPoolThread::run(this=0x00007f8d6d5e6800) + 561 at qthreadpool.cpp:142
    frame #5: 0x0000000105db1a32 QtCore`QThreadPrivate::start(arg=<unavailable>) + 418 at qthread_unix.cpp:349
    frame #6: 0x00007fff936b5899 libsystem_pthread.dylib`_pthread_body + 138
    frame #7: 0x00007fff936b572a libsystem_pthread.dylib`_pthread_start + 137
    frame #8: 0x00007fff936b9fc9 libsystem_pthread.dylib`thread_start + 13

  thread #9: tid = 0x2cadb8, 0x00007fff93cabe6a libsystem_kernel.dylib`__workq_kernreturn + 10
    frame #0: 0x00007fff93cabe6a libsystem_kernel.dylib`__workq_kernreturn + 10
    frame #1: 0x00007fff936b6f08 libsystem_pthread.dylib`_pthread_wqthread + 330
    frame #2: 0x00007fff936b9fb9 libsystem_pthread.dylib`start_wqthread + 13

  thread #10: tid = 0x2cadb9, 0x00007fff93cabe6a libsystem_kernel.dylib`__workq_kernreturn + 10
    frame #0: 0x00007fff93cabe6a libsystem_kernel.dylib`__workq_kernreturn + 10
    frame #1: 0x00007fff936b6f08 libsystem_pthread.dylib`_pthread_wqthread + 330
    frame #2: 0x00007fff936b9fb9 libsystem_pthread.dylib`start_wqthread + 13
(lldb) detach
Process 68916 detached
(lldb) (lldb) quit

Possible duplicates by query: bug 342210, bug 342202, bug 342191, bug 342149, bug 342143.

Reported using DrKonqi
Comment 1 RJVB 2014-12-26 20:17:30 UTC
Created attachment 90125
New crash information added by DrKonqi

digikam (4.6.0) on KDE Platform 4.14.3 using Qt 4.8.6

- What I was doing when the application crashed:

Trying to open an offending jpg image. The previous crash report was *not* due to an empty thumbnail (as console output had led me to believe), but to loading this particular image.

-- Backtrace (Reduced):
Comment 2 caulier.gilles 2014-12-26 22:41:18 UTC
It's not clear why it crashes here.

Can you run digiKam in GDB to get a better backtrace?

Also, can you identify which image crashes the application?

Gilles Caulier
Comment 3 RJVB 2014-12-26 22:56:35 UTC
Sorry, I can only run it in lldb, and doing so doesn't give a better backtrace:

```
(lldb) bt
* thread #1: tid = 0x2f7da0, 0x00000001000e451a libdigikamcore.4.6.0.dylib`Digikam::DImg::rotate(this=<unavailable>, angle=<unavailable>) + 794 at dimg.cpp:2395, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x11b5b1000)
  * frame #0: 0x00000001000e451a libdigikamcore.4.6.0.dylib`Digikam::DImg::rotate(this=<unavailable>, angle=<unavailable>) + 794 at dimg.cpp:2395
    frame #1: 0x00000001000e4a54 libdigikamcore.4.6.0.dylib`Digikam::DImg::rotateAndFlip(this=<unavailable>, orientation=<unavailable>) + 100 at dimg.cpp:2669
    frame #2: 0x000000010038f225 libdigikamcore.4.6.0.dylib`Digikam::EditorCore::slotImageLoaded(this=0x000000010b5680c0, loadingDescription=<unavailable>, img=<unavailable>) + 357 at editorcore.cpp:292
    frame #3: 0x000000010038ecae libdigikamcore.4.6.0.dylib`Digikam::EditorCore::qt_static_metacall(_o=0x000000010b5680c0, _c=<unavailable>, _id=<unavailable>, _a=<unavailable>) + 398 at editorcore.moc:88
    frame #4: 0x00000001033d2eae QtCore`QObject::event(this=0x000000010b5680c0, e=<unavailable>) + 638 at qobject.cpp:1222
    frame #5: 0x000000010216637b QtGui`QApplicationPrivate::notify_helper(this=<unavailable>, receiver=0x000000010b5680c0, e=0x0000000116a44320) + 251 at qapplication.cpp:4565
    frame #6: 0x0000000102167899 QtGui`QApplication::notify(this=<unavailable>, receiver=<unavailable>, e=0x0000000116a44320) + 905 at qapplication.cpp:3947
    frame #7: 0x00000001033bee46 QtCore`QCoreApplication::notifyInternal(this=<unavailable>, receiver=<unavailable>, event=<unavailable>) + 118 at qcoreapplication.cpp:953
    frame #8: 0x00000001033bf9ae QtCore`QCoreApplicationPrivate::sendPostedEvents(receiver=0x0000000116a44320, event_type=0, data=0x000000010b300fb0) + 686 at qcoreapplication.h:231
    frame #9: 0x00007fff924905b1 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
    frame #10: 0x00007fff92481c62 CoreFoundation`__CFRunLoopDoSources0 + 242
    frame #11: 0x00007fff924813ef CoreFoundation`__CFRunLoopRun + 831
    frame #12: 0x00007fff92480e75 CoreFoundation`CFRunLoopRunSpecific + 309
    frame #13: 0x00007fff8a987a0d HIToolbox`RunCurrentEventLoopInMode + 226
    frame #14: 0x00007fff8a9877b7 HIToolbox`ReceiveNextEventCommon + 479
    frame #15: 0x00007fff8a9875bc HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 65
    frame #16: 0x00007fff8eb7e24e AppKit`_DPSNextEvent + 1434
    frame #17: 0x00007fff8eb7d89b AppKit`-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 122
    frame #18: 0x00007fff8eb7199c AppKit`-[NSApplication run] + 553
    frame #19: 0x000000010211cecb QtGui`QEventDispatcherMac::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) + 2059
    frame #20: 0x00000001033bc1df QtCore`QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) [inlined] QFlags<QEventLoop::ProcessEventsFlag>::QFlags(this=0x00007fff00000024) + 9 at qglobal.h:2359
    frame #21: 0x00000001033bc1d6 QtCore`QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) [inlined] QFlags<QEventLoop::ProcessEventsFlag>::QFlags(this=0x00007fff00000024) at qglobal.h:2359
    frame #22: 0x00000001033bc1d6 QtCore`QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) [inlined] QFlags<QEventLoop::ProcessEventsFlag>::operator|(f=<unavailable>) const + 59 at qeventloop.cpp:149
    frame #23: 0x00000001033bc19b QtCore`QEventLoop::exec(this=0x00007fff5fbff010, flags=(i = 0)) + 427 at qeventloop.cpp:204
    frame #24: 0x00000001033bf3f7 QtCore`QCoreApplication::exec() + 199 at qcoreapplication.cpp:1225
    frame #25: 0x000000010003a78e showfoto`main(argc=<unavailable>, argv=<unavailable>) + 2350 at main.cpp:90
    frame #26: 0x00007fff888d25fd libdyld.dylib`start + 1
```

When I declare all the local variables of interest static so they are not optimised away, line1 and line2 appear to be null pointers when the crash occurs. I don't trust this, though; their value doesn't change when I step through the loop in the debugger.

I'll upload the image on which this crash occurs. If you cannot reproduce the crash we may be dealing with a bug in the compiler or optimiser/vectoriser...
Comment 4 RJVB 2014-12-26 22:58:27 UTC
Created attachment 90127
image that crashes digikam 4.6 (and 4.4!) on OS X 10.9
Comment 5 RJVB 2014-12-27 20:39:18 UTC
Created attachment 90133
I think the code should do this

Salut Gilles,

I think the calculation of line2 is incorrect: the very first time it is effectively initialised to `data + h * w`, which is just outside the valid image data. I've attached a patch that makes this correction for 180° rotations, but maybe you ought to double-check the other cases too ... ;)
In any case I'm no longer seeing crashes with this patch.

And I stand corrected: as usual this (probably) wasn't a compiler bug but just another proof how testing with other compilers and on other platforms is an almost perfect way to find errors that somehow slip through on your usual platform.
Comment 6 Marcel Wiesweg 2014-12-28 19:03:33 UTC
Bug is confirmed by valgrind on Linux:

==9153== Thread 1:
==9153== Invalid read of size 4
==9153==    at 0x730A0A2: Digikam::DImg::rotate(Digikam::DImg::ANGLE) (dimg.cpp:2395)
==9153==    by 0x730A1A9: Digikam::DImg::rotateAndFlip(int) (dimg.cpp:2642)
==9153==    by 0x75AC8AA: Digikam::EditorCore::slotImageLoaded(Digikam::LoadingDescription const&, Digikam::DImg const&) (editorcore.cpp:292)
==9153==    by 0xEACA59D: QObject::event(QEvent*) (qobject.cpp:1231)
==9153==    by 0xD72A76B: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:4565)
==9153==    by 0xD730CAC: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:4351)
==9153==    by 0xD127BA9: KApplication::notify(QObject*, QEvent*) (in /usr/lib64/libkdeui.so.5.14.3)
==9153==    by 0xEAB22AC: QCoreApplication::notifyInternal(QObject*, QEvent*) (qcoreapplication.cpp:953)
==9153==    by 0xEAB557C: sendEvent (qcoreapplication.h:231)
==9153==    by 0xEAB557C: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1577)
==9153==    by 0xEADF8FD: sendPostedEvents (qcoreapplication.h:236)
==9153==    by 0xEADF8FD: postEventSourceDispatch(_GSource*, int (*)(void*), void*) (qeventdispatcher_glib.cpp:300)
==9153==    by 0x13044A03: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4200.0)
==9153==    by 0x13044C47: ??? (in /usr/lib64/libglib-2.0.so.0.4200.0)
==9153==  Address 0x4a85d040 is 0 bytes after a block of size 31,961,088 alloc'd
==9153==    at 0x4C29D90: operator new[](unsigned long) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==9153==    by 0x732D25C: new_failureTolerant<unsigned char> (dimgloader.h:183)
==9153==    by 0x732D25C: Digikam::DImgLoader::new_failureTolerant(unsigned long) (dimgloader.cpp:432)
==9153==    by 0x7301C76: Digikam::DImg::allocateData() (dimg.cpp:319)
==9153==    by 0x7306701: Digikam::DImg::detach() (dimg.cpp:224)
==9153==    by 0x73068D5: Digikam::DImg::copy() const (dimg.cpp:1520)
==9153==    by 0x74CFAFA: Digikam::SharedLoadingTask::execute() (loadsavetask.cpp:251)
==9153==    by 0x74BFB25: Digikam::LoadSaveThread::run() (loadsavethread.cpp:136)
==9153==    by 0x74EE7AD: Digikam::DynamicThread::DynamicThreadPriv::run() (dynamicthread.cpp:186)
==9153==    by 0xE9A46AD: QThreadPoolThread::run() (qthreadpool.cpp:108)
==9153==    by 0xE9B079E: QThreadPrivate::start(void*) (qthread_unix.cpp:349)
==9153==    by 0xEE220A3: start_thread (in /lib64/libpthread-2.19.so)
==9153==    by 0xF8B87FC: clone (in /lib64/libc-2.19.so)
==9153== 
==9153== Invalid write of size 4
==9153==    at 0x730A0B1: Digikam::DImg::rotate(Digikam::DImg::ANGLE) (dimg.cpp:2396)
==9153==    by 0x730A1A9: Digikam::DImg::rotateAndFlip(int) (dimg.cpp:2642)
==9153==    by 0x75AC8AA: Digikam::EditorCore::slotImageLoaded(Digikam::LoadingDescription const&, Digikam::DImg const&) (editorcore.cpp:292)
==9153==    by 0xEACA59D: QObject::event(QEvent*) (qobject.cpp:1231)
==9153==    by 0xD72A76B: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:4565)
==9153==    by 0xD730CAC: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:4351)
==9153==    by 0xD127BA9: KApplication::notify(QObject*, QEvent*) (in /usr/lib64/libkdeui.so.5.14.3)
==9153==    by 0xEAB22AC: QCoreApplication::notifyInternal(QObject*, QEvent*) (qcoreapplication.cpp:953)
==9153==    by 0xEAB557C: sendEvent (qcoreapplication.h:231)
==9153==    by 0xEAB557C: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1577)
==9153==    by 0xEADF8FD: sendPostedEvents (qcoreapplication.h:236)
==9153==    by 0xEADF8FD: postEventSourceDispatch(_GSource*, int (*)(void*), void*) (qeventdispatcher_glib.cpp:300)
==9153==    by 0x13044A03: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4200.0)
==9153==    by 0x13044C47: ??? (in /usr/lib64/libglib-2.0.so.0.4200.0)
==9153==  Address 0x4a85d040 is 0 bytes after a block of size 31,961,088 alloc'd
==9153==    at 0x4C29D90: operator new[](unsigned long) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==9153==    by 0x732D25C: new_failureTolerant<unsigned char> (dimgloader.h:183)
==9153==    by 0x732D25C: Digikam::DImgLoader::new_failureTolerant(unsigned long) (dimgloader.cpp:432)
==9153==    by 0x7301C76: Digikam::DImg::allocateData() (dimg.cpp:319)
==9153==    by 0x7306701: Digikam::DImg::detach() (dimg.cpp:224)
==9153==    by 0x73068D5: Digikam::DImg::copy() const (dimg.cpp:1520)
==9153==    by 0x74CFAFA: Digikam::SharedLoadingTask::execute() (loadsavetask.cpp:251)
==9153==    by 0x74BFB25: Digikam::LoadSaveThread::run() (loadsavethread.cpp:136)
==9153==    by 0x74EE7AD: Digikam::DynamicThread::DynamicThreadPriv::run() (dynamicthread.cpp:186)
==9153==    by 0xE9A46AD: QThreadPoolThread::run() (qthreadpool.cpp:108)
==9153==    by 0xE9B079E: QThreadPrivate::start(void*) (qthread_unix.cpp:349)
==9153==    by 0xEE220A3: start_thread (in /lib64/libpthread-2.19.so)
==9153==    by 0xF8B87FC: clone (in /lib64/libc-2.19.so)
==9153==
Comment 7 Marcel Wiesweg 2014-12-28 19:11:27 UTC
The fix is confirmed by valgrind as well. It's a one-byte-over mistake. Probably, the relevant buffer is usually a bit larger on Linux so that no crash occurs.
Comment 8 Marcel Wiesweg 2014-12-28 19:13:09 UTC
Git commit 94bc2463c9c1f6c9cebc4b2f2ff71ba2a54c9d9d by Marcel Wiesweg.
Committed on 28/12/2014 at 19:11.
Pushed by mwiesweg into branch 'master'.

Apply fix by RJVB <rjvbertin@gmail.com>: Correct incorrect read of one single byte beyond the buffer in the DImg 180°-rotation code

Thanks for your help.

M  +2    -2    libs/dimg/dimg.cpp

http://commits.kde.org/digikam/94bc2463c9c1f6c9cebc4b2f2ff71ba2a54c9d9d
Comment 9 Maik Qualmann 2014-12-28 20:14:34 UTC
Yes, the patch is correct. Rotation180 worked incorrectly, a column of pixels at the edge of the image has been copied to the other side. Now rotation180 is working correctly.
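The off-by-one described in Comment 5 and its visible symptom from Comment 9, as an added example that is not part of the original thread and is not digiKam's code. Only the `data + h * w` starting position comes from the report; the loop shape, the guard element, and the names `Image`, `rotate180`, `guardIntact` and `isRotated180` are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <utility>
#include <vector>

// Guard value stored one element past the last pixel. It stands in for
// whatever memory follows the real image buffer, so the stray access is
// observable without undefined behaviour.
constexpr std::uint32_t kCanary = 0xDEADBEEFu;

struct Image {
    std::size_t w;
    std::size_t h;
    std::vector<std::uint32_t> buf;  // w*h pixels followed by one guard element
};

// Constructed test image: pixel i holds the value i.
Image makeImage(std::size_t w, std::size_t h) {
    Image img{w, h, std::vector<std::uint32_t>(w * h + 1)};
    for (std::size_t i = 0; i < w * h; ++i) img.buf[i] = static_cast<std::uint32_t>(i);
    img.buf[w * h] = kCanary;
    return img;
}

// In-place 180-degree rotation: a forward cursor walks row y while a backward
// cursor walks the mirrored row, swapping as they go.
// offByOne == true  starts the backward cursor at (h - y) * w, which for
//                   y == 0 is the report's `data + h * w` (one past the end).
// offByOne == false starts it at (h - y) * w - 1, the last pixel of that row.
void rotate180(Image& img, bool offByOne) {
    const std::size_t w = img.w, h = img.h;
    if (w == 0 || h == 0) return;
    for (std::size_t y = 0; y < (h + 1) / 2; ++y) {
        std::size_t i1 = y * w;
        std::size_t i2 = (h - y) * w - (offByOne ? 0 : 1);
        const bool middleRow = (h % 2 == 1) && (y == h / 2);
        for (std::size_t x = 0; x < w; ++x) {
            if (middleRow && 2 * x >= w) break;  // middle row mirrors onto itself
            std::swap(img.buf[i1], img.buf[i2]);
            ++i1;
            --i2;
        }
    }
}

// True if nothing wrote to the element just past the pixel data.
bool guardIntact(const Image& img) { return img.buf[img.w * img.h] == kCanary; }

// True if pixel i now holds the value that started at position n - 1 - i.
bool isRotated180(const Image& img) {
    const std::size_t n = img.w * img.h;
    for (std::size_t i = 0; i < n; ++i)
        if (img.buf[i] != n - 1 - i) return false;
    return true;
}

int main() {
    for (bool offByOne : {false, true}) {
        Image img = makeImage(3, 2);
        rotate180(img, offByOne);
        std::printf("offByOne=%d rotated=%d guardIntact=%d\n",
                    offByOne, isRotated180(img), guardIntact(img));
    }
    return 0;
}
```

With the wrong start, the first swap exchanges pixel 0 with the element past the buffer, and every later swap lands one pixel off, which is why the rotated image was shifted in addition to the invalid read and write valgrind reported.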
Comment 10 caulier.gilles 2014-12-28 20:54:38 UTC
Git commit 68cdaee316491cb81a9e217ed25a2d6b77cf6332 by Gilles Caulier.
Committed on 28/12/2014 at 20:53.
Pushed by cgilles into branch 'frameworks'.

backport patch #94bc2463c9c1f6c9cebc4b2f2ff71ba2a54c9d9d from git/master to git/frameworks branch

M  +2    -2    libs/dimg/dimg.cpp

http://commits.kde.org/digikam/68cdaee316491cb81a9e217ed25a2d6b77cf6332