Bug 39822 - Valgrind errors loading jpeg
Summary: Valgrind errors loading jpeg
Status: RESOLVED NOTOURBUG
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer
Version (earliest affected): Master old -3.6
Hardware: x86 (IA32) Linux (All)
: medium major
Assignee: Not Assigned
Reported: 2011-08-03 22:22 UTC by Marc-André Laverdière
Modified: 2011-08-04 01:06 UTC

Attachments
Image which creates the problem (8.00 KB, image/jpeg)
2011-08-03 22:22 UTC, Marc-André Laverdière

Description Marc-André Laverdière 2011-08-03 22:22:54 UTC
Created attachment 49899
Image which creates the problem

ODF editing is freezing. Valgrinding is showing errors loading one of the images.

Unzipping and loading the pictures independently yielded the following valgrind trace. I removed some of the crud at the top.

==31875== For counts of detected and suppressed errors, rerun with: -v
==31875== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 15 from 8)
==31835== Invalid read of size 8
==31835==    at 0x422F86CA: ??? (in /usr/lib/libjpeg.so.62.0.0)
==31835==  Address 0x17e43e10 is 37,496 bytes inside a block of size 37,500 alloc'd
==31835==    at 0x4006D69: malloc (vg_replace_malloc.c:236)
==31835==    by 0x403C3CD: rtl_allocateMemory_SYSTEM (alloc_global.c:294)
==31835==    by 0x403C44A: rtl_allocateMemory (alloc_global.c:324)
==31835==    by 0x4A5AD9A: JPEGReader::CreateBitmap(void*) (jpeg.cxx:403)
==31835==    by 0x495E047: ReadJPEG (jpegc.c:158)
==31835==    by 0x4A5B3D9: JPEGReader::Read(Graphic&) (jpeg.cxx:545)
==31835==    by 0x4A5B69D: ImportJPEG(SvStream&, Graphic&, void*, long) (jpeg.cxx:752)
==31835==    by 0x4A47EA3: GraphicFilter::ImportGraphic(Graphic&, String const&, SvStream&, unsigned short, unsigned short*, unsigned long, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>*, WMF_APMFILEHEADER*) (filter.cxx:1481)
==31835==    by 0x4A48A5E: GraphicFilter::ImportGraphic(Graphic&, String const&, SvStream&, unsigned short, unsigned short*, unsigned long, WMF_APMFILEHEADER*) (filter.cxx:1309)
==31835==    by 0x4A48AD9: GraphicFilter::ImportGraphic(Graphic&, INetURLObject const&, unsigned short, unsigned short*, unsigned long) (filter.cxx:1300)
==31835==    by 0x4A48C28: GraphicFilter::LoadGraphic(String const&, String const&, Graphic&, GraphicFilter*, unsigned short*) (filter.cxx:2240)
==31835==    by 0xF656F7A: SwView::InsertGraphic(String const&, String const&, unsigned char, GraphicFilter*, Graphic*, unsigned char) (view2.cxx:226)
==31835==    by 0xF65AA1C: SwView::InsertGraphicDlg(SfxRequest&) (view2.cxx:423)
==31835==    by 0xF65CCC0: SwView::Execute(SfxRequest&) (view2.cxx:1150)
==31835==    by 0xF655163: SfxStubSwViewExecute(SfxShell*, SfxRequest&) (swslots.hxx:11714)
==31835==    by 0x4510F98: SfxDispatcher::Call_Impl(SfxShell&, SfxSlot const&, SfxRequest&, unsigned char) (shell.hxx:202)
==31835==    by 0x4511351: SfxDispatcher::PostMsgHandler(SfxRequest*) (dispatch.cxx:1521)
==31835==    by 0x461D31A: SfxHintPoster::Event(SfxHint*) (link.hxx:140)
==31835==    by 0x461D26E: SfxHintPoster::LinkStubDoEvent_Impl(void*, void*) (hintpost.cxx:78)
==31835==    by 0x53EA15E: ImplWindowFrameProc(Window*, SalFrame*, unsigned short, void const*) (link.hxx:140)
==31835==    by 0x7F8B34F: SalDisplay::DispatchInternalEvent() (salframe.hxx:294)
==31835==    by 0x7EFE718: GtkXLib::userEventFn(void*) (gtkdata.cxx:883)
==31835==    by 0x4DCF85D0: g_idle_dispatch (gmain.c:4558)
==31835==    by 0x4DCFC5BE: g_main_context_dispatch (gmain.c:2441)
==31835==    by 0x4DCFCD2F: g_main_context_iterate (gmain.c:3092)
==31835==    by 0x4DCFD06E: g_main_context_iteration (gmain.c:3155)
==31835==    by 0x7EFCF48: GtkXLib::Yield(bool, bool) (gtkdata.cxx:935)
==31835==    by 0x7F8E2BE: X11SalInstance::Yield(bool, bool) (salinst.cxx:280)
==31835==    by 0x52174CA: ImplYield(bool, bool) (svapp.cxx:447)
==31835==    by 0x521516D: Application::Yield(bool) (svapp.cxx:481)
==31835==    by 0x521519E: Application::Execute() (svapp.cxx:424)
==31835==    by 0x407E13F: desktop::Desktop::Main() (app.cxx:1912)
==31835==    by 0x521AB90: ImplSVMain() (svmain.cxx:181)
==31835==    by 0x521ACE1: SVMain() (svmain.cxx:218)
==31835==    by 0x4093FDA: soffice_main (sofficemain.cxx:68)
==31835==    by 0x8048ADF: main (main.c:36)
==31835== 
==31835== Conditional jump or move depends on uninitialised value(s)
==31835==    at 0x4118FF11: XcursorImageHash (xlib.c:292)
==31835==    by 0x41190098: XcursorNoticePutBitmap (xlib.c:363)
==31835==    by 0x41437E23: _XNoticePutBitmap (CrGlCur.c:204)
==31835==    by 0x41450019: XPutImage (PutImage.c:1040)
==31835==    by 0x7FAD7F8: ImplSalDDB::ImplSalDDB(_XImage*, unsigned long, int, SalTwoRect const&) (salbmp.cxx:1006)
==31835==    by 0x7FAE524: X11SalBitmap::ImplGetDDB(unsigned long, int, long, SalTwoRect const&) const (salbmp.cxx:751)
==31835==    by 0x7FAE5D9: X11SalBitmap::ImplDraw(unsigned long, int, long, SalTwoRect const&, _XGC* const&) const (salbmp.cxx:773)
==31835==    by 0x7FB0623: X11SalGraphics::drawMaskedBitmap(SalTwoRect const*, SalBitmap const&, SalBitmap const&) (salgdi2.cxx:727)
==31835==    by 0x7FB0873: X11SalGraphics::drawBitmap(SalTwoRect const*, SalBitmap const&, SalBitmap const&) (salgdi2.cxx:677)
==31835==    by 0x535CDF2: SalGraphics::DrawBitmap(SalTwoRect const*, SalBitmap const&, SalBitmap const&, OutputDevice const*) (salgdilayout.cxx:629)
==31835==    by 0x52D6887: OutputDevice::ImplDrawBitmapEx(Point const&, Size const&, Point const&, Size const&, BitmapEx const&, unsigned long) (outdev2.cxx:976)
==31835==    by 0x52D6C43: OutputDevice::DrawBitmapEx(Point const&, Size const&, BitmapEx const&) (outdev2.cxx:768)
==31835==    by 0x4A7FFEB: GraphicManager::ImplCreateOutput(OutputDevice*, Point const&, Size const&, BitmapEx const&, GraphicAttr const&, unsigned long, BitmapEx*) (grfmgr2.cxx:623)
==31835==    by 0x4A80CCA: GraphicManager::ImplDraw(OutputDevice*, Point const&, Size const&, GraphicObject&, GraphicAttr const&, unsigned long, unsigned char&) (grfmgr2.cxx:343)
==31835==    by 0x4A81119: GraphicManager::DrawObj(OutputDevice*, Point const&, Size const&, GraphicObject&, GraphicAttr const&, unsigned long, unsigned char&) (grfmgr2.cxx:260)
==31835==    by 0x4A7B0D9: GraphicObject::Draw(OutputDevice*, Point const&, Size const&, GraphicAttr const*, unsigned long) (grfmgr.cxx:607)
==31835==    by 0xFBA05A2: drawinglayer::RenderBitmapPrimitive2D_GraphicManager(OutputDevice&, BitmapEx const&, basegfx::B2DHomMatrix const&) (vclhelperbitmaprender.cxx:99)
==31835==    by 0xFBAA4C7: drawinglayer::processor2d::VclProcessor2D::RenderBitmapPrimitive2D(drawinglayer::primitive2d::BitmapPrimitive2D const&) (vclprocessor2d.cxx:437)
==31835==    by 0xFBA94FD: drawinglayer::processor2d::VclPixelProcessor2D::processBasePrimitive2D(drawinglayer::primitive2d::BasePrimitive2D const&) (vclpixelprocessor2d.cxx:195)
==31835==    by 0xFB9774F: drawinglayer::processor2d::BaseProcessor2D::process(com::sun::star::uno::Sequence<com::sun::star::uno::Reference<com::sun::star::graphic::XPrimitive2D> > const&) (baseprocessor2d.cxx:76)
==31835==    by 0xFBA9FC1: drawinglayer::processor2d::VclPixelProcessor2D::processBasePrimitive2D(drawinglayer::primitive2d::BasePrimitive2D const&) (vclpixelprocessor2d.cxx:614)
==31835==    by 0xFB9774F: drawinglayer::processor2d::BaseProcessor2D::process(com::sun::star::uno::Sequence<com::sun::star::uno::Reference<com::sun::star::graphic::XPrimitive2D> > const&) (baseprocessor2d.cxx:76)
==31835==    by 0x1038EA24: sdr::overlay::OverlayManager::ImpDrawMembers(basegfx::B2DRange const&, OutputDevice&) const (overlaymanager.cxx:91)
==31835==    by 0x1038EB82: sdr::overlay::OverlayManager::completeRedraw(Region const&, OutputDevice*) const (overlaymanager.cxx:281)
==31835==    by 0x1038A56A: sdr::overlay::OverlayManagerBuffered::completeRedraw(Region const&, OutputDevice*) const (overlaymanagerbuffered.cxx:438)
==31835==    by 0x103A6FC3: SdrPaintWindow::DrawOverlay(Region const&, bool) (sdrpaintwindow.cxx:286)
==31835==    by 0x1044D06D: SdrPaintView::EndCompleteRedraw(SdrPaintWindow&, bool) (svdpntv.cxx:943)
==31835==    by 0x10319AFB: FmFormView::EndCompleteRedraw(SdrPaintWindow&, bool) (fmview.cxx:500)
==31835==    by 0x1044CC99: SdrPaintView::EndDrawLayers(SdrPaintWindow&, bool) (svdpntv.cxx:981)
==31835==    by 0xF4B4F62: ViewShell::DLPostPaint2(bool) (viewsh.cxx:181)
==31835==    by 0xF4B56B8: ViewShell::Paint(Rectangle const&) (viewsh.cxx:1670)
==31835==    by 0xF1822CE: SwCrsrShell::Paint(Rectangle const&) (crsrsh.cxx:1169)
==31835==    by 0xF5DBDD2: SwEditWin::Paint(Rectangle const&) (edtwin2.cxx:536)
==31835==    by 0x53DCA23: Window::ImplCallPaint(Region const*, unsigned short) (window.cxx:2422)
==31835==    by 0x53DCAD9: Window::ImplCallPaint(Region const*, unsigned short) (window.cxx:2446)
==31835==    by 0x53DCAD9: Window::ImplCallPaint(Region const*, unsigned short) (window.cxx:2446)
==31835==    by 0x53DCAD9: Window::ImplCallPaint(Region const*, unsigned short) (window.cxx:2446)
==31835==    by 0x53DCAD9: Window::ImplCallPaint(Region const*, unsigned short) (window.cxx:2446)
==31835==    by 0x53DCAD9: Window::ImplCallPaint(Region const*, unsigned short) (window.cxx:2446)
==31835==    by 0x53DCAD9: Window::ImplCallPaint(Region const*, unsigned short) (window.cxx:2446)
==31835==    by 0x53DD8F1: Window::ImplCallOverlapPaint() (window.cxx:2483)
==31835==    by 0x53DD93A: Window::ImplHandlePaintHdl(void*) (window.cxx:2503)
==31835==    by 0x521B149: Timer::Timeout() (link.hxx:140)
==31835==    by 0x521B1F8: Timer::ImplTimerCallbackProc() (timer.cxx:146)
==31835==    by 0x7F8FBF7: X11SalData::Timeout() const (saltimer.hxx:66)
==31835==    by 0x7EFE63E: GtkXLib::timeoutFn(void*) (gtkdata.cxx:811)
==31835==    by 0x4DCFDEAF: g_timeout_dispatch (gmain.c:3895)
==31835==    by 0x4DCFC5BE: g_main_context_dispatch (gmain.c:2441)
==31835==    by 0x4DCFCD2F: g_main_context_iterate (gmain.c:3092)
==31835==    by 0x4DCFD06E: g_main_context_iteration (gmain.c:3155)
==31835== 
==31835== 
==31835== HEAP SUMMARY:
==31835==     in use at exit: 2,351,368 bytes in 36,985 blocks
==31835==   total heap usage: 1,314,047 allocs, 1,277,062 frees, 114,403,313 bytes allocated
==31835== 
==31835== LEAK SUMMARY:
==31835==    definitely lost: 6,101 bytes in 81 blocks
==31835==    indirectly lost: 57,400 bytes in 2,114 blocks
==31835==      possibly lost: 69,962 bytes in 939 blocks
==31835==    still reachable: 2,217,905 bytes in 33,851 blocks
==31835==         suppressed: 0 bytes in 0 blocks
==31835== Rerun with --leak-check=full to see details of leaked memory
==31835== 
==31835== For counts of detected and suppressed errors, rerun with: -v
==31835== Use --track-origins=yes to see where uninitialised values come from
==31835== ERROR SUMMARY: 1865 errors from 10 contexts (suppressed: 418 from 15)
==31810== 
==31810== HEAP SUMMARY:
==31810==     in use at exit: 2,234 bytes in 57 blocks
==31810==   total heap usage: 970 allocs, 913 frees, 1,584,546 bytes allocated
==31810== 
==31810== LEAK SUMMARY:
==31810==    definitely lost: 124 bytes in 1 blocks
==31810==    indirectly lost: 0 bytes in 0 blocks
==31810==      possibly lost: 0 bytes in 0 blocks
==31810==    still reachable: 2,110 bytes in 56 blocks
==31810==         suppressed: 0 bytes in 0 blocks
==31810== Rerun with --leak-check=full to see details of leaked memory
==31810== 
==31810== For counts of detected and suppressed errors, rerun with: -v
==31810== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 31 from 11)
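
Added example, not part of the original report or of LibreOffice: a small Python triage helper that parses the Memcheck "Invalid read" record in the trace above, computes how far the access runs past the heap block (37,496 + 8 - 37,500 = 4 bytes), and reports which object the faulting frame is in versus who allocated the block. The function name `triage` and the list of allocator wrappers to skip are assumptions made for this illustration.

```python
import re

# Excerpt of the Memcheck record from the report above (allocation stack truncated).
SAMPLE = """\
==31835== Invalid read of size 8
==31835==    at 0x422F86CA: ??? (in /usr/lib/libjpeg.so.62.0.0)
==31835==  Address 0x17e43e10 is 37,496 bytes inside a block of size 37,500 alloc'd
==31835==    at 0x4006D69: malloc (vg_replace_malloc.c:236)
==31835==    by 0x403C3CD: rtl_allocateMemory_SYSTEM (alloc_global.c:294)
==31835==    by 0x403C44A: rtl_allocateMemory (alloc_global.c:324)
==31835==    by 0x4A5AD9A: JPEGReader::CreateBitmap(void*) (jpeg.cxx:403)
"""

PREFIX = re.compile(r"^==\d+==\s?")
ACCESS = re.compile(r"Invalid (read|write) of size (\d+)")
FRAME = re.compile(r"\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+) \((?:in )?([^()]+)\)$")
BLOCK = re.compile(r"Address 0x[0-9A-Fa-f]+ is ([\d,]+) bytes inside a block of size ([\d,]+)")
# Assumption: frames starting with these names are allocator plumbing, not the owner.
ALLOCATORS = ("malloc", "calloc", "realloc", "rtl_allocateMemory")

def triage(log):
    """Return one dict per 'Invalid read/write' record found in Memcheck output."""
    findings, cur, in_alloc = [], None, False
    for raw in log.splitlines():
        line = PREFIX.sub("", raw)
        if m := ACCESS.search(line):
            cur = {"kind": m[1], "size": int(m[2]), "fault_in": None,
                   "allocated_by": None, "bytes_past_end": None}
            findings.append(cur)
            in_alloc = False
        elif cur is None:
            continue                      # not inside an invalid-access record
        elif m := BLOCK.search(line):
            offset, block = (int(g.replace(",", "")) for g in m.groups())
            # An access of `size` bytes at `offset` overruns by offset+size-block.
            cur["bytes_past_end"] = max(0, offset + cur["size"] - block)
            in_alloc = True               # following frames are the allocation stack
        elif m := FRAME.match(line):
            func, where = m[1], m[2]
            if not in_alloc and cur["fault_in"] is None:
                cur["fault_in"] = where   # innermost frame of the faulting access
            elif in_alloc and cur["allocated_by"] is None \
                    and not func.startswith(ALLOCATORS):
                cur["allocated_by"] = f"{func} ({where})"
        elif not line.strip():
            cur = None                    # blank line ends the record
    return findings
```

For this record the helper reports a 4-byte over-read whose faulting frame is in `/usr/lib/libjpeg.so.62.0.0`, on a buffer allocated by `JPEGReader::CreateBitmap`.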
Comment 1 David Tardon 2011-08-03 23:35:11 UTC
I see the same thing with gthumb, so it is not a bug in LibreOffice. I will pass the image to the maintainer of libjpeg-turbo in Fedora.
Comment 2 Caolán McNamara 2011-08-04 01:06:26 UTC
I suspect this may be similar in nature to https://bugzilla.redhat.com/show_bug.cgi?id=678518