Bug #11267

Colorchecker crashes with 49+ patches

Added by Roman Lebedev almost 3 years ago. Updated almost 3 years ago.

Status: Fixed
Priority: Medium
Category: -
Target version:
Start date: 10/27/2016
Due date:
% Done: 100%
Estimated time:
Affected Version: git master branch
System: all
bitness: 64-bit
hardware architecture: amd64/x86

Description

I have fixed most of the problem, but this still happens.
With git master, add p->num_patches = 65; at the very beginning of commit_params() in colorchecker.c
(line numbers may differ)

colorchecker.c commit_params p->num_patches = 65
colorchecker.c commit_params MAX_PATCHES = 49
colorchecker.c commit_params d->num_patches = 49
=================================================================
==5932==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61400012f638 at pc 0x7f6e08f3743a bp 0x7ffd6e663c70 sp 0x7ffd6e663c68
READ of size 8 at 0x61400012f638 thread T0
==5932==AddressSanitizer: while reporting a bug found another one. Ignoring.
==5932==AddressSanitizer: while reporting a bug found another one. Ignoring.
    #0 0x7f6e08f37439 in dsvd /home/lebedevri/darktable/src/iop/svd.h:213
    #1 0x7f6e08f453c6 in commit_params._omp_fn.2 /home/lebedevri/darktable/src/iop/colorchecker.c:592
    #2 0x7f6e277b6d0e in GOMP_parallel (/usr/lib/x86_64-linux-gnu/libgomp.so.1+0xdd0e)
    #3 0x7f6e08f3aa1e in commit_params /home/lebedevri/darktable/src/iop/colorchecker.c:541
    #4 0x7f6e08f3aaf6 in init_pipe /home/lebedevri/darktable/src/iop/colorchecker.c:624
    #5 0x7f6e2f6e33ac in dt_iop_init_pipe /home/lebedevri/darktable/src/develop/imageop.c:483
    #6 0x7f6e2f71df18 in dt_dev_pixelpipe_create_nodes /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:233
    #7 0x7f6e2f8edf81 in _get_image_dimension /home/lebedevri/darktable/src/common/cups_print.c:406
    #8 0x7f6e2f8eeaa7 in dt_get_print_layout /home/lebedevri/darktable/src/common/cups_print.c:531
    #9 0x7f6e10093c19 in _update_slider /home/lebedevri/darktable/src/libs/print_settings.c:506
    #10 0x7f6e1009557d in _lock_callback /home/lebedevri/darktable/src/libs/print_settings.c:635
    #11 0x7f6e2d0e11a3  (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x101a3)
    #12 0x7f6e2d0fb8bc in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2a8bc)
    #13 0x7f6e2d0fbfae in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2afae)
    #14 0x7f6e2eaba59c  (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x32959c)
    #15 0x7f6e2d0e11a3  (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x101a3)
    #16 0x7f6e2d0fb8bc in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2a8bc)
    #17 0x7f6e2d0fbfae in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2afae)
    #18 0x7f6e2eaba372 in gtk_toggle_button_set_active (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x329372)
    #19 0x7f6e1009aa26 in gui_init /home/lebedevri/darktable/src/libs/print_settings.c:1189
    #20 0x7f6e2f87f890 in dt_lib_load_modules /home/lebedevri/darktable/src/libs/lib.c:744
    #21 0x7f6e2f8824ae in dt_lib_init /home/lebedevri/darktable/src/libs/lib.c:1053
    #22 0x7f6e2f5bd6d2 in dt_init /home/lebedevri/darktable/src/common/darktable.c:993
    #23 0x55b221585e96 in main /home/lebedevri/darktable/src/main.c:24
    #24 0x7f6e274292b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #25 0x55b221585d69 in _start (/opt/darktable/bin/darktable+0xd69)

0x61400012f638 is located 8 bytes to the left of 424-byte region [0x61400012f640,0x61400012f7e8)
allocated by thread T0 here:
    #0 0x7f6e2fcb2d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x7f6e08f4534a in commit_params._omp_fn.2 /home/lebedevri/darktable/src/iop/colorchecker.c:588
    #2 0x7f6e277b6d0e in GOMP_parallel (/usr/lib/x86_64-linux-gnu/libgomp.so.1+0xdd0e)
    #3 0x61a00001327f  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lebedevri/darktable/src/iop/svd.h:213 in dsvd
Shadow bytes around the buggy address:
==5932==ABORTING

I'm not sure what is going on.
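For triaging a report like the one above, the following is an added example (not part of this bug report or of darktable) that parses the access line, the region line and the two stack traces of an AddressSanitizer heap-buffer-overflow report and works out which side of the allocation was hit, by how many elements, and the first user-source frame of both the access and the allocation. The sample input is a constructed excerpt of the report quoted above.

```python
import re

# Constructed excerpt of the ASan report from the bug above (only the lines
# the parser needs; addresses and frames are as quoted in the report).
SAMPLE_REPORT = """\
==5932==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61400012f638 at pc 0x7f6e08f3743a bp 0x7ffd6e663c70 sp 0x7ffd6e663c68
READ of size 8 at 0x61400012f638 thread T0
    #0 0x7f6e08f37439 in dsvd /home/lebedevri/darktable/src/iop/svd.h:213
    #1 0x7f6e08f453c6 in commit_params._omp_fn.2 /home/lebedevri/darktable/src/iop/colorchecker.c:592
    #2 0x7f6e277b6d0e in GOMP_parallel (/usr/lib/x86_64-linux-gnu/libgomp.so.1+0xdd0e)
0x61400012f638 is located 8 bytes to the left of 424-byte region [0x61400012f640,0x61400012f7e8)
allocated by thread T0 here:
    #0 0x7f6e2fcb2d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x7f6e08f4534a in commit_params._omp_fn.2 /home/lebedevri/darktable/src/iop/colorchecker.c:588
"""

ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
REGION_RE = re.compile(r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (\S+) (\S+)$", re.M)


def first_source_frame(stack_text):
    """First frame that carries a file:line location, skipping frames that only
    name a shared object (libasan, libgomp, libc, ...)."""
    for func, loc in FRAME_RE.findall(stack_text):
        if ":" in loc and not loc.startswith("("):
            return f"{func} {loc}"
    return None


def triage_asan(report):
    """Summarise a heap-buffer-overflow report: side of the region, distance
    in bytes and in access-sized elements, and the frames to look at first."""
    kind, size, addr = ACCESS_RE.search(report).groups()
    region_size, lo, hi = REGION_RE.search(report).groups()
    size, addr, lo, hi = int(size), int(addr, 16), int(lo, 16), int(hi, 16)
    region_len = hi - lo
    offset = addr - lo                      # negative => before the buffer
    if offset < 0:
        side, elems = "left (underflow)", (-offset + size - 1) // size
    elif offset >= region_len:
        side, elems = "right (overflow)", (offset - region_len) // size + 1
    else:
        side, elems = "inside", 0
    # The access stack precedes "allocated by"; the allocation stack follows it.
    access_part, alloc_part = report.split("allocated by", 1)
    return {
        "access": kind, "access_size": size,
        "region_size": int(region_size), "region_len": region_len,
        "region_elems": region_len // size,  # 424 bytes / 8 = 53 doubles
        "offset": offset, "side": side, "elements_out": elems,
        "access_frame": first_source_frame(access_part),
        "alloc_frame": first_source_frame(alloc_part),
    }
```

A mismatch between `region_size` and `region_len` would indicate a mangled report; here they agree, and the read lands one 8-byte element before the buffer allocated at colorchecker.c:588.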

Associated revisions

Revision b1a4a90a (diff)
Added by Roman Lebedev almost 3 years ago

Colorchecker iop: mess with dsvd(). Seems to fix #11267.

History

#1 Updated by Roman Lebedev almost 3 years ago

  • % Done changed from 0 to 100
  • Status changed from New to Fixed

#2 Updated by Roman Lebedev almost 3 years ago

  • Target version set to 2.2.0
