Bug #9457

segfault in dt_lightroom_import()

Added by Antoine Beaupré over 6 years ago. Updated about 6 years ago.

Status: Fixed
Priority: Medium
Assignee: -
Category: General
Start date: 06/07/2013
Due date:
% Done: 100%
Estimated time:
Affected Version: 1.2.1
System: other GNU/Linux
bitness: 64-bit
hardware architecture: amd64/x86

Description

So I did something that may be nasty but that I think shouldn't segfault DT.

I have modified the Xmp.dc.subject tag within a .jpg file (not in the sidecar file!) then removed and reimported that image in DT.

exiv2 -M 'add Xmp.dc.subject XmpBag "obitciwan"'  /home/anarcat/Photos/2013/02/24/IMG_0852_CR2.jpg

(remove and reimport the image in DT)

crash!

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe9a26700 (LWP 3620)]
0x00007ffff7a72742 in dt_lightroom_import () from /usr/bin/../lib/darktable/libdarktable.so
(gdb) bt
#0  0x00007ffff7a72742 in dt_lightroom_import () from /usr/bin/../lib/darktable/libdarktable.so
#1  0x00007ffff7a6455f in ?? () from /usr/bin/../lib/darktable/libdarktable.so
#2  0x00007ffff7a66cb4 in dt_dev_read_history () from /usr/bin/../lib/darktable/libdarktable.so
#3  0x00007ffff7a677dc in dt_dev_load_image () from /usr/bin/../lib/darktable/libdarktable.so
#4  0x00007ffff7a39d4f in dt_imageio_export_with_flags () from /usr/bin/../lib/darktable/libdarktable.so
#5  0x00007ffff7a4485d in ?? () from /usr/bin/../lib/darktable/libdarktable.so
#6  0x00007ffff7a4655d in dt_mipmap_cache_read_get () from /usr/bin/../lib/darktable/libdarktable.so
#7  0x00007ffff7a63e9a in dt_image_load_job_run () from /usr/bin/../lib/darktable/libdarktable.so
#8  0x00007ffff7a5d688 in dt_control_run_job () from /usr/bin/../lib/darktable/libdarktable.so
#9  0x00007ffff7a5d77b in dt_control_work () from /usr/bin/../lib/darktable/libdarktable.so
#10 0x00007ffff4f43b50 in start_thread (arg=<optimized out>) at pthread_create.c:304
#11 0x00007ffff1d95a7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#12 0x0000000000000000 in ?? ()

(I was trying to import tags from shotwell by hand to work around a bug there where RAW images are not tagged properly, but where the metadata is stored only in the shotwell database. I would welcome advice on how to mass-add metadata to images in DT to finish my shotwell import.)

Here's the metadata on that file:

anarcat@marcos:darktable$ exiv2 -pa /home/anarcat/Photos/2013/02/24/IMG_0852_CR2.jpg
Exif.Image.ImageDescription                  Ascii      32
Exif.Image.Make                              Ascii       6  Canon
Exif.Image.Model                             Ascii      20  Canon PowerShot G12
Exif.Image.Orientation                       Short       1  haut, gauche
Exif.Image.XResolution                       Rational    1  180
Exif.Image.YResolution                       Rational    1  180
Exif.Image.ResolutionUnit                    Short       1  Pouce
Exif.Image.DateTime                          Ascii      20  2013:02:24 14:52:49
Exif.Image.YCbCrPositioning                  Short       1  Co-sited
Exif.Image.ExifTag                           Long        1  240
Exif.Photo.ExposureTime                      Rational    1  1/250 s
Exif.Photo.FNumber                           Rational    1  F4
Exif.Photo.ISOSpeedRatings                   Short       1  80
Exif.Photo.SensitivityType                   Short       1  4
Exif.Photo.ExifVersion                       Undefined   4  2.30
Exif.Photo.DateTimeOriginal                  Ascii      20  2013:02:24 14:52:49
Exif.Photo.DateTimeDigitized                 Ascii      20  2013:02:24 14:52:49
Exif.Photo.ComponentsConfiguration           Undefined   4  YCbCr
Exif.Photo.CompressedBitsPerPixel            Rational    1  3
Exif.Photo.ShutterSpeedValue                 SRational   1  1/251 s
Exif.Photo.ApertureValue                     Rational    1  F4
Exif.Photo.ExposureBiasValue                 SRational   1  0 EV
Exif.Photo.MaxApertureValue                  Rational    1  F4
Exif.Photo.MeteringMode                      Short       1  Multi-segments
Exif.Photo.Flash                             Short       1  Non, inhibé
Exif.Photo.FocalLength                       Rational    1  18.1 mm
Exif.Photo.MakerNote                         Undefined 2722  (Valeur binaire supprimée)
Exif.MakerNote.Offset                        Long        1  746
Exif.MakerNote.ByteOrder                     Ascii       3  II
Exif.CanonCs.Macro                           Short       1  Désactivé
Exif.CanonCs.Selftimer                       Short       1  Off
Exif.CanonCs.Quality                         Short       1  Fin
Exif.CanonCs.FlashMode                       Short       1  Désactivé
Exif.CanonCs.DriveMode                       Short       1  Temporisateur
Exif.CanonCs.FocusMode                       Short       1  Simple
Exif.CanonCs.ImageSize                       Short       1  Grande
Exif.CanonCs.EasyMode                        Short       1  Manuel
Exif.CanonCs.DigitalZoom                     Short       1  Aucun
Exif.CanonCs.Contrast                        Short       1  Normal
Exif.CanonCs.Saturation                      Short       1  Normal
Exif.CanonCs.Sharpness                       Short       1  Normal
Exif.CanonCs.ISOSpeed                        Short       1  Automatique
Exif.CanonCs.MeteringMode                    Short       1  Évaluatif
Exif.CanonCs.FocusType                       Short       1  Automatique
Exif.CanonCs.AFPoint                         Short       1  Sélection point AF manuelle
Exif.CanonCs.ExposureProgram                 Short       1  Programme (P)
Exif.CanonCs.LensType                        Short       1  (65535)
Exif.CanonCs.Lens                            Short       3  6.1 - 30.5 mm
Exif.CanonCs.MaxAperture                     Short       1  F4
Exif.CanonCs.MinAperture                     Short       1  F8
Exif.CanonCs.FlashActivity                   Short       1  Le flash ne s'est pas déclenché.
Exif.CanonCs.FlashDetails                    Short       1
Exif.CanonCs.FocusContinuous                 Short       1  Continue
Exif.CanonCs.AESetting                       Short       1  AE Normal
Exif.CanonCs.ImageStabilization              Short       1  Activé
Exif.CanonCs.DisplayAperture                 Short       1  0
Exif.CanonCs.ZoomSourceWidth                 Short       1  3648
Exif.CanonCs.ZoomTargetWidth                 Short       1  3648
Exif.CanonCs.SpotMeteringMode                Short       1  Centre
Exif.CanonCs.PhotoEffect                     Short       1  (65535)
Exif.CanonCs.ManualFlashOutput               Short       1  n/a
Exif.CanonCs.ColorTone                       Short       1  32767
Exif.CanonCs.SRAWQuality                     Short       1  (65535)
Exif.Canon.FocalLength                       Short       4  18.1 mm
Exif.CanonSi.ISOSpeed                        Short       1  100
Exif.CanonSi.MeasuredEV                      Short       1  13.25
Exif.CanonSi.TargetAperture                  Short       1  F4
Exif.CanonSi.TargetShutterSpeed              Short       1  1/251 s
Exif.CanonSi.WhiteBalance                    Short       1  Automatique
Exif.CanonSi.Sequence                        Short       1  0
Exif.CanonSi.AFPointUsed                     Short       1  0 focus points; none used
Exif.CanonSi.FlashBias                       Short       1  0 EV
Exif.CanonSi.SubjectDistance                 Short       1  6553
Exif.CanonSi.ApertureValue                   Short       1  F4
Exif.CanonSi.ShutterSpeedValue               Short       1  1/273 s
Exif.CanonSi.MeasuredEV2                     Short       1  -6.00
Exif.Canon.ImageType                         Ascii      23  IMG:PowerShot G12 JPEG
Exif.Canon.FirmwareVersion                   Ascii      22  Firmware Version 1.00
Exif.Canon.FileNumber                        Long        1  104-0852
Exif.Canon.OwnerName                         Ascii      32
Exif.Canon.CameraInfo                        Long      264  7 371 411 0 0 0 384 779 4294967256 0 0 0 0 577 793 4294967269 0 0 4294967294 2 0 4294967288 0 0 0 12 7 794 792 792 384 984 4294967269 0 0 792 792 0 0 1 0 10 0 0 0 0 0 0 0 0 0 82 1024 1024 4294967217 170 0 0 0 0 0 0 951 0 119 4294967283 0 0 0 0 0 0 1009 978 1056 1320 0 119 4294967283 160 873 1660 1867 873 0 0 0 1 373 999 794 603 4294967269 4294967277 192 1 0 0 1425 5 0 1160 1231 1306 1385 1506 0 0 0 1089 0 0 0 0 0 0 0 0 0 0 0 0 1087 65535 0 0 0 1824 228 748 93 1076 134 328 41 4091 4091 1 1 2 0 0 0 0 0 0 4294957949 11803 0 65486 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1361717501 1361717506 0 0 256 1179823616 2153121 1174405120 0 1179807744 15872 1174405120 0 1201961472 935712 1202897408 5061632 1174405120 4888571 1192269824 15689728 0 0 0 5 6 901481477
Exif.Canon.ModelID                           Long        1  (43122688)
Exif.Canon.AFInfo                            Short      49  98 2 9 1 3648 2736 100 100 18 0 0 0 0 0 0 0 0 18 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0
Exif.Canon.ThumbnailImageValidArea           Short       4  0 0 0 0
Exif.Canon.VRDOffset                         Long        1  0
Exif.Photo.UserComment                       Undefined 264  (Valeur binaire supprimée)
Exif.Photo.FlashpixVersion                   Undefined   4  1.00
Exif.Photo.ColorSpace                        Short       1  sRGB
Exif.Photo.PixelXDimension                   Short       1  3648
Exif.Photo.PixelYDimension                   Short       1  2736
Exif.Photo.InteroperabilityTag               Long        1  3774
Exif.Iop.InteroperabilityIndex               Ascii       4  R98
Exif.Iop.InteroperabilityVersion             Undefined   4  1.00
Exif.Iop.RelatedImageWidth                   Short       1  3648
Exif.Iop.RelatedImageLength                  Short       1  2736
Exif.Photo.FocalPlaneXResolution             Rational    1  12493.2
Exif.Photo.FocalPlaneYResolution             Rational    1  12493.2
Exif.Photo.FocalPlaneResolutionUnit          Short       1  Pouce
Exif.Photo.SensingMethod                     Short       1  Mono-CCD
Exif.Photo.FileSource                        Undefined   1  Appareil photo numérique
Exif.Photo.CustomRendered                    Short       1  Processus normal
Exif.Photo.ExposureMode                      Short       1  Automatique
Exif.Photo.WhiteBalance                      Short       1  Automatique
Exif.Photo.DigitalZoomRatio                  Rational    1  1.0
Exif.Photo.SceneCaptureType                  Short       1  Standard
Exif.Thumbnail.Compression                   Short       1  JPEG (ancienne version)
Exif.Thumbnail.XResolution                   Rational    1  180
Exif.Thumbnail.YResolution                   Rational    1  180
Exif.Thumbnail.ResolutionUnit                Short       1  Pouce
Exif.Thumbnail.JPEGInterchangeFormat         Long        1  5108
Exif.Thumbnail.JPEGInterchangeFormatLength   Long        1  3759
Xmp.dc.subject                               XmpBag      1  obitciwan

I attach a copy of the malicious file for extra fun.

Note that removing the tag doesn't fix the problem: the image actually needs to be removed from the database for DT to recover.

IMG_0852_CR2.jpg (2.07 MB) Antoine Beaupré, 06/07/2013 07:33 AM

Associated revisions

Revision 95a8a4b3 (diff)
Added by Pascal Obry about 6 years ago

Make sure a malformed XMP won't crash dt.

When trying to import a lr XMP exits if the XMP does not contain
a node.

Fixes #9457.

History

#1 Updated by Antoine Beaupré over 6 years ago

Actually, the problem is not with the image file, sorry! It's a corrupted sidecar file that I managed to create with exiv2 (wow):

<?xml version="1.0" encoding="UTF-8"?>

That is all there is in that file.

#2 Updated by Pascal Obry over 6 years ago

If I remember correctly this was reproducible before my work on lightroom import. In fact I had some crashes when removing and re-importing a photo. But maybe this is another issue altogether, the backtrace did point to lr import code.

#3 Updated by Pascal Obry about 6 years ago

  • bitness set to 64-bit
  • Status changed from New to Closed: invalid

As not really a dt issue, closing.

#4 Updated by Antoine Beaupré about 6 years ago

Wait what..? The backtrace clearly crashes in libdarktable.so, and it crashes badly:

#0  0x00007ffff7a72742 in dt_lightroom_import () from /usr/bin/../lib/darktable/libdarktable.so

Yes, maybe it is in the lightroom import code, but it seems to me that if darktable can be made to crash on arbitrary input, it is at the very least an annoying bug, but probably more a serious security issue that should be fixed.

#5 Updated by Tobias Ellinghaus about 6 years ago

  • % Done changed from 0 to 20
  • Status changed from Closed: invalid to Incomplete

Indeed, darktable shouldn't crash. However, I just tried with your image and the XMP you described and it didn't crash. Could you please try with 1.4rc1 or git?

#6 Updated by Pascal Obry about 6 years ago

Antoine Beaupré wrote:

Wait what..? The backtrace clearly crashes in libdarktable.so, and it crashes badly:

[...]

Yes, maybe it is in the lightroom import code, but it seems to me that if darktable can be made to crash on arbitrary input, it is at the very least an annoying bug, but probably more a serious security issue that should be fixed.

100% agreed, but can't reproduce...

#7 Updated by Pascal Obry about 6 years ago

  • % Done changed from 20 to 100
  • Status changed from Incomplete to Fixed

I had not named properly the XMP. I can reproduce and should now be fixed.
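
The failure mode in this report, a sidecar that holds only the XML declaration and therefore has no root element, can be rejected before any node is dereferenced. The following is an added example, not darktable's code: `find_root_name`, `check_sidecar` and the status enum are hypothetical names, and the expected root element `xmpmeta` is an assumption based on the usual XMP packet wrapper.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum sidecar_status { SIDECAR_OK, SIDECAR_NO_ROOT, SIDECAR_NOT_XMP };

/* Hypothetical helper: copy the root element name into out. Skips whitespace,
 * <?...?> (declaration, PIs) and <!...> (comments, simple DOCTYPE).
 * Returns 0 when a root element exists, -1 when the document has none. */
static int find_root_name(const char *p, char *out, size_t out_sz)
{
  while (*p) {
    if (isspace((unsigned char)*p)) { p++; continue; }
    if (*p != '<') return -1;                    /* stray text, no element */
    if (p[1] == '?') {
      const char *end = strstr(p, "?>");
      if (!end) return -1;
      p = end + 2;
    } else if (p[1] == '!') {
      int comment = strncmp(p, "<!--", 4) == 0;
      const char *end = comment ? strstr(p + 4, "-->") : strchr(p, '>');
      if (!end) return -1;
      p = end + (comment ? 3 : 1);
    } else {
      size_t n = 0;
      for (p++; *p && !isspace((unsigned char)*p) && *p != '>' && *p != '/'; p++)
        if (n + 1 < out_sz) out[n++] = *p;
      out[n] = '\0';
      return n ? 0 : -1;
    }
  }
  return -1;                                     /* e.g. declaration only */
}

/* Refuse the sidecar up front instead of dereferencing a missing root node. */
enum sidecar_status check_sidecar(const char *xml)
{
  char root[64];
  if (xml == NULL || find_root_name(xml, root, sizeof root) != 0)
    return SIDECAR_NO_ROOT;
  const char *local = strchr(root, ':');         /* drop a prefix such as "x:" */
  local = local ? local + 1 : root;
  return strcmp(local, "xmpmeta") == 0 ? SIDECAR_OK : SIDECAR_NOT_XMP;
}

int main(void)
{
  const char *broken = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
  printf("status=%d\n", check_sidecar(broken));  /* sidecar from the report */
}
```

With a real XML library the same guard is a NULL check on the returned document and on its root element before reading the element's name.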
