I have to walk away from this bug for a while. Maybe this
message can give someone else a head start.
It's quite a Heisenbug, disappearing when you put any
malloc in besides vanilla libc; I tried electric fence
and dmalloc, I understand valgrind is the same.
My comments refer to broken2.jp2. The bug reproduces easily
in an out-of-the-box build of jasper_1.701.0.orig.tar.gz.
I find that much easier to work with than a full Debian build,
with all its shared library gyrations.
tar -xvzf jasper_1.701.0.orig.tar.gz
cd jasper-1.701.0
./configure
make
gdb src/appl/imginfo
run -f /path/to/broken2.jp2
*** glibc detected *** double free or corruption (!prev): 0x000000000054ecb0 ***
Program received signal SIGABRT, Aborted.
0x00002b65b5d5907b in raise () from /lib/libc.so.6
I can trace the main file parsing loop that starts in
src/libjasper/jpc/jpc_dec.c:369. It makes its way through the
get, check, process, and destroy phases of "marker segments" of
type SOC, SIZ, COM, COD, QCD, and QCC. It crashes in the destroy
phase of a second QCC marker segment. Yes, I added a bunch of
printf's. They don't seem to affect the bug the way a different
malloc library does.
Just in case it's a hint to any jasper experts reading, the
two QCC headers printed by jpc_qcc_dumpparms() are
type = 0xff5d (QCC); len = 20;compno = 1; qntsty = 0; numguard = 2;
numstepsizes = 16
type = 0xff5d (QCC); len = 2068;compno = 2; qntsty = 0; numguard = 2;
numstepsizes = 2064
I have to admit that doesn't mean much to me.
- Larry
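An added illustration of the kind of check a decoder would want on the header above; this is not jasper's code and makes no claim about where the reported corruption actually originates. It parses a QCC marker segment body (everything after the 0xFF5D marker) according to the JPEG 2000 Part 1 layout: Lqcc (2 bytes, counting itself), Cqcc (1 byte when there are fewer than 257 components, else 2), Sqcc (low 5 bits quantization style, high 3 bits guard bits), then one step size per subband. Since Part 1 allows at most 32 decomposition levels, a component can have at most 3*32+1 = 97 subbands, so a step-size count derived purely from Lqcc is bounded against that maximum before anything is allocated. The two constructed buffers mirror the two headers printed by jpc_qcc_dumpparms(): Lqcc = 20 yields 16 step sizes and parses, while Lqcc = 2068 yields 2064 and is rejected. The helper names (qcc_parse, qcc_build, qcc_parms_t) and the component count of 3 are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* JPEG 2000 Part 1: at most 32 decomposition levels, so at most 3*32+1 subbands. */
#define QCC_MAX_STEPSIZES 97

typedef struct {
    uint16_t  len;          /* Lqcc, including its own two bytes */
    uint16_t  compno;       /* Cqcc */
    uint8_t   qntsty;       /* Sqcc & 0x1f: 0 none, 1 scalar derived, 2 scalar expounded */
    uint8_t   numguard;     /* Sqcc >> 5 */
    uint16_t  numstepsizes; /* derived from Lqcc, never trusted blindly */
    uint16_t *stepsizes;    /* heap buffer sized from the validated count; NULL on failure */
} qcc_parms_t;

/* Parse a QCC body starting at Lqcc. csiz is the component count from SIZ.
 * Returns 0 on success, -1 on any malformed input; out is zeroed on failure. */
int qcc_parse(const uint8_t *buf, size_t buflen, int csiz, qcc_parms_t *out)
{
    size_t compno_size = (csiz < 257) ? 1 : 2;
    size_t pos, remaining, stepsize_bytes, n, i;
    uint8_t sqcc;

    memset(out, 0, sizeof(*out));
    if (buflen < 2) return -1;
    out->len = (uint16_t)((buf[0] << 8) | buf[1]);
    pos = 2;
    /* The segment must fit in what we were given and hold at least Cqcc and Sqcc. */
    if (out->len < 2 + compno_size + 1 || out->len > buflen) return -1;
    if (compno_size == 1) { out->compno = buf[pos]; pos += 1; }
    else { out->compno = (uint16_t)((buf[pos] << 8) | buf[pos + 1]); pos += 2; }
    if (out->compno >= csiz) return -1;
    sqcc = buf[pos++];
    out->qntsty = sqcc & 0x1f;
    out->numguard = sqcc >> 5;

    remaining = (size_t)out->len - pos;
    switch (out->qntsty) {
    case 0: stepsize_bytes = 1; break;                 /* 8-bit exponent per subband */
    case 1: if (remaining != 2) return -1;             /* exactly one 16-bit value */
            stepsize_bytes = 2; break;
    case 2: stepsize_bytes = 2; break;                 /* 16-bit value per subband */
    default: return -1;                                /* reserved style */
    }
    if (remaining % stepsize_bytes != 0) return -1;
    n = remaining / stepsize_bytes;
    /* A count that only Lqcc vouches for is capped by what the spec permits. */
    if (n == 0 || n > QCC_MAX_STEPSIZES) return -1;

    out->stepsizes = malloc(n * sizeof(uint16_t));
    if (!out->stepsizes) return -1;
    out->numstepsizes = (uint16_t)n;
    for (i = 0; i < n; i++) {
        out->stepsizes[i] = (stepsize_bytes == 1)
            ? buf[pos + i]
            : (uint16_t)((buf[pos + 2 * i] << 8) | buf[pos + 2 * i + 1]);
    }
    return 0;
}

void qcc_free(qcc_parms_t *p) { free(p->stepsizes); p->stepsizes = NULL; }

/* Build a constructed QCC body: Lqcc, a 1-byte Cqcc, Sqcc, then filler step sizes. */
size_t qcc_build(uint8_t *dst, size_t cap, uint16_t lqcc, uint8_t cqcc, uint8_t sqcc)
{
    size_t i;
    if (lqcc < 4 || cap < lqcc) return 0;
    dst[0] = (uint8_t)(lqcc >> 8); dst[1] = (uint8_t)lqcc;
    dst[2] = cqcc; dst[3] = sqcc;
    for (i = 4; i < lqcc; i++) dst[i] = (uint8_t)(i & 0xff);
    return lqcc;
}

/* Shape of the first header in the report: len 20, compno 1, 2 guard bits, no quantization.
 * Returns numstepsizes on success, -1 otherwise. */
int example_well_formed(void)
{
    uint8_t buf[20]; qcc_parms_t p; int count;
    size_t n = qcc_build(buf, sizeof buf, 20, 1, 0x40);
    if (qcc_parse(buf, n, 3, &p) != 0) return -1;
    count = (p.compno == 1 && p.numguard == 2 && p.qntsty == 0) ? p.numstepsizes : -1;
    qcc_free(&p);
    return count;
}

/* Shape of the second header: len 2068 implies 2064 step sizes, beyond any legal subband count. */
int example_oversized(void)
{
    static uint8_t buf[2068]; qcc_parms_t p; int rc;
    size_t n = qcc_build(buf, sizeof buf, 2068, 2, 0x40);
    rc = qcc_parse(buf, n, 3, &p);
    qcc_free(&p);
    return rc;
}

/* Lqcc claims 20 bytes but only 10 are actually available. */
int example_truncated(void)
{
    uint8_t buf[20]; qcc_parms_t p; int rc;
    qcc_build(buf, sizeof buf, 20, 1, 0x40);
    rc = qcc_parse(buf, 10, 3, &p);
    qcc_free(&p);
    return rc;
}

int main(void)
{
    printf("well-formed: %d stepsizes\n", example_well_formed());
    printf("oversized:   rc=%d\n", example_oversized());
    printf("truncated:   rc=%d\n", example_truncated());
    return 0;
}
```

The useful property here is that the allocation size is decided by a value checked against a limit the format itself defines, not by whatever Lqcc happens to say; a header that is internally consistent (2068 - 4 = 2064, which is why a length-only check passes it) still fails the subband bound.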