Bug#569710: gimv crashes with glibc error (double free or corruption) when viewing .xcf (Gimp format) files which contain a selected area

M. W. van Tol Sat, 13 Feb 2010 09:24:24 -0800

Package: gimageview

Version: 0.2.27-1


The gimv imageviewer crashes badly when it encounters a .xcf file 
(which is the native format of The Gimp) when the file contains a
selected area. This happens both when the file is opened with the 
viewer, as well as when the file is in a directory that is opened in 
thumbnailview as soon as it tries to generate a thumbnail. I have 
attached two example .xcf files to illustrate the problem. They
contain exactly the same image (a red square), however in test2.xcf an
area is selected, something that The Gimp saves in .xcf files. Opening
test1.xcf is no problem for gimv. Trying to open test2.xcf resulted in
the following Glibc crashdump on my system:

$ gimv test2.xcf 
filename = /home/mwvantol/tmp/gimv/test2.xcf
*** glibc detected *** gimv: double free or corruption (!prev): 0x08220b38 ***
======= Backtrace: =========
/lib/libc.so.6[0xb7888845]
/lib/libc.so.6(cfree+0x9c)[0xb788a6ec]
/usr/lib/libglib-2.0.so.0(g_free+0x36)[0xb799e446]
/usr/lib/gimageview/image_loader/libgimv_xcf_loader.so(xcf_load_channel+0x232)[0xb7278e22]
/usr/lib/gimageview/image_loader/libgimv_xcf_loader.so(xcf_load_image+0x349)[0xb72786e9]
/usr/lib/gimageview/image_loader/libgimv_xcf_loader.so(xcf_load+0x55)[0xb7278325]
gimv(gimv_image_loader_load+0x22c)[0x808a7cc]
gimv[0x80913d1]
gimv(gimv_image_view_show_image+0x1e)[0x808eefe]
gimv[0x808d481]
/usr/lib/libgobject-2.0.so.0(g_cclosure_marshal_VOID__VOID+0x84)[0xb7a32064]
/usr/lib/libgobject-2.0.so.0(g_closure_invoke+0x1ab)[0xb7a2490b]
/usr/lib/libgobject-2.0.so.0[0xb7a383b0]
/usr/lib/libgobject-2.0.so.0(g_signal_emit_valist+0x7fe)[0xb7a3939e]
/usr/lib/libgobject-2.0.so.0(g_signal_emit+0x26)[0xb7a397e6]
/usr/lib/libgtk-x11-2.0.so.0(gtk_widget_map+0x9c)[0xb7e0c39c]
/usr/lib/libgtk-x11-2.0.so.0[0xb7d62561]
/usr/lib/libgtk-x11-2.0.so.0(gtk_container_forall+0x96)[0xb7c38ad6]
/usr/lib/libgtk-x11-2.0.so.0[0xb7c3ac1b]
/usr/lib/libgobject-2.0.so.0(g_cclosure_marshal_VOID__VOID+0x84)[0xb7a32064]
/usr/lib/libgobject-2.0.so.0[0xb7a23089]
/usr/lib/libgobject-2.0.so.0(g_closure_invoke+0xd8)[0xb7a24838]
/usr/lib/libgobject-2.0.so.0[0xb7a376c6]
/usr/lib/libgobject-2.0.so.0(g_signal_emit_valist+0x7fe)[0xb7a3939e]
/usr/lib/libgobject-2.0.so.0(g_signal_emit+0x26)[0xb7a397e6]
/usr/lib/libgtk-x11-2.0.so.0(gtk_widget_map+0x9c)[0xb7e0c39c]
/usr/lib/libgtk-x11-2.0.so.0[0xb7bf52c0]
/usr/lib/libgtk-x11-2.0.so.0(gtk_container_forall+0x96)[0xb7c38ad6]
/usr/lib/libgtk-x11-2.0.so.0[0xb7c3ac1b]
/usr/lib/libgobject-2.0.so.0(g_cclosure_marshal_VOID__VOID+0x84)[0xb7a32064]
/usr/lib/libgobject-2.0.so.0[0xb7a23089]
/usr/lib/libgobject-2.0.so.0(g_closure_invoke+0xd8)[0xb7a24838]
/usr/lib/libgobject-2.0.so.0[0xb7a376c6]
/usr/lib/libgobject-2.0.so.0(g_signal_emit_valist+0x7fe)[0xb7a3939e]
/usr/lib/libgobject-2.0.so.0(g_signal_emit+0x26)[0xb7a397e6]
/usr/lib/libgtk-x11-2.0.so.0(gtk_widget_map+0x9c)[0xb7e0c39c]
/usr/lib/libgtk-x11-2.0.so.0[0xb7bf52c0]
/usr/lib/libgtk-x11-2.0.so.0(gtk_container_forall+0x96)[0xb7c38ad6]
/usr/lib/libgtk-x11-2.0.so.0[0xb7c3ac1b]
/usr/lib/libgobject-2.0.so.0(g_cclosure_marshal_VOID__VOID+0x84)[0xb7a32064]
/usr/lib/libgobject-2.0.so.0[0xb7a23089]
/usr/lib/libgobject-2.0.so.0(g_closure_invoke+0xd8)[0xb7a24838]
/usr/lib/libgobject-2.0.so.0[0xb7a376c6]
/usr/lib/libgobject-2.0.so.0(g_signal_emit_valist+0x7fe)[0xb7a3939e]
/usr/lib/libgobject-2.0.so.0(g_signal_emit+0x26)[0xb7a397e6]
/usr/lib/libgtk-x11-2.0.so.0(gtk_widget_map+0x9c)[0xb7e0c39c]
/usr/lib/libgtk-x11-2.0.so.0[0xb7e1d5b5]
/usr/lib/libgobject-2.0.so.0(g_cclosure_marshal_VOID__VOID+0x84)[0xb7a32064]
/usr/lib/libgobject-2.0.so.0[0xb7a23089]
/usr/lib/libgobject-2.0.so.0(g_closure_invoke+0x1ab)[0xb7a2490b]
/usr/lib/libgobject-2.0.so.0[0xb7a376c6]
/usr/lib/libgobject-2.0.so.0(g_signal_emit_valist+0x7fe)[0xb7a3939e]
/usr/lib/libgobject-2.0.so.0(g_signal_emit+0x26)[0xb7a397e6]
/usr/lib/libgtk-x11-2.0.so.0(gtk_widget_map+0x9c)[0xb7e0c39c]
/usr/lib/libgtk-x11-2.0.so.0[0xb7e1d6be]
/usr/lib/libgobject-2.0.so.0(g_cclosure_marshal_VOID__VOID+0x84)[0xb7a32064]
/usr/lib/libgobject-2.0.so.0[0xb7a23089]
/usr/lib/libgobject-2.0.so.0(g_closure_invoke+0x1ab)[0xb7a2490b]
/usr/lib/libgobject-2.0.so.0[0xb7a376c6]
/usr/lib/libgobject-2.0.so.0(g_signal_emit_valist+0x7fe)[0xb7a3939e]
/usr/lib/libgobject-2.0.so.0(g_signal_emit+0x26)[0xb7a397e6]
/usr/lib/libgtk-x11-2.0.so.0(gtk_widget_show+0x9c)[0xb7e0cb6c]
gimv(gimv_image_win_open_window+0x42)[0x80999b2]
======= Memory map: ========
08048000-08112000 r-xp 00000000 03:02 521848     /usr/bin/gimv
08112000-0811f000 rw-p 000c9000 03:02 521848     /usr/bin/gimv
0811f000-08241000 rw-p 00000000 00:00 0          [heap]
b6d00000-b6d21000 rw-p 00000000 00:00 0 
b6d21000-b6e00000 ---p 00000000 00:00 0 
b6e57000-b6e63000 r-xp 00000000 03:02 732969     /lib/libgcc_s.so.1
b6e63000-b6e64000 rw-p 0000b000 03:02 732969     /lib/libgcc_s.so.1
b6e79000-b6e8a000 r--p 00000000 03:02 751074     
/usr/share/fonts/truetype/ttf-bitstream-vera/Vera.ttf
b6e8a000-b6e8c000 r-xp 00000000 03:02 293831     
/usr/lib/pango/1.6.0/modules/pango-basic-fc.so
b6e8c000-b6e8d000 rw-p 00001000 03:02 293831     
/usr/lib/pango/1.6.0/modules/pango-basic-fc.so
b6e8d000-b6e93000 r--s 00000000 03:02 33616      
/var/cache/fontconfig/945677eb7aeaf62f1d50efc3fb3ec7d8-x86.cache-2
b6e93000-b6e99000 r--s 00000000 03:02 35289      
/var/cache/fontconfig/e383d7ea5fbe662a33d9b44caf393297-x86.cache-2
b6e99000-b6e9d000 r--s 00000000 03:02 33641      
/var/cache/fontconfig/926e794c3d5e5dffcaf2fa83ef8d36c2-x86.cache-2
b6e9d000-b6ea0000 r--s 00000000 03:02 35287      
/var/cache/fontconfig/6eb3985aa4124903f6ff08ba781cd364-x86.cache-2
b6ea0000-b6ea7000 r--s 00000000 03:02 35286      
/var/cache/fontconfig/6d41288fd70b0be22e8c3a91e032eec0-x86.cache-2
b6ea7000-b6eaa000 r--s 00000000 03:02 33533      
/var/cache/fontconfig/de156ccd2eddbdc19d37a45b8b2aac9c-x86.cache-2
b6eaa000-b6eac000 r--s 00000000 03:02 33532      
/var/cache/fontconfig/ddd4086aec35a5275babba44bb759c3c-x86.cache-2
b6eac000-b6ead000 r--s 00000000 03:02 33531      
/var/cache/fontconfig/4794a0821666d79190d59a36cb4f44b5-x86.cache-2
b6ead000-b6ecf000 r--s 00000000 03:02 32994      
/var/cache/fontconfig/365b55f210c0a22e9a19e35191240f32-x86.cache-2
b6ecf000-b6ed1000 r--s 00000000 03:02 32962      
/var/cache/fontconfig/2c5ba8142dffc8bf0377700342b8ca1a-x86.cache-2
b6ed1000-b6ed4000 r--s 00000000 03:02 32961      
/var/cache/fontconfig/de9486f0b47a4d768a594cb4198cb1c6-x86.cache-2
b6ed4000-b6ed9000 r--s 00000000 03:02 32960      
/var/cache/fontconfig/105b9c7e6f0a4f82d8c9b6e39c52c6f9-x86.cache-2
b6ed9000-b6edc000 r--s 00000000 03:02 32959      
/var/cache/fontconfig/6386b86020ecc1ef9690bb720a13964f-x86.cache-2
b6edc000-b6ee2000 r--s 00000000 03:02 32955      
/var/cache/fontconfig/089dead882dea3570ffc31a9898cfb69-x86.cache-2
b6ee2000-b6eec000 r--s 00000000 03:02 32863      
/var/cache/fontconfig/cabbd14511b9e8a55e92af97fb3a0461-x86.cache-2
b6eec000-b6ef9000 r--s 00000000 03:02 32880      
/var/cache/fontconfig/e13b20fdb08344e0e664864cc2ede53d-x86.cache-2
b6ef9000-b6efb000 r--s 00000000 03:02 33640      
/var/cache/fontconfig/7ef2298fde41cc6eeb7af42e48b7d293-x86.cache-2
b6efb000-b6f09000 r--s 00000000 03:02 32912      
/var/cache/fontconfig/865f88548240fee46819705c6468c165-x86.cache-2
b6f09000-b6f69000 rw-s 00000000 00:07 23461899   /SYSV00000000 (deleted)
b6f69000-b6f6f000 r-xp 00000000 03:02 260850     
/usr/lib/gtk-2.0/2.10.0/loaders/libpixbufloader-xpm.so
b6f6f000-b6f70000 rw-p 00005000 03:02 260850     
/usr/lib/gtk-2.0/2.10.0/loaders/libpixbufloader-xpm.so
b6f70000-b6f71000 r-xp 00000000 03:02 838774     /usr/lib/gconv/ISO8859-1.so
b6f71000-b6f73000 rw-p 00001000 03:02 838774     /usr/lib/gconv/ISO8859-1.so
b6f73000-b6f8a000 r-xp 00000000 03:02 732979     /lib/libselinux.so.1
b6f8a000-b6f8c000 rw-p 00016000 03:02 732979     /lib/libselinux.so.1
b6f8c000-b6fed000 r-xp 00000000 03:02 603493     /usr/lib/libgio-2.0.so.0.0.0
b6fed000-b6fef000 rw-p 00061000 03:02 603493     /usr/lib/libgio-2.0.so.0.0.0
b6fef000-b7122000 r-xp 00000000 03:02 603960     /usr/lib/libxml2.so.2.6.32
b7122000-b7127000 rw-p 00132000 03:02 603960     /usr/lib/libxml2.so.2.6.32
b7127000-b7128000 rw-p 00000000 00:00 0 
b7128000-b7159000 r-xp 00000000 03:02 603376     /usr/lib/libcroco-0.6.so.3.0.1
b7159000-b715c000 rw-p 00030000 03:02 603376     /usr/lib/libcroco-0.6.so.3.0.1
b715c000-b718d000 r-xp 00000000 03:02 603767     /usr/lib/libgsf-1.so.114.0.8
b718d000-b7190000 rw-p 00030000 03:02 603767     /usr/lib/libgsf-1.so.114.0.8
b7190000-b7191000 rw-p 00000000 00:00 0 
b7191000-b71c1000 r-xp 00000000 03:02 603662     /usr/lib/librsvg-2.so.2.22.2
b71c1000-b71c2000 rw-p 00030000 03:02 603662     /usr/lib/librsvg-2.so.2.22.2
b71c2000-b71f2000 r-xp 00000000 03:02 604311     /usr/lib/liblcms.so.1.0.16
b71f2000-b71f3000 rw-p 00030000 03:02 604311     /usr/lib/liblcms.so.1.0.16
b71f3000-b71f6000 rw-p 00000000 00:00 0 
b71f6000-b7264000 r-xp 00000000 03:02 602998     /usr/lib/libmng.so.1.1.0.9
b7264000-b7267000 rw-p 0006e000 03:02 602998     /usr/lib/libmng.so.1.1.0.9
b7267000-b7269000 r-xp 00000000 03:02 1189771    
/usr/lib/gimageview/archiver/libgimv_zip_extarc.so
b7269000-b726a000 rw-p 00002000 03:02 1189771    
/usr/lib/gimageview/archiver/libgimv_zip_extarc.so
b726a000-b726d000 r-xp 00000000 03:02 1189769    
/usr/lib/gimageview/archiver/libgimv_tar_extarc.so
b726d000-b726e000 rw-p 00003000 03:02 1189769    
/usr/lib/gimageview/archiver/libgimv_tar_extarc.so
b726e000-b7270000 r-xp 00000000 03:02 1189767    
/usr/lib/gimageview/archiver/libgimv_rar_extarc.so
b7270000-Aborted


I have also tried getting more info using GDB, but the binary contains 
no debug symbols so the stacktrace you get there is not very useful: 

Program received signal SIGABRT, Aborted.
[Switching to Thread 0xb75336b0 (LWP 6147)]
0xb7959556 in raise () from /lib/libc.so.6
(gdb) bt
#0  0xb7959556 in raise () from /lib/libc.so.6
#1  0xb795ad78 in abort () from /lib/libc.so.6
#2  0xb7993aa5 in ?? () from /lib/libc.so.6
#3  0x00000007 in ?? ()
#4  0xbfaaafe4 in ?? ()
#5  0x00000400 in ?? ()
#6  0xb7a50068 in ?? () from /lib/libc.so.6
#7  0x00000017 in ?? ()
#8  0xbfaaf8c6 in ?? ()
#9  0x0000000d in ?? ()
#10 0xb7a50081 in ?? () from /lib/libc.so.6
#11 0x00000002 in ?? ()
#12 0xb7a50160 in ?? () from /lib/libc.so.6
#13 0x00000021 in ?? ()
#14 0xb7a50085 in ?? () from /lib/libc.so.6
#15 0x00000004 in ?? ()
#16 0xbfaab513 in ?? ()
#17 0x00000008 in ?? ()
#18 0xb7a5008b in ?? () from /lib/libc.so.6
#19 0x00000005 in ?? ()
#20 0xbfaaaef8 in ?? ()
#21 0xb76eb0f0 in _xcb_unlock_io () from /usr/lib/libxcb.so.1
#22 0xb7999845 in ?? () from /lib/libc.so.6
#23 0x00000002 in ?? ()
#24 0xb7a50068 in ?? () from /lib/libc.so.6
#25 0xbfaaf8c6 in ?? ()
#26 0xb7a50160 in ?? () from /lib/libc.so.6
#27 0xbfaab513 in ?? ()
#28 0xb7a50160 in ?? () from /lib/libc.so.6
#29 0x30000003 in ?? ()
#30 0x30323238 in ?? ()
#31 0x00383362 in ?? ()
#32 0xb7a68ff4 in ?? () from /lib/libc.so.6
#33 0xb7a6a160 in ?? () from /lib/libc.so.6
#34 0x00000001 in ?? ()
#35 0xbfaab548 in ?? ()
#36 0xb799b6ec in free () from /lib/libc.so.6
Backtrace stopped: frame did not save the PC
(gdb) 

I am using Debian 5.0.4 (stable) on i686 with kernel 2.6.30, (custom built 
using kernel-package and the linux-source-2.6.30 package version 
2.6.30-8squeeze1), libc6 version 2.7-18lenny2.

test1.xcf
Description: application/xcf

test2.xcf
Description: application/xcf

Bug#569710: gimv crashes with glibc error (double free or corruption) when viewing .xcf (Gimp format) files which contain a selected area

Reply via email to