Hello,

        I have reproduced the same bug with SeaMonkey 2.0.6. The backtrace is:

Core was generated by `/export/home/bertrand/seamonkey/install/lib/seamonkey-2.0.6/seamonkey-bin'.
Program terminated with signal 10, Bus error.
#0  read_tag_XYZType (src=0xff8687b8, index=..., tag_id=1918392666)
    at ../../../../comm-1.9.1/mozilla/gfx/qcms/iccread.c:322
322                     if (type != XYZ_TYPE)
(gdb) bt
#0  read_tag_XYZType (src=0xff8687b8, index=..., tag_id=1918392666)
    at ../../../../comm-1.9.1/mozilla/gfx/qcms/iccread.c:322
#1  0xf581455c in qcms_profile_from_memory (mem=<value optimized out>,
    size=7261) at ../../../../comm-1.9.1/mozilla/gfx/qcms/iccread.c:707
#2  0xf5803a28 in nsJPEGDecoder::ProcessData (this=0xeaa77800,
data=0xeae68004 "\2*5*h*\233*\317+\2+6+i+\235+\321,\5,9,n,\242,\327-\f-A-v-\253-\341.\26.L.\202.\267.\356/$/Z/\221/\307/\376\60\65\60l0\244\60\333\61\22\61J1\202\61\272\61\362\62*2c2\233\62\324\63\r3F3\177\63\270\63\361\64+4e4\236\64\330\65\23\65M5\207\65\302\65\375\66\67\66r6\256\66\351\67$7`7\234\67\327\70\24\70P8\214\70\310\71\5\71B9\177\71\274\71\371:6:t:\262:\357;-;k;\252;\350<'<e<\244<\343=\"=a=\241=\340> >`>\240>\340?!?a?\242?\...@#@d@"...,
    count=<value optimized out>, writeCount=0xff8689b4)
at ../../../../../../comm-1.9.1/mozilla/modules/libpr0n/decoders/jpeg/nsJPEGDecoder.cpp:344

#3  0xf5803c64 in ReadDataOut (in=0xeab4b6a8, closure=0xeaa77800,
fromRawSegment=0xeae68004 "\2*5*h*\233*\317+\2+6+i+\235+\321,\5,9,n,\242,\327-\f-A-v-\253-\341.\26.L.\202.\267.\356/$/Z/\221/\307/\376\60\65\60l0\244\60\333\61\22\61J1\202\61\272\61\362\62*2c2\233\62\324\63\r3F3\177\63\270\63\361\64+4e4\236\64\330\65\23\65M5\207\65\302\65\375\66\67\66r6\256\66\351\67$7`7\234\67\327\70\24\70P8\214\70\310\71\5\71B9\177\71\274\71\371:6:t:\262:\357;-;k;\252;\350<'<e<\244<\343=\"=a=\241=\340> >`>\240>\340?!?a?\242?\...@#@d@"...,
    toOffset=4096, count=4096, writeCount=0xff8689b4)
at ../../../../../../comm-1.9.1/mozilla/modules/libpr0n/decoders/jpeg/nsJPEGDecoder.cpp:253
#4  0xf7de17dc in nsInputStreamTee::WriteSegmentFun (in=0xeab4b6a8,
    closure=0xeab4ee80,
fromSegment=0xeae68004 "\2*5*h*\233*\317+\2+6+i+\235+\321,\5,9,n,\242,\327-\f-A-v-\253-\341.\26.L.\202.\267.\356/$/Z/\221/\307/\376\60\65\60l0\244\60\333\61\22\61J1\202\61\272\61\362\62*2c2\233\62\324\63\r3F3\177\63\270\63\361\64+4e4\236\64\330\65\23\65M5\207\65\302\65\375\66\67\66r6\256\66\351\67$7`7\234\67\327\70\24\70P8\214\70\310\71\5\71B9\177\71\274\71\371:6:t:\262:\357;-;k;\252;\350<'<e<\244<\343=\"=a=\241=\340> >`>\240>\340?!?a?\242?\...@#@d@"..., offset=4096,
    count=4096, writeCount=0xff8689b4)
    at ../../../../comm-1.9.1/mozilla/xpcom/io/nsInputStreamTee.cpp:102
#5  0xf7de5354 in nsPipeInputStream::ReadSegments (this=0xeab4b6a8,
writer=0xf7de17b4 <nsInputStreamTee::WriteSegmentFun(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*)>, closure=0xeab4ee80,
    count=6562, readCount=0xff868c14)
    at ../../../../comm-1.9.1/mozilla/xpcom/io/nsPipe3.cpp:799
#6  0xf7de1620 in nsInputStreamTee::ReadSegments (this=0xeab4ee80,
    writer=0xf5803c4c <ReadDataOut>, closure=0xeaa77800, count=6562,
    bytesRead=0xff868c14)
    at ../../../../comm-1.9.1/mozilla/xpcom/io/nsInputStreamTee.cpp:156
#7 0xf5802d48 in nsJPEGDecoder::WriteFrom (this=0xeaa77800, inStr=0xeab4ee80,
    count=10658, writeCount=0xff868c14)
at ../../../../../../comm-1.9.1/mozilla/modules/libpr0n/decoders/jpeg/nsJPEGDecoder.cpp:271
#8  0xf57fbb94 in imgRequest::OnDataAvailable (this=0xeab4b600,
    aRequest=0xead8650c, ctxt=0x0, inStr=0xeab4ee80, sourceOffset=0,
    count=10658)
at ../../../../../comm-1.9.1/mozilla/modules/libpr0n/src/imgRequest.cpp:995
#9  0xf57f66ec in ProxyListener::OnDataAvailable (this=0xf5bf2ed0,
    aRequest=0xead8650c, ctxt=0x0, inStr=0xeab4ee80, sourceOffset=0,
    count=10658)
at ../../../../../comm-1.9.1/mozilla/modules/libpr0n/src/imgLoader.cpp:1603
#10 0xf5944f50 in nsStreamListenerTee::OnDataAvailable (this=0xeab4e7e0,
request=0xead8650c, context=0x0, input=0xeab4b6a8, offset=0, count=10658) at ../../../../../comm-1.9.1/mozilla/netwerk/base/src/nsStreamListenerTee.cpp:97
#11 0xf599b63c in nsHttpChannel::OnDataAvailable (this=0xead864e0,
    request=0xead7c750, ctxt=0x0, input=0xeab4b6a8, offset=0, count=10658)
at ../../../../../../comm-1.9.1/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp:5047
#12 0xf592b6a4 in nsInputStreamPump::OnStateTransfer (this=0xead7c750)
at ../../../../../comm-1.9.1/mozilla/netwerk/base/src/nsInputStreamPump.cpp:508
#13 0xf592b86c in nsInputStreamPump::OnInputStreamReady (this=0xead7c750,
    stream=0xeab4b6a8)
at ../../../../../comm-1.9.1/mozilla/netwerk/base/src/nsInputStreamPump.cpp:398
#14 0xf7de62a0 in nsInputStreamReadyEvent::Run (this=0xead9e600)
    at ../../../../comm-1.9.1/mozilla/xpcom/io/nsStreamUtils.cpp:111
#15 0xf7dfc6f4 in nsThread::ProcessNextEvent (this=0xf667ef20, mayWait=1,
    result=0xff868ffc)
    at ../../../../comm-1.9.1/mozilla/xpcom/threads/nsThread.cpp:521
#16 0xf7dc5da4 in NS_ProcessNextEvent_P (thread=0xf667ef20, mayWait=1)
    at nsThreadUtils.cpp:247
#17 0xf4ef41e0 in nsBaseAppShell::Run (this=0xf2288570)
at ../../../../../comm-1.9.1/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:170
#18 0xf419cc2c in nsAppStartup::Run (this=0xf21485f0)
at ../../../../../../comm-1.9.1/mozilla/toolkit/components/startup/src/nsAppStartup.cpp:193
#19 0xf7e6ede8 in XRE_main (argc=<value optimized out>,
    argv=<value optimized out>, aAppData=<value optimized out>)
    at ../../../../comm-1.9.1/mozilla/toolkit/xre/nsAppRunner.cpp:3321
#20 0x000116cc in main (argc=1, argv=0xff8696a4)
    at ../../../comm-1.9.1/suite/app/nsSuiteApp.cpp:103
Current language:  auto; currently c
(gdb)

The faulty subroutine is:

// 32-bit type signatures. Each constant is the four ASCII characters shown
// in its trailing comment, packed with the first character in the most
// significant byte (e.g. 'X' = 0x58, 'Y' = 0x59, 'Z' = 0x5a, ' ' = 0x20).
// XYZ_TYPE is compared against the first 32-bit word read at a tag's offset;
// the other three are presumably used the same way by readers not shown here.
#define XYZ_TYPE   0x58595a20 // 'XYZ '
#define CURVE_TYPE 0x63757276 // 'curv'
#define LUT16_TYPE 0x6d667432 // 'mft2'
#define LUT8_TYPE  0x6d667431 // 'mft1'

// Locate the tag identified by tag_id in index and decode it as an XYZ
// element read from src.
//
// Layout consumed here, relative to the tag's offset:
//   +0   32-bit type signature, expected to equal XYZ_TYPE
//   +8   X  (s15Fixed16Number)
//   +12  Y  (s15Fixed16Number)
//   +16  Z  (s15Fixed16Number)
// Bytes +4..+7 are not read.
//
// Returns the decoded XYZNumber. When the tag is absent the zero-initialised
// value is returned and invalid_source() is called with "missing xyztag".
// When the signature is not XYZ_TYPE, invalid_source() is called but the
// three components are still read and returned; callers presumably have to
// consult src's validity state before trusting the result -- confirm.
//
// NOTE(review): the offset comes straight from the tag entry (presumably the
// profile's own tag table, i.e. file-controlled data) and nothing in this
// function checks it for range, for 4-byte alignment, or for wrap-around of
// offset+8/+12/+16 in 32-bit arithmetic. Any such protection has to live in
// read_u32()/read_s15Fixed16Number(), which are not visible here. On a
// strict-alignment CPU a reader that dereferences a cast 32-bit pointer at
// an unaligned address raises SIGBUS; confirm the readers use bytewise
// access or memcpy and bound-check the offset against the source size.
static struct XYZNumber read_tag_XYZType(struct mem_source *src, struct tag_index index, uint32_t tag_id)
{
    struct XYZNumber xyz = {0};
    struct tag *entry = find_tag(index, tag_id);
    uint32_t base;

    // No such tag: flag the source and hand back the all-zero value.
    if (!entry) {
        invalid_source(src, "missing xyztag");
        return xyz;
    }

    base = entry->offset;

    // A wrong signature only flags the source; decoding continues below
    // exactly as it would for a well-formed tag.
    if (read_u32(src, base) != XYZ_TYPE)
        invalid_source(src, "unexpected type, expected XYZ");

    xyz.X = read_s15Fixed16Number(src, base + 8);
    xyz.Y = read_s15Fixed16Number(src, base + 12);
    xyz.Z = read_s15Fixed16Number(src, base + 16);
    return xyz;
}

I don't understand why "type" or the #define would not be aligned.

        Regards,

        JKB


