Bug #647

Seg fault with Olympus E-P1 orf

Added by Udi Fuchs almost 8 years ago. Updated over 7 years ago.

Status: Closed
Start date: 31 Aug 2009
Priority: Normal
Due date:
Assignee: Andreas Huggel
% Done: 100%

Category: tiff parser
Target version: 0.19

Description

exiv2 crashes when trying to read these sample orf files.
Here are two testfiles:
http://rapidshare.com/files/271068787/p8010009.orf.html
http://rapidshare.com/files/271067347/p8010019.orf.html

(Forwarded from ufraw's bug tracker)

Udi


Related issues

Duplicated by Exiv2 - Bug #660: Exiv2 segfault with OLYMPUS E-P1 .ORF file. Closed 16 Dec 2009

Associated revisions

Revision 1897
Added by Andreas Huggel almost 8 years ago

#647: Fixed type of offset which may be negative.

Revision 1898
Added by Andreas Huggel almost 8 years ago

#647: Extended range check.

History

#1 Updated by Andreas Huggel almost 8 years ago

A simple check with the exiv2 command line tool is fine.
How do I reproduce the problem?

Andreas

ahuggel@mowgli> valgrind exiv2-0.18.2 -pa ../../pic/p8010009.orf
==20500== Memcheck, a memory error detector.
==20500== Copyright (C) 2002-2008, and GNU GPL'd, by Julian Seward et al.
==20500== Using LibVEX rev 1884, a library for dynamic binary translation.
==20500== Copyright (C) 2004-2008, and GNU GPL'd, by OpenWorks LLP.
==20500== Using valgrind-3.4.1-Debian, a dynamic binary instrumentation framework.
==20500== Copyright (C) 2000-2008, and GNU GPL'd, by Julian Seward et al.
==20500== For more details, rerun with: -v
==20500== 
Exif.Image.ImageWidth                        Long        1  4100
Exif.Image.ImageLength                       Long        1  3084
Exif.Image.BitsPerSample                     Short       1  16
Exif.Image.Compression                       Short       1  Uncompressed
Exif.Image.PhotometricInterpretation         Short       1  Black Is Zero
Exif.Image.ImageDescription                  Ascii      32  OLYMPUS DIGITAL CAMERA         
Exif.Image.Make                              Ascii      24  OLYMPUS IMAGING CORP.  
Exif.Image.Model                             Ascii      17  E-P1            
Exif.Image.StripOffsets                      Long        1  1449472
Exif.Image.Orientation                       Short       1  top, left
Exif.Image.SamplesPerPixel                   Short       1  1
Exif.Image.RowsPerStrip                      Long        1  3084
Exif.Image.StripByteCounts                   Long        1  10330357
Exif.Image.XResolution                       Rational    1  314
Exif.Image.YResolution                       Rational    1  314
Exif.Image.PlanarConfiguration               Short       1  1
Exif.Image.ResolutionUnit                    Short       1  inch
Exif.Image.Software                          Ascii      32  Version 1.0                    
Exif.Image.DateTime                          Ascii      20  2009:08:01 14:00:26
Exif.Image.ExifTag                           Long        1  266
Exif.Photo.ExposureTime                      Rational    1  1/2000 s
Exif.Photo.FNumber                           Rational    1  F5.4
Exif.Photo.ExposureProgram                   Short       1  Aperture priority
Exif.Photo.ISOSpeedRatings                   Short       1  200
Exif.Photo.ExifVersion                       Undefined   4  2.21
Exif.Photo.DateTimeOriginal                  Ascii      20  2009:08:01 14:00:26
Exif.Photo.DateTimeDigitized                 Ascii      20  2009:08:01 14:00:26
Exif.Photo.ExposureBiasValue                 SRational   1  0 EV
Exif.Photo.MaxApertureValue                  Rational    1  F3.5
Exif.Photo.MeteringMode                      Short       1  Multi-segment
Exif.Photo.LightSource                       Short       1  Unknown
Exif.Photo.Flash                             Short       1  No, auto
Exif.Photo.FocalLength                       Rational    1  38.0 mm
Exif.Photo.MakerNote                         Undefined 1446464  (Binary value suppressed)
Exif.MakerNote.Offset                        Long        1  3008
Exif.MakerNote.ByteOrder                     Ascii       3  II
Exif.Olympus2.ThumbnailImage                 Undefined 6328  (Binary value suppressed)
Exif.Olympus2.SpecialMode                    Long        3  Normal
Exif.Olympus2.CameraID                       Undefined  32  79 76 89 77 80 85 83 32 68 73 71 73 84 65 76 32 67 65 77 69 82 65 32 32 32 32 32 32 32 32 32 0 
Exif.Olympus2.Equipment                      Long        1  114
Exif.OlympusEq.EquipmentVersion              Undefined   4  1.00
Exif.OlympusEq.CameraType                    Ascii       6  S0019
Exif.OlympusEq.SerialNumber                  Ascii      32  H46511887                      
Exif.OlympusEq.InternalSerialNumber          Ascii      32  4087907009228001               
Exif.OlympusEq.FocalPlaneDiagonal            Rational    1  2160/100
Exif.OlympusEq.BodyFirmwareVersion           Long        1  4100
Exif.OlympusEq.LensType                      Byte        6  0 0 1 16 0 0 
Exif.OlympusEq.LensSerialNumber              Ascii      32  AAB222884
Exif.OlympusEq.0x0203                        Ascii      32  OLYMPUS M.14-42mm F3.5-5.6
Exif.OlympusEq.LensFirmwareVersion           Long        1  4101
Exif.OlympusEq.MaxApertureAtMinFocal         Short       1  925
Exif.OlympusEq.MaxApertureAtMaxFocal         Short       1  1273
Exif.OlympusEq.MinFocalLength                Short       1  14
Exif.OlympusEq.MaxFocalLength                Short       1  42
Exif.OlympusEq.MaxApertureAtCurrentFocal     Short       1  1257
Exif.OlympusEq.LensProperties                Short       1  49488

[... many more tags ...]

Exif.OlympusFi.InternalFlash                 Short       1  Off
Exif.OlympusFi.ManualFlash                   Short       2  0 1
Exif.OlympusFi.0x120a                        Short       1  0
Exif.OlympusFi.SensorTemperature             SShort      1  360
Exif.OlympusFi.0x1501                        Long        2  1612963726 1612963734
Exif.OlympusFi.0x1502                        Short       1  0
Exif.OlympusFi.ImageStabilization            Undefined  53  33 49 49 0 0 107 5 122 2 122 2 64 1 143 1 122 120 23 0 46 0 1 1 0 0 23 0 46 0 23 0 46 0 0 0 0 0 0 0 0 0 3 0 0 0 0 35 0 34 0 0 0 0 
Exif.OlympusFi.0x1700                        Byte        4  0 0 0 0 
Exif.Photo.UserComment                       Undefined 125  (Binary value suppressed)
Exif.Photo.FlashpixVersion                   Undefined   4  1.00
Exif.Photo.ColorSpace                        Short       1  sRGB
Exif.Photo.FileSource                        Undefined   1  Digital still camera
Exif.Photo.CFAPattern                        Undefined   8  2 0 2 0 0 1 1 2 
Exif.Photo.CustomRendered                    Short       1  Normal process
Exif.Photo.ExposureMode                      Short       1  Auto
Exif.Photo.WhiteBalance                      Short       1  Auto
Exif.Photo.DigitalZoomRatio                  Rational    1  1.0
Exif.Photo.SceneCaptureType                  Short       1  Standard
Exif.Photo.GainControl                       Short       1  Low gain up
Exif.Photo.Contrast                          Short       1  Normal
Exif.Photo.Saturation                        Short       1  Normal
Exif.Photo.Sharpness                         Short       1  Normal
Exif.Image.PrintImageMatching                Undefined 528  (Binary value suppressed)
==20500== 
==20500== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 23 from 1)
==20500== malloc/free: in use at exit: 0 bytes in 0 blocks.
==20500== malloc/free: 13,409 allocs, 13,409 frees, 9,827,735 bytes allocated.
==20500== For counts of detected errors, rerun with: -v
==20500== All heap blocks were freed -- no leaks are possible.

#2 Updated by Udi Fuchs almost 8 years ago

For me it crashes with both 0.18 (from Ubuntu 9.04 x86-64) and SVN trunk.

Maybe it is a 64 bit issue?

Here is the valgrind output for SVN:

valgrind .libs/lt-exiv2 p8010009.orf
1151 Memcheck, a memory error detector.
1151 Copyright (C) 2002-2008, and GNU GPL'd, by Julian Seward et al.
1151 Using LibVEX rev 1884, a library for dynamic binary translation.
1151 Copyright (C) 2004-2008, and GNU GPL'd, by OpenWorks LLP.
1151 Using valgrind-3.4.1-Debian, a dynamic binary instrumentation framework.
1151 Copyright (C) 2000-2008, and GNU GPL'd, by Julian Seward et al.
1151 For more details, rerun with: -v
1151
1151 Invalid read of size 1
1151 at 0x4C28F20: memmove (mc_replace_strmem.c:517)
1151 by 0x4F1CE28: void std::vector<unsigned char, std::allocator<unsigned char> >::_M_assign_aux<unsigned char const*>(unsigned char const*, unsigned char const*, std::forward_iterator_tag) (in /home/udi/sf/exiv2/src/.libs/libexiv2.so.5.3.1)
1151 by 0x4F185A4: Exiv2::DataValue::read(unsigned char const*, long, Exiv2::ByteOrder) (in .libs/libexiv2.so.5.3.1)
1151 by 0x4F12843: Exiv2::Internal::TiffReader::readTiffEntry(Exiv2::Internal::TiffEntryBase*) (in .libs/libexiv2.so.5.3.1)
1151 by 0x4F02CF3: Exiv2::Internal::TiffDirectory::doAccept(Exiv2::Internal::TiffVisitor&) (in .libs/libexiv2.so.5.3.1)
1151 by 0x4F02CA0: Exiv2::Internal::TiffSubIfd::doAccept(Exiv2::Internal::TiffVisitor&) (in .libs/libexiv2.so.5.3.1)
1151 by 0x4F02CF3: Exiv2::Internal::TiffDirectory::doAccept(Exiv2::Internal::TiffVisitor&) (in .libs/libexiv2.so.5.3.1)
1151 by 0x4EC049B: Exiv2::Internal::TiffIfdMakernote::doAccept(Exiv2::Internal::TiffVisitor&) (in .libs/libexiv2.so.5.3.1)
1151 by 0x4F02C18: Exiv2::Internal::TiffMnEntry::doAccept(Exiv2::Internal::TiffVisitor&) (in .libs/libexiv2.so.5.3.1)
1151 by 0x4F02CF3: Exiv2::Internal::TiffDirectory::doAccept(Exiv2::Internal::TiffVisitor&) (in .libs/libexiv2.so.5.3.1)
1151 by 0x4F02CA0: Exiv2::Internal::TiffSubIfd::doAccept(Exiv2::Internal::TiffVisitor&) (in .libs/libexiv2.so.5.3.1)
1151 by 0x4F02CF3: Exiv2::Internal::TiffDirectory::doAccept(Exiv2::Internal::TiffVisitor&) (in .libs/libexiv2.so.5.3.1)
1151 Address 0x10676a000 is not stack'd, malloc'd or (recently) free'd
1151
1151 Process terminating with default action of signal 11 (SIGSEGV)
1151 Access not within mapped region at address 0x10676A000
1151 at 0x4C28F20: memmove (mc_replace_strmem.c:517)
1151 by 0x4F1CE28: void std::vector<unsigned char, std::allocator<unsigned char> >::_M_assign_aux<unsigned char const*>(unsigned char const*, unsigned char const*, std::forward_iterator_tag) (in /home/udi/sf/exiv2/src/.libs/libexiv2.so.5.3.1)
1151 by 0x4F185A4: Exiv2::DataValue::read(unsigned char const*, long, Exiv2::ByteOrder) (in .libs/libexiv2.so.5.3.1)
1151 by 0x4F12843: Exiv2::Internal::TiffReader::readTiffEntry(Exiv2::Internal::TiffEntryBase*) (in .libs/libexiv2.so.5.3.1)
1151 by 0x4F02CF3: Exiv2::Internal::TiffDirectory::doAccept(Exiv2::Internal::TiffVisitor&) (in .libs/libexiv2.so.5.3.1)
1151 by 0x4F02CA0: Exiv2::Internal::TiffSubIfd::doAccept(Exiv2::Internal::TiffVisitor&) (in .libs/libexiv2.so.5.3.1)
1151 by 0x4F02CF3: Exiv2::Internal::TiffDirectory::doAccept(Exiv2::Internal::TiffVisitor&) (in .libs/libexiv2.so.5.3.1)
1151 by 0x4EC049B: Exiv2::Internal::TiffIfdMakernote::doAccept(Exiv2::Internal::TiffVisitor&) (in .libs/libexiv2.so.5.3.1)
1151 by 0x4F02C18: Exiv2::Internal::TiffMnEntry::doAccept(Exiv2::Internal::TiffVisitor&) (in .libs/libexiv2.so.5.3.1)
1151 by 0x4F02CF3: Exiv2::Internal::TiffDirectory::doAccept(Exiv2::Internal::TiffVisitor&) (in .libs/libexiv2.so.5.3.1)
1151 by 0x4F02CA0: Exiv2::Internal::TiffSubIfd::doAccept(Exiv2::Internal::TiffVisitor&) (in .libs/libexiv2.so.5.3.1)
1151 by 0x4F02CF3: Exiv2::Internal::TiffDirectory::doAccept(Exiv2::Internal::TiffVisitor&) (in .libs/libexiv2.so.5.3.1)
1151 If you believe this happened as a result of a stack overflow in your
1151 program's main thread (unlikely but possible), you can try to increase
1151 the size of the main thread stack using the --main-stacksize= flag.
1151 The main thread stack size used in this run was 8388608.
1151
1151 ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 8 from 1)
1151 malloc/free: in use at exit: 1,650,045 bytes in 995 blocks.
1151 malloc/free: 2,812 allocs, 1,817 frees, 1,734,769 bytes allocated.
1151 For counts of detected errors, rerun with: -v
1151 searching for pointers to 995 not-freed blocks.
1151 checked 1,914,168 bytes.
1151
1151 LEAK SUMMARY:
1151 definitely lost: 4,608 bytes in 1 blocks.
1151 possibly lost: 1,136 bytes in 25 blocks.
1151 still reachable: 1,644,301 bytes in 969 blocks.
1151 suppressed: 0 bytes in 0 blocks.
1151 Rerun with --leak-check=full to see details of leaked memory.
Segmentation fault

#3 Updated by Niels Kristian Bech Jensen almost 8 years ago

I don't have any problems on the 32-bit (i386) version of Ubuntu 9.04 so it seems likely to be a 64-bit problem.

Regards,
Niels Kristian

#4 Updated by Andreas Huggel almost 8 years ago

  • Assignee set to Andreas Huggel

Indeed. I can reproduce it now, on an amd64 machine.

#5 Updated by Andreas Huggel almost 8 years ago

r1897 is a quick fix for this issue, but there may be more with 64 bit systems.
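As an added illustration (not exiv2's code, and not a claim about which exact line r1897 or r1898 changed), the C++ below shows the general pattern behind the symptoms on this page: the valgrind trace in comment #2 reports a read at an address that is "not within mapped region" from inside readTiffEntry, and the two commits are titled "Fixed type of offset which may be negative" and "Extended range check". An unsigned 32-bit TIFF offset field that is kept in a signed 32-bit variable turns negative for values of 2^31 or more; on a 32-bit build the pointer addition wraps modulo 2^32 and lands on the same address as the unsigned value would, which is why such a bug can stay hidden there, while on a 64-bit build the negative value is sign-extended and the pointer moves up to 2 GiB backwards into unmapped memory. The hardened check does all arithmetic in uint64_t and rejects the entry before anything is read. The IFD entry layout follows TIFF 6.0; the sample entry (MakerNote tag 0x927c with the count 1446464 from the dump in comment #1, but a constructed offset of 0xFFFFFF00 in a constructed 1 KiB buffer) is made up for the demonstration.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <vector>

// Added example, not exiv2 code: locate an IFD entry's data inside an
// in-memory TIFF/ORF buffer with an overflow-safe range check.

// Byte size of each TIFF 6.0 field type (codes 1..12); 0 for unknown types.
size_t tiffTypeSize(uint16_t type) {
    switch (type) {
        case 1: case 2: case 6: case 7: return 1;  // BYTE, ASCII, SBYTE, UNDEFINED
        case 3: case 8:                 return 2;  // SHORT, SSHORT
        case 4: case 9: case 11:        return 4;  // LONG, SLONG, FLOAT
        case 5: case 10: case 12:       return 8;  // RATIONAL, SRATIONAL, DOUBLE
        default:                        return 0;
    }
}

struct TiffEntry {
    uint16_t tag;
    uint16_t type;
    uint32_t count;
    uint32_t valueOrOffset;  // inline value when the data is <= 4 bytes, else a file offset
};

// Parse one 12-byte little-endian ("II") IFD entry at 'pos'.
// Returns false when the entry itself does not fit in the buffer.
bool readEntry(const std::vector<uint8_t>& buf, size_t pos, TiffEntry& e) {
    if (pos > buf.size() || buf.size() - pos < 12) return false;
    auto rd16 = [&](size_t p) { return uint16_t(buf[p] | (buf[p + 1] << 8)); };
    auto rd32 = [&](size_t p) {
        return uint32_t(buf[p]) | (uint32_t(buf[p + 1]) << 8) |
               (uint32_t(buf[p + 2]) << 16) | (uint32_t(buf[p + 3]) << 24);
    };
    e.tag = rd16(pos);
    e.type = rd16(pos + 2);
    e.count = rd32(pos + 4);
    e.valueOrOffset = rd32(pos + 8);
    return true;
}

// The hazard: keeping the unsigned offset field in a signed 32-bit variable
// makes every offset >= 2^31 negative. On a 32-bit build 'base + offset'
// wraps modulo 2^32 and hits the same address the unsigned value would;
// on a 64-bit build the value is sign-extended and the pointer moves up to
// 2 GiB backwards, into memory that is not mapped.
// (Two's-complement conversion: guaranteed since C++20, universal in practice.)
int32_t narrowedOffset(uint32_t offsetField) { return static_cast<int32_t>(offsetField); }

enum class Range { Ok, Inline, UnknownType, OffsetOutOfRange, LengthOutOfRange };

// Overflow-safe version: everything is widened to uint64_t and the test is
// written as 'size <= bufSize - offset', so neither count * typeSize nor
// offset + size can wrap before it is compared with the buffer size.
Range locateData(const TiffEntry& e, size_t bufSize, uint64_t& dataOffset, uint64_t& dataSize) {
    const size_t ts = tiffTypeSize(e.type);
    if (ts == 0) return Range::UnknownType;
    dataSize = uint64_t(e.count) * ts;          // <= 2^32 * 8, fits in 64 bits
    if (dataSize <= 4) { dataOffset = 0; return Range::Inline; }  // value lives in the entry
    dataOffset = e.valueOrOffset;               // widened, never narrowed to a signed type
    if (dataOffset > bufSize) return Range::OffsetOutOfRange;
    if (dataSize > bufSize - dataOffset) return Range::LengthOutOfRange;
    return Range::Ok;
}

// Write a little-endian IFD entry into 'buf' at 'pos' (used to build constructed test data).
void putEntry(std::vector<uint8_t>& buf, size_t pos, uint16_t tag, uint16_t type,
              uint32_t count, uint32_t valueOrOffset) {
    const uint32_t words[3] = {uint32_t(tag) | (uint32_t(type) << 16), count, valueOrOffset};
    for (int w = 0; w < 3; ++w)
        for (int b = 0; b < 4; ++b) buf[pos + 4 * w + b] = uint8_t(words[w] >> (8 * b));
}

int main() {
    std::vector<uint8_t> buf(1024, 0);  // constructed 1 KiB "file"
    // MakerNote (0x927c), UNDEFINED, count 1446464 as in the dump, but a hostile offset
    putEntry(buf, 8, 0x927c, 7, 1446464u, 0xFFFFFF00u);
    TiffEntry e{};
    readEntry(buf, 8, e);
    uint64_t off = 0, size = 0;
    Range r = locateData(e, buf.size(), off, size);
    std::printf("narrowed offset = %d, range check = %d\n",
                narrowedOffset(e.valueOrOffset), int(r));
    return r == Range::OffsetOutOfRange ? 0 : 1;
}
```

The order of the two comparisons in locateData matters: checking the offset against the buffer size first makes the subtraction in the second check safe, and writing it as a subtraction rather than as `offset + size <= bufSize` removes the wraparound a crafted count or offset could otherwise cause.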

#6 Updated by Udi Fuchs almost 8 years ago

r1897 solves the crash with the Olympus E-P1.

Udi

#7 Updated by Andreas Huggel almost 8 years ago

  • Category set to tiff parser
  • Status changed from New to Resolved
  • Target version set to 0.19

Thanks for the feedback. With the extended range check, considered done.

#8 Updated by Andreas Huggel almost 8 years ago

  • % Done changed from 0 to 100

#9 Updated by Andreas Huggel over 7 years ago

  • Status changed from Resolved to Closed
