Bug #1088
malloc or free error in XmpKey::key() reading QuickTime movie
0%
Description
There is a bug in Exiv2::XmpKey::key() called from QuickTimeVideo::userDataDecoder() that causes a memory allocation related crash on both OS X and Linux.
This bug existed in v 0.24 and persists in the svn/head (3839).
Backtrace on OS X with 0.24 svn-3839:
@Application Specific Information:abort() called
- error for object 0x7f8b2b407b68: incorrect checksum for freed object - object was probably modified after being freed.
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libsystem_kernel.dylib 0x00007fff8dcee866 _pthread_kill + 10
1 libsystem_pthread.dylib 0x00007fff8e4dd35c pthread_kill + 92
2 libsystem_c.dylib 0x00007fff91d85b1a abort + 125
3 libsystem_malloc.dylib 0x00007fff91490690 szone_error + 587
4 libsystem_malloc.dylib 0x00007fff91495218 tiny_malloc_from_free_list + 1412
5 libsystem_malloc.dylib 0x00007fff914953c3 szone_malloc_should_clear + 320
6 libsystem_malloc.dylib 0x00007fff91497868 malloc_zone_malloc + 71
7 libsystem_malloc.dylib 0x00007fff9149827c malloc + 42
8 libc++.1.dylib 0x00007fff8d48128e operator new(unsigned long) + 30
9 libc++.1.dylib 0x00007fff8d4865ba std::_1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::__init(char const*, unsigned long, unsigned long) + 64
10 libexiv2.13.dylib 0x0000000109de15fe Exiv2::XmpKey::key() const + 302 (string:1631)
11 libexiv2.13.dylib 0x0000000109e2feae Exiv2::Xmpdatum::key() const + 30 (xmp.cpp:184)
12 libexiv2.13.dylib 0x0000000109e3072f Exiv2::XmpData::findKey(Exiv2::XmpKey const&) + 79 (string:1683)
13 libexiv2.13.dylib 0x0000000109e30539 Exiv2::XmpData::operator[](std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) + 41 (xmp.cpp:317)
14 libexiv2.13.dylib 0x0000000109dee43f Exiv2::QuickTimeVideo::userDataDecoder(unsigned long) + 1983 (quicktimevideo.cpp:946)
15 libexiv2.13.dylib 0x0000000109de8834 Exiv2::QuickTimeVideo::tagDecoder(Exiv2::DataBuf&, unsigned long) + 932 (quicktimevideo.cpp:714)
16 libexiv2.13.dylib 0x0000000109de7e09 Exiv2::QuickTimeVideo::decodeBlock() + 169 (types.hpp:204)
17 libexiv2.13.dylib 0x0000000109de7ab2 Exiv2::QuickTimeVideo::readMetadata() + 834 (quicktimevideo.cpp:654)
18 exiv2 0x0000000109d067a7 Action::Print::printSummary() + 103 (actions.cpp:277)
19 exiv2 0x0000000109d065f1 Action::Print::run(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) + 65 (actions.cpp:240)
20 exiv2 0x0000000109cfa127 main + 615 (exiv2.cpp:172)
21 libdyld.dylib 0x00007fff91ef75fd start + 1
Thread 0 crashed with X86 Thread State (64-bit):
rax: 0x0000000000000000 rbx: 0x00007fff76091310 rcx: 0x00007fff55f06de8 rdx: 0x0000000000000000
rdi: 0x0000000000000303 rsi: 0x0000000000000006 rbp: 0x00007fff55f06e10 rsp: 0x00007fff55f06de8
r8: 0x0000000000000010 r9: 0x00000000fffffff0 r10: 0x0000000008000000 r11: 0x0000000000000206
r12: 0x000000010a0bb000 r13: 0x000000010a0bf000 r14: 0x0000000000000006 r15: 0x0000000000000000
rip: 0x00007fff8dcee866 rfl: 0x0000000000000206 cr2: 0x000000010a124000
@
On Ubuntu 14.04 (exiv2 0.24):
@- Error in `/usr/bin/exiv2': free(): invalid next size (normal): 0x0000000000642300 ***
Program received signal SIGABRT, Aborted.
0x00007ffff7016cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7016cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff701a0d8 in __GI_abort () at abort.c:89
#2 0x00007ffff7053394 in __libc_message (do_abort=do_abort@entry=1,
fmt=fmt@entry=0x7ffff7161b28 "*** Error in `%s': s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff705f66e in malloc_printerr (ptr=<optimised out>, str=0x7ffff7161ca0 "free(): invalid next size (normal)", action=1)
at malloc.c:4996
#4 _int_free (av=<optimised out>, p=<optimised out>, have_lock=0) at malloc.c:3840
#5 0x00007ffff7a69ef4 in ?? () from /usr/lib/x86_64-linux-gnu/libexiv2.so.13
#6 0x00007ffff7a693f5 in Exiv2::QuickTimeVideo::userDataDecoder(unsigned long) () from /usr/lib/x86_64-linux-gnu/libexiv2.so.13
#7 0x00007ffff7a6880b in Exiv2::QuickTimeVideo::tagDecoder(Exiv2::DataBufx%x, unsigned long) ()
from /usr/lib/x86_64-linux-gnu/libexiv2.so.13
#8 0x00007ffff7a68b70 in Exiv2::QuickTimeVideo::decodeBlock() () from /usr/lib/x86_64-linux-gnu/libexiv2.so.13
#9 0x00007ffff7a68dbd in Exiv2::QuickTimeVideo::readMetadata() () from /usr/lib/x86_64-linux-gnu/libexiv2.so.13
#10 0x0000000000416308 in ?? ()
#11 0x000000000041846c in ?? ()
#12 0x00000000004057aa in ?? ()
#13 0x00007ffff7001ec5 in __libc_start_main (main=0x4056a0, argc=4, argv=0x7fffffffe3c8, init=<optimised out>,
fini=<optimised out>, rtld_fini=<optimised out>, stack_end=0x7fffffffe3b8) at libc-start.c:287
#14 0x0000000000405a7a in ?? ()
@
This does not happen with all QuickTime files : the ones recorded on an iPhone 4S are fine, but after saving some edits in QuickTime Player Pro they can provoke the crash.
I'm attaching an example video. This is a QuickTime reference movie that refers to sequences I cannot upload due to space constraints, but the same movie still causes the crash after "flattening" (i.e. including all clips into a standalone movie).
Files
History
Updated by René Bertin over 6 years ago
A more complete backtrace on Linux:
#0 0x00007ffff7016cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff701a0d8 in __GI_abort () at abort.c:89
#2 0x00007ffff7053394 in __libc_message (do_abort=do_abort@entry=1,
fmt=fmt@entry=0x7ffff7161b28 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff705f66e in malloc_printerr (ptr=<optimised out>, str=0x7ffff7161ca0 "free(): invalid next size (normal)", action=1)
at malloc.c:4996
#4 _int_free (av=<optimised out>, p=<optimised out>, have_lock=0) at malloc.c:3840
#5 0x00007ffff7a69ef4 in _M_dispose (__a=..., this=<optimised out>) at /usr/include/c++/4.8/bits/basic_string.h:249
#6 ~basic_string (this=0x7fffffffd9c0, __in_chrg=<optimised out>) at /usr/include/c++/4.8/bits/basic_string.h:539
#7 ~basic_stringbuf (this=0x7fffffffd978, __in_chrg=<optimised out>) at /usr/include/c++/4.8/sstream:64
#8 ~basic_ostringstream (this=0x7fffffffd970, __in_chrg=<optimised out>, __vtt_parm=<optimised out>)
at /usr/include/c++/4.8/sstream:453
#9 Exiv2::toString<unsigned char*> (arg=@0x7fffffffdc00: 0x641e80 "name") at types.hpp:480
#10 0x00007ffff7a693f5 in Exiv2::QuickTimeVideo::userDataDecoder (this=this@entry=0x63d6a0, size_external=size_external@entry=906)
at quicktimevideo.cpp:900
#11 0x00007ffff7a6880b in Exiv2::QuickTimeVideo::tagDecoder (this=this@entry=0x63d6a0, buf=..., size=size@entry=906)
at quicktimevideo.cpp:705
#12 0x00007ffff7a68b70 in Exiv2::QuickTimeVideo::decodeBlock (this=0x63d6a0) at quicktimevideo.cpp:672
#13 0x00007ffff7a68dbd in Exiv2::QuickTimeVideo::readMetadata (this=0x63d6a0) at quicktimevideo.cpp:645
#14 0x0000000000416308 in Action::Print::printSummary (this=this@entry=0x63c190) at actions.cpp:258
#15 0x000000000041846c in Action::Print::run (this=0x63c190, path="/Volumes/Debian/HDR/201505/Country@Varreddes/video.mov")
at actions.cpp:236
#16 0x00000000004057aa in main (argc=<optimised out>, argv=<optimised out>) at exiv2.cpp:171
Updated by Robin Mills about 6 years ago
- Status changed from New to Assigned
- Target version set to 0.26
Updated by Robin Mills about 5 years ago
- Status changed from Assigned to New
- Assignee deleted (
Abhinav Badola)
I'm going to defer this for v0.27. I'm also removing Abhinav as the assignee. I hope to have a team hangout in October 2016 to deal with assignments for v0.27.