[Swfdec] [Bug 16395] New: glib abort for "double free or corruption" in jpeg code

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Tue Jun 17 05:04:02 PDT 2008


http://bugs.freedesktop.org/show_bug.cgi?id=16395

           Summary: glib abort for "double free or corruption" in jpeg code
           Product: swfdec
           Version: git
          Platform: Other
               URL: http://speed.pointroll.com/PointRoll/Media/Banners/Veriz
                    on/581557/728x90_Initial_11_14_AtomFilms_113007.swf?PRAd
                    =1103047&PRplcmt=621649&PRImpID=EF4612B965EB434C9F7E380A
                    1A4C4DCB
        OS/Version: All
            Status: NEW
          Severity: blocker
          Priority: medium
         Component: library
        AssignedTo: swfdec at lists.freedesktop.org
        ReportedBy: riccardo at datahost.it
         QAContact: swfdec at lists.freedesktop.org


Loading stream:
http://speed.pointroll.com/PointRoll/Media/Banners/Verizon/581557/728x90_Initial_11_14_AtomFilms_113007.swf?PRAd=1103047&PRplcmt=621649&PRImpID=EF4612B965EB434C9F7E380A1A4C4DCB
unhandled event 19
SWFDEC: WARN : swfdec_swf_decoder.c(342): swfdec_swf_decoder_parse_one: tag
function not implemented for 73 DefineFontAlignZones
SWFDEC: WARN : swfdec_swf_decoder.c(342): swfdec_swf_decoder_parse_one: tag
function not implemented for 73 DefineFontAlignZones
SWFDEC: WARN : swfdec_swf_decoder.c(342): swfdec_swf_decoder_parse_one: tag
function not implemented for 73 DefineFontAlignZones
SWFDEC: WARN : swfdec_as_interpret.c(879): swfdec_action_call_method: no
function named "broadcastMessage" on object SwfdecAsNativeFunction
*** glibc detected *** /usr/lib/iceweasel/firefox-bin: double free or
corruption (out): 0x0a8d6500 ***
======= Backtrace: =========
/lib/libc.so.6[0xb71f88a5]
/lib/libc.so.6(cfree+0x9c)[0xb71fa74c]
/usr/lib/libglib-2.0.so.0(g_free+0x31)[0xb74465b1]
/usr/local/lib/libswfdec-0.7.so.0[0xb1aeaf76]
/usr/local/lib/libswfdec-0.7.so.0[0xb1aeb485]
/usr/local/lib/libswfdec-0.7.so.0[0xb1aeb4fe]
/usr/local/lib/libswfdec-0.7.so.0[0xb1a95670]
/usr/local/lib/libswfdec-0.7.so.0(swfdec_image_create_surface+0x36d)[0xb1a965fd]
/usr/local/lib/libswfdec-0.7.so.0(swfdec_image_create_surface_transformed+0x109)[0xb1a96a09]
/usr/local/lib/libswfdec-0.7.so.0[0xb1aa7017]
/usr/local/lib/libswfdec-0.7.so.0(swfdec_pattern_get_pattern+0x8a)[0xb1aa6e1a]
/usr/local/lib/libswfdec-0.7.so.0[0xb1aa735e]
/usr/local/lib/libswfdec-0.7.so.0(swfdec_draw_paint+0x7e)[0xb1a8e55e]
/usr/local/lib/libswfdec-0.7.so.0[0xb1aba71e]
/usr/local/lib/libswfdec-0.7.so.0(swfdec_graphic_render+0x2c)[0xb1a94c0c]
/usr/local/lib/libswfdec-0.7.so.0[0xb1a94fe5]
/usr/local/lib/libswfdec-0.7.so.0(swfdec_movie_render+0x283)[0xb1a9ce43]
/usr/local/lib/libswfdec-0.7.so.0[0xb1a9f89d]
/usr/local/lib/libswfdec-0.7.so.0(swfdec_movie_render+0x283)[0xb1a9ce43]
/usr/local/lib/libswfdec-0.7.so.0[0xb1a9f89d]
/usr/local/lib/libswfdec-0.7.so.0(swfdec_movie_render+0x283)[0xb1a9ce43]
/usr/local/lib/libswfdec-0.7.so.0(swfdec_player_render_with_renderer+0x24c)[0xb1aad11c]
/usr/local/lib/libswfdec-0.7.so.0(swfdec_player_render+0xaf)[0xb1aad3cf]
/usr/local/lib/mozilla/plugins/libswfdecmozilla.so(swfmoz_player_render+0x1a3)[0xb348a373]
/usr/local/lib/mozilla/plugins/libswfdecmozilla.so[0xb348ad8d]
/usr/lib/libglib-2.0.so.0[0xb743ce01]
/usr/lib/libglib-2.0.so.0(g_main_context_dispatch+0x178)[0xb743e978]
/usr/lib/libglib-2.0.so.0[0xb7441bce]
/usr/lib/libglib-2.0.so.0(g_main_loop_run+0x1e7)[0xb7441f57]
/usr/lib/libgtk-x11-2.0.so.0(gtk_main+0xb9)[0xb7b65ae9]
/usr/lib/iceweasel/firefox-bin[0x82dbcea]
/usr/lib/iceweasel/firefox-bin[0x880a8b2]
/usr/lib/iceweasel/firefox-bin[0x807f781]
/usr/lib/iceweasel/firefox-bin[0x807b2fa]
/lib/libc.so.6(__libc_start_main+0xe5)[0xb71a4455]
/usr/lib/iceweasel/firefox-bin[0x807b261]
======= Memory map: ========
08048000-08b8b000 r-xp 00000000 03:01 4248606    /usr/lib/iceweasel/firefox-bin
08b8b000-08ba3000 rw-p 00b43000 03:01 4248606    /usr/lib/iceweasel/firefox-bin
08ba3000-0b036000 rw-p 08ba3000 00:00 0          [heap]
b06ac000-b06ad000 ---p b06ac000 00:00 0 
b06ad000-b0eac000 rw-p b06ad000 00:00 0 
b0eac000-b0ead000 ---p b0eac000 00:00 0 
b0ead000-b16ac000 rw-p b0ead000 00:00 0 
b16d3000-b1700000 r--p 00000000 03:01 4293757   
/usr/share/fonts/liberation/LiberationSans-Italic.ttf
b1700000-b1721000 rw-p b1700000 00:00 0 
b1721000-b1800000 ---p b1721000 00:00 0 
b1812000-b183a000 r--p 00000000 03:01 4293755   
/usr/share/fonts/liberation/LiberationSans-Bold.ttf
b183a000-b1862000 r--p 00000000 03:01 4293772   
/usr/share/fonts/liberation/LiberationSans-Regular.ttf
b1862000-b1885000 r--p 00000000 03:01 3949896    /home/rm/.fonts/VERDANA.TTF
b1885000-b1928000 r-xp 00000000 03:01 4211621   
/usr/lib/libgstreamer-0.10.so.0.16.0
b1928000-b192c000 rw-p 000a3000 03:01 4211621   
/usr/lib/libgstreamer-0.10.so.0.16.0
b192c000-b1936000 r-xp 00000000 03:01 262322    
/usr/lib/libgstpbutils-0.10.so.0.13.0
b1936000-b1937000 rw-p 0000a000 03:01 262322    
/usr/lib/libgstpbutils-0.10.so.0.13.0
b1937000-b1995000 r-xp 00000000 03:01 4210725    /usr/lib/libgio-2.0.so.0.0.0
b1995000-b1997000 rw-p 0005e000 03:01 4210725    /usr/lib/libgio-2.0.so.0.0.0
b1997000-b19cb000 r-xp 00000000 03:01 4212360    /usr/lib/libsoup-2.4.so.1.1.0
b19cb000-b19cd000 rw-p 00033000 03:01 4212360    /usr/lib/libsoup-2.4.so.1.1.0
b19cd000-b1a22000 r-xp 00000000 03:01 3146131    /usr/lib/liboil-0.3.so.0.2.0
b1a22000-b1a39000 rw-p 00055000 03:01 3146131    /usr/lib/liboil-0.3.so.0.2.0
b1a39000-b1a3b000 rw-p b1a39000 00:00 0 
b1a3b000-b1b19000 r-xp 00000000 03:01 4243660   
/usr/local/lib/libswfdec-0.7.so.0.0.0
b1b19000-b1b20000 rw-p 000de000 03:01 4243660   
/usr/local/lib/libswfdec-0.7.so.0.0.0
b1b20000-b1b2c000 r-xp 00000000 03:01 4243895   
/usr/local/lib/libswfdec-gtk-0.7.so.0.0.0
b1b2c000-b1b2d000 rw-p 0000b000 03:01 4243895   
/usr/local/lib/libswfdec-gtk-0.7.so.0.0.0
b1b2d000-b1b39000 r--p 00000000 03:01 933983    
/usr/share/fonts/truetype/ttf-bitstream-vera/VeraMoBd.ttf
b1b39000-b1b3f000 r--p 00000000 03:01 4222177   
/usr/share/locale/it/LC_MESSAGES/gstreamer-0.10.mo
b1b3f000-b1b40000 ---p b1b3f000 00:00 0 
b1b40000-b233f000 rw-p b1b40000 00:00 0 
b233f000-b2384000 r-xp 00000000 03:01 4243745    /usr/lib/nss/libnssckbi.so
b2384000-b238f000 rw-p 00045000 03:01 4243745    /usr/lib/nss/libnssckbi.so
b238f000-b23c9000 r-xp 00000000 03:01 4243739    /usr/lib/nss/libfreebl3.so
b23c9000-b23ca000 rw-p 00039000 03:01 4243739    /usr/lib/nss/libfreebl3.so
b23ca000-b23eb000 r-xp 00000000 03:01 4243744    /usr/lib/nss/libnssdbm3.so
b23eb000-b23ec000 rw-p 00021000 03:01 4243744    /usr/lib/nss/libnssdbm3.so
b23ec000-b2445000 r-xp 00000000 03:01 4213364    /usr/lib/libsqlite3.so.0.8.6
b2445000-b2447000 rw-p 00058000 03:01 4213364    /usr/lib/libsqlite3.so.0.8.6
b2447000-b2478000 r-xp 00000000 03:01 4243743    /usr/lib/nss/libsoftokn3.so
b2478000-b2479000 rw-p 00031000 03:01 4243743    /usr/lib/nss/libsoftokn3.so
b2479000-b247a000 ---p b2479000 00:00 0 
b247a000-b2c79000 rw-p b247a000 00:00 0 
b2c79000-b2c7a000 ---p b2c79000 00:00 0 
b2c7a000-b3479000 rw-p b2c7a000 00:00 0 
b3479000-b347d000 r-xp 00000000 03:01 4220586    /lib/libnss_dns-2.7.so
b347d000-b347f000 rw-p 00003000 03:01 4220586    /lib/libnss_dns-2.7.so
b3480000-b348d000 r-xp 00000000 03:01 4243853   
/usr/local/lib/mozilla/plugins/libswfdecmozilla.so
b348d000-b348e000 rw-p 0000d000 03:01 4243853   
/usr/local/lib/mozilla/plugins/libswfdecmozilla.so
b348e000-b3490000 r-xp 00000000 03:01 4248610   
/usr/lib/iceweasel/plugins/libunixprintplugin.so
b3490000-b3491000 rw-p 00001000 03:01 4248610   
/usr/lib/iceweasel/plugins/libunixprintplugin.so
b3491000-b3495000 r-xp 00000000 03:01 4243730   
/usr/lib/iceweasel/components/libmozgnome.so
b3495000-b3496000 rw-p 00003000 03:01 4243730   
/usr/lib/iceweasel/components/libmozgnome.so
b3496000-b3497000 ---p b3496000 00:00 0 
b3497000-b3c96000 rw-p b3497000 00:00 0 
b3c96000-b3c97000 ---p b3c96000 00:00 0 
b3c97000-b4496000 rw-p b3c97000 00:00 0 
b4496000-b4497000 ---p b4496000 00:00 0 
b4497000-b4c96000 rw-p b4497000 00:00 0 
b4c96000-b4ca7000 r--p 00000000 03:01 4243524   
/usr/share/fonts/truetype/ttf-bitstream-vera/Vera.ttf
b4ca7000-b4cb6000 r-xp 00000000 03:01 4248578   
/usr/lib/iceweasel/components/libspellchecker.so
b4cb6000-b4cb7000 rw-p 0000f000 03:01 4248578   
/usr/lib/iceweasel/components/libspellchecker.so
b4cb7000-b4d17000 rw-s 00000000 00:08 24510474   /SYSV00000000 (deleted)
b4d17000-b4d26000 r--p 00000000 03:01 933989    
/usr/share/fonts/truetype/ttf-bitstream-vera/VeraSe.ttf
b4d26000-b4e2a000 rw-p b4d26000 00:00 0 
b4e2a000-b4ebf000 r--p 00000000 03:01 3129352   
/usr/share/fonts/truetype/ttf-dejavu/DejaVuSans.ttf
b4f6f000-b4f96000 r--p 00000000 03:01 4293758   
/usr/share/fonts/liberation/LiberationSans-BoldItalic.ttf
b4f96000-b4f9a000 r-xp 00000000 03:01 2375768   
/usr/lib/gtk-2.0/2.10.0/loaders/libpixbufloader-png.so
b4f9a000-b4f9b000 rw-p 00003000 03:01 2375768   
/usr/lib/gtk-2.0/2.10.0/loaders/libpixbufloader-png.so
b4f9c000-b4fa1000 r--p 00000000 03:01 4278247   
/usr/local/share/icons/hicolor/icon-theme.cache
b4fc3000-b504c000 r--p 00000000 03:01 4293107   
/usr/share/fonts/truetype/ttf-dejavu/DejaVuSans-Bold.ttf
b504c000-b504e000 r-xp 00000000 03:01 4309566   
/usr/lib/pango/1.6.0/modules/pango-basic-fc.so
b504e000-b504f000 rw-p 00001000 03:01 4309566   
/usr/lib/pango/1.6.0/modules/pango-basic-fc.so
b504f000-b5055000 r--s 00000000 03:01 1886415   
/var/cache/fontconfig/945677eb7aeaf62f1d50efc3fb3ec7d8-x86.cache-2
b5055000-b505c000 r--s 00000000 03:01 1886412   
/var/cache/fontconfig/6d41288fd70b0be22e8c3a91e032eec0-x86.cache-2
b505c000-b505f000 r--s 00000000 03:01 1886411   
/var/cache/fontconfig/de156ccd2eddbdc19d37a45b8b2aac9c-x86.cache-2
b505f000-b5060000 r--s 00000000 03:01 1886410   
/var/cache/fontconfig/9014f96f0c1b5f16acaea993532dcedf-x86.cache-2
b5060000-b5061000 r--s 00000000 03:01 1886408 
Program received signal SIGABRT, Aborted.
[Switching to Thread 0xb7012720 (LWP 14789)]
0xb71b85b6 in raise () from /lib/libc.so.6
(gdb) 
(gdb) 
(gdb) bt full
#0  0xb71b85b6 in raise () from /lib/libc.so.6
No symbol table info available.
#1  0xb71b9dd8 in abort () from /lib/libc.so.6
No symbol table info available.
#2  0xb71f2afd in __libc_message () from /lib/libc.so.6
No symbol table info available.
#3  0xb71f88a5 in malloc_printerr () from /lib/libc.so.6
No symbol table info available.
#4  0xb71fa74c in free () from /lib/libc.so.6
No symbol table info available.
#5  0xb74465b1 in g_free () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#6  0xb1aeaf76 in get_argb_420 (dec=0xabb8d58) at jpeg_rgb_decoder.c:284
        tmp = <value optimized out>
        tmp_u = <value optimized out>
        tmp_v = <value optimized out>
        tmp1 = <value optimized out>
        yp = (uint8_t *) 0xaae1fa0 'I' <repeats 96 times>, " "
        up = (uint8_t *) 0x9c1b220 '\177' <repeats 200 times>...
        vp = (uint8_t *) 0xa974e68 '\203' <repeats 200 times>...
        argbp = (uint32_t *) 0x9132aa0
        j = 250
        halfwidth = 1
#7  0xb1aeb485 in jpeg_decoder_get_argb_image (dec=0x0) at
jpeg_rgb_decoder.c:89
No locals.
#8  0xb1aeb4fe in jpeg_decode_argb (data=0xafb9a57 "����", length=515,
image=0xbfd7edc8, width=0xa8c85a0, height=0xa8c85a4) at jpeg_rgb_decoder.c:63
        dec = (JpegDecoder *) 0xabb8d58
        ret = <value optimized out>
#9  0xb1a95670 in swfdec_jpeg_decode_argb (renderer=0x974f520, data1=0xafb9a57
"����", length1=515, data2=0x0, length2=0, outdata=0xbfd7edc8,
width=0xa8c85a0, height=0xa8c85a4)
    at swfdec_image.c:164
        ret = 0
#10 0xb1a965fd in swfdec_image_create_surface (image=0xa8c8590,
renderer=0x974f520) at swfdec_image.c:245
        trans = {mask = 0, ra = 256, rb = 0, ga = 256, gb = 0, ba = 256, bb =
0, aa = 256, ab = 0}
        cached = <value optimized out>
        surface = <value optimized out>
        __PRETTY_FUNCTION__ = "swfdec_image_create_surface"
#11 0xb1a96a09 in swfdec_image_create_surface_transformed (image=0xa8c8590,
renderer=0x974f520, trans=0xbfd7f084) at swfdec_image.c:678
        mask = {mask = -1076367720, ra = -1314230530, rb = -1210402548, ga = 0,
gb = 0, ba = 0, bb = 1, aa = 14789, ab = -1314297589}
        cached = <value optimized out>
        surface = (cairo_surface_t *) 0x0
        source = <value optimized out>
        tdata = <value optimized out>
        sdata = <value optimized out>
        i = <value optimized out>
        n = <value optimized out>
        has_alpha = <value optimized out>
        __PRETTY_FUNCTION__ = "swfdec_image_create_surface_transformed"
#12 0xb1aa7017 in swfdec_image_pattern_get_pattern (pat=0xa987d20,
renderer=0x974f520, trans=0xbfd7f084) at swfdec_pattern.c:224
        pattern = (cairo_pattern_t *) 0x0
        surface = <value optimized out>
#13 0xb1aa6e1a in swfdec_pattern_get_pattern (pattern=0xa987d20,
renderer=0x974f520, trans=0xbfd7f084) at swfdec_pattern.c:553
        __PRETTY_FUNCTION__ = "swfdec_pattern_get_pattern"
#14 0xb1aa735e in swfdec_pattern_paint (draw=0xa987d20, cr=0xa9da9c0,
trans=0xbfd7f084) at swfdec_pattern.c:52
        pattern = <value optimized out>
#15 0xb1a8e55e in swfdec_draw_paint (draw=0xa987d20, cr=0xa9da9c0,
trans=0xbfd7f084) at swfdec_draw.c:129
        __PRETTY_FUNCTION__ = "swfdec_draw_paint"
#16 0xb1aba71e in swfdec_shape_render (graphic=0xac29928, cr=0xa9da9c0,
trans=0xbfd7f084, inval=0xbfd7f0a8) at swfdec_shape.c:63
        draw = (SwfdecDraw *) 0xa987d20
        walk = (GSList *) 0xa9d8328
#17 0xb1a94c0c in swfdec_graphic_render (graphic=0x39c5, cr=0xa9da9c0,
trans=0xbfd7f084, inval=0xbfd7f0a8) at swfdec_graphic.c:59
No locals.
#18 0xb1a94fe5 in swfdec_graphic_movie_render (movie=0xac72d60, cr=0xa9da9c0,
trans=0xbfd7f084, inval=0xbfd7f0a8) at swfdec_graphic_movie.c:50
No locals.
#19 0xb1a9ce43 in swfdec_movie_render (movie=0xac72d60, cr=0xa9da9c0,
color_transform=0xbfd7f254, inval=0xbfd7f278) at swfdec_movie.c:834
        trans = {mask = 0, ra = 256, rb = 0, ga = 256, gb = 0, ba = 256, bb =
0, aa = 256, ab = 0}
        rect = {x0 = -3000.0005030370862, y0 = -13213.866485822067, x1 =
3000.0005030370871, y1 = 13269.421947187724}
        group = 0
        __PRETTY_FUNCTION__ = "swfdec_movie_render"
---Type <return> to continue, or q <return> to quit---
#20 0xb1a9f89d in swfdec_movie_do_render (movie=0x9c0e708, cr=0xa9da9c0,
ctrans=0xbfd7f254, inval=0xbfd7f278) at swfdec_movie.c:1271
        child = (SwfdecMovie *) 0xac72d60
        g = (GList *) 0xac07540
        walk = <value optimized out>
        clips = (GSList *) 0x0
        clip = (ClipEntry *) 0x0
        ident = {xx = 1, yx = 0, xy = 0, yy = 1, x0 = 0, y0 = 0}
        __PRETTY_FUNCTION__ = "swfdec_movie_do_render"
        matrix = {xx = 0.050000000000000003, yx = 0, xy = 0, yy =
0.050000000000000003, x0 = 0, y0 = 0}
#21 0xb1a9ce43 in swfdec_movie_render (movie=0x9c0e708, cr=0xa9da9c0,
color_transform=0xbfd7f424, inval=0xbfd7f448) at swfdec_movie.c:834
        trans = {mask = 0, ra = 256, rb = 0, ga = 256, gb = 0, ba = 256, bb =
0, aa = 256, ab = 0}
        rect = {x0 = -3000.0005030370862, y0 = -13213.866485822067, x1 =
3000.0005030370871, y1 = 13269.421947187724}
        group = 0
        __PRETTY_FUNCTION__ = "swfdec_movie_render"
#22 0xb1a9f89d in swfdec_movie_do_render (movie=0x9c0e2b8, cr=0xa9da9c0,
ctrans=0xbfd7f424, inval=0xbfd7f448) at swfdec_movie.c:1271
        child = (SwfdecMovie *) 0x9c0e708
        g = (GList *) 0xac048d0
        walk = <value optimized out>
        clips = (GSList *) 0x0
        clip = (ClipEntry *) 0x0
        ident = {xx = 1, yx = 0, xy = 0, yy = 1, x0 = 0, y0 = 0}
        __PRETTY_FUNCTION__ = "swfdec_movie_do_render"
        matrix = {xx = 0.050000000000000003, yx = 0, xy = 0, yy =
0.050000000000000003, x0 = 0, y0 = 0}
#23 0xb1a9ce43 in swfdec_movie_render (movie=0x9c0e2b8, cr=0xa9da9c0,
color_transform=0xb1aff680, inval=0xbfd7f508) at swfdec_movie.c:834
        trans = {mask = 0, ra = 256, rb = 0, ga = 256, gb = 0, ba = 256, bb =
0, aa = 256, ab = 0}
        rect = {x0 = 0, y0 = -3857, x1 = 14560, y1 = 5677}
        group = 0
        __PRETTY_FUNCTION__ = "swfdec_movie_render"
#24 0xb1aad11c in swfdec_player_render_with_renderer (player=0xa412330,
cr=0xa9da9c0, renderer=0x974f520, x=0, y=0, width=1280, height=838) at
swfdec_player.c:3101
        priv = <value optimized out>
        walk = (GList *) 0xa6b8f20
        real = {x0 = 0, y0 = -3857, x1 = 14560, y1 = 5677}
        trans = {mask = 0, ra = 256, rb = 0, ga = 256, gb = 0, ba = 256, bb =
0, aa = 256, ab = 0}
        __PRETTY_FUNCTION__ = "swfdec_player_render_with_renderer"
#25 0xb1aad3cf in swfdec_player_render (player=0xa412330, cr=0xa9da9c0, x=0,
y=0, width=1280, height=838) at swfdec_player.c:3039
        __PRETTY_FUNCTION__ = "swfdec_player_render"
#26 0xb348a373 in swfmoz_player_render (player=0xa412330, cr=0xa9da9c0,
region=0xae6a0c0) at swfmoz_player.c:796
        rect = {x = 0, y = 0, width = 1280, height = 838}
        has_cr = 0
        __PRETTY_FUNCTION__ = "swfmoz_player_render"
#27 0xb348ad8d in swfmoz_player_idle_redraw (playerp=0xa412330) at
swfmoz_player.c:177
        region = (GdkRegion *) 0xae6a0c0
        __PRETTY_FUNCTION__ = "swfmoz_player_idle_redraw"

