simple-scan-team team mailing list archive
Message #00384
[Bug 931496] Re: Simple scan crashes when a PDF is saved
I've been playing around with this patch but I can't actually find any
case where it can overwrite this buffer.
This is interesting however:
** WARNING **: scanner.vala:1204: Scan completed with 2250 lines, expected 2250 lines
(the log message is actually wrong and is showing the same variable there - fixed in trunk)
Could you perhaps throw some printfs in there to dump out what the size
of the buffer was, what the other variables were, and check on each write
and log if it does overflow? I'm concerned that if this isn't the cause,
we're just hiding another problem.
** Changed in: simple-scan
Status: New => Incomplete
--
You received this bug notification because you are a member of Simple
Scan Development Team, which is the registrant for Simple Scan.
https://bugs.launchpad.net/bugs/931496
Title:
Simple scan crashes when a PDF is saved
Status in Simple Scan:
Incomplete
Bug description:
When saving a PDF, memory corruption occurs and simple scan crashes in
random code (for me, in the deflate functionality). I checked this using
a clean bzr checkout. BTW, I would have patched this much earlier if
simple-scan used a version control system that I was familiar with (like
git) :S
Can be verified with valgrind:
** WARNING **: scanner.vala:1204: Scan completed with 2250 lines, expected 2250 lines
==8804== Thread 1:
==8804== Invalid write of size 1
==8804== at 0x40FCFA: book_save_pdf (book.c:1826)
==8804== by 0x411F20: book_save (book.c:2533)
==8804== by 0x44372F: simple_scan_save_document (ui.c:1638)
==8804== by 0x447230: save_file_button_clicked_cb (ui.c:3002)
==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774)
==8804== by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302)
==8804== by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033)
==8804== by 0x66C7507: g_signal_emit_by_name (gsignal.c:3127)
==8804== by 0x4F14CBC: button_clicked (gtktoolbutton.c:881)
==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774)
==8804== Address 0x2102c5c8 is 0 bytes after a block of size 711,000 alloc'd
==8804== at 0x4A05BB4: calloc (vg_replace_malloc.c:467)
==8804== by 0x6947193: standard_calloc (gmem.c:104)
==8804== by 0x6947225: g_malloc0 (gmem.c:189)
==8804== by 0x69474E2: g_malloc0_n (gmem.c:385)
==8804== by 0x40F889: book_save_pdf (book.c:1674)
==8804== by 0x411F20: book_save (book.c:2533)
==8804== by 0x44372F: simple_scan_save_document (ui.c:1638)
==8804== by 0x447230: save_file_button_clicked_cb (ui.c:3002)
==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774)
==8804== by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302)
==8804== by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033)
==8804==
==8804== Invalid read of size 1
==8804== at 0x40FD0C: book_save_pdf (book.c:1827)
==8804== by 0x411F20: book_save (book.c:2533)
==8804== by 0x44372F: simple_scan_save_document (ui.c:1638)
==8804== by 0x447230: save_file_button_clicked_cb (ui.c:3002)
==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774)
==8804== by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302)
==8804== by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033)
==8804== by 0x66C7507: g_signal_emit_by_name (gsignal.c:3127)
==8804== by 0x4F14CBC: button_clicked (gtktoolbutton.c:881)
==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774)
==8804== Address 0x2102c5c8 is 0 bytes after a block of size 711,000 alloc'd
==8804== at 0x4A05BB4: calloc (vg_replace_malloc.c:467)
==8804== by 0x6947193: standard_calloc (gmem.c:104)
==8804== by 0x6947225: g_malloc0 (gmem.c:189)
==8804== by 0x69474E2: g_malloc0_n (gmem.c:385)
==8804== by 0x40F889: book_save_pdf (book.c:1674)
==8804== by 0x411F20: book_save (book.c:2533)
==8804== by 0x44372F: simple_scan_save_document (ui.c:1638)
==8804== by 0x447230: save_file_button_clicked_cb (ui.c:3002)
==8804== by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
==8804== by 0x66ADF59: g_closure_invoke (gclosure.c:774)
==8804== by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302)
==8804== by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033)
==8804==
The problem is that, due to an integer rounding error, one byte less is
allocated in the image buffer than there should be. I don't understand
the code completely, so this patch should be verified by the original
author of the code. Attached.
To manage notifications about this bug go to:
https://bugs.launchpad.net/simple-scan/+bug/931496/+subscriptions
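As an added illustration (not simple-scan's own code; the real width, height and pixel layout behind the crash are not given in this bug), the C below contrasts the two ways of sizing a 1-bit image buffer that the report describes, a truncating division versus one that rounds up, and routes every write through the kind of bounds check the maintainer asks for, logging instead of corrupting the heap. A buffer that is one byte short produces exactly the valgrind finding above: a write "0 bytes after" the allocated block.

```c
#include <stdio.h>
#include <stdlib.h>

/* Bounds-checked output buffer: every write goes through checked_put(), which
 * logs and counts a write past the end instead of corrupting the heap, the
 * kind of instrumentation the maintainer asks for above. */
typedef struct { unsigned char *data; size_t size; size_t overflows; } CheckedBuf;

static int checked_put(CheckedBuf *b, size_t index, unsigned char value) {
    if (index >= b->size) {
        fprintf(stderr, "overflow: write at %zu, size %zu\n", index, b->size);
        b->overflows++;
        return -1;
    }
    b->data[index] = value;
    return 0;
}

/* Byte count for width*height 1-bit pixels.  The truncating form is the rounding
 * error the report describes: when the bit count is not a multiple of 8 it drops
 * the final partial byte.  The second form rounds up so that byte is reserved. */
size_t packed_size_truncating(size_t width, size_t height) {
    return width * height / 8;
}
size_t packed_size_rounded_up(size_t width, size_t height) {
    return (width * height + 7) / 8;
}

/* Pack the pixels MSB-first into a buffer sized by size_fn and return how many
 * byte writes landed outside it (0 means no overflow). */
size_t pack_bits(size_t width, size_t height, size_t (*size_fn)(size_t, size_t)) {
    size_t nbits = width * height, size = size_fn(width, height);
    CheckedBuf buf = { calloc(size ? size : 1, 1), size, 0 };
    if (!buf.data) return (size_t)-1;
    for (size_t byte = 0; byte * 8 < nbits; byte++) {
        unsigned char acc = 0;
        for (size_t i = 0; i < 8 && byte * 8 + i < nbits; i++)
            acc |= (unsigned char)(((byte * 8 + i) % 3 == 0) << (7 - i)); /* constructed pattern */
        checked_put(&buf, byte, acc);   /* the last, partial byte is the one that overflows */
    }
    free(buf.data);
    return buf.overflows;
}
```

With constructed dimensions of 301 x 3 (903 bits, i.e. 112 full bytes plus 7 bits), pack_bits(301, 3, packed_size_truncating) reports one overflowing write and pack_bits(301, 3, packed_size_rounded_up) reports none.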