
simple-scan-team team mailing list archive

[Bug 931496] Re: Simple scan crashes when a PDF is saved

 

I've been playing around with this patch but I can't actually find any
case where it can overwrite this buffer.

This is interesting however:
** WARNING **: scanner.vala:1204: Scan completed with 2250 lines, expected 2250 lines
(the log message is actually wrong and is showing the same variable there - fixed in trunk)

Could you perhaps throw some printfs in there to dump out what the size
of the buffer was, what the other variables were and check on each write
and log if it does overflow? I'm concerned that if this isn't the cause,
we're just hiding another problem.

** Changed in: simple-scan
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Simple
Scan Development Team, which is the registrant for Simple Scan.
https://bugs.launchpad.net/bugs/931496

Title:
  Simple scan crashes when a PDF is saved

Status in Simple Scan:
  Incomplete

Bug description:
  When saving a PDF, memory corruption occurs and simple scan crashes in
  random code (for me in the deflate functionality). Checked this using
  clean bzr checkout. BTW, I would have patched this much earlier if
  simple-scan was in a version control system that I was familiar with
  (like git) :S

  Can be verified with valgrind:

  ** WARNING **: scanner.vala:1204: Scan completed with 2250 lines, expected 2250 lines
  ==8804== Thread 1:
  ==8804== Invalid write of size 1
  ==8804==    at 0x40FCFA: book_save_pdf (book.c:1826)
  ==8804==    by 0x411F20: book_save (book.c:2533)
  ==8804==    by 0x44372F: simple_scan_save_document (ui.c:1638)
  ==8804==    by 0x447230: save_file_button_clicked_cb (ui.c:3002)
  ==8804==    by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
  ==8804==    by 0x66ADF59: g_closure_invoke (gclosure.c:774)
  ==8804==    by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302)
  ==8804==    by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033)
  ==8804==    by 0x66C7507: g_signal_emit_by_name (gsignal.c:3127)
  ==8804==    by 0x4F14CBC: button_clicked (gtktoolbutton.c:881)
  ==8804==    by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
  ==8804==    by 0x66ADF59: g_closure_invoke (gclosure.c:774)
  ==8804==  Address 0x2102c5c8 is 0 bytes after a block of size 711,000 alloc'd
  ==8804==    at 0x4A05BB4: calloc (vg_replace_malloc.c:467)
  ==8804==    by 0x6947193: standard_calloc (gmem.c:104)
  ==8804==    by 0x6947225: g_malloc0 (gmem.c:189)
  ==8804==    by 0x69474E2: g_malloc0_n (gmem.c:385)
  ==8804==    by 0x40F889: book_save_pdf (book.c:1674)
  ==8804==    by 0x411F20: book_save (book.c:2533)
  ==8804==    by 0x44372F: simple_scan_save_document (ui.c:1638)
  ==8804==    by 0x447230: save_file_button_clicked_cb (ui.c:3002)
  ==8804==    by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
  ==8804==    by 0x66ADF59: g_closure_invoke (gclosure.c:774)
  ==8804==    by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302)
  ==8804==    by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033)
  ==8804== 
  ==8804== Invalid read of size 1
  ==8804==    at 0x40FD0C: book_save_pdf (book.c:1827)
  ==8804==    by 0x411F20: book_save (book.c:2533)
  ==8804==    by 0x44372F: simple_scan_save_document (ui.c:1638)
  ==8804==    by 0x447230: save_file_button_clicked_cb (ui.c:3002)
  ==8804==    by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
  ==8804==    by 0x66ADF59: g_closure_invoke (gclosure.c:774)
  ==8804==    by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302)
  ==8804==    by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033)
  ==8804==    by 0x66C7507: g_signal_emit_by_name (gsignal.c:3127)
  ==8804==    by 0x4F14CBC: button_clicked (gtktoolbutton.c:881)
  ==8804==    by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
  ==8804==    by 0x66ADF59: g_closure_invoke (gclosure.c:774)
  ==8804==  Address 0x2102c5c8 is 0 bytes after a block of size 711,000 alloc'd
  ==8804==    at 0x4A05BB4: calloc (vg_replace_malloc.c:467)
  ==8804==    by 0x6947193: standard_calloc (gmem.c:104)
  ==8804==    by 0x6947225: g_malloc0 (gmem.c:189)
  ==8804==    by 0x69474E2: g_malloc0_n (gmem.c:385)
  ==8804==    by 0x40F889: book_save_pdf (book.c:1674)
  ==8804==    by 0x411F20: book_save (book.c:2533)
  ==8804==    by 0x44372F: simple_scan_save_document (ui.c:1638)
  ==8804==    by 0x447230: save_file_button_clicked_cb (ui.c:3002)
  ==8804==    by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
  ==8804==    by 0x66ADF59: g_closure_invoke (gclosure.c:774)
  ==8804==    by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302)
  ==8804==    by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033)
  ==8804== 

  The problem is that due to an integer rounding error, one byte less is
  allocated in the image buffer than there should be. I don't understand
  the code completely, so this patch should be verified by the original
  author of the code. Attached.

To manage notifications about this bug go to:
https://bugs.launchpad.net/simple-scan/+bug/931496/+subscriptions
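
The kind of per-write check requested above, next to the rounding difference the report describes, as an added example; it is not simple-scan's code or the attached patch. It assumes a row of sub-byte samples packed into bytes (the page does not show the actual computation), and all function names and dimensions are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helpers: bytes needed for `width` samples of `depth` bits. */
static size_t len_floor(size_t width, size_t depth) { return width * depth / 8; }
static size_t len_ceil(size_t width, size_t depth) { return (width * depth + 7) / 8; }

/* Pack samples MSB-first, checking every write against buf_len.
   Assumes depth is 1, 2 or 4 so a sample never straddles a byte.
   Returns the number of writes that fell outside the buffer (skipped). */
static size_t pack_checked(uint8_t *buf, size_t buf_len, size_t width, size_t depth)
{
    size_t bad = 0;
    for (size_t i = 0; i < width; i++) {
        size_t bit = i * depth, off = bit / 8;
        if (off >= buf_len) {
            fprintf(stderr, "overflow: sample %zu -> offset %zu, buffer %zu bytes\n",
                    i, off, buf_len);
            bad++;
            continue;
        }
        uint8_t sample = (uint8_t)(i & ((1u << depth) - 1)); /* constructed data */
        buf[off] |= (uint8_t)(sample << (8 - depth - bit % 8));
    }
    return bad;
}

/* Allocate one row with the chosen rounding and count out-of-bounds writes. */
static size_t count_overflows(size_t width, size_t depth, int round_up)
{
    size_t len = round_up ? len_ceil(width, depth) : len_floor(width, depth);
    uint8_t *buf = calloc(len ? len : 1, 1);
    if (!buf) return (size_t)-1;
    size_t bad = pack_checked(buf, len, width, depth);
    free(buf);
    return bad;
}

int main(void)
{
    /* Constructed dimensions: 10 two-bit samples need 20 bits = 2.5 bytes. */
    printf("floor: %zu bad writes\n", count_overflows(10, 2, 0));
    printf("ceil:  %zu bad writes\n", count_overflows(10, 2, 1));
    /* 8 one-bit samples fill a byte exactly, so both roundings agree. */
    printf("exact: %zu bad writes\n", count_overflows(8, 1, 0));
    return 0;
}
```

A rounded-down length only comes up short when the bit count is not a multiple of 8, so whether the check fires depends on the scan dimensions.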

