
simple-scan-team team mailing list archive

[Bug 931496] Re: Simple scan crashes when a PDF is saved

 

Added the attached printfs. Here's the output:

** WARNING **: scanner.vala:1204: Scan completed with 1584 lines, expected 2250 lines
allocated: data_length = 711000, height = 2250, width = 1264
shift_count: offset 711000 >= data_length 711000 (x = 1263, width = 1264)
simple-scan: malloc.c:2453: sYSMALLOc: Assertion `(old_top == (((mbinptr) (((char *) &((av)->bins[((1) - 1) * 2])) - __builtin_offsetof (struct malloc_chunk, fd)))) && old_size == 0) || ((unsigned long) (old_size) >= (unsigned long)((((__builtin_offsetof (struct malloc_chunk, fd_nextsize))+((2 * (sizeof(size_t))) - 1)) & ~((2 * (sizeof(size_t))) - 1))) && ((old_top)->size & 0x1) && ((unsigned long)old_end & pagemask) == 0)' failed.
Aborted (core dumped)

This is a buffer overrun by one byte. You can see clearly that all the
other color depths (besides DeviceGray) add an extra byte to account for
this overflow. Only the DeviceGray one does not; adding one to the
data_length calculations for DeviceGray fixes the problem.

Please let me know if you want any other printfs or information in
specific places.


** Patch added: "debug-printfs.patch"
   https://bugs.launchpad.net/simple-scan/+bug/931496/+attachment/2794022/+files/debug-printfs.patch

-- 
You received this bug notification because you are a member of Simple
Scan Development Team, which is the registrant for Simple Scan.
https://bugs.launchpad.net/bugs/931496

Title:
  Simple scan crashes when a PDF is saved

Status in Simple Scan:
  Incomplete

Bug description:
  When saving a PDF, memory corruption occurs and simple scan crashes in
  random code (for me in the deflate functionality). Checked this using a
  clean bzr checkout. BTW, I would have patched this much earlier if
  simple-scan was in a version control system that I was familiar with (like
  git) :S

  Can be verified with valgrind:

  ** WARNING **: scanner.vala:1204: Scan completed with 2250 lines, expected 2250 lines
  ==8804== Thread 1:
  ==8804== Invalid write of size 1
  ==8804==    at 0x40FCFA: book_save_pdf (book.c:1826)
  ==8804==    by 0x411F20: book_save (book.c:2533)
  ==8804==    by 0x44372F: simple_scan_save_document (ui.c:1638)
  ==8804==    by 0x447230: save_file_button_clicked_cb (ui.c:3002)
  ==8804==    by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
  ==8804==    by 0x66ADF59: g_closure_invoke (gclosure.c:774)
  ==8804==    by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302)
  ==8804==    by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033)
  ==8804==    by 0x66C7507: g_signal_emit_by_name (gsignal.c:3127)
  ==8804==    by 0x4F14CBC: button_clicked (gtktoolbutton.c:881)
  ==8804==    by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
  ==8804==    by 0x66ADF59: g_closure_invoke (gclosure.c:774)
  ==8804==  Address 0x2102c5c8 is 0 bytes after a block of size 711,000 alloc'd
  ==8804==    at 0x4A05BB4: calloc (vg_replace_malloc.c:467)
  ==8804==    by 0x6947193: standard_calloc (gmem.c:104)
  ==8804==    by 0x6947225: g_malloc0 (gmem.c:189)
  ==8804==    by 0x69474E2: g_malloc0_n (gmem.c:385)
  ==8804==    by 0x40F889: book_save_pdf (book.c:1674)
  ==8804==    by 0x411F20: book_save (book.c:2533)
  ==8804==    by 0x44372F: simple_scan_save_document (ui.c:1638)
  ==8804==    by 0x447230: save_file_button_clicked_cb (ui.c:3002)
  ==8804==    by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
  ==8804==    by 0x66ADF59: g_closure_invoke (gclosure.c:774)
  ==8804==    by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302)
  ==8804==    by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033)
  ==8804== 
  ==8804== Invalid read of size 1
  ==8804==    at 0x40FD0C: book_save_pdf (book.c:1827)
  ==8804==    by 0x411F20: book_save (book.c:2533)
  ==8804==    by 0x44372F: simple_scan_save_document (ui.c:1638)
  ==8804==    by 0x447230: save_file_button_clicked_cb (ui.c:3002)
  ==8804==    by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
  ==8804==    by 0x66ADF59: g_closure_invoke (gclosure.c:774)
  ==8804==    by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302)
  ==8804==    by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033)
  ==8804==    by 0x66C7507: g_signal_emit_by_name (gsignal.c:3127)
  ==8804==    by 0x4F14CBC: button_clicked (gtktoolbutton.c:881)
  ==8804==    by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
  ==8804==    by 0x66ADF59: g_closure_invoke (gclosure.c:774)
  ==8804==  Address 0x2102c5c8 is 0 bytes after a block of size 711,000 alloc'd
  ==8804==    at 0x4A05BB4: calloc (vg_replace_malloc.c:467)
  ==8804==    by 0x6947193: standard_calloc (gmem.c:104)
  ==8804==    by 0x6947225: g_malloc0 (gmem.c:189)
  ==8804==    by 0x69474E2: g_malloc0_n (gmem.c:385)
  ==8804==    by 0x40F889: book_save_pdf (book.c:1674)
  ==8804==    by 0x411F20: book_save (book.c:2533)
  ==8804==    by 0x44372F: simple_scan_save_document (ui.c:1638)
  ==8804==    by 0x447230: save_file_button_clicked_cb (ui.c:3002)
  ==8804==    by 0x66AFD53: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
  ==8804==    by 0x66ADF59: g_closure_invoke (gclosure.c:774)
  ==8804==    by 0x66C7C40: signal_emit_unlocked_R (gsignal.c:3302)
  ==8804==    by 0x66C6E51: g_signal_emit_valist (gsignal.c:3033)
  ==8804== 

  The problem is that due to an integer rounding error, one byte less is
  allocated in the image buffer than there should be. I don't understand
  the code completely, so this patch should be verified by the original
  author of the code. Attached.

To manage notifications about this bug go to:
https://bugs.launchpad.net/simple-scan/+bug/931496/+subscriptions
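The bug above is a textbook off-by-one in a packed-pixel buffer: the allocation is 711000 bytes, and the write loop reaches offset 711000 at the last pixel of a row (x = 1263 of width 1264) and touches it. The printed numbers are consistent with 2 bits per pixel (1264 × 2 / 8 = 316 bytes per row, 316 × 2250 = 711000), so at these dimensions each row is an exact byte multiple and the extra byte is not a per-row rounding issue but a write that happens after the offset has advanced past the last byte. The example below is added here for illustration and is not simple-scan's code; it assumes a hypothetical packer that converts 8-bit gray samples to 1, 2, 4 or 8 bits per pixel, MSB first, rows padded to a byte boundary. It sizes the buffer with ceiling division (so non-aligned widths are not undersized), bounds-checks every write before it happens rather than after advancing the offset, and refuses a buffer that a truncating size computation would have produced:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes needed for one packed row: round UP to the next byte. */
static size_t packed_row_bytes(size_t width, unsigned bpp) {
    return (width * bpp + 7) / 8;
}

/* Truncating variant, kept only to show how an undersized length arises
   when width * bpp is not a multiple of 8. */
static size_t packed_row_bytes_truncating(size_t width, unsigned bpp) {
    return width * bpp / 8;
}

/* Pack 8-bit gray samples into bpp bits per pixel (1, 2, 4 or 8), MSB first.
   Returns the number of bytes written, or 0 if out_len is too small or a
   write would land outside the buffer. The offset is checked BEFORE each
   write and advanced AFTER it, so reaching offset == needed at the end of
   the last row never touches out[needed]. */
static size_t pack_gray(const uint8_t *gray, size_t width, size_t height,
                        unsigned bpp, uint8_t *out, size_t out_len) {
    size_t stride = packed_row_bytes(width, bpp);
    size_t needed = stride * height;
    if (out_len < needed) return 0;
    memset(out, 0, needed);
    for (size_t y = 0; y < height; y++) {
        size_t offset = y * stride;   /* each row starts on a byte boundary */
        int shift = 8 - (int)bpp;
        for (size_t x = 0; x < width; x++) {
            uint8_t v = gray[y * width + x] >> (8 - bpp);  /* keep top bpp bits */
            if (offset >= needed) return 0;   /* bounds check instead of silent overrun */
            out[offset] |= (uint8_t)(v << shift);
            shift -= (int)bpp;
            if (shift < 0) { shift = 8 - (int)bpp; offset++; }
        }
    }
    return needed;
}

/* Read one packed pixel back (used to verify the round trip). */
static uint8_t packed_pixel(const uint8_t *packed, size_t stride, unsigned bpp,
                            size_t x, size_t y) {
    size_t bit = x * bpp;
    uint8_t byte = packed[y * stride + bit / 8];
    unsigned shift = 8 - bpp - (unsigned)(bit % 8);
    return (uint8_t)((byte >> shift) & ((1u << bpp) - 1));
}

/* Pack a constructed gradient image into a buffer of exactly the computed
   size and verify every pixel reads back. Returns 1 on success. */
static int check_roundtrip(size_t width, size_t height, unsigned bpp) {
    size_t stride = packed_row_bytes(width, bpp), needed = stride * height;
    uint8_t *gray = malloc(width * height);
    uint8_t *packed = malloc(needed);
    int ok = gray != NULL && packed != NULL;
    if (ok) {
        for (size_t i = 0; i < width * height; i++) gray[i] = (uint8_t)(i * 37);  /* constructed sample */
        ok = pack_gray(gray, width, height, bpp, packed, needed) == needed;
        for (size_t y = 0; ok && y < height; y++)
            for (size_t x = 0; ok && x < width; x++)
                ok = packed_pixel(packed, stride, bpp, x, y) == (gray[y * width + x] >> (8 - bpp));
    }
    free(gray);
    free(packed);
    return ok;
}

/* A buffer sized with truncating division is rejected, not overrun.
   Returns 1 if pack_gray refused it; 0 if the width was byte aligned
   (nothing to show) or the packer accepted the short buffer. */
static int undersized_buffer_rejected(size_t width, size_t height, unsigned bpp) {
    size_t short_len = packed_row_bytes_truncating(width, bpp) * height;
    size_t needed = packed_row_bytes(width, bpp) * height;
    if (short_len >= needed) return 0;
    uint8_t *gray = calloc(width * height, 1);
    uint8_t *packed = malloc(short_len);
    int rejected = gray != NULL && packed != NULL &&
                   pack_gray(gray, width, height, bpp, packed, short_len) == 0;
    free(gray);
    free(packed);
    return rejected;
}

int main(void) {
    /* The dimensions from the bug report: 1264 x 2250 at 2 bits per pixel. */
    printf("data_length = %zu\n", packed_row_bytes(1264, 2) * 2250);
    printf("round trip at 1264x2250/2bpp: %s\n", check_roundtrip(1264, 2250, 2) ? "ok" : "FAILED");
    printf("truncated buffer for width 1263 rejected: %s\n",
           undersized_buffer_rejected(1263, 10, 2) ? "yes" : "no");
    return 0;
}
```

The two properties worth keeping from this are independent: ceiling division protects widths that are not byte aligned, and checking `offset` before the write (rather than padding the allocation by one byte and hoping) protects the aligned case from the bug report, where the offset legitimately reaches `data_length` after the final pixel but must never be dereferenced there.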

