Improving faces inserting

Adam Sjøgren asjo at koldfront.dk
Tue May 6 07:28:01 EDT 2008


On Tue, 06 May 2008 12:19:34 +0900, Stephen wrote:

> Jerry James writes:
>> If it's an XEmacs problem, that should show us the offending
>> corruption or extra free().  Otherwise, we'll have to investigate the
>> possibility that libpng is at fault.

> Thanks, Jerry, there's a good chance it *is* libpng:

> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1382

> Note that this affects pretty much all libpng up to v1.2.26.

> Adam, can you send us a copy of the PNG in question?

Here is the header:

  Face: iVBORw0KGgoAAAANSUhEUgAAADAAAAAwBAMAAAClLOS0AAAAG1BMVEUAAAAuCAhQDg5yCwt8
	ISGTAwOOJCSkEBCmKChbrj7zAAAACXRSTlMAUY/ZzO/y/PnJVqgGAAAAAWJLR0QIht6VegAAAAlw
	SFlzAAAASAAAAEgARslrPgAAAVFJREFUOMvtUstuwjAQjGnVc3ieiaOiHguW4cwnVO7G5wYBvRa0
	bL+g7Wd31wjwSuXOoSMrSnY8O/tIUfzjGozpMko+Ot7fNES0njetJsx3xIgQAF60YMTXEcADPKv7
	/W2Y2QUw4ltOPBJBZSKHIe5UHgTaz4kJhNeLudlCjEgcBD6ZiSHJLUfi/mJyJ1cxRkkEEJpzrgf5
	RpQ+5C0uT0QHIR4IuTJWMQ4niVkD2hqTjyg+z5JFnHIvx3z8sNWJGHyxuC9x6YTGl3pbftwHTkXS
	ezYtcev5ZMKiDz3fbu08j50HH9RGTO0EwQfnqpzppHF48M5q4mkN4AI4ccp3ZeyQF+tDkA61+zC1
	7ZmhnTLfysYDS2i1yYmBZGKJg305Uea0co6Jhpdu8mp/ZlY6bCu7Uf2NlmVhfFrFYJwTveRz/HeU
	4ljZ+7T4G5PyCtErbgS/Ri5wcVnJR58AAAAfdEVYdGNvbW1lbnQAbWVudG9yX2xlZ2lvbl9iYWRn
	ZS5wbmd08oWCAAAAAElFTkSuQmCC

I don't know if the mailing list likes attachments, so I will attach the
decoded PNG in another reply.

Oh, I can reproduce the crash by just reading the PNG file into a
buffer (C-x C-f /tmp/face.png RET):

===
$ /usr/bin/xemacs

Fatal error (11).

Your files have been auto-saved.
Use `M-x recover-session' to recover them.

Your version of XEmacs was distributed with a PROBLEMS file that may describe
your crash, and with luck a workaround.  Please check it first, but do report
the crash anyway.  Please report this bug by invoking M-x report-emacs-bug,
or by selecting `Send Bug Report' from the Help menu.  If necessary, send
ordinary email to `xemacs-beta at xemacs.org'.  *MAKE SURE* to include the XEmacs
configuration from M-x describe-installation, or equivalently the file
Installation in the top of the build tree.

*Please* try *hard* to obtain a C stack backtrace; without it, we are unlikely
to be able to analyze the problem.  Locate the core file produced as a result
of this crash (often called `core' or `core.<process-id>', and located in
the directory in which you started XEmacs or your home directory), and type

  gdb /usr/bin/xemacs core

then type `where' at the debugger prompt.  No GDB on your system?  You may
have DBX, or XDB, or SDB.  (Ask your system administrator if you need help.)
If no core file was produced, enable them (often with `ulimit -c unlimited')
in case of future recurrence of the crash.

Lisp backtrace follows:

  # (unwind-protect ...)
  # (catch #<INTERNAL OBJECT (XEmacs bug?) (opaque-ptr, adr=0x102a3500) 0x10398548> ...)
  # (unwind-protect ...)
  [frame elided: its argument is the raw PNG byte string of face.png (IHDR, tRNS, bKGD, pHYs, IDAT, a tEXt comment naming mentor_legion_badge.png, IEND), which does not survive as text] nil nil no-error)
  # (unwind-protect ...)
  # bind (type end start)
  image-decode(1 532 png)
  image-decode-buffer()
  # bind (arg)
  image-mode()
  # bind (alist mode name keep-going)
  # (unwind-protect ...)
  # bind (just-from-file-name)
  set-auto-mode()
  byte-code("..." [set-auto-mode t] 1)
  # (condition-case ... . ((error (byte-code "ÁÂ!\"¨Ä§" ... 4))))
  # bind (find-file)
  normal-mode(t)
  # bind (nomodes after-find-file-from-revert-buffer noauto warn error)
  after-find-file(nil t)
  byte-code("..." [buffer-file-number number truename buffer-file-truename buf buffer-file-name set-buffer-major-mode erase-buffer nil (byte-code Ǥ
       Ã\"¨ª¥Ä Ã\"¨Â§" [rawfile filename insert-file-contents-literally t insert-file-contents] 3) ((file-error ...)) abbreviate-file-name file-name-directory make-local-variable backup-inhibited t after-find-file find-file-use-truenames default-directory backup-enable-predicate rawfile error nowarn] 3)
  # (condition-case ... . ((t (byte-code "!¨Ã   @       A\"§" ... 3))))
  # (unwind-protect ...)
  # bind (error number truename buf rawfile nowarn filename)
  find-file-noselect("/tmp/face.png")
  # bind (codesys filename)
  find-file("/tmp/face.png" nil)
  # bind (command-debug-status)
  call-interactively(find-file)
  # (condition-case ... . error)
  # (catch top-level ...)
Segmentation fault (core dumped)
$ 
===

But this time I got a core-dump! Here is the backtrace from that:

===
$ gdb /usr/bin/xemacs core 
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "powerpc-linux-gnu"...

warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/lib/libXaw.so.7...done.
Loaded symbols for /usr/lib/libXaw.so.7
Reading symbols from /usr/lib/libtiff.so.4...done.
Loaded symbols for /usr/lib/libtiff.so.4
Reading symbols from /usr/lib/libpng12.so.0...done.
Loaded symbols for /usr/lib/libpng12.so.0
Reading symbols from /usr/lib/libjpeg.so.62...done.
Loaded symbols for /usr/lib/libjpeg.so.62
Reading symbols from /usr/lib/libcompface.so.1...done.
Loaded symbols for /usr/lib/libcompface.so.1
Reading symbols from /usr/lib/libXpm.so.4...done.
Loaded symbols for /usr/lib/libXpm.so.4
Reading symbols from /usr/lib/libXmu.so.6...done.
Loaded symbols for /usr/lib/libXmu.so.6
Reading symbols from /usr/lib/libXt.so.6...done.
Loaded symbols for /usr/lib/libXt.so.6
Reading symbols from /usr/lib/libXext.so.6...done.
Loaded symbols for /usr/lib/libXext.so.6
Reading symbols from /usr/lib/libX11.so.6...done.
Loaded symbols for /usr/lib/libX11.so.6
Reading symbols from /usr/lib/libSM.so.6...done.
Loaded symbols for /usr/lib/libSM.so.6
Reading symbols from /usr/lib/libICE.so.6...done.
Loaded symbols for /usr/lib/libICE.so.6
Reading symbols from /usr/lib/libdb-4.6.so...done.
Loaded symbols for /usr/lib/libdb-4.6.so
Reading symbols from /usr/lib/libgpm.so.1...done.
Loaded symbols for /usr/lib/libgpm.so.1
Reading symbols from /lib/libncurses.so.5...done.
Loaded symbols for /lib/libncurses.so.5
Reading symbols from /usr/lib/libldap_r-2.4.so.2...done.
Loaded symbols for /usr/lib/libldap_r-2.4.so.2
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libutil.so.1...done.
Loaded symbols for /lib/libutil.so.1
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /usr/lib/liblber-2.4.so.2...done.
Loaded symbols for /usr/lib/liblber-2.4.so.2
Reading symbols from /usr/lib/libz.so.1...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /usr/lib/libXau.so.6...done.
Loaded symbols for /usr/lib/libXau.so.6
Reading symbols from /usr/lib/libXdmcp.so.6...done.
Loaded symbols for /usr/lib/libXdmcp.so.6
Reading symbols from /lib/libpthread.so.0...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /usr/lib/libsasl2.so.2...done.
Loaded symbols for /usr/lib/libsasl2.so.2
Reading symbols from /usr/lib/libgnutls.so.26...done.
Loaded symbols for /usr/lib/libgnutls.so.26
Reading symbols from /lib/ld.so.1...done.
Loaded symbols for /lib/ld.so.1
Reading symbols from /usr/lib/libtasn1.so.3...done.
Loaded symbols for /usr/lib/libtasn1.so.3
Reading symbols from /usr/lib/libgpg-error.so.0...done.
Loaded symbols for /usr/lib/libgpg-error.so.0
Reading symbols from /usr/lib/libgcrypt.so.11...done.
Loaded symbols for /usr/lib/libgcrypt.so.11
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /lib/libnss_compat.so.2...done.
Loaded symbols for /lib/libnss_compat.so.2
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libnss_nis.so.2...done.
Loaded symbols for /lib/libnss_nis.so.2
Reading symbols from /usr/lib/gconv/ISO8859-1.so...done.
Loaded symbols for /usr/lib/gconv/ISO8859-1.so
Reading symbols from /usr/lib/libXcursor.so.1...Reading symbols from /usr/lib/debug/usr/lib/libXcursor.so.1.0.2...done.
done.
Loaded symbols for /usr/lib/libXcursor.so.1
Reading symbols from /usr/lib/libXrender.so.1...done.
Loaded symbols for /usr/lib/libXrender.so.1
Reading symbols from /usr/lib/libXfixes.so.3...done.
Loaded symbols for /usr/lib/libXfixes.so.3
Core was generated by `/usr/bin/xemacs'.
Program terminated with signal 11, Segmentation fault.
[New process 3122]
#0  0x0f6c61b8 in kill () from /lib/libc.so.6
(gdb) bt
#0  0x0f6c61b8 in kill () from /lib/libc.so.6
#1  0x10090eb0 in fatal_error_signal (sig=11) at emacs.c:642
#2  <signal handler called>
#3  0x0f710d38 in ?? () from /lib/libc.so.6
#4  0x0f71094c in ?? () from /lib/libc.so.6
#5  0x0f71133c in free () from /lib/libc.so.6
#6  0x0fec8048 in png_free_default () from /usr/lib/libpng12.so.0
#7  0x0fec80c4 in png_free () from /usr/lib/libpng12.so.0
#8  0x0febc32c in png_read_destroy () from /usr/lib/libpng12.so.0
#9  0x0febc674 in png_destroy_read_struct () from /usr/lib/libpng12.so.0
#10 0x1015bd08 in png_instantiate_unwind (unwind_obj=273948456) at glyphs-eimage.c:854
#11 0x10092bb4 in unbind_to_hairy (count=33) at eval.c:4984
#12 0x10092d7c in unbind_to (count=33, value=1208397984) at eval.c:4959
#13 0x1015b828 in png_instantiate (image_instance=289652288, instantiator=289652256, pointer_fg=<value optimized out>, 
    pointer_bg=<value optimized out>, dest_mask=-1, domain=274205624) at glyphs-eimage.c:1051
#14 0x10155684 in instantiate_image_instantiator (governing_domain=273691440, domain=274205624, instantiator=289652256, pointer_fg=1208397984, 
    pointer_bg=1208397984, dest_mask=-1, glyph=<value optimized out>) at glyphs.c:776
#15 0x10157d10 in make_image_instance_1 (data=289652256, domain=274205624, dest_types=<value optimized out>) at glyphs.c:1476
#16 0x10095364 in call_with_suspended_errors_1 (opaque_arg=<value optimized out>) at eval.c:2113
#17 0x10093d30 in internal_catch (tag=<value optimized out>, func=0x10095120 <call_with_suspended_errors_1>, arg=272270952, threw=0xbfab43a8)
    at eval.c:1318
#18 0x1009c774 in call_with_suspended_errors (fun=0x10157b60 <make_image_instance_1>, retval=1208397984, class=1208375928, errb=
      {really_unlikely_name_to_have_accidentally_in_a_non_errb_structure = 0}, nargs=3) at eval.c:2205
#19 0x1014dadc in Fmake_image_instance (data=<value optimized out>, domain=<value optimized out>, dest_types=<value optimized out>, 
    noerror=<value optimized out>) at glyphs.c:1579
#20 0x1009709c in Ffuncall (nargs=<value optimized out>, args=0xbfab4504) at eval.c:3536
#21 0x1005edc0 in execute_optimized_program (program=<value optimized out>, stack_depth=<value optimized out>, constants_data=0x1143e4e0)
    at bytecode.c:748
#22 0x1005f6e4 in funcall_compiled_function (fun=290229444, nargs=3, args=0xbfab4688) at bytecode.c:519
#23 0x10096f90 in Ffuncall (nargs=<value optimized out>, args=0xbfab4684) at eval.c:3572
#24 0x1005edc0 in execute_optimized_program (program=<value optimized out>, stack_depth=<value optimized out>, constants_data=0x1143e480)
    at bytecode.c:748
#25 0x1005f6e4 in funcall_compiled_function (fun=290229360, nargs=0, args=0xbfab47f8) at bytecode.c:519
#26 0x10096f90 in Ffuncall (nargs=<value optimized out>, args=0xbfab47f4) at eval.c:3572
#27 0x1005edc0 in execute_optimized_program (program=<value optimized out>, stack_depth=<value optimized out>, constants_data=0x114dd370)
    at bytecode.c:748
#28 0x1005f6e4 in funcall_compiled_function (fun=290229668, nargs=0, args=0xbfab4958) at bytecode.c:519
#29 0x10096f90 in Ffuncall (nargs=<value optimized out>, args=0xbfab4954) at eval.c:3572
#30 0x1005edc0 in execute_optimized_program (program=<value optimized out>, stack_depth=<value optimized out>, constants_data=0x481c4edc)
    at bytecode.c:748
#31 0x1005f6e4 in funcall_compiled_function (fun=1209969480, nargs=0, args=0xbfab4ac8) at bytecode.c:519
#32 0x10096f90 in Ffuncall (nargs=<value optimized out>, args=0xbfab4ac4) at eval.c:3572
#33 0x1005edc0 in execute_optimized_program (program=<value optimized out>, stack_depth=<value optimized out>, constants_data=0x481c4f6c)
    at bytecode.c:748
#34 0x1005f288 in Fbyte_code (instructions=<value optimized out>, constants=1209814876, stack_depth=<value optimized out>) at bytecode.c:2407
#35 0x10099c48 in Feval (form=1209581812) at eval.c:3335
#36 0x1009cb8c in condition_case_1 (handlers=<value optimized out>, bfun=0x10098d90 <Feval>, barg=1209581812, 
    hfun=0x1009be40 <run_condition_case_handlers>, harg=1208361360) at eval.c:1652
#37 0x1005dd98 in execute_rare_opcode (stack_ptr=0xbfab4f74, program_ptr=<value optimized out>, opcode=<value optimized out>) at bytecode.c:1273
#38 0x1005f0e4 in execute_optimized_program (program=<value optimized out>, stack_depth=570565704, constants_data=0x481c4f98) at bytecode.c:658
#39 0x1005f6e4 in funcall_compiled_function (fun=1209969536, nargs=1, args=0xbfab50d8) at bytecode.c:519
#40 0x10096f90 in Ffuncall (nargs=<value optimized out>, args=0xbfab50d4) at eval.c:3572
#41 0x1005edc0 in execute_optimized_program (program=<value optimized out>, stack_depth=<value optimized out>, constants_data=0x481c7950)
    at bytecode.c:748
#42 0x1005f6e4 in funcall_compiled_function (fun=1209973428, nargs=2, args=0xbfab5248) at bytecode.c:519
#43 0x10096f90 in Ffuncall (nargs=<value optimized out>, args=0xbfab5244) at eval.c:3572
#44 0x1005edc0 in execute_optimized_program (program=<value optimized out>, stack_depth=<value optimized out>, constants_data=0x481b9f24)
    at bytecode.c:748
#45 0x1005f288 in Fbyte_code (instructions=<value optimized out>, constants=1209769748, stack_depth=<value optimized out>) at bytecode.c:2407
#46 0x10099c48 in Feval (form=1209491908) at eval.c:3335
#47 0x1009cb8c in condition_case_1 (handlers=<value optimized out>, bfun=0x10098d90 <Feval>, barg=1209491908, 
    hfun=0x1009be40 <run_condition_case_handlers>, harg=1208372832) at eval.c:1652
#48 0x1005dd98 in execute_rare_opcode (stack_ptr=0xbfab5794, program_ptr=<value optimized out>, opcode=<value optimized out>) at bytecode.c:1273
#49 0x1005f0e4 in execute_optimized_program (program=<value optimized out>, stack_depth=671229000, constants_data=0x481c8d40) at bytecode.c:658
#50 0x1005f6e4 in funcall_compiled_function (fun=1209975276, nargs=1, args=0xbfab590c) at bytecode.c:519
#51 0x10096f90 in Ffuncall (nargs=<value optimized out>, args=0xbfab5908) at eval.c:3572
#52 0x1005edc0 in execute_optimized_program (program=<value optimized out>, stack_depth=<value optimized out>, constants_data=0x481c903c)
    at bytecode.c:748
#53 0x1005f6e4 in funcall_compiled_function (fun=1209975668, nargs=2, args=0xbfab5a64) at bytecode.c:519
#54 0x10096f90 in Ffuncall (nargs=<value optimized out>, args=0xbfab5a60) at eval.c:3572
#55 0x1006112c in Fcall_interactively (function=1208365200, record_flag=1208397984, keys=1208397984) at callint.c:941
#56 0x1009b898 in Fcommand_execute (cmd=1208365200, record_flag=1208397984, keys=1208397984) at eval.c:2974
#57 0x10103444 in execute_command_event (command_builder=0x104a5e88, event=281964360) at event-stream.c:3924
#58 0x10103f20 in Fdispatch_event (event=281964360) at event-stream.c:4258
#59 0x1006bd0c in Fcommand_loop_1 () at cmdloop.c:583
#60 0x1009cb8c in condition_case_1 (handlers=<value optimized out>, bfun=0x1006bdd0 <command_loop_1>, barg=1208397984, 
    hfun=0x1006c340 <cmd_error>, harg=1208397984) at eval.c:1652
#61 0x1006c2e8 in command_loop_2 (dummy=<value optimized out>) at cmdloop.c:256
#62 0x10093d30 in internal_catch (tag=<value optimized out>, func=0x1006c270 <command_loop_2>, arg=1208397984, threw=0x0) at eval.c:1318
#63 0x1006cb48 in initial_command_loop (load_me=<value optimized out>) at cmdloop.c:305
#64 0x1008fef8 in xemacs_21_4_21_powerpc_unknown_linux (argc=1, argv=0xbfab65a4, envp=<value optimized out>, restart=0) at emacs.c:2460
#65 0x100908f4 in main (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>) at emacs.c:2829
(gdb) quit
$ 
===


  Best regards,

    Adam

-- 
 "The unavoidable price of reliability is simplicity"         Adam Sjøgren
                                                         asjo at koldfront.dk
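The chunk walk below is an added example, not code from the message, from XEmacs or from libpng. It base64-decodes the Face: header exactly as posted above, checks the PNG signature, walks the length/type/data/CRC chain, verifies every CRC-32 with zlib.crc32 (the polynomial PNG specifies), and lists what a reviewer of a decoder crash looks at first: zero-length chunks, chunk types the specification does not define, and CRC mismatches. It also carries a small helper for splicing a correctly CRC'd chunk into a known-good file so variants can be built for comparison. FACE_HEADER is the posted header; the function names, the heuristics in suspicious_chunks and the insert_chunk helper are this example's own and say nothing about which side of the XEmacs/libpng boundary is at fault.

```python
"""Walk the chunk structure of the Face PNG from the post above.

Added example; not code from the message, XEmacs or libpng. FACE_HEADER is
copied from the post; everything else here is this example's own.
"""
import base64
import struct
import zlib

# Copied from the Face: header in the message; folding whitespace is stripped.
FACE_HEADER = """
iVBORw0KGgoAAAANSUhEUgAAADAAAAAwBAMAAAClLOS0AAAAG1BMVEUAAAAuCAhQDg5yCwt8
ISGTAwOOJCSkEBCmKChbrj7zAAAACXRSTlMAUY/ZzO/y/PnJVqgGAAAAAWJLR0QIht6VegAAAAlw
SFlzAAAASAAAAEgARslrPgAAAVFJREFUOMvtUstuwjAQjGnVc3ieiaOiHguW4cwnVO7G5wYBvRa0
bL+g7Wd31wjwSuXOoSMrSnY8O/tIUfzjGozpMko+Ot7fNES0njetJsx3xIgQAF60YMTXEcADPKv7
/W2Y2QUw4ltOPBJBZSKHIe5UHgTaz4kJhNeLudlCjEgcBD6ZiSHJLUfi/mJyJ1cxRkkEEJpzrgf5
RpQ+5C0uT0QHIR4IuTJWMQ4niVkD2hqTjyg+z5JFnHIvx3z8sNWJGHyxuC9x6YTGl3pbftwHTkXS
ezYtcev5ZMKiDz3fbu08j50HH9RGTO0EwQfnqpzppHF48M5q4mkN4AI4ccp3ZeyQF+tDkA61+zC1
7ZmhnTLfysYDS2i1yYmBZGKJg305Uea0co6Jhpdu8mp/ZlY6bCu7Uf2NlmVhfFrFYJwTveRz/HeU
4ljZ+7T4G5PyCtErbgS/Ri5wcVnJR58AAAAfdEVYdGNvbW1lbnQAbWVudG9yX2xlZ2lvbl9iYWRn
ZS5wbmd08oWCAAAAAElFTkSuQmCC
"""

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# The chunk types defined by the PNG specification; a decoder treats anything
# else as an unknown chunk (libpng also knows a few registered extensions).
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}


def decode_face_header(header):
    """Undo the header folding (newlines, tabs, spaces) and base64-decode."""
    return base64.b64decode("".join(header.split()))


def walk_chunks(data):
    """Return one dict per chunk: type, length, offset, ancillary, crc_ok.

    Raises ValueError for a bad signature or a chunk whose declared length
    runs past the end of the file (a truncated or corrupted PNG).
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    chunks = []
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header at offset %d" % pos)
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_field) != 4:
            raise ValueError("chunk %r at %d runs past end of file" % (ctype, pos))
        stored_crc = struct.unpack(">I", crc_field)[0]
        # The PNG CRC-32 covers the type and data fields, not the length.
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == stored_crc
        chunks.append({
            "type": ctype.decode("latin-1"),
            "length": length,
            "offset": pos,
            # Bit 5 of the first type byte (lowercase) marks an ancillary chunk.
            "ancillary": bool(ctype[0] & 0x20),
            "crc_ok": crc_ok,
        })
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks


def parse_ihdr(data):
    """Decode the 13-byte IHDR payload, which must be the first chunk."""
    first = walk_chunks(data)[0]
    if first["type"] != "IHDR" or first["length"] != 13:
        raise ValueError("first chunk is not a 13-byte IHDR")
    off = first["offset"] + 8
    width, height, depth, color, comp, filt, interlace = struct.unpack(
        ">IIBBBBB", data[off:off + 13])
    return {"width": width, "height": height, "bit_depth": depth,
            "color_type": color, "compression": comp, "filter": filt,
            "interlace": interlace}


def suspicious_chunks(chunks):
    """List the things worth a second look in a PNG that crashed a decoder."""
    notes = []
    for c in chunks:
        where = "%s@%d" % (c["type"], c["offset"])
        if c["length"] == 0 and c["type"] != "IEND":
            notes.append(where + ": zero-length chunk")
        if c["type"].encode("latin-1") not in KNOWN_CHUNKS:
            notes.append(where + ": unknown chunk")
        if not c["crc_ok"]:
            notes.append(where + ": CRC mismatch")
    return notes


def insert_chunk(data, ctype, body, before=b"IDAT"):
    """Splice a correctly CRC'd chunk in front of the first `before` chunk,
    e.g. to build a variant with a zero-length ancillary chunk for comparison."""
    for c in walk_chunks(data):
        if c["type"].encode("latin-1") == before:
            crc = struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)
            new = struct.pack(">I", len(body)) + ctype + body + crc
            return data[:c["offset"]] + new + data[c["offset"]:]
    raise ValueError("no %r chunk to insert before" % before)


if __name__ == "__main__":
    png = decode_face_header(FACE_HEADER)
    print("%d bytes, IHDR %s" % (len(png), parse_ihdr(png)))
    for c in walk_chunks(png):
        print("  %-4s len=%4d off=%3d ancillary=%-5s crc_ok=%s"
              % (c["type"], c["length"], c["offset"], c["ancillary"], c["crc_ok"]))
    print("suspicious:", suspicious_chunks(walk_chunks(png)) or "nothing")
```

Run as posted, it decodes the header to a 531-byte file (matching the 1..532 buffer range in the Lisp backtrace) with eight chunks in order, IHDR, PLTE, tRNS, bKGD, pHYs, IDAT, tEXt and IEND, a 48x48, 4-bit palette image, every CRC intact and nothing zero-length apart from IEND. Swap in `insert_chunk(png, b"fOOb", b"")` to get a variant with a zero-length unknown ancillary chunk ahead of IDAT, which is the kind of input the CVE Stephen cites is about, and compare how a decoder treats the two files.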


