file-gif-load: segmentation fault on opening huge gif
Environment/Versions
- GIMP version: 2.99.18
- Package: Flatpak and built from source
- Operating System: Linux
Description of the bug
While testing #4268 (closed), I followed the instructions there and was able to create a GIF of 60000 x 60000 pixels. However, opening that GIF leads to a segmentation fault in file-gif-load.
The created GIF is attached here: Crashtest.gif
Reproduction
Is the bug reproducible? Always
Reproduction steps:
- Open Crashtest.gif
- Segmentation fault in file-gif-load
…
Expected result: The file opens
Actual result: Segmentation fault
Additional information
/usr/local/lib/x86_64-linux-gnu/gimp/2.99/plug-ins/file-gif-load/file-gif-load: fatal error: Segmentation fault
/usr/local/lib/x86_64-linux-gnu/gimp/2.99/plug-ins/file-gif-load/file-gif-load (pid:41562): [E]xit, show [S]tack trace or [P]roceed: s
26 ../sysdeps/unix/sysv/linux/read.c: No such file or directory.
# Stack traces obtained from PID 41562 - Thread 41562 #
[New LWP 41563]
[New LWP 41564]
[New LWP 41565]
[New LWP 41566]
[New LWP 41567]
[New LWP 41568]
[New LWP 41569]
[New LWP 41570]
[New LWP 41571]
[New LWP 41572]
[New LWP 41573]
[New LWP 41574]
[New LWP 41575]
[New LWP 41576]
[New LWP 41577]
[New LWP 41578]
[New LWP 41579]
[New LWP 41580]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
__GI___libc_read (nbytes=255, buf=0x7ffec43296d0, fd=10) at ../sysdeps/unix/sysv/linux/read.c:26
Id Target Id Frame
* 1 Thread 0x7f7e8626adc0 (LWP 41562) "file-gif-load" __GI___libc_read (nbytes=255, buf=0x7ffec43296d0, fd=10) at ../sysdeps/unix/sysv/linux/read.c:26
2 Thread 0x7f7e85bff6c0 (LWP 41563) "pool-spawner" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
3 Thread 0x7f7e853fe6c0 (LWP 41564) "gmain" 0x00007f7e872ffabf in __GI___poll (fds=0x55d9233fd000, nfds=1, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:29
4 Thread 0x7f7e84bfd6c0 (LWP 41565) "gdbus" 0x00007f7e872ffabf in __GI___poll (fds=0x7f7e7c000b90, nfds=2, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:29
5 Thread 0x7f7e77fff6c0 (LWP 41566) "worker" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
6 Thread 0x7f7e777fe6c0 (LWP 41567) "worker" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
7 Thread 0x7f7e76ffd6c0 (LWP 41568) "worker" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
8 Thread 0x7f7e767fc6c0 (LWP 41569) "worker" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
9 Thread 0x7f7e6ffff6c0 (LWP 41570) "worker" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
10 Thread 0x7f7e75ffb6c0 (LWP 41571) "worker" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
11 Thread 0x7f7e757fa6c0 (LWP 41572) "worker" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
12 Thread 0x7f7e74ff96c0 (LWP 41573) "worker" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
13 Thread 0x7f7e6f7fe6c0 (LWP 41574) "worker" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
14 Thread 0x7f7e6effd6c0 (LWP 41575) "worker" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
15 Thread 0x7f7e6e7fc6c0 (LWP 41576) "worker" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
16 Thread 0x7f7e6dffb6c0 (LWP 41577) "worker" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
17 Thread 0x7f7e6d7fa6c0 (LWP 41578) "worker" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
18 Thread 0x7f7e6cff96c0 (LWP 41579) "worker" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
19 Thread 0x7f7e57fff6c0 (LWP 41580) "worker" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
#0 __GI___libc_read (nbytes=255, buf=0x7ffec43296d0, fd=10) at ../sysdeps/unix/sysv/linux/read.c:26
sc_ret = -512
sc_cancel_oldtype = 0
sc_ret = <optimized out>
#1 __GI___libc_read (fd=10, buf=buf@entry=0x7ffec43296d0, nbytes=nbytes@entry=255) at ../sysdeps/unix/sysv/linux/read.c:24
#2 0x00007f7e878ae17b in gimp_stack_trace_print (prog_name=prog_name@entry=0x7ffec432d226 "/usr/local/lib/x86_64-linux-gnu/gimp/2.99/plug-ins/file-gif-load/file-gif-load", stream=0x7f7e873d8780 <_IO_2_1_stdout_>, trace=trace@entry=0x0) at ../libgimpbase/gimputils.c:1394
status = 1768370037
stack_printed = 0
gtrace = 0x0
gimp_pid = "41562\000\000\000P}N#\331U\000"
buffer = " ,N#\331U\000\000\360+N#\331U\000\000\020\2272\304\376\177\000\000\260\006\227\207~\177\000\000\001\000\000\000~\177\000\000\023\001\000\000\000\000\000\000", '\n' <repeats 32 times>, '\000' <repeats 32 times>, ": \000upper >= lower\000step || page |", '\000' <repeats 32 times>, "\037\005\000PUU@W\005\033\030\005IJR@W\000VQ@U\005YY"...
read_n = <optimized out>
sync_fd = {8, 9}
out_fd = {10, 11}
fork_pid = <optimized out>
pid = 41562
eintr_count = 0
tid = <optimized out>
#3 0x00007f7e878ae850 in gimp_stack_trace_query (prog_name=0x7ffec432d226 "/usr/local/lib/x86_64-linux-gnu/gimp/2.99/plug-ins/file-gif-load/file-gif-load") at ../libgimpbase/gimputils.c:1557
buf = "s\n", '\000' <repeats 13 times>
#4 0x00007f7e878e6334 in gimp_plugin_sigfatal_handler (sig_num=<optimized out>) at ../libgimp/gimp.c:1036
sigset = {__val = {0, 140181417471672, 1, 140181416792632, 140181416764312, 140732190072000, 140732190071992, 140179166506219, 94391088556080, 72, 140179142606848, 0, 5, 0, 1, 140179142606849}}
#5 0x00007f7e87240510 in <signal handler called> () at /lib/x86_64-linux-gnu/libc.so.6
#6 0x000055d922b7f544 in ReadImage (fd=fd@entry=0x55d92344c6b0, file=file@entry=0x55d9233f29c0, len=60000, height=60000, cmap=cmap@entry=0x55d922b93528 <GifScreen+8>, ncols=<optimized out>, interlace=0, leftpos=0, toppos=0, screenwidth=60000, screenheight=60000, image=0x7ffec432a9a8, error=0x7ffec432ad18, number=<optimized out>, format=<optimized out>) at ../plug-ins/common/file-gif-load.c:1324
layer = 0x55d9234e13f0
buffer = <optimized out>
dest = <optimized out>
temp = 0x7f7cd96cde10 <error: Cannot access memory at address 0x7f7cd96cde10>
c = 2 '\002'
xpos = 0
ypos = 35792
pass = 0
cur_progress = 0
max_progress = 60000
v = 0
i = <optimized out>
j = <optimized out>
framename = <optimized out>
framename_ptr = <optimized out>
alpha_frame = <optimized out>
frame_number = 2
previous_disposal = 0
#7 0x000055d922b7fe8c in load_image (file=file@entry=0x55d9233f29c0, thumbnail=thumbnail@entry=0, error=error@entry=0x7ffec432ad18) at ../plug-ins/common/file-gif-load.c:545
fd = 0x55d92344c6b0
buf = "\000\000\000\000`\352`\352\000zL#\331U\000"
c = 44 ','
localColorMap = {"\020\200@#\331U\000\000\300\035L#\331U", '\000' <repeats 34 times>, "\200\aL#\331U\000\000`6L#\331U\000\0000\\L#\331U\000\000\220fL#\331U", '\000' <repeats 34 times>, "\360LK#\331U\000\000pUK#\331U\000\000\340?K#\331U\000\000\020\027L#\331U", '\000' <repeats 34 times>, "\300\304@#\331U\000\000`\001A#\331U\000\0000\002A#\331U\000\000"..., "\000\000\000\000\000\000\000\000\020", '\000' <repeats 159 times>, "\005\000\000\000\000\000\000\000\360!?#\331U\000\000\340MJ#\331U\000\000\003\000\000\000\000\000\000\000"..., "\200|=\207~\177\000\0000!?#\331U\000\0000!?#\331U\000\000\003\000\000\000\000\000\000\000\340MJ#\331U\000\000\003\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\316\234U\207~\177\000\000\340MJ#\331U\000\000\364|U\207~\177\000\000\000\000\000\000\000\000\000\000\340MJ#\331U\000\000\003", '\000' <repeats 15 times>, "\n", '\000' <repeats 15 times>, "\001\000\000\000\000\000\000\000\211\255U\207~\177", '\000' <repeats 26 times>, "\200MJ#\331U\000\000\340MJ#\331U", '\000' <repeats 26 times>...}
grayScale = 0
useGlobalColormap = <optimized out>
bitPixel = <optimized out>
imageCount = <optimized out>
image = 0x55d9234e0cd0
status = <optimized out>
saved_parasite = 0
#8 0x000055d922b805b2 in gif_load (procedure=0x55d923450060, run_mode=<optimized out>, file=0x55d9233f29c0, metadata=<optimized out>, flags=0x7ffec432ad64, config=<optimized out>, run_data=0x0) at ../plug-ins/common/file-gif-load.c:238
return_vals = <optimized out>
image = <optimized out>
error = 0x0
#9 0x00007f7e878ed9b0 in gimp_load_procedure_run (procedure=0x55d923450060, args=<optimized out>) at ../libgimp/gimploadprocedure.c:244
plug_in = <optimized out>
load_proc = 0x55d923450060
remaining = 0x55d9233dec40
return_values = <optimized out>
config = 0x55d9233df360
image = 0x0
metadata = 0x55d9234a4700
mimetype = <optimized out>
flags = GIMP_METADATA_LOAD_ALL
status = GIMP_PDB_EXECUTION_ERROR
run_mode = GIMP_RUN_INTERACTIVE
file = 0x55d9233f29c0
i = <optimized out>
__func__ = "gimp_load_procedure_run"
#10 0x00007f7e878f5e48 in _gimp_procedure_run_array (procedure=procedure@entry=0x55d923450060, args=args@entry=0x55d923450480) at ../libgimp/gimpprocedure.c:2047
return_vals = <optimized out>
error = 0x0
i = <optimized out>
__func__ = "_gimp_procedure_run_array"
#11 0x00007f7e878f27de in gimp_plug_in_proc_run_internal (plug_in=plug_in@entry=0x55d9233f1cf0, proc_run=proc_run@entry=0x55d9233f3100, procedure=procedure@entry=0x55d923450060, proc_return=proc_return@entry=0x7ffec432aeb0) at ../libgimp/gimpplugin.c:1413
arguments = 0x55d923450480
return_values = 0x0
gettext_domain = 0x55d923450480 "\002"
catalog_dir = 0x55d9234504a0 "`"
#12 0x00007f7e878f2e86 in gimp_plug_in_proc_run (proc_run=0x55d9233f3100, plug_in=0x55d9233f1cf0) at ../libgimp/gimpplugin.c:1345
proc_return = {name = 0x0, n_params = 0, params = 0x7f7e87920d8f}
procedure = 0x55d923450060
msg = {type = 5, data = 0x55d9233f3100}
__func__ = "_gimp_plug_in_run"
#13 gimp_plug_in_loop (plug_in=0x55d9233f1cf0) at ../libgimp/gimpplugin.c:1253
msg = {type = 5, data = 0x55d9233f3100}
__func__ = "_gimp_plug_in_run"
#14 _gimp_plug_in_run (plug_in=0x55d9233f1cf0) at ../libgimp/gimpplugin.c:844
__func__ = "_gimp_plug_in_run"
#15 0x00007f7e878e6a71 in gimp_main (plug_in_type=<optimized out>, argc=<optimized out>, argv=<optimized out>) at ../libgimp/gimp.c:531
read_channel = 0x55d9233dd9e0
write_channel = 0x55d9233e1580
basename = <optimized out>
protocol_version = <optimized out>
__func__ = "gimp_main"
#16 0x00007f7e8722b6ca in __libc_start_call_main (main=main@entry=0x55d922b7e4b0 <main>, argc=argc@entry=7, argv=argv@entry=0x7ffec432b1f8) at ../sysdeps/nptl/libc_start_call_main.h:58
self = <optimized out>
result = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140732190077432, 2051657799415898058, 0, 140732190077496, 94391078759784, 140181417635840, -2052098262840238134, -2124012783118704694}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x7ffec432b1f8, 0x7ffec432b1f8}, data = {prev = 0x0, cleanup = 0x0, canceltype = -1003310600}}}
not_first_call = <optimized out>
#17 0x00007f7e8722b785 in __libc_start_main_impl (main=0x55d922b7e4b0 <main>, argc=7, argv=0x7ffec432b1f8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffec432b1e8) at ../csu/libc-start.c:360
#18 0x000055d922b7e501 in _start ()
[Inferior 1 (process 41562) detached]