Crash when opening a malformed GIF file
GIMP version: 2.10.2-1
Operating System: Arch Linux with kernel 4.16.13-1-ARCH
Package: From official Arch Linux packages
Description of the bug
When opening a malformed (?) GIF, GIMP crashes instead of reporting the error as it should. The specific GIF file is: 31153c919d3aa634e8e6cff82219fe7352dd8a37. Here is its hexdump:
0000000 4947 3846 6139 0001 0001 0180 0000 0000
0000010 ffff 21ff 04f9 0001 0100 2c00 0000 0000
0000020 0001 0001 0200 4c02 0001 003b
I got this file from scraping some images, and its original extension was .png, but its header is GIF89a. It is similar to the example for an empty GIF on Wikipedia (same length and structure), and appears like a white pixel in Firefox.
Eye of Mate also fails to open the file, though it handles it gracefully.
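As an added illustration (not part of this report and not GIMP's or babl's own loader code), the following walks the block structure of the file in the hexdump above, reconstructed byte for byte from that dump: the GIF89a header, the 2-entry global colour table, the graphic control extension with transparent index 1, and the 1x1 image. Every read is bounds-checked and every palette index is validated, so a truncated or inconsistent file produces an error message, which is the behaviour the reporter expects instead of an abort.

```python
import struct
# Constructed input: the 43-byte file from the report's hexdump (little-endian
# 16-bit words as hexdump prints them; the odd trailing byte is the trailer).
SAMPLE_GIF = bytes.fromhex(
    "474946383961" "01000100800100"  # "GIF89a"; 1x1 screen, packed 0x80, bg index 1
    "000000ffffff"                   # global colour table: 2 entries (black, white)
    "21f9040100000100"               # graphic control ext: transparent flag, index 1
    "2c000000000100010000"           # image descriptor: 1x1 at (0,0), no local table
    "02024c0100" "3b")               # LZW min code size 2, one sub-block, end, trailer
def need(ok, msg):
    if not ok:                       # report the malformed file, never read past it
        raise ValueError(msg)
def read_sub_blocks(data, pos):
    """Concatenate length-prefixed data sub-blocks up to the 0x00 terminator."""
    out = bytearray()
    while True:
        need(pos < len(data), "sub-block length byte past end of file")
        n, pos = data[pos], pos + 1
        if n == 0:
            return bytes(out), pos
        need(pos + n <= len(data), "sub-block of %d bytes truncated" % n)
        out, pos = out + data[pos:pos + n], pos + n
def parse_gif(data):
    """Walk the block structure; return a dict of fields or raise ValueError."""
    need(len(data) >= 13 and data[:6] in (b"GIF87a", b"GIF89a"), "not a GIF")
    w, h, flags, bg, _ = struct.unpack_from("<HHBBB", data, 6)
    gct = 2 << (flags & 7) if flags & 0x80 else 0        # 2^(N+1) entries
    f, pos = dict(screen=(w, h), gct_entries=gct), 13 + 3 * gct
    need(pos <= len(data), "global colour table truncated")
    need(bg < gct or not gct, "background index %d outside colour table" % bg)
    while True:
        need(pos < len(data), "missing trailer")
        tag, pos = data[pos], pos + 1
        if tag == 0x3B:                                  # trailer
            return f
        if tag == 0x21:                                  # extension block
            need(pos < len(data), "extension label missing")
            label, pos = data[pos], pos + 1
            body, pos = read_sub_blocks(data, pos)
            if label == 0xF9 and len(body) >= 4 and body[0] & 1:
                need(body[3] < gct, "transparent index %d outside table" % body[3])
                f["transparent_index"] = body[3]
        elif tag == 0x2C:                                # image descriptor
            need(pos + 10 <= len(data), "image descriptor truncated")
            x, y, iw, ih, ipk = struct.unpack_from("<HHHHB", data, pos)
            pos += 9 + (3 * (2 << (ipk & 7)) if ipk & 0x80 else 0) + 1
            f["image"], (f["lzw"], pos) = (x, y, iw, ih), read_sub_blocks(data, pos)
        else:
            need(False, "unexpected block 0x%02x at offset %d" % (tag, pos - 1))
```

Run against the sample it returns the parsed fields without complaint, so the file is structurally valid GIF; the checks only fire on truncated input or on an index that points outside the colour table.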
Reproduction
Is the bug reproducible? Always
Reproduction steps:
- Open GIF file attached above
- Get "GIMP crashed with a fatal error: Aborted" message
…
Expected result: GIMP gives out an error message
Actual result: GIMP crashes
Additional information
Bug information given out by GIMP itself:
GNU Image Manipulation Program version 2.10.2
git-describe: GIMP_2_10_0-292-gbe7f9b433a
C compiler:
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-pc-linux-gnu/8.1.0/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /build/gcc/src/gcc/configure --prefix=/usr --libdir=/usr/lib --libexecdir=/usr/lib --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=https://bugs.archlinux.org/ --enable-languages=c,c++,ada,fortran,go,lto,objc,obj-c++ --enable-shared --enable-threads=posix --enable-libmpx --with-system-zlib --with-isl --enable-__cxa_atexit --disable-libunwind-exceptions --enable-clocale=gnu --disable-libstdcxx-pch --disable-libssp --enable-gnu-unique-object --enable-linker-build-id --enable-lto --enable-plugin --enable-install-libiberty --with-linker-hash-style=gnu --enable-gnu-indirect-function --enable-multilib --disable-werror --enable-checking=release --enable-default-pie --enable-default-ssp
Thread model: posix
gcc version 8.1.0 (GCC)
using GEGL version 0.4.2 (compiled against version 0.4.2)
using GLib version 2.56.1 (compiled against version 2.56.1)
using GdkPixbuf version 2.36.12 (compiled against version 2.36.12)
using GTK+ version 2.24.32 (compiled against version 2.24.32)
using Pango version 1.42.1 (compiled against version 1.42.1)
using Fontconfig version 2.13.0 (compiled against version 2.13.0)
using Cairo version 1.15.12 (compiled against version 1.15.12)
> fatal error: Aborted
Stack trace:
# Stack traces obtained from PID 7144 - Thread 7144 #
Catchpoint 1 (syscall 'ptrace' [26])
[New LWP 7146]
[New LWP 7147]
[New LWP 7148]
[New LWP 7149]
[New LWP 7150]
[New LWP 7151]
[New LWP 7152]
[New LWP 7153]
[New LWP 7154]
[New LWP 7155]
[New LWP 7156]
[New LWP 7169]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
0x00007f6fc01b7514 in read () from /usr/lib/libpthread.so.0
=> 0x00007f6fc01b7514 <read+68>: 48 3d 00 f0 ff ff cmp rax,0xfffffffffffff000
Id Target Id Frame
* 1 Thread 0x7f6fc4da1d40 (LWP 7144) "gimp-2.10" 0x00007f6fc01b7514 in read () from /usr/lib/libpthread.so.0
2 Thread 0x7f6fb6a24700 (LWP 7146) "gmain" 0x00007f6fbfed8ea9 in poll () from /usr/lib/libc.so.6
3 Thread 0x7f6fb6223700 (LWP 7147) "gdbus" 0x00007f6fbfed8ea9 in poll () from /usr/lib/libc.so.6
4 Thread 0x7f6f958f0700 (LWP 7148) "async" 0x00007f6fbfede0f9 in syscall () from /usr/lib/libc.so.6
5 Thread 0x7f6f950ef700 (LWP 7149) "worker" 0x00007f6fbfede0f9 in syscall () from /usr/lib/libc.so.6
6 Thread 0x7f6f948ee700 (LWP 7150) "worker" 0x00007f6fbfede0f9 in syscall () from /usr/lib/libc.so.6
7 Thread 0x7f6f940ed700 (LWP 7151) "worker" 0x00007f6fbfede0f9 in syscall () from /usr/lib/libc.so.6
8 Thread 0x7f6f938ec700 (LWP 7152) "worker" 0x00007f6fbfede0f9 in syscall () from /usr/lib/libc.so.6
9 Thread 0x7f6f930eb700 (LWP 7153) "worker" 0x00007f6fbfede0f9 in syscall () from /usr/lib/libc.so.6
10 Thread 0x7f6f928ea700 (LWP 7154) "worker" 0x00007f6fbfede0f9 in syscall () from /usr/lib/libc.so.6
11 Thread 0x7f6f920e9700 (LWP 7155) "worker" 0x00007f6fbfede0f9 in syscall () from /usr/lib/libc.so.6
12 Thread 0x7f6f918e8700 (LWP 7156) "pool" 0x00007f6fbfede0f9 in syscall () from /usr/lib/libc.so.6
13 Thread 0x7f6f8bfff700 (LWP 7169) "swap writer" 0x00007f6fbfede0f9 in syscall () from /usr/lib/libc.so.6
Thread 13 (Thread 0x7f6f8bfff700 (LWP 7169)):
#0 0x00007f6fbfede0f9 in syscall () at /usr/lib/libc.so.6
#1 0x00007f6fc07ed411 in g_cond_wait () at /usr/lib/libglib-2.0.so.0
#2 0x00007f6fc1f79afe in () at /usr/lib/libgegl-0.4.so.0
#3 0x00007f6fc07cea2a in () at /usr/lib/libglib-2.0.so.0
#4 0x00007f6fc01ae075 in start_thread () at /usr/lib/libpthread.so.0
#5 0x00007f6fbfee353f in clone () at /usr/lib/libc.so.6
Thread 12 (Thread 0x7f6f918e8700 (LWP 7156)):
#0 0x00007f6fbfede0f9 in syscall () at /usr/lib/libc.so.6
#1 0x00007f6fc07ed52d in g_cond_wait_until () at /usr/lib/libglib-2.0.so.0
#2 0x00007f6fc0778903 in () at /usr/lib/libglib-2.0.so.0
#3 0x00007f6fc0778eee in g_async_queue_timeout_pop () at /usr/lib/libglib-2.0.so.0
#4 0x00007f6fc07cf541 in () at /usr/lib/libglib-2.0.so.0
#5 0x00007f6fc07cea2a in () at /usr/lib/libglib-2.0.so.0
#6 0x00007f6fc01ae075 in start_thread () at /usr/lib/libpthread.so.0
#7 0x00007f6fbfee353f in clone () at /usr/lib/libc.so.6
Thread 11 (Thread 0x7f6f920e9700 (LWP 7155)):
#0 0x00007f6fbfede0f9 in syscall () at /usr/lib/libc.so.6
#1 0x00007f6fc07ed411 in g_cond_wait () at /usr/lib/libglib-2.0.so.0
#2 0x00005650e63c1e14 in ()
#3 0x00007f6fc07cea2a in () at /usr/lib/libglib-2.0.so.0
#4 0x00007f6fc01ae075 in start_thread () at /usr/lib/libpthread.so.0
#5 0x00007f6fbfee353f in clone () at /usr/lib/libc.so.6
Thread 10 (Thread 0x7f6f928ea700 (LWP 7154)):
#0 0x00007f6fbfede0f9 in syscall () at /usr/lib/libc.so.6
#1 0x00007f6fc07ed411 in g_cond_wait () at /usr/lib/libglib-2.0.so.0
#2 0x00005650e63c1e14 in ()
#3 0x00007f6fc07cea2a in () at /usr/lib/libglib-2.0.so.0
#4 0x00007f6fc01ae075 in start_thread () at /usr/lib/libpthread.so.0
#5 0x00007f6fbfee353f in clone () at /usr/lib/libc.so.6
Thread 9 (Thread 0x7f6f930eb700 (LWP 7153)):
#0 0x00007f6fbfede0f9 in syscall () at /usr/lib/libc.so.6
#1 0x00007f6fc07ed411 in g_cond_wait () at /usr/lib/libglib-2.0.so.0
#2 0x00005650e63c1e14 in ()
#3 0x00007f6fc07cea2a in () at /usr/lib/libglib-2.0.so.0
#4 0x00007f6fc01ae075 in start_thread () at /usr/lib/libpthread.so.0
#5 0x00007f6fbfee353f in clone () at /usr/lib/libc.so.6
Thread 8 (Thread 0x7f6f938ec700 (LWP 7152)):
#0 0x00007f6fbfede0f9 in syscall () at /usr/lib/libc.so.6
#1 0x00007f6fc07ed411 in g_cond_wait () at /usr/lib/libglib-2.0.so.0
#2 0x00005650e63c1e14 in ()
#3 0x00007f6fc07cea2a in () at /usr/lib/libglib-2.0.so.0
#4 0x00007f6fc01ae075 in start_thread () at /usr/lib/libpthread.so.0
#5 0x00007f6fbfee353f in clone () at /usr/lib/libc.so.6
Thread 7 (Thread 0x7f6f940ed700 (LWP 7151)):
#0 0x00007f6fbfede0f9 in syscall () at /usr/lib/libc.so.6
#1 0x00007f6fc07ed411 in g_cond_wait () at /usr/lib/libglib-2.0.so.0
#2 0x00005650e63c1e14 in ()
#3 0x00007f6fc07cea2a in () at /usr/lib/libglib-2.0.so.0
#4 0x00007f6fc01ae075 in start_thread () at /usr/lib/libpthread.so.0
#5 0x00007f6fbfee353f in clone () at /usr/lib/libc.so.6
Thread 6 (Thread 0x7f6f948ee700 (LWP 7150)):
#0 0x00007f6fbfede0f9 in syscall () at /usr/lib/libc.so.6
#1 0x00007f6fc07ed411 in g_cond_wait () at /usr/lib/libglib-2.0.so.0
#2 0x00005650e63c1e14 in ()
#3 0x00007f6fc07cea2a in () at /usr/lib/libglib-2.0.so.0
#4 0x00007f6fc01ae075 in start_thread () at /usr/lib/libpthread.so.0
#5 0x00007f6fbfee353f in clone () at /usr/lib/libc.so.6
Thread 5 (Thread 0x7f6f950ef700 (LWP 7149)):
#0 0x00007f6fbfede0f9 in syscall () at /usr/lib/libc.so.6
#1 0x00007f6fc07ed411 in g_cond_wait () at /usr/lib/libglib-2.0.so.0
#2 0x00005650e63c1e14 in ()
#3 0x00007f6fc07cea2a in () at /usr/lib/libglib-2.0.so.0
#4 0x00007f6fc01ae075 in start_thread () at /usr/lib/libpthread.so.0
#5 0x00007f6fbfee353f in clone () at /usr/lib/libc.so.6
Thread 4 (Thread 0x7f6f958f0700 (LWP 7148)):
#0 0x00007f6fbfede0f9 in syscall () at /usr/lib/libc.so.6
#1 0x00007f6fc07ed411 in g_cond_wait () at /usr/lib/libglib-2.0.so.0
#2 0x00005650e63c1bc7 in ()
#3 0x00007f6fc07cea2a in () at /usr/lib/libglib-2.0.so.0
#4 0x00007f6fc01ae075 in start_thread () at /usr/lib/libpthread.so.0
#5 0x00007f6fbfee353f in clone () at /usr/lib/libc.so.6
Thread 3 (Thread 0x7f6fb6223700 (LWP 7147)):
#0 0x00007f6fbfed8ea9 in poll () at /usr/lib/libc.so.6
#1 0x00007f6fc07a6523 in () at /usr/lib/libglib-2.0.so.0
#2 0x00007f6fc07a68e2 in g_main_loop_run () at /usr/lib/libglib-2.0.so.0
#3 0x00007f6fc0fb3348 in () at /usr/lib/libgio-2.0.so.0
#4 0x00007f6fc07cea2a in () at /usr/lib/libglib-2.0.so.0
#5 0x00007f6fc01ae075 in start_thread () at /usr/lib/libpthread.so.0
#6 0x00007f6fbfee353f in clone () at /usr/lib/libc.so.6
Thread 2 (Thread 0x7f6fb6a24700 (LWP 7146)):
#0 0x00007f6fbfed8ea9 in poll () at /usr/lib/libc.so.6
#1 0x00007f6fc07a6523 in () at /usr/lib/libglib-2.0.so.0
#2 0x00007f6fc07a663e in g_main_context_iteration () at /usr/lib/libglib-2.0.so.0
#3 0x00007f6fc07a6692 in () at /usr/lib/libglib-2.0.so.0
#4 0x00007f6fc07cea2a in () at /usr/lib/libglib-2.0.so.0
#5 0x00007f6fc01ae075 in start_thread () at /usr/lib/libpthread.so.0
#6 0x00007f6fbfee353f in clone () at /usr/lib/libc.so.6
Thread 1 (Thread 0x7f6fc4da1d40 (LWP 7144)):
#0 0x00007f6fc01b7514 in read () at /usr/lib/libpthread.so.0
#1 0x00007f6fc3d2a6bc in gimp_stack_trace_print () at /usr/lib/libgimpbase-2.0.so.0
#2 0x00005650e60f0d40 in ()
#3 0x00005650e60f1198 in ()
#4 0x00005650e60f1909 in ()
#5 0x00007f6fc01b8a80 in <signal handler called> () at /usr/lib/libpthread.so.0
#6 0x00007f6fbfe2186b in raise () at /usr/lib/libc.so.6
#7 0x00007f6fbfe0c40e in abort () at /usr/lib/libc.so.6
#8 0x00007f6fbfe0c2e0 in _nl_load_domain.cold.0 () at /usr/lib/libc.so.6
#9 0x00007f6fbfe1a112 in () at /usr/lib/libc.so.6
#10 0x00007f6fc1a380dc in () at /usr/lib/libbabl-0.1.so.0
#11 0x00007f6fc1a3a22b in () at /usr/lib/libbabl-0.1.so.0
#12 0x00007f6fc1a3ccf9 in babl_palette_set_palette () at /usr/lib/libbabl-0.1.so.0
#13 0x00005650e641a590 in ()
#14 0x00007f6fc0a80a4d in g_closure_invoke () at /usr/lib/libgobject-2.0.so.0
#15 0x00007f6fc0a93f18 in () at /usr/lib/libgobject-2.0.so.0
#16 0x00007f6fc0a9c6f6 in g_signal_emit_valist () at /usr/lib/libgobject-2.0.so.0
#17 0x00007f6fc0a9d130 in g_signal_emit () at /usr/lib/libgobject-2.0.so.0
#18 0x00005650e633f18d in ()
#19 0x00005650e639041d in gimp_procedure_execute ()
#20 0x00005650e63896da in gimp_pdb_execute_procedure_by_name_args ()
#21 0x00005650e639470f in gimp_plug_in_handle_message ()
#22 0x00005650e639308b in ()
#23 0x00007f6fc07a61d6 in g_main_context_dispatch () at /usr/lib/libglib-2.0.so.0
#24 0x00007f6fc07a65b1 in () at /usr/lib/libglib-2.0.so.0
#25 0x00007f6fc07a68e2 in g_main_loop_run () at /usr/lib/libglib-2.0.so.0
#26 0x00005650e63a40c2 in gimp_plug_in_manager_call_run ()
#27 0x00005650e639ce71 in ()
#28 0x00005650e639041d in gimp_procedure_execute ()
#29 0x00005650e63896da in gimp_pdb_execute_procedure_by_name_args ()
#30 0x00005650e6389bab in gimp_pdb_execute_procedure_by_name ()
#31 0x00005650e64891c3 in file_open_image ()
#32 0x00005650e648a15d in file_open_with_proc_and_display ()
#33 0x00005650e648aa13 in file_open_from_command_line ()
#34 0x00005650e60f04be in app_run ()
#35 0x00005650e60efdf1 in main ()