Bug 16395

Summary: glibc abort for "double free or corruption" in jpeg code
Product: swfdec Reporter: Riccardo Magliocchetti <riccardo.magliocchetti>
Component: libraryAssignee: swfdec ml <swfdec>
Status: RESOLVED FIXED QA Contact: swfdec ml <swfdec>
Severity: blocker    
Priority: medium    
Version: git   
Hardware: Other   
OS: All   
URL: http://speed.pointroll.com/PointRoll/Media/Banners/Verizon/581557/728x90_Initial_11_14_AtomFilms_113007.swf?PRAd=1103047&PRplcmt=621649&PRImpID=EF4612B965EB434C9F7E380A1A4C4DCB

Description Riccardo Magliocchetti 2008-06-17 05:04:01 UTC
Loading stream: http://speed.pointroll.com/PointRoll/Media/Banners/Verizon/581557/728x90_Initial_11_14_AtomFilms_113007.swf?PRAd=1103047&PRplcmt=621649&PRImpID=EF4612B965EB434C9F7E380A1A4C4DCB
unhandled event 19
SWFDEC: WARN : swfdec_swf_decoder.c(342): swfdec_swf_decoder_parse_one: tag function not implemented for 73 DefineFontAlignZones
SWFDEC: WARN : swfdec_swf_decoder.c(342): swfdec_swf_decoder_parse_one: tag function not implemented for 73 DefineFontAlignZones
SWFDEC: WARN : swfdec_swf_decoder.c(342): swfdec_swf_decoder_parse_one: tag function not implemented for 73 DefineFontAlignZones
SWFDEC: WARN : swfdec_as_interpret.c(879): swfdec_action_call_method: no function named "broadcastMessage" on object SwfdecAsNativeFunction
*** glibc detected *** /usr/lib/iceweasel/firefox-bin: double free or corruption (out): 0x0a8d6500 ***
======= Backtrace: =========
/lib/libc.so.6[0xb71f88a5]
/lib/libc.so.6(cfree+0x9c)[0xb71fa74c]
/usr/lib/libglib-2.0.so.0(g_free+0x31)[0xb74465b1]
/usr/local/lib/libswfdec-0.7.so.0[0xb1aeaf76]
/usr/local/lib/libswfdec-0.7.so.0[0xb1aeb485]
/usr/local/lib/libswfdec-0.7.so.0[0xb1aeb4fe]
/usr/local/lib/libswfdec-0.7.so.0[0xb1a95670]
/usr/local/lib/libswfdec-0.7.so.0(swfdec_image_create_surface+0x36d)[0xb1a965fd]
/usr/local/lib/libswfdec-0.7.so.0(swfdec_image_create_surface_transformed+0x109)[0xb1a96a09]
/usr/local/lib/libswfdec-0.7.so.0[0xb1aa7017]
/usr/local/lib/libswfdec-0.7.so.0(swfdec_pattern_get_pattern+0x8a)[0xb1aa6e1a]
/usr/local/lib/libswfdec-0.7.so.0[0xb1aa735e]
/usr/local/lib/libswfdec-0.7.so.0(swfdec_draw_paint+0x7e)[0xb1a8e55e]
/usr/local/lib/libswfdec-0.7.so.0[0xb1aba71e]
/usr/local/lib/libswfdec-0.7.so.0(swfdec_graphic_render+0x2c)[0xb1a94c0c]
/usr/local/lib/libswfdec-0.7.so.0[0xb1a94fe5]
/usr/local/lib/libswfdec-0.7.so.0(swfdec_movie_render+0x283)[0xb1a9ce43]
/usr/local/lib/libswfdec-0.7.so.0[0xb1a9f89d]
/usr/local/lib/libswfdec-0.7.so.0(swfdec_movie_render+0x283)[0xb1a9ce43]
/usr/local/lib/libswfdec-0.7.so.0[0xb1a9f89d]
/usr/local/lib/libswfdec-0.7.so.0(swfdec_movie_render+0x283)[0xb1a9ce43]
/usr/local/lib/libswfdec-0.7.so.0(swfdec_player_render_with_renderer+0x24c)[0xb1aad11c]
/usr/local/lib/libswfdec-0.7.so.0(swfdec_player_render+0xaf)[0xb1aad3cf]
/usr/local/lib/mozilla/plugins/libswfdecmozilla.so(swfmoz_player_render+0x1a3)[0xb348a373]
/usr/local/lib/mozilla/plugins/libswfdecmozilla.so[0xb348ad8d]
/usr/lib/libglib-2.0.so.0[0xb743ce01]
/usr/lib/libglib-2.0.so.0(g_main_context_dispatch+0x178)[0xb743e978]
/usr/lib/libglib-2.0.so.0[0xb7441bce]
/usr/lib/libglib-2.0.so.0(g_main_loop_run+0x1e7)[0xb7441f57]
/usr/lib/libgtk-x11-2.0.so.0(gtk_main+0xb9)[0xb7b65ae9]
/usr/lib/iceweasel/firefox-bin[0x82dbcea]
/usr/lib/iceweasel/firefox-bin[0x880a8b2]
/usr/lib/iceweasel/firefox-bin[0x807f781]
/usr/lib/iceweasel/firefox-bin[0x807b2fa]
/lib/libc.so.6(__libc_start_main+0xe5)[0xb71a4455]
/usr/lib/iceweasel/firefox-bin[0x807b261]
======= Memory map: ========
08048000-08b8b000 r-xp 00000000 03:01 4248606    /usr/lib/iceweasel/firefox-bin
08b8b000-08ba3000 rw-p 00b43000 03:01 4248606    /usr/lib/iceweasel/firefox-bin
08ba3000-0b036000 rw-p 08ba3000 00:00 0          [heap]
b06ac000-b06ad000 ---p b06ac000 00:00 0 
b06ad000-b0eac000 rw-p b06ad000 00:00 0 
b0eac000-b0ead000 ---p b0eac000 00:00 0 
b0ead000-b16ac000 rw-p b0ead000 00:00 0 
b16d3000-b1700000 r--p 00000000 03:01 4293757    /usr/share/fonts/liberation/LiberationSans-Italic.ttf
b1700000-b1721000 rw-p b1700000 00:00 0 
b1721000-b1800000 ---p b1721000 00:00 0 
b1812000-b183a000 r--p 00000000 03:01 4293755    /usr/share/fonts/liberation/LiberationSans-Bold.ttf
b183a000-b1862000 r--p 00000000 03:01 4293772    /usr/share/fonts/liberation/LiberationSans-Regular.ttf
b1862000-b1885000 r--p 00000000 03:01 3949896    /home/rm/.fonts/VERDANA.TTF
b1885000-b1928000 r-xp 00000000 03:01 4211621    /usr/lib/libgstreamer-0.10.so.0.16.0
b1928000-b192c000 rw-p 000a3000 03:01 4211621    /usr/lib/libgstreamer-0.10.so.0.16.0
b192c000-b1936000 r-xp 00000000 03:01 262322     /usr/lib/libgstpbutils-0.10.so.0.13.0
b1936000-b1937000 rw-p 0000a000 03:01 262322     /usr/lib/libgstpbutils-0.10.so.0.13.0
b1937000-b1995000 r-xp 00000000 03:01 4210725    /usr/lib/libgio-2.0.so.0.0.0
b1995000-b1997000 rw-p 0005e000 03:01 4210725    /usr/lib/libgio-2.0.so.0.0.0
b1997000-b19cb000 r-xp 00000000 03:01 4212360    /usr/lib/libsoup-2.4.so.1.1.0
b19cb000-b19cd000 rw-p 00033000 03:01 4212360    /usr/lib/libsoup-2.4.so.1.1.0
b19cd000-b1a22000 r-xp 00000000 03:01 3146131    /usr/lib/liboil-0.3.so.0.2.0
b1a22000-b1a39000 rw-p 00055000 03:01 3146131    /usr/lib/liboil-0.3.so.0.2.0
b1a39000-b1a3b000 rw-p b1a39000 00:00 0 
b1a3b000-b1b19000 r-xp 00000000 03:01 4243660    /usr/local/lib/libswfdec-0.7.so.0.0.0
b1b19000-b1b20000 rw-p 000de000 03:01 4243660    /usr/local/lib/libswfdec-0.7.so.0.0.0
b1b20000-b1b2c000 r-xp 00000000 03:01 4243895    /usr/local/lib/libswfdec-gtk-0.7.so.0.0.0
b1b2c000-b1b2d000 rw-p 0000b000 03:01 4243895    /usr/local/lib/libswfdec-gtk-0.7.so.0.0.0
b1b2d000-b1b39000 r--p 00000000 03:01 933983     /usr/share/fonts/truetype/ttf-bitstream-vera/VeraMoBd.ttf
b1b39000-b1b3f000 r--p 00000000 03:01 4222177    /usr/share/locale/it/LC_MESSAGES/gstreamer-0.10.mo
b1b3f000-b1b40000 ---p b1b3f000 00:00 0 
b1b40000-b233f000 rw-p b1b40000 00:00 0 
b233f000-b2384000 r-xp 00000000 03:01 4243745    /usr/lib/nss/libnssckbi.so
b2384000-b238f000 rw-p 00045000 03:01 4243745    /usr/lib/nss/libnssckbi.so
b238f000-b23c9000 r-xp 00000000 03:01 4243739    /usr/lib/nss/libfreebl3.so
b23c9000-b23ca000 rw-p 00039000 03:01 4243739    /usr/lib/nss/libfreebl3.so
b23ca000-b23eb000 r-xp 00000000 03:01 4243744    /usr/lib/nss/libnssdbm3.so
b23eb000-b23ec000 rw-p 00021000 03:01 4243744    /usr/lib/nss/libnssdbm3.so
b23ec000-b2445000 r-xp 00000000 03:01 4213364    /usr/lib/libsqlite3.so.0.8.6
b2445000-b2447000 rw-p 00058000 03:01 4213364    /usr/lib/libsqlite3.so.0.8.6
b2447000-b2478000 r-xp 00000000 03:01 4243743    /usr/lib/nss/libsoftokn3.so
b2478000-b2479000 rw-p 00031000 03:01 4243743    /usr/lib/nss/libsoftokn3.so
b2479000-b247a000 ---p b2479000 00:00 0 
b247a000-b2c79000 rw-p b247a000 00:00 0 
b2c79000-b2c7a000 ---p b2c79000 00:00 0 
b2c7a000-b3479000 rw-p b2c7a000 00:00 0 
b3479000-b347d000 r-xp 00000000 03:01 4220586    /lib/libnss_dns-2.7.so
b347d000-b347f000 rw-p 00003000 03:01 4220586    /lib/libnss_dns-2.7.so
b3480000-b348d000 r-xp 00000000 03:01 4243853    /usr/local/lib/mozilla/plugins/libswfdecmozilla.so
b348d000-b348e000 rw-p 0000d000 03:01 4243853    /usr/local/lib/mozilla/plugins/libswfdecmozilla.so
b348e000-b3490000 r-xp 00000000 03:01 4248610    /usr/lib/iceweasel/plugins/libunixprintplugin.so
b3490000-b3491000 rw-p 00001000 03:01 4248610    /usr/lib/iceweasel/plugins/libunixprintplugin.so
b3491000-b3495000 r-xp 00000000 03:01 4243730    /usr/lib/iceweasel/components/libmozgnome.so
b3495000-b3496000 rw-p 00003000 03:01 4243730    /usr/lib/iceweasel/components/libmozgnome.so
b3496000-b3497000 ---p b3496000 00:00 0 
b3497000-b3c96000 rw-p b3497000 00:00 0 
b3c96000-b3c97000 ---p b3c96000 00:00 0 
b3c97000-b4496000 rw-p b3c97000 00:00 0 
b4496000-b4497000 ---p b4496000 00:00 0 
b4497000-b4c96000 rw-p b4497000 00:00 0 
b4c96000-b4ca7000 r--p 00000000 03:01 4243524    /usr/share/fonts/truetype/ttf-bitstream-vera/Vera.ttf
b4ca7000-b4cb6000 r-xp 00000000 03:01 4248578    /usr/lib/iceweasel/components/libspellchecker.so
b4cb6000-b4cb7000 rw-p 0000f000 03:01 4248578    /usr/lib/iceweasel/components/libspellchecker.so
b4cb7000-b4d17000 rw-s 00000000 00:08 24510474   /SYSV00000000 (deleted)
b4d17000-b4d26000 r--p 00000000 03:01 933989     /usr/share/fonts/truetype/ttf-bitstream-vera/VeraSe.ttf
b4d26000-b4e2a000 rw-p b4d26000 00:00 0 
b4e2a000-b4ebf000 r--p 00000000 03:01 3129352    /usr/share/fonts/truetype/ttf-dejavu/DejaVuSans.ttf
b4f6f000-b4f96000 r--p 00000000 03:01 4293758    /usr/share/fonts/liberation/LiberationSans-BoldItalic.ttf
b4f96000-b4f9a000 r-xp 00000000 03:01 2375768    /usr/lib/gtk-2.0/2.10.0/loaders/libpixbufloader-png.so
b4f9a000-b4f9b000 rw-p 00003000 03:01 2375768    /usr/lib/gtk-2.0/2.10.0/loaders/libpixbufloader-png.so
b4f9c000-b4fa1000 r--p 00000000 03:01 4278247    /usr/local/share/icons/hicolor/icon-theme.cache
b4fc3000-b504c000 r--p 00000000 03:01 4293107    /usr/share/fonts/truetype/ttf-dejavu/DejaVuSans-Bold.ttf
b504c000-b504e000 r-xp 00000000 03:01 4309566    /usr/lib/pango/1.6.0/modules/pango-basic-fc.so
b504e000-b504f000 rw-p 00001000 03:01 4309566    /usr/lib/pango/1.6.0/modules/pango-basic-fc.so
b504f000-b5055000 r--s 00000000 03:01 1886415    /var/cache/fontconfig/945677eb7aeaf62f1d50efc3fb3ec7d8-x86.cache-2
b5055000-b505c000 r--s 00000000 03:01 1886412    /var/cache/fontconfig/6d41288fd70b0be22e8c3a91e032eec0-x86.cache-2
b505c000-b505f000 r--s 00000000 03:01 1886411    /var/cache/fontconfig/de156ccd2eddbdc19d37a45b8b2aac9c-x86.cache-2
b505f000-b5060000 r--s 00000000 03:01 1886410    /var/cache/fontconfig/9014f96f0c1b5f16acaea993532dcedf-x86.cache-2
b5060000-b5061000 r--s 00000000 03:01 1886408 
Program received signal SIGABRT, Aborted.
[Switching to Thread 0xb7012720 (LWP 14789)]
0xb71b85b6 in raise () from /lib/libc.so.6
(gdb) 
(gdb) 
(gdb) bt full
#0  0xb71b85b6 in raise () from /lib/libc.so.6
No symbol table info available.
#1  0xb71b9dd8 in abort () from /lib/libc.so.6
No symbol table info available.
#2  0xb71f2afd in __libc_message () from /lib/libc.so.6
No symbol table info available.
#3  0xb71f88a5 in malloc_printerr () from /lib/libc.so.6
No symbol table info available.
#4  0xb71fa74c in free () from /lib/libc.so.6
No symbol table info available.
#5  0xb74465b1 in g_free () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#6  0xb1aeaf76 in get_argb_420 (dec=0xabb8d58) at jpeg_rgb_decoder.c:284
	tmp = <value optimized out>
	tmp_u = <value optimized out>
	tmp_v = <value optimized out>
	tmp1 = <value optimized out>
	yp = (uint8_t *) 0xaae1fa0 'I' <repeats 96 times>, " "
	up = (uint8_t *) 0x9c1b220 '\177' <repeats 200 times>...
	vp = (uint8_t *) 0xa974e68 '\203' <repeats 200 times>...
	argbp = (uint32_t *) 0x9132aa0
	j = 250
	halfwidth = 1
#7  0xb1aeb485 in jpeg_decoder_get_argb_image (dec=0x0) at jpeg_rgb_decoder.c:89
No locals.
#8  0xb1aeb4fe in jpeg_decode_argb (data=0xafb9a57 "����", length=515, image=0xbfd7edc8, width=0xa8c85a0, height=0xa8c85a4) at jpeg_rgb_decoder.c:63
	dec = (JpegDecoder *) 0xabb8d58
	ret = <value optimized out>
#9  0xb1a95670 in swfdec_jpeg_decode_argb (renderer=0x974f520, data1=0xafb9a57 "����", length1=515, data2=0x0, length2=0, outdata=0xbfd7edc8, width=0xa8c85a0, height=0xa8c85a4)
    at swfdec_image.c:164
	ret = 0
#10 0xb1a965fd in swfdec_image_create_surface (image=0xa8c8590, renderer=0x974f520) at swfdec_image.c:245
	trans = {mask = 0, ra = 256, rb = 0, ga = 256, gb = 0, ba = 256, bb = 0, aa = 256, ab = 0}
	cached = <value optimized out>
	surface = <value optimized out>
	__PRETTY_FUNCTION__ = "swfdec_image_create_surface"
#11 0xb1a96a09 in swfdec_image_create_surface_transformed (image=0xa8c8590, renderer=0x974f520, trans=0xbfd7f084) at swfdec_image.c:678
	mask = {mask = -1076367720, ra = -1314230530, rb = -1210402548, ga = 0, gb = 0, ba = 0, bb = 1, aa = 14789, ab = -1314297589}
	cached = <value optimized out>
	surface = (cairo_surface_t *) 0x0
	source = <value optimized out>
	tdata = <value optimized out>
	sdata = <value optimized out>
	i = <value optimized out>
	n = <value optimized out>
	has_alpha = <value optimized out>
	__PRETTY_FUNCTION__ = "swfdec_image_create_surface_transformed"
#12 0xb1aa7017 in swfdec_image_pattern_get_pattern (pat=0xa987d20, renderer=0x974f520, trans=0xbfd7f084) at swfdec_pattern.c:224
	pattern = (cairo_pattern_t *) 0x0
	surface = <value optimized out>
#13 0xb1aa6e1a in swfdec_pattern_get_pattern (pattern=0xa987d20, renderer=0x974f520, trans=0xbfd7f084) at swfdec_pattern.c:553
	__PRETTY_FUNCTION__ = "swfdec_pattern_get_pattern"
#14 0xb1aa735e in swfdec_pattern_paint (draw=0xa987d20, cr=0xa9da9c0, trans=0xbfd7f084) at swfdec_pattern.c:52
	pattern = <value optimized out>
#15 0xb1a8e55e in swfdec_draw_paint (draw=0xa987d20, cr=0xa9da9c0, trans=0xbfd7f084) at swfdec_draw.c:129
	__PRETTY_FUNCTION__ = "swfdec_draw_paint"
#16 0xb1aba71e in swfdec_shape_render (graphic=0xac29928, cr=0xa9da9c0, trans=0xbfd7f084, inval=0xbfd7f0a8) at swfdec_shape.c:63
	draw = (SwfdecDraw *) 0xa987d20
	walk = (GSList *) 0xa9d8328
#17 0xb1a94c0c in swfdec_graphic_render (graphic=0x39c5, cr=0xa9da9c0, trans=0xbfd7f084, inval=0xbfd7f0a8) at swfdec_graphic.c:59
No locals.
#18 0xb1a94fe5 in swfdec_graphic_movie_render (movie=0xac72d60, cr=0xa9da9c0, trans=0xbfd7f084, inval=0xbfd7f0a8) at swfdec_graphic_movie.c:50
No locals.
#19 0xb1a9ce43 in swfdec_movie_render (movie=0xac72d60, cr=0xa9da9c0, color_transform=0xbfd7f254, inval=0xbfd7f278) at swfdec_movie.c:834
	trans = {mask = 0, ra = 256, rb = 0, ga = 256, gb = 0, ba = 256, bb = 0, aa = 256, ab = 0}
	rect = {x0 = -3000.0005030370862, y0 = -13213.866485822067, x1 = 3000.0005030370871, y1 = 13269.421947187724}
	group = 0
	__PRETTY_FUNCTION__ = "swfdec_movie_render"
---Type <return> to continue, or q <return> to quit---
#20 0xb1a9f89d in swfdec_movie_do_render (movie=0x9c0e708, cr=0xa9da9c0, ctrans=0xbfd7f254, inval=0xbfd7f278) at swfdec_movie.c:1271
	child = (SwfdecMovie *) 0xac72d60
	g = (GList *) 0xac07540
	walk = <value optimized out>
	clips = (GSList *) 0x0
	clip = (ClipEntry *) 0x0
	ident = {xx = 1, yx = 0, xy = 0, yy = 1, x0 = 0, y0 = 0}
	__PRETTY_FUNCTION__ = "swfdec_movie_do_render"
	matrix = {xx = 0.050000000000000003, yx = 0, xy = 0, yy = 0.050000000000000003, x0 = 0, y0 = 0}
#21 0xb1a9ce43 in swfdec_movie_render (movie=0x9c0e708, cr=0xa9da9c0, color_transform=0xbfd7f424, inval=0xbfd7f448) at swfdec_movie.c:834
	trans = {mask = 0, ra = 256, rb = 0, ga = 256, gb = 0, ba = 256, bb = 0, aa = 256, ab = 0}
	rect = {x0 = -3000.0005030370862, y0 = -13213.866485822067, x1 = 3000.0005030370871, y1 = 13269.421947187724}
	group = 0
	__PRETTY_FUNCTION__ = "swfdec_movie_render"
#22 0xb1a9f89d in swfdec_movie_do_render (movie=0x9c0e2b8, cr=0xa9da9c0, ctrans=0xbfd7f424, inval=0xbfd7f448) at swfdec_movie.c:1271
	child = (SwfdecMovie *) 0x9c0e708
	g = (GList *) 0xac048d0
	walk = <value optimized out>
	clips = (GSList *) 0x0
	clip = (ClipEntry *) 0x0
	ident = {xx = 1, yx = 0, xy = 0, yy = 1, x0 = 0, y0 = 0}
	__PRETTY_FUNCTION__ = "swfdec_movie_do_render"
	matrix = {xx = 0.050000000000000003, yx = 0, xy = 0, yy = 0.050000000000000003, x0 = 0, y0 = 0}
#23 0xb1a9ce43 in swfdec_movie_render (movie=0x9c0e2b8, cr=0xa9da9c0, color_transform=0xb1aff680, inval=0xbfd7f508) at swfdec_movie.c:834
	trans = {mask = 0, ra = 256, rb = 0, ga = 256, gb = 0, ba = 256, bb = 0, aa = 256, ab = 0}
	rect = {x0 = 0, y0 = -3857, x1 = 14560, y1 = 5677}
	group = 0
	__PRETTY_FUNCTION__ = "swfdec_movie_render"
#24 0xb1aad11c in swfdec_player_render_with_renderer (player=0xa412330, cr=0xa9da9c0, renderer=0x974f520, x=0, y=0, width=1280, height=838) at swfdec_player.c:3101
	priv = <value optimized out>
	walk = (GList *) 0xa6b8f20
	real = {x0 = 0, y0 = -3857, x1 = 14560, y1 = 5677}
	trans = {mask = 0, ra = 256, rb = 0, ga = 256, gb = 0, ba = 256, bb = 0, aa = 256, ab = 0}
	__PRETTY_FUNCTION__ = "swfdec_player_render_with_renderer"
#25 0xb1aad3cf in swfdec_player_render (player=0xa412330, cr=0xa9da9c0, x=0, y=0, width=1280, height=838) at swfdec_player.c:3039
	__PRETTY_FUNCTION__ = "swfdec_player_render"
#26 0xb348a373 in swfmoz_player_render (player=0xa412330, cr=0xa9da9c0, region=0xae6a0c0) at swfmoz_player.c:796
	rect = {x = 0, y = 0, width = 1280, height = 838}
	has_cr = 0
	__PRETTY_FUNCTION__ = "swfmoz_player_render"
#27 0xb348ad8d in swfmoz_player_idle_redraw (playerp=0xa412330) at swfmoz_player.c:177
	region = (GdkRegion *) 0xae6a0c0
	__PRETTY_FUNCTION__ = "swfmoz_player_idle_redraw"
Comment 1 Benjamin Otte 2008-06-22 09:01:31 UTC
Fixed in 0.6 and master.
