FS#46161 - [jasper] After upgrading to 1.900.1-14 shotwell crashes on startup

Attached to Project: Arch Linux
Opened by Bernhard V (vodi) - Monday, 31 August 2015, 13:07 GMT
Last edited by Jan de Groot (JGC) - Wednesday, 04 May 2016, 10:10 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Eric Belanger (Snowman)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No


After upgrading to 1.900.1-14 shotwell crashes on startup
Shotwell version 1:0.22.0-2

Console output:

shotwell: jas_stream.c:1044: mem_write: Assertion `ret == cnt' failed.

Steps to reproduce:
* Upgrade to jasper 1.900.1-14
* Open shotwell
* Shotwell crashes on "Auto-importing photos ... (0%)"

I've downgraded to 1.900.1-13 and shotwell runs normally.

Closed by  Jan de Groot (JGC)
Wednesday, 04 May 2016, 10:10 GMT
Reason for closing:  Fixed
Additional comments about closing:  1.900.1-15
Comment by Dominique (xd0m) - Monday, 31 August 2015, 13:54 GMT
Same behaviour when using a file manager (tested with Nautilus 3.16.2 and PCManFM 1.2.3-1) and Jasper 1.900.1-14.
When accessing an external disk I get:
nautilus: jas_stream.c:1044: mem_write: Assertion `ret == cnt' failed.
[1] 13760 abort (core dumped) nautilus
Error disappears after downgrading to 1.900.1-13
Comment by Jan Hradek (jan.hradek) - Sunday, 20 September 2015, 08:40 GMT
The problem is the ASA patch "jasper-1.900.1-CVE-2015-5203.patch" added in 1.900.1-14. This patch is supposed to fix the "Prevent integer conversion errors" security vulnerability. Due to this patch, Geeqie (among others, like Ristretto) can't display JP2 (JPC, etc.) files anymore. I dug from geeqie through gdk-pixbuf2 to jasper and finally to this patch as the culprit.

The problem is that the function jas_stream_memopen has been changed:

-jas_stream_t *jas_stream_memopen(char *buf, int bufsize);
+jas_stream_t *jas_stream_memopen(char *buf, size_t bufsize);
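Review bot: changing bufsize from int to size_t in this prototype silently breaks the negative-size convention the callers rely on: a caller such as gdk-pixbuf2 that passes -1 to ask for a growable buffer now passes SIZE_MAX, the `bufsize < 0` branch inside the function can never be taken, and the allocation fails, which later surfaces as the `ret == cnt` assertion in mem_write rather than a clear error. If the type change is kept, the growable mode needs an explicit way to be requested (a flag parameter or a separate function) and the callers need to be updated to use it; otherwise the signature should stay int and the integer-conversion fix should be applied inside the function with range checks.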

size_t is basically an *unsigned* long integer, but this function offers a feature where, if the bufsize is *negative*, the buffer starts as very small and is allowed to grow as needed. gdk-pixbuf2 uses this feature for all image formats handled by jasper. However, as size_t represents only positive numbers, a conversion takes place to some very high number and the allocation fails. Also, as the function checks the sign, which is now always positive or zero, this feature becomes *completely* unavailable.

IMO the right solution would be to add a parameter to the function whether the buffer is allowed to grow or not, but that would require patching all the dependent packages. The quick solution is to downgrade to 1.900.1-13 and live with the security hole :P.

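As an added illustration of the conversion described in the comment above (example code written for this page, not JasPer's or gdk-pixbuf2's own), the following C program models three contracts for a memory-stream open function: the old int version where a negative size means "start small and grow", the size_t version from the patch where the same -1 becomes SIZE_MAX and the sign check is dead code, and the explicit-flag variant the commenter proposes. The stream struct, the 64-byte initial growable size, and the mem_write stand-in are assumptions made for the example; the real jas_stream.c internals are not reproduced.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reduced model of the memopen contract; constructed for this
 * example and not JasPer's actual stream implementation. */
typedef struct {
    char  *buf;
    size_t bufsize;
    bool   growable;   /* writes past the end reallocate instead of failing */
    bool   ok;         /* false when the initial allocation failed */
} mem_stream_t;

#define GROWABLE_INITIAL_SIZE 64   /* assumed starting size for a growable buffer */

/* Pre-patch contract: int bufsize, a negative value requests a growable buffer. */
static mem_stream_t memopen_int(int bufsize)
{
    mem_stream_t s = {0};
    if (bufsize < 0) {                         /* the "grow as needed" feature */
        s.growable = true;
        s.bufsize  = GROWABLE_INITIAL_SIZE;
    } else {
        s.bufsize = (size_t)bufsize;
    }
    s.buf = malloc(s.bufsize ? s.bufsize : 1);
    s.ok  = (s.buf != NULL);
    return s;
}

/* Post-patch contract: size_t bufsize. A caller still passing -1 hands over
 * SIZE_MAX; a sign check can never be true, and the allocation fails. */
static mem_stream_t memopen_size_t(size_t bufsize)
{
    mem_stream_t s = {0};
    /* if (bufsize < 0) { ... }  is unreachable for an unsigned type */
    s.bufsize = bufsize;
    s.buf = malloc(s.bufsize ? s.bufsize : 1);   /* malloc(SIZE_MAX) returns NULL */
    s.ok  = (s.buf != NULL);
    return s;
}

/* The shape the comment proposes: keep size_t, make growth an explicit flag. */
static mem_stream_t memopen_flag(size_t bufsize, bool growable)
{
    mem_stream_t s = {0};
    s.growable = growable;
    s.bufsize  = growable ? GROWABLE_INITIAL_SIZE : bufsize;
    s.buf = malloc(s.bufsize ? s.bufsize : 1);
    s.ok  = (s.buf != NULL);
    return s;
}

/* Stand-in for mem_write(): returns the number of bytes actually written.
 * A fixed-size stream returns a short count, which is the situation in which
 * the real code's `ret == cnt` assertion fires. */
static size_t mem_write(mem_stream_t *s, size_t pos, const char *data, size_t cnt)
{
    if (!s->ok || pos > s->bufsize) return 0;
    if (cnt > s->bufsize - pos) {
        if (!s->growable) return s->bufsize - pos;   /* short write */
        size_t newsize = s->bufsize;
        while (newsize < pos + cnt) newsize *= 2;    /* doubling; overflow not modelled */
        char *nb = realloc(s->buf, newsize);
        if (nb == NULL) return 0;
        s->buf = nb;
        s->bufsize = newsize;
    }
    memcpy(s->buf + pos, data, cnt);
    return cnt;
}

/* Write n bytes of constructed data at offset 0, report whether all of it landed,
 * and release the stream's buffer. */
static bool full_write(mem_stream_t *s, size_t n)
{
    char *data = malloc(n);
    if (data == NULL) return false;
    memset(data, 'A', n);                         /* constructed payload */
    bool complete = (mem_write(s, 0, data, n) == n);
    free(data);
    free(s->buf);
    s->buf = NULL;
    return complete;
}

/* The value a caller that still passes -1 now hands to a size_t parameter
 * (volatile keeps the compiler from folding the conversion away). */
size_t negative_one_as_size_t(void) { volatile int legacy_arg = -1; return (size_t)legacy_arg; }

/* What a gdk-pixbuf-style caller asking for a growable buffer gets under each contract. */
bool growable_write_old_contract(size_t n)  { mem_stream_t s = memopen_int(-1); return full_write(&s, n); }
bool growable_write_new_contract(size_t n)  { mem_stream_t s = memopen_size_t(negative_one_as_size_t()); return s.ok && full_write(&s, n); }
bool growable_write_flag_contract(size_t n) { mem_stream_t s = memopen_flag(0, true); return full_write(&s, n); }

/* A fixed-size stream under the new contract: fine while the write fits, short otherwise. */
bool fixed_write_complete(size_t bufsize, size_t n) { mem_stream_t s = memopen_size_t(bufsize); return s.ok && full_write(&s, n); }

int main(void)
{
    printf("(size_t)-1 = %zu\n", negative_one_as_size_t());
    printf("old contract, 4096-byte write into growable buffer: %s\n", growable_write_old_contract(4096) ? "complete" : "FAILED");
    printf("new contract, same caller:                          %s\n", growable_write_new_contract(4096) ? "complete" : "FAILED");
    printf("flag contract, same intent:                         %s\n", growable_write_flag_contract(4096) ? "complete" : "FAILED");
    return 0;
}
```

The middle case is the one the reporters hit: the caller's intent did not change, but the same argument now selects a SIZE_MAX allocation that fails, and every later write returns a short count.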
Comment by Jens Adam (byte) - Thursday, 11 February 2016, 18:09 GMT