[Bug 395554] [NEW] Abort due to double free or corruption

Lars Kr. Lundin launchpad at lklundin.dk
Sat Jul 4 17:02:07 UTC 2009


Public bug reported:

Binary package hint: jhead

Abort due to double free or corruption; the image is corrupted by the command.

$ jhead -mkexif -ts1992:09:05-13:00:00 -ft Narsaaq.jpg
Modified: Narsaaq.jpg
Narsaaq.jpg
*** glibc detected *** jhead: double free or corruption (!prev): 0x0000000000bb0e00 ***
======= Backtrace: =========
/lib/libc.so.6[0x7fba5c5c0cb8]
/lib/libc.so.6(cfree+0x76)[0x7fba5c5c3276]
jhead[0x405287]
jhead[0x402445]
jhead[0x403f26]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7fba5c5675a6]
jhead[0x401639]
======= Memory map: ========
00400000-00411000 r-xp 00000000 08:03 39821                              /usr/bin/jhead
00610000-00611000 r--p 00010000 08:03 39821                              /usr/bin/jhead
00611000-00612000 rw-p 00011000 08:03 39821                              /usr/bin/jhead
00612000-00614000 rw-p 00612000 00:00 0 
00bb0000-00bd1000 rw-p 00bb0000 00:00 0                                  [heap]
7fba58000000-7fba58021000 rw-p 7fba58000000 00:00 0 
7fba58021000-7fba5c000000 ---p 7fba58021000 00:00 0 
7fba5c331000-7fba5c347000 r-xp 00000000 08:03 2579                       /lib/libgcc_s.so.1
7fba5c347000-7fba5c547000 ---p 00016000 08:03 2579                       /lib/libgcc_s.so.1
7fba5c547000-7fba5c548000 r--p 00016000 08:03 2579                       /lib/libgcc_s.so.1
7fba5c548000-7fba5c549000 rw-p 00017000 08:03 2579                       /lib/libgcc_s.so.1
7fba5c549000-7fba5c6b1000 r-xp 00000000 08:03 2557                       /lib/libc-2.9.so
7fba5c6b1000-7fba5c8b1000 ---p 00168000 08:03 2557                       /lib/libc-2.9.so
7fba5c8b1000-7fba5c8b5000 r--p 00168000 08:03 2557                       /lib/libc-2.9.so
7fba5c8b5000-7fba5c8b6000 rw-p 0016c000 08:03 2557                       /lib/libc-2.9.so
7fba5c8b6000-7fba5c8bb000 rw-p 7fba5c8b6000 00:00 0 
7fba5c8bb000-7fba5c93f000 r-xp 00000000 08:03 2590                       /lib/libm-2.9.so
7fba5c93f000-7fba5cb3e000 ---p 00084000 08:03 2590                       /lib/libm-2.9.so
7fba5cb3e000-7fba5cb3f000 r--p 00083000 08:03 2590                       /lib/libm-2.9.so
7fba5cb3f000-7fba5cb40000 rw-p 00084000 08:03 2590                       /lib/libm-2.9.so
7fba5cb40000-7fba5cb60000 r-xp 00000000 08:03 2537                       /lib/ld-2.9.so
7fba5cd3f000-7fba5cd41000 rw-p 7fba5cd3f000 00:00 0 
7fba5cd5b000-7fba5cd5f000 rw-p 7fba5cd5b000 00:00 0 
7fba5cd5f000-7fba5cd60000 r--p 0001f000 08:03 2537                       /lib/ld-2.9.so
7fba5cd60000-7fba5cd61000 rw-p 00020000 08:03 2537                       /lib/ld-2.9.so
7fff64d4b000-7fff64d60000 rw-p 7ffffffea000 00:00 0                      [stack]
7fff64dfe000-7fff64dff000 r-xp 7fff64dfe000 00:00 0                      [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted


Same command run via valgrind:

==22678== Memcheck, a memory error detector.
==22678== Copyright (C) 2002-2008, and GNU GPL'd, by Julian Seward et al.
==22678== Using LibVEX rev 1884, a library for dynamic binary translation.
==22678== Copyright (C) 2004-2008, and GNU GPL'd, by OpenWorks LLP.
==22678== Using valgrind-3.4.1-Debian, a dynamic binary instrumentation framework.
==22678== Copyright (C) 2000-2008, and GNU GPL'd, by Julian Seward et al.
==22678== For more details, rerun with: -v
==22678== 
==22678== Invalid read of size 1
==22678==    at 0x408955: (within /usr/bin/jhead)
==22678==    by 0x40890A: (within /usr/bin/jhead)
==22678==    by 0x408BE2: (within /usr/bin/jhead)
==22678==    by 0x405E22: (within /usr/bin/jhead)
==22678==    by 0x405F0A: (within /usr/bin/jhead)
==22678==    by 0x4020A2: (within /usr/bin/jhead)
==22678==    by 0x403F25: (within /usr/bin/jhead)
==22678==    by 0x50CF5A5: (below main) (in /lib/libc-2.9.so)
==22678==  Address 0x5423dd8 is 0 bytes after a block of size 160 alloc'd
==22678==    at 0x4C278AE: malloc (vg_replace_malloc.c:207)
==22678==    by 0x405B0B: (within /usr/bin/jhead)
==22678==    by 0x405F0A: (within /usr/bin/jhead)
==22678==    by 0x4020A2: (within /usr/bin/jhead)
==22678==    by 0x403F25: (within /usr/bin/jhead)
==22678==    by 0x50CF5A5: (below main) (in /lib/libc-2.9.so)
==22678== 
==22678== Invalid read of size 1
==22678==    at 0x40896C: (within /usr/bin/jhead)
==22678==    by 0x40890A: (within /usr/bin/jhead)
==22678==    by 0x408BE2: (within /usr/bin/jhead)
==22678==    by 0x405E22: (within /usr/bin/jhead)
==22678==    by 0x405F0A: (within /usr/bin/jhead)
==22678==    by 0x4020A2: (within /usr/bin/jhead)
==22678==    by 0x403F25: (within /usr/bin/jhead)
==22678==    by 0x50CF5A5: (below main) (in /lib/libc-2.9.so)
==22678==  Address 0x5423dd9 is 1 bytes after a block of size 160 alloc'd
==22678==    at 0x4C278AE: malloc (vg_replace_malloc.c:207)
==22678==    by 0x405B0B: (within /usr/bin/jhead)
==22678==    by 0x405F0A: (within /usr/bin/jhead)
==22678==    by 0x4020A2: (within /usr/bin/jhead)
==22678==    by 0x403F25: (within /usr/bin/jhead)
==22678==    by 0x50CF5A5: (below main) (in /lib/libc-2.9.so)
==22678== 
==22678== Invalid write of size 8
==22678==    at 0x40287C: (within /usr/bin/jhead)
==22678==    by 0x403F25: (within /usr/bin/jhead)
==22678==    by 0x50CF5A5: (below main) (in /lib/libc-2.9.so)
==22678==  Address 0x543484c is 132 bytes inside a block of size 134 alloc'd
==22678==    at 0x4C278AE: malloc (vg_replace_malloc.c:207)
==22678==    by 0x4090B3: (within /usr/bin/jhead)
==22678==    by 0x402B01: (within /usr/bin/jhead)
==22678==    by 0x403F25: (within /usr/bin/jhead)
==22678==    by 0x50CF5A5: (below main) (in /lib/libc-2.9.so)
==22678== 
==22678== Invalid write of size 8
==22678==    at 0x402883: (within /usr/bin/jhead)
==22678==    by 0x403F25: (within /usr/bin/jhead)
==22678==    by 0x50CF5A5: (below main) (in /lib/libc-2.9.so)
==22678==  Address 0x5434854 is 6 bytes after a block of size 134 alloc'd
==22678==    at 0x4C278AE: malloc (vg_replace_malloc.c:207)
==22678==    by 0x4090B3: (within /usr/bin/jhead)
==22678==    by 0x402B01: (within /usr/bin/jhead)
==22678==    by 0x403F25: (within /usr/bin/jhead)
==22678==    by 0x50CF5A5: (below main) (in /lib/libc-2.9.so)
==22678== 
==22678== Invalid write of size 2
==22678==    at 0x40288B: (within /usr/bin/jhead)
==22678==    by 0x403F25: (within /usr/bin/jhead)
==22678==    by 0x50CF5A5: (below main) (in /lib/libc-2.9.so)
==22678==  Address 0x543485c is 14 bytes after a block of size 134 alloc'd
==22678==    at 0x4C278AE: malloc (vg_replace_malloc.c:207)
==22678==    by 0x4090B3: (within /usr/bin/jhead)
==22678==    by 0x402B01: (within /usr/bin/jhead)
==22678==    by 0x403F25: (within /usr/bin/jhead)
==22678==    by 0x50CF5A5: (below main) (in /lib/libc-2.9.so)
==22678== 
==22678== Invalid write of size 1
==22678==    at 0x402893: (within /usr/bin/jhead)
==22678==    by 0x403F25: (within /usr/bin/jhead)
==22678==    by 0x50CF5A5: (below main) (in /lib/libc-2.9.so)
==22678==  Address 0x543485e is not stack'd, malloc'd or (recently) free'd
Modified: a.jpg
a.jpg
==22678== 
==22678== ERROR SUMMARY: 6 errors from 6 contexts (suppressed: 8 from 1)
==22678== malloc/free: in use at exit: 240 bytes in 1 blocks.
==22678== malloc/free: 30 allocs, 29 frees, 70,991 bytes allocated.
==22678== For counts of detected errors, rerun with: -v
==22678== searching for pointers to 1 not-freed blocks.
==22678== checked 81,552 bytes.
==22678== 
==22678== LEAK SUMMARY:
==22678==    definitely lost: 0 bytes in 0 blocks.
==22678==      possibly lost: 0 bytes in 0 blocks.
==22678==    still reachable: 240 bytes in 1 blocks.
==22678==         suppressed: 0 bytes in 0 blocks.
==22678== Rerun with --leak-check=full to see details of leaked memory.

ProblemType: Bug
Architecture: amd64
DistroRelease: Ubuntu 9.04
NonfreeKernelModules: fglrx
Package: jhead 2.86-2
ProcEnviron:
 PATH=(custom, user)
 LANG=en_DK.UTF-8
 SHELL=/bin/bash
SourcePackage: jhead
Uname: Linux 2.6.28-13-generic x86_64

** Affects: jhead (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug

-- 
Abort due to double free or corruption
https://bugs.launchpad.net/bugs/395554

-- 
ubuntu-bugs mailing list
ubuntu-bugs at lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs