Bug#946499: eog crashes with 'BadAlloc (insufficient resources for operation)' on large image

Bernhard Übelacker bernhardu at mailbox.org
Tue Dec 31 13:54:49 GMT 2019


Dear Maintainer,
I tried to reproduce this issue, and as far as I can see,
eog/cairo tries to allocate a pixmap from the xserver
in the size of the image file - in this case 44351x3013 pixels.

Unfortunately the xserver has a hard limit for such pixmap sizes:

  Thread 1 "Xorg" hit Breakpoint 4, ProcShmCreatePixmap (client=0x55b5f312cc50) at ../../../../Xext/shm.c:1085
  1085        if (width > 32767 || height > 32767)
  1086            return BadAlloc;

Would wayland behave better in that regard?
Otherwise eog/cairo would need to allocate
that pixmap some other way.

This issue reported against gtkmm seems to match:
    https://gitlab.gnome.org/GNOME/gtkmm/issues/54

Complete backtraces of eog and xserver, with debug symbols,
are in the attached file.

I remember seeing such a rejection from the xserver
already in (not strictly related): https://bugs.debian.org/858045


Kind regards,
Bernhard
-------------- next part --------------

# Buster/testing amd64 qemu VM 2019-12-31


apt update
apt dist-upgrade


apt install systemd-coredump mc xserver-xorg sddm openbox xterm imagemagick graphicsmagick gimp gdb eog eog-dbgsym libglib2.0-0-dbgsym libgtk-3-0-dbgsym libcairo2-dbgsym libxext6-dbg libx11-6-dbgsym xserver-xorg-core-dbgsym
apt build-dep xserver-xorg-core


reboot





mkdir /home/benutzer/source/xserver-xorg-core/orig -p
cd    /home/benutzer/source/xserver-xorg-core/orig
apt source xserver-xorg-core
cd




benutzer@debian:~$ convert -size 44351x3013 xc:white white.jpg
convert-im6.q16: width or height exceeds limit `white' @ error/cache.c/OpenPixelCache/3911.
convert-im6.q16: no images defined `white.jpg' @ error/convert.c/ConvertImageCommand/3258.



# Created with gimp
benutzer@debian:~$ identify 44351x3013.jpg
44351x3013.jpg JPEG 44351x3013 44351x3013+0+0 8-bit sRGB 1.49679MiB 0.000u 0:00.000
benutzer@debian:~$ file 44351x3013.jpg
44351x3013.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, comment: "Created with GIMP", progressive, precision 8, 44351x3013, components 3





export DISPLAY=:0

benutzer@debian:~$ eog 44351x3013.jpg

(eog:661): Gdk-ERROR **: 14:05:22.547: The program 'eog' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadAlloc (insufficient resources for operation)'.
  (Details: serial 1315 error_code 11 request_code 130 (MIT-SHM) minor_code 5)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the GDK_SYNCHRONIZE environment
   variable to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)
Trace/Breakpoint ausgelöst (Speicherabzug geschrieben)



[   43.663846] traps: eog[661] trap int3 ip:7fc4abeebdb5 sp:7ffc7facd730 error:0 in libglib-2.0.so.0.6200.3[7fc4abeb2000+80000]

Dez 31 14:05:22 debian systemd[1]: Started Process Core Dump (PID 687/UID 0).
Dez 31 14:05:29 debian systemd-coredump[688]: Core file was truncated to 2147483648 bytes.
Dez 31 14:05:35 debian systemd-coredump[688]: Process 661 (eog) of user 1000 dumped core.
                                              
                                              Stack trace of thread 661:
                                              #0  0x00007fc4abeebdb5 n/a (n/a + 0x0)
Dez 31 14:05:35 debian systemd[1]: systemd-coredump@0-687-0.service: Succeeded.









benutzer@debian:~$ GDK_SYNCHRONIZE=1 gdb -q --args eog 44351x3013.jpg
Reading symbols from eog...
(No debugging symbols found in eog)
(gdb) run
Starting program: /usr/bin/eog 44351x3013.jpg
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff2391700 (LWP 1012)]
[New Thread 0x7ffff1b90700 (LWP 1013)]
[New Thread 0x7ffff138f700 (LWP 1014)]
[New Thread 0x7ffff0b24700 (LWP 1015)]
[New Thread 0x7fffe3fff700 (LWP 1016)]

(eog:1008): Gdk-ERROR **: 14:10:12.498: The program 'eog' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadAlloc (insufficient resources for operation)'.
  (Details: serial 2438 error_code 11 request_code 130 (MIT-SHM) minor_code 5)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the GDK_SYNCHRONIZE environment
   variable to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)

Thread 1 "eog" received signal SIGTRAP, Trace/breakpoint trap.
0x00007ffff7c4bdb5 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
(gdb) bt
#0  0x00007ffff7c4bdb5 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#1  0x00007ffff7c4e6bc in g_log_writer_default () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2  0x00007ffff7c4c9e7 in g_log_structured_array () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3  0x00007ffff7c4d400 in g_log_structured_standard () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#4  0x00007ffff723e61a in ?? () from /lib/x86_64-linux-gnu/libgdk-3.so.0
#5  0x00007ffff724b453 in ?? () from /lib/x86_64-linux-gnu/libgdk-3.so.0
#6  0x00007ffff651414b in _XError () from /lib/x86_64-linux-gnu/libX11.so.6
#7  0x00007ffff6510f77 in ?? () from /lib/x86_64-linux-gnu/libX11.so.6
#8  0x00007ffff6511015 in ?? () from /lib/x86_64-linux-gnu/libX11.so.6
#9  0x00007ffff6511f6d in _XReply () from /lib/x86_64-linux-gnu/libX11.so.6
#10 0x00007ffff650d81d in XSync () from /lib/x86_64-linux-gnu/libX11.so.6
#11 0x00007ffff650d8bb in ?? () from /lib/x86_64-linux-gnu/libX11.so.6
#12 0x00007ffff6514aaf in ?? () from /lib/x86_64-linux-gnu/libX11.so.6
#13 0x00007ffff549ce81 in XShmCreatePixmap () from /lib/x86_64-linux-gnu/libXext.so.6
#14 0x00007ffff715dd73 in ?? () from /lib/x86_64-linux-gnu/libcairo.so.2
#15 0x00007ffff715e9a1 in ?? () from /lib/x86_64-linux-gnu/libcairo.so.2
#16 0x00007ffff715ea2c in ?? () from /lib/x86_64-linux-gnu/libcairo.so.2
#17 0x00007ffff71324b3 in cairo_surface_create_similar_image () from /lib/x86_64-linux-gnu/libcairo.so.2
#18 0x00007ffff71326a0 in cairo_surface_create_similar () from /lib/x86_64-linux-gnu/libcairo.so.2
#19 0x00007ffff722ba81 in gdk_window_create_similar_surface () from /lib/x86_64-linux-gnu/libgdk-3.so.0
#20 0x00007ffff7f912db in ?? () from /usr/lib/x86_64-linux-gnu/eog/libeog.so
#21 0x00007ffff7f93a13 in eog_scroll_view_set_image () from /usr/lib/x86_64-linux-gnu/eog/libeog.so
#22 0x00007ffff7fa5cc7 in ?? () from /usr/lib/x86_64-linux-gnu/eog/libeog.so
#23 0x00007ffff7fa66a6 in ?? () from /usr/lib/x86_64-linux-gnu/eog/libeog.so
#24 0x00007ffff7d2eeb2 in g_closure_invoke () from /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#25 0x00007ffff7d424d4 in ?? () from /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#26 0x00007ffff7d4b18f in g_signal_emit_valist () from /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#27 0x00007ffff7d4b81f in g_signal_emit () from /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#28 0x00007ffff7f7f2b9 in ?? () from /usr/lib/x86_64-linux-gnu/eog/libeog.so
#29 0x00007ffff7c45d7e in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#30 0x00007ffff7c46130 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#31 0x00007ffff7c461bf in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#32 0x00007ffff7e4fced in g_application_run () from /lib/x86_64-linux-gnu/libgio-2.0.so.0
#33 0x0000555555555331 in main ()
(gdb) generate-core-file core
warning: target file /proc/1008/cmdline contained unexpected null characters
Saved corefile core
(gdb) 














gdb -q /usr/bin/eog --core core

set width 0
set pagination off
bt

benutzer@debian:~$ gdb -q /usr/bin/eog --core core
Reading symbols from /usr/bin/eog...
Reading symbols from /usr/lib/debug/.build-id/5f/7bc6fae2d0db1b144e2b30cdf905dd5e36c1b8.debug...
[New LWP 1008]
[New LWP 1012]
[New LWP 1013]
[New LWP 1014]
[New LWP 1015]
[New LWP 1016]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/bin/eog 44351x3013.jpg'.
Program terminated with signal SIGTRAP, Trace/breakpoint trap.
#0  _g_log_abort (breakpoint=1) at ../../../glib/gmessages.c:554
554     ../../../glib/gmessages.c: Datei oder Verzeichnis nicht gefunden.
[Current thread is 1 (Thread 0x7ffff28e6c00 (LWP 1008))]
(gdb) set width 0
(gdb) set pagination off
(gdb) bt
#0  _g_log_abort (breakpoint=1) at ../../../glib/gmessages.c:554
#1  0x00007ffff7c4e6bc in g_log_writer_default (log_level=6, log_level@entry=G_LOG_LEVEL_ERROR, fields=fields@entry=0x7fffffffd270, n_fields=n_fields@entry=6, user_data=user_data@entry=0x0) at ../../../glib/gmessages.c:2694
#2  0x00007ffff7c4c9e7 in g_log_structured_array (n_fields=6, fields=0x7fffffffd270, log_level=G_LOG_LEVEL_ERROR) at ../../../glib/gmessages.c:1925
#3  g_log_structured_array (log_level=G_LOG_LEVEL_ERROR, fields=0x7fffffffd270, n_fields=6) at ../../../glib/gmessages.c:1898
#4  0x00007ffff7c4d400 in g_log_structured_standard (log_domain=log_domain@entry=0x7ffff727f017 "Gdk", log_level=log_level@entry=G_LOG_LEVEL_ERROR, file=file@entry=0x7ffff729da00 "../../../../../gdk/x11/gdkdisplay-x11.c", line=line@entry=0x7ffff729d457 "2763", func=func@entry=0x7ffff729e0f0 <__func__.78549> "_gdk_x11_display_error_event", message_format=message_format@entry=0x7ffff729e442 "%s") at ../../../glib/gmessages.c:1982
#5  0x00007ffff723e61a in _gdk_x11_display_error_event (display=display@entry=0x5555555c50c0, error=error@entry=0x7fffffffd8c0) at ../../../../../gdk/x11/gdkdisplay-x11.c:2763
#6  0x00007ffff724b453 in gdk_x_error (error=0x7fffffffd8c0, xdisplay=0x5555555b3da0) at ../../../../../gdk/x11/gdkmain-x11.c:307
#7  gdk_x_error (xdisplay=0x5555555b3da0, error=0x7fffffffd8c0) at ../../../../../gdk/x11/gdkmain-x11.c:269
#8  0x00007ffff651414b in _XError (dpy=dpy@entry=0x5555555b3da0, rep=rep@entry=0x555555b5ef60) at ../../src/XlibInt.c:1489
#9  0x00007ffff6510f77 in handle_error (dpy=0x5555555b3da0, err=0x555555b5ef60, in_XReply=<optimized out>) at ../../src/xcb_io.c:199
#10 0x00007ffff6511015 in handle_response (dpy=dpy@entry=0x5555555b3da0, response=0x555555b5ef60, in_XReply=in_XReply@entry=1) at ../../src/xcb_io.c:324
#11 0x00007ffff6511f6d in _XReply (dpy=dpy@entry=0x5555555b3da0, rep=rep@entry=0x7fffffffda80, extra=extra@entry=0, discard=discard@entry=1) at ../../src/xcb_io.c:634
#12 0x00007ffff650d81d in XSync (dpy=0x5555555b3da0, discard=discard@entry=0) at ../../src/Sync.c:44
#13 0x00007ffff650d8bb in _XSyncFunction (dpy=<optimized out>) at ../../src/Synchro.c:35
#14 0x00007ffff6514aaf in _XPrivSyncFunction (dpy=0x5555555b3da0) at ../../src/XlibInt.c:242
#15 0x00007ffff549ce81 in XShmCreatePixmap (dpy=0x5555555b3da0, d=4194311, data=<optimized out>, shminfo=shminfo@entry=0x5555556a93a8, width=44351, height=<optimized out>, depth=32) at ../../src/XShm.c:429
#16 0x00007ffff715dd73 in _cairo_xlib_shm_surface_create (format=PIXMAN_a8r8g8b8, width=width@entry=44351, height=height@entry=3013, will_sync=will_sync@entry=0, create_pixmap=4096, other=<optimized out>, other=<optimized out>) at ../../../../src/cairo-xlib-surface-shm.c:843
#17 0x00007ffff715e9a1 in _cairo_xlib_surface_create_shm (other=other@entry=0x55555570a600, format=<optimized out>, width=width@entry=44351, height=height@entry=3013) at ../../../../src/cairo-xlib-surface-shm.c:1156
#18 0x00007ffff715ea2c in _cairo_xlib_surface_create_similar_shm (other=0x55555570a600, format=CAIRO_FORMAT_ARGB32, width=44351, height=3013) at ../../../../src/cairo-xlib-surface-shm.c:1181
#19 0x00007ffff71324b3 in INT_cairo_surface_create_similar_image (height=3013, width=44351, format=CAIRO_FORMAT_ARGB32, other=<optimized out>) at ../../../../src/cairo-surface.c:595
#20 INT_cairo_surface_create_similar_image (other=<optimized out>, format=CAIRO_FORMAT_ARGB32, width=44351, height=3013) at ../../../../src/cairo-surface.c:576
#21 0x00007ffff71326a0 in cairo_surface_create_similar (other=other@entry=0x55555570a600, content=content@entry=CAIRO_CONTENT_COLOR_ALPHA, width=width@entry=44351, height=height@entry=3013) at ../../../../src/cairo-surface.c:518
#22 0x00007ffff722ba81 in gdk_window_create_similar_surface (window=0x555555b6dd00, content=content@entry=CAIRO_CONTENT_COLOR_ALPHA, width=width@entry=44351, height=height@entry=3013) at ../../../../gdk/gdkwindow.c:10187
#23 0x00007ffff7f912db in create_surface_from_pixbuf (pixbuf=<optimized out>, view=0x5555558e66c0) at ../src/eog-scroll-view.c:1656
#24 update_pixbuf (view=view@entry=0x5555558e66c0, pixbuf=<optimized out>) at ../src/eog-scroll-view.c:1656
#25 0x00007ffff7f93a13 in eog_scroll_view_set_image (view=0x5555558e66c0, image=image@entry=0x7fffdc0640d0) at ../src/eog-scroll-view.c:1959
#26 0x00007ffff7fa5cc7 in eog_window_display_image (window=window@entry=0x555555749f50, image=0x7fffdc0640d0) at ../src/eog-window.c:994
#27 0x00007ffff7fa66a6 in eog_job_load_cb (job=0x555555a861e0, data=<optimized out>) at ../src/eog-window.c:1431
#28 0x00007ffff7d2eeb2 in g_closure_invoke (closure=0x555555629c50, return_value=0x0, n_param_values=1, param_values=0x7fffffffe080, invocation_hint=0x7fffffffe000) at ../../../gobject/gclosure.c:810
#29 0x00007ffff7d424d4 in signal_emit_unlocked_R (node=node@entry=0x555555acaf60, detail=detail@entry=0, instance=instance@entry=0x555555a861e0, emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7fffffffe080) at ../../../gobject/gsignal.c:3641
#30 0x00007ffff7d4b18f in g_signal_emit_valist (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7fffffffe230) at ../../../gobject/gsignal.c:3397
#31 0x00007ffff7d4b81f in g_signal_emit (instance=instance@entry=0x555555a861e0, signal_id=<optimized out>, detail=detail@entry=0) at ../../../gobject/gsignal.c:3453
#32 0x00007ffff7f7f2b9 in notify_finished (job=0x555555a861e0) at ../src/eog-jobs.c:158
#33 0x00007ffff7c45d7e in g_main_dispatch (context=0x555555595c00) at ../../../glib/gmain.c:3179
#34 g_main_context_dispatch (context=context@entry=0x555555595c00) at ../../../glib/gmain.c:3844
#35 0x00007ffff7c46130 in g_main_context_iterate (context=context@entry=0x555555595c00, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../../../glib/gmain.c:3917
#36 0x00007ffff7c461bf in g_main_context_iteration (context=context@entry=0x555555595c00, may_block=may_block@entry=1) at ../../../glib/gmain.c:3978
#37 0x00007ffff7e4fced in g_application_run (application=0x55555558e140, argc=<optimized out>, argv=<optimized out>) at ../../../gio/gapplication.c:2559
#38 0x0000555555555331 in main (argc=<optimized out>, argv=<optimized out>) at ../src/main.c:133







gdb -q --pid $(pidof Xorg)

set width 0
set pagination off
directory /home/benutzer/source/xserver-xorg-core/orig/xorg-server-1.20.6/hw/kdrive/ephyr/man
b ProcShmCreatePixmap

Thread 1 "Xorg" hit Breakpoint 4, ProcShmCreatePixmap (client=0x55b5f312cc50) at ../../../../Xext/shm.c:1085
1085        if (width > 32767 || height > 32767)

(gdb) list
1080        depth = stuff->depth;
1081        if (!width || !height || !depth) {
1082            client->errorValue = 0;
1083            return BadValue;
1084        }
1085        if (width > 32767 || height > 32767)
1086            return BadAlloc;
1087
1088        if (stuff->depth != 1) {
1089            pDepth = pDraw->pScreen->allowedDepths;

(gdb) print width
$1 = 44351
(gdb) print height
$2 = 3013

(gdb) bt
#0  ProcShmCreatePixmap (client=0x55b5f312cc50) at ../../../../Xext/shm.c:1085
#1  0x000055b5f13e72a8 in ProcShmDispatch (client=0x55b5f312cc50) at ../../../../Xext/shm.c:1366
#2  0x000055b5f134f924 in Dispatch () at ../../../../dix/dispatch.c:478
#3  0x000055b5f13538f4 in dix_main (argc=13, argv=0x7ffc3dfa1398, envp=<optimized out>) at ../../../../dix/main.c:276
#4  0x00007fcbf175cbbb in __libc_start_main (main=0x55b5f133d710 <main>, argc=13, argv=0x7ffc3dfa1398, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc3dfa1388) at ../csu/libc-start.c:308
#5  0x000055b5f133d74a in _start () at ../../../../Xext/shm.c:1493







https://gitlab.gnome.org/GNOME/gtkmm/issues/54
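
Added example (not part of the original message, and not eog, cairo or Xorg code): a client-side mirror of the checks listed at Xext/shm.c lines 1081-1086 above, plus one possible way to stay under the limit by splitting the image into tiles. The names `check_shm_pixmap`, `plan_tiles` and `tile` are hypothetical, and tiling is only an assumption about what allocating the pixmap "some other way" could look like.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Per-dimension limit seen at Xext/shm.c:1085 in the trace above. */
#define X_PIXMAP_MAX_DIM 32767u

typedef enum { PIX_OK, PIX_BAD_VALUE, PIX_BAD_ALLOC } pix_status;
typedef struct { uint32_t x, y, w, h; } tile;   /* hypothetical helper type */

/* Client-side mirror of the two server checks at lines 1081-1086. */
pix_status check_shm_pixmap(uint32_t width, uint32_t height, uint32_t depth)
{
    if (!width || !height || !depth)
        return PIX_BAD_VALUE;
    if (width > X_PIXMAP_MAX_DIM || height > X_PIXMAP_MAX_DIM)
        return PIX_BAD_ALLOC;
    return PIX_OK;
}

/* Split width x height into tiles of at most max_dim per side.
 * Returns the tile count, or 0 if the input is invalid or `out` is too small. */
size_t plan_tiles(uint32_t width, uint32_t height, uint32_t max_dim,
                  tile *out, size_t cap)
{
    if (!width || !height || !max_dim || !out)
        return 0;
    uint64_t cols = ((uint64_t)width + max_dim - 1) / max_dim;
    uint64_t rows = ((uint64_t)height + max_dim - 1) / max_dim;
    if (cols * rows > cap)
        return 0;
    size_t n = 0;
    for (uint64_t r = 0; r < rows; r++) {
        for (uint64_t c = 0; c < cols; c++) {
            uint64_t x = c * max_dim, y = r * max_dim;
            uint64_t w = width - x, h = height - y;   /* remaining extent */
            out[n++] = (tile){ (uint32_t)x, (uint32_t)y,
                               (uint32_t)(w < max_dim ? w : max_dim),
                               (uint32_t)(h < max_dim ? h : max_dim) };
        }
    }
    return n;
}

int main(void)
{
    tile t[8];
    uint32_t w = 44351, h = 3013;   /* dimensions from the report */
    printf("single pixmap: status %d\n", check_shm_pixmap(w, h, 32));
    size_t n = plan_tiles(w, h, X_PIXMAP_MAX_DIM, t, 8);
    for (size_t i = 0; i < n; i++)
        printf("tile %zu: %ux%u+%u+%u status %d\n", i, t[i].w, t[i].h,
               t[i].x, t[i].y, check_shm_pixmap(t[i].w, t[i].h, 32));
    return 0;
}
```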


