[Linux] Some PNG textures cause segfaults



Topic review

Re: [Linux] Some PNG textures cause segfaults

by Graf Zahl » Fri Apr 15, 2016 10:38 am

There's probably more that needs to be merged into maint. But that can wait until a new release is imminent.

Re: [Linux] Some PNG textures cause segfaults

by Edward-san » Fri Apr 15, 2016 10:21 am

Shouldn't the fix be merged in the maint branch together with this commit?

Re: [Linux] Some PNG textures cause segfaults

by Graf Zahl » Fri Apr 15, 2016 7:08 am

Yup. It seems to be random chance that on Windows the values in these variables just happen to be something that doesn't make it throw up.
The entire 'tRNS' case is broken, it has to readjust the file pointer in case it doesn't read anything.

Re: [Linux] Some PNG textures cause segfaults

by Edward-san » Fri Apr 15, 2016 7:06 am

Aha, if I add 'else lump->Seek (len, SEEK_CUR);' after the if (ColorType == 3) block, the crash doesn't happen anymore.

Re: [Linux] Some PNG textures cause segfaults

by Edward-san » Fri Apr 15, 2016 7:03 am

Hmm, before that weird len, in the previous loop, when 'lump' has:

'Length = 2853, StartPos = 351, FilePos = 412',

'len' is 6 and 'id' matches the tRNS chunk, then inside the switch, ColorType is 2, making the condition (ColorType == 3) false, so the code breaks out of the switch without doing any seek. Could that be the problem?
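
A worked illustration of the desync described in this post and of the one-line Seek fix given in the reply above, written for this page as an added example (it is not GZDoom's pngtexture.cpp and makes no claim about the real loop beyond what the thread states). MemLump, ReadChunkHeader, WalkChunks, AppendChunk and MakeSamplePng are assumed names; the in-memory Read/Seek reader, the 256-entry palette-alpha buffer, the placement of the CRC skip at the end of the loop body, and the placeholder CRC bytes in the sample stream are all assumptions, and the PNG-shaped byte stream is constructed inline. With fixed=false the tRNS case leaves the switch without consuming its 6-byte payload when ColorType is 2, so the next header is read 4 bytes short of the IDAT chunk: the length becomes a garbage big-endian value built from tRNS data and CRC bytes, the id is garbage, and the default case seeks far past the end of the lump, which is the pattern in the FilePos values posted earlier in the thread.

```cpp
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Assumed stand-in for the lump reader whose Read/Seek the thread mentions
// (not GZDoom's class). Seeks are clamped to the buffer bounds.
struct MemLump {
    const std::vector<uint8_t>* data;
    size_t pos;
    explicit MemLump(const std::vector<uint8_t>& d) : data(&d), pos(0) {}
    size_t Read(void* out, size_t n) {               // returns bytes actually copied
        size_t got = n < data->size() - pos ? n : data->size() - pos;
        std::memcpy(out, data->data() + pos, got);
        pos += got;
        return got;
    }
    void Seek(long long off, int whence) {           // SEEK_SET or SEEK_CUR
        long long t = (whence == SEEK_CUR ? (long long)pos : 0) + off;
        pos = (size_t)(t < 0 ? 0 : t > (long long)data->size() ? (long long)data->size() : t);
    }
};

// Every PNG chunk starts with a big-endian 4-byte length and a 4-byte type.
static bool ReadChunkHeader(MemLump& lump, uint32_t& len, char id[4]) {
    uint8_t hdr[8];
    if (lump.Read(hdr, sizeof hdr) != sizeof hdr) return false;
    len = (uint32_t(hdr[0]) << 24) | (uint32_t(hdr[1]) << 16) |
          (uint32_t(hdr[2]) << 8)  |  uint32_t(hdr[3]);
    std::memcpy(id, hdr + 4, 4);
    return true;
}

// Chunk loop shaped like the one in the thread: read header, handle the chunk,
// skip the CRC. With fixed=false the tRNS case leaves the switch without
// consuming its payload when colorType != 3, so the next "header" is read from
// inside the tRNS data and the walk desynchronises. Returns the ids seen.
static std::vector<std::string> WalkChunks(const std::vector<uint8_t>& png,
                                           int colorType, bool fixed) {
    MemLump lump(png);
    std::vector<std::string> seen;
    uint8_t palAlpha[256];                  // assumed fixed-size palette-alpha buffer
    uint32_t len;
    char id[4];
    lump.Seek(8, SEEK_SET);                 // skip the PNG signature
    while (ReadChunkHeader(lump, len, id)) {
        seen.push_back(std::string(id, 4));
        if (std::memcmp(id, "IEND", 4) == 0) break;
        if (std::memcmp(id, "tRNS", 4) == 0) {
            if (colorType == 3) {
                // Bounded copy: an unbounded Read(palAlpha, len) is the stack
                // overwrite _mental_ suspects once len exceeds 256.
                uint32_t take = len < 256u ? len : 256u;
                lump.Read(palAlpha, take);
                lump.Seek(len - take, SEEK_CUR);
            } else if (fixed) {
                lump.Seek(len, SEEK_CUR);   // the one-line fix from the thread
            }                               // buggy path: payload left unread
        } else {
            lump.Seek(len, SEEK_CUR);       // default: skip the payload
        }
        lump.Seek(4, SEEK_CUR);             // skip the CRC
        if (seen.size() > 32) break;        // guard against spinning on garbage
    }
    return seen;
}

// Appends one chunk with placeholder CRC bytes (constructed; nothing checks them).
static void AppendChunk(std::vector<uint8_t>& out, const char* id,
                        const std::vector<uint8_t>& payload) {
    uint32_t len = (uint32_t)payload.size();
    const uint8_t hdr[4] = {uint8_t(len >> 24), uint8_t(len >> 16), uint8_t(len >> 8), uint8_t(len)};
    const uint8_t crc[4] = {0xAA, 0xBB, 0xCC, 0xDD};
    out.insert(out.end(), hdr, hdr + 4);
    out.insert(out.end(), id, id + 4);
    out.insert(out.end(), payload.begin(), payload.end());
    out.insert(out.end(), crc, crc + 4);
}

// Constructed PNG-shaped stream: signature, IHDR, tRNS of trnsLen bytes, IDAT, IEND.
static std::vector<uint8_t> MakeSamplePng(size_t trnsLen) {
    const uint8_t sig[8] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1A, '\n'};
    std::vector<uint8_t> png(sig, sig + 8);
    AppendChunk(png, "IHDR", std::vector<uint8_t>(13, 0x00));
    AppendChunk(png, "tRNS", std::vector<uint8_t>(trnsLen, 0x03));
    AppendChunk(png, "IDAT", std::vector<uint8_t>(32, 0x55));
    AppendChunk(png, "IEND", std::vector<uint8_t>());
    return png;
}

int main() {
    for (int fixed = 0; fixed < 2; ++fixed) {
        std::vector<std::string> seen = WalkChunks(MakeSamplePng(6), 2, fixed != 0);
        std::printf("%s walk, ColorType 2:", fixed ? "fixed" : "buggy");
        for (size_t i = 0; i < seen.size(); ++i) {
            std::putchar(' ');
            for (char c : seen[i]) std::putchar(std::isprint((unsigned char)c) ? c : '?');
        }
        std::putchar('\n');
    }
    return 0;
}
```

The buggy walk reports IHDR, tRNS and then one garbage id before the reader runs off the end of the lump; the fixed walk reports IHDR, tRNS, IDAT, IEND. The ColorType 3 branch also bounds the copy into the 256-entry buffer and seeks past the remainder, so an oversized tRNS chunk neither overwrites the stack nor leaves the file pointer mid-chunk; a real implementation would additionally validate the chunk length against the remaining lump size before seeking.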

Re: [Linux] Some PNG textures cause segfaults

by Graf Zahl » Fri Apr 15, 2016 6:59 am

grAb is only looked at in the constructor. Once the values are known there is no need to read them again. And for texture creation they are simply not needed.

Re: [Linux] Some PNG textures cause segfaults

by Edward-san » Fri Apr 15, 2016 6:52 am

At a certain point, in the while loop at line 636 in pngtexture.cpp, 'len' has value '6', then becomes '28326' with the biglong conversion, 'id' is:

{'\a','\221','\0','\0'} (37127)

while 'lump' has:
'Length = 2853, StartPos = 351, FilePos = 424'.

Then, it goes to the 'default' switch, making the code execute 'lump->Seek (len, SEEK_CUR)', leaving 'lump' with
'Length = 2853, StartPos = 351, FilePos = 28750'.

Does this help?

[edit] The grAb chunk is found but it's not handled in the switch. Is that okay?

Re: [Linux] Some PNG textures cause segfaults

by _mental_ » Fri Apr 15, 2016 6:51 am

It looks like a stack overwrite happened at line 657. What is the value of len variable at line 653? I guess it's greater than 256.

Re: [Linux] Some PNG textures cause segfaults

by Graf Zahl » Fri Apr 15, 2016 6:32 am

Can't you try a debugger to see what's up there?

Re: [Linux] Some PNG textures cause segfaults

by VoidMage » Fri Apr 15, 2016 6:21 am

Well, no real progress, but I need to mention that I've tried clang and it crashes just the same.

It also hates something about your coding style: with '-Wall', it floods with 'warning: '<foo>' overrides a member function but is not marked 'override'' in dobject.h and dobject.h.

AFAICT, there aren't any other warnings for pngtexture.cpp.

Re: [Linux] Some PNG textures cause segfaults

by Edward-san » Fri Apr 15, 2016 6:15 am

Attached a backtrace at the moment the function FPNGTexture::CopyTrueColorPixels is entered after the summon command. At least this is showing correctly.
Attachment: gzdoom-backtrace-start.txt (42.93 KiB)

Re: [Linux] Some PNG textures cause segfaults

by Edward-san » Fri Apr 15, 2016 5:24 am

Attached a crash log with debug enabled. What's going on? I'll try with Valgrind or the address sanitizer.
Attachment: gzdoom-crash.log.txt (61.37 KiB)

Re: [Linux] Some PNG textures cause segfaults

by Graf Zahl » Fri Apr 15, 2016 4:17 am

The software renderer never calls CopyTrueColorPixels. That's only used by GZDoom and the hardware 2D code.

Re: [Linux] Some PNG textures cause segfaults

by VoidMage » Fri Apr 15, 2016 3:54 am

Hmm, that's an interesting point.

Funny thing, with '+set vid_renderer 0' crash doesn't happen.

Re: [Linux] Some PNG textures cause segfaults

by Graf Zahl » Fri Apr 15, 2016 3:13 am

It doesn't go to FBitmap::CopyPixelDataRGB. It will go to FGLBitmap::CopyPixelDataRGB. But that's mostly the same. This is a virtual function call, so if the call itself fails the only reason can be some problem with the virtual function table. No idea how that could happen, though.
