Bug ID: 6658726 ColorConvertOp causes JVM to abort

Details
Type: Bug
Submit Date: 2008-02-04
Status: Closed
Updated Date: 2011-03-07
Project Name: JDK
Resolved Date: 2011-03-07
Component: client-libs
OS: linux
Sub-Component: 2d
CPU: x86
Priority: P3
Resolution: Fixed
Affected Versions: 6
Fixed Versions: 7

Description
FULL PRODUCT VERSION :
java version "1.6.0_04"
Java(TM) SE Runtime Environment (build 1.6.0_04-b12)
Java HotSpot(TM) Server VM (build 10.0-b19, mixed mode)
AND
java version "1.7.0-ea"
Java(TM) SE Runtime Environment (build 1.7.0-ea-b24)
Java HotSpot(TM) Server VM (build 12.0-b01, mixed mode)



ADDITIONAL OS VERSION INFORMATION :
Linux gatekeeper 2.6.22.9-91.fc7 #1 SMP Thu Sep 27 23:10:59 EDT 2007 i686 athlon i386 GNU/Linux

A DESCRIPTION OF THE PROBLEM :
The JVM crashes trying to use ImageIO.read with specific JPG images. The image in question has an sRGB embedded profile. The same image displays fine using Preview.App under OSX, for instance.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
ImageInputStream imageInputStream = new MemoryCacheImageInputStream(new ByteArrayInputStream(blob.getBytes(1L, (int)blob.length())));
BufferedImage sourceImage = ImageIO.read(imageInputStream);

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
the image to be read successfully or at worst throwing an exception
ACTUAL -
the JVM crashes and aborts.

ERROR MESSAGES/STACK TRACES THAT OCCUR :
*** glibc detected *** java: corrupted double-linked list: 0x90843e60 ***
======= Backtrace: =========
/lib/libc.so.6[0x940867]
/lib/libc.so.6(__libc_malloc+0x7e)[0x941ebe]
/usr/local/jdk1.6.0_04/jre/lib/i386/libcmm.so[0x90600f65]
/usr/local/jdk1.6.0_04/jre/lib/i386/libcmm.so[0x905bb460]
/usr/local/jdk1.6.0_04/jre/lib/i386/libcmm.so[0x905b4690]
/usr/local/jdk1.6.0_04/jre/lib/i386/libcmm.so[0x905b3e34]
/usr/local/jdk1.6.0_04/jre/lib/i386/libcmm.so[0x905f79e6]
/usr/local/jdk1.6.0_04/jre/lib/i386/libcmm.so[0x905f7f4d]
/usr/local/jdk1.6.0_04/jre/lib/i386/libcmm.so[0x905f82a2]
/usr/local/jdk1.6.0_04/jre/lib/i386/libcmm.so[0x905fdc70]
/usr/local/jdk1.6.0_04/jre/lib/i386/libcmm.so(Java_sun_awt_color_CMM_cmmGetTransform+0xee)[0x906031ee]
[0xb4f123aa]
[0xb4f0ade9]
[0xb4f0af0d]
[0xb4f0ada7]
[0xb4f08249]
/usr/local/jdk1.6.0_04/jre/lib/i386/server/libjvm.so[0x637338d]
/usr/local/jdk1.6.0_04/jre/lib/i386/server/libjvm.so[0x64fd168]
/usr/local/jdk1.6.0_04/jre/lib/i386/server/libjvm.so[0x6373220]
/usr/local/jdk1.6.0_04/jre/lib/i386/server/libjvm.so[0x639cab7]
/usr/local/jdk1.6.0_04/jre/lib/i386/server/libjvm.so[0x638354a]
/usr/local/jdk1.6.0_04/jre/lib/i386/libjpeg.so(Java_com_sun_imageio_plugins_jpeg_JPEGImageReader_readImage+0xa36)[0x905872d6]
[0xb4f123aa]
[0xb4f0ace1]
[0xb4f0ada7]
[0xb4f0ada7]
[0xb4f0ada7]
[0xb4f08249]
/usr/local/jdk1.6.0_04/jre/lib/i386/server/libjvm.so[0x637338d]
/usr/local/jdk1.6.0_04/jre/lib/i386/server/libjvm.so[0x64fd168]
/usr/local/jdk1.6.0_04/jre/lib/i386/server/libjvm.so[0x6373220]
/usr/local/jdk1.6.0_04/jre/lib/i386/server/libjvm.so[0x639c846]
/usr/local/jdk1.6.0_04/jre/lib/i386/server/libjvm.so[0x638e048]
java(JavaMain+0x2c8)[0x8049b98]
/lib/libpthread.so.0[0xa6544b]
/lib/libc.so.6(clone+0x5e)[0x9a880e]
======= Memory map: ========



REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
import java.awt.image.BufferedImage;
import java.io.FileInputStream;

import javax.imageio.ImageIO;
import javax.imageio.stream.ImageInputStream;
import javax.imageio.stream.MemoryCacheImageInputStream;

public class ExportImagesTest
{
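    /**
     * Reads broken.jpg (the JPEG with the embedded sRGB profile) through ImageIO.
     */
    public static void main(String[] args)
    {
        try
        {
            ImageInputStream imageInputStream = new MemoryCacheImageInputStream(new FileInputStream("broken.jpg"));
            // On affected builds the JVM aborts inside this call instead of throwing.
            BufferedImage sourceImage = ImageIO.read(imageInputStream);
        }
        catch (Exception e)
        {
            // Expected behaviour at worst: an exception reported here.
            e.printStackTrace();
        }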
    }

}

---------- END SOURCE ----------

                                    

Comments
SUGGESTED FIX

http://sa.sfbay.sun.com/projects/java2d_data/7/6658726.0/
                                     
2009-01-29
EVALUATION

The peculiarity of the profile in question is that the tone curve tags
for the red, green, and blue components have an incorrect signature:
instead of "curv" it has a leading space char (" curv"). The kcms
code failed to recognize the given tags as tone curves and handles
them incorrectly, which leads to failure of kcms transform creation.

The observed crash is a manifestation of inconsistencies in the error handling
strategy on several levels of kcms: to recover after an error, some
routines attempt to de-allocate data buffers which are referenced by
duplicated pointers and aren't de-allocated in normal circumstances.
This causes heap corruption when the actual data containers are destroyed
on a higher level.

However, there is a way to resolve this particular problem:
we can make the tag handlers more tolerant of incorrect tag signatures,
i.e. the tag signature may be trimmed, which makes it possible to handle it without
any failures.
                                     
2009-01-29
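
The evaluation above traces the failure to tone curve tags whose signature is not "curv". As an added example (not JDK or kcms code), this is a pre-check an application could run over raw ICC profile bytes before handing them to the colour management library. The class and method names are hypothetical; it assumes the caller has already extracted the profile bytes, that the signature in question is the 4-byte type field at the start of each tag's data, and it also accepts "para", the parametric curve type ICC v4 allows for these tags.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class IccCurveTagCheck {
    // Returns one finding per malformed entry; an empty list means the TRC tags look sane.
    static List<String> badCurveTags(byte[] icc) {
        List<String> bad = new ArrayList<String>();
        if (icc.length < 132) { bad.add("profile shorter than header + tag count"); return bad; }
        ByteBuffer buf = ByteBuffer.wrap(icc);          // big-endian by default, as ICC requires
        long count = buf.getInt(128) & 0xFFFFFFFFL;     // tag count follows the 128-byte header
        if (132 + count * 12 > icc.length) { bad.add("tag table exceeds profile length"); return bad; }
        for (int i = 0; i < count; i++) {
            int entry = 132 + i * 12;                   // each entry: signature, offset, size
            String tag = sig(icc, entry);
            long off = buf.getInt(entry + 4) & 0xFFFFFFFFL;
            long size = buf.getInt(entry + 8) & 0xFFFFFFFFL;
            if (size < 8 || off + size > icc.length) { bad.add(tag + ": data out of bounds"); continue; }
            if (tag.equals("rTRC") || tag.equals("gTRC") || tag.equals("bTRC")) {
                String type = sig(icc, (int) off);      // type signature opens the tag data
                if (!type.equals("curv") && !type.equals("para"))
                    bad.add(tag + ": type signature '" + type + "'");
            }
        }
        return bad;
    }

    // Reads a 4-byte signature as text without interpreting it.
    static String sig(byte[] b, int pos) {
        return new String(b, pos, 4, StandardCharsets.ISO_8859_1);
    }

    public static void main(String[] args) {
        // Constructed sample: zeroed header, one rTRC tag whose type field starts with a space.
        ByteBuffer p = ByteBuffer.allocate(132 + 12 + 12);
        p.position(128);
        p.putInt(1);
        p.put("rTRC".getBytes(StandardCharsets.ISO_8859_1)).putInt(144).putInt(12);
        p.put(" cur".getBytes(StandardCharsets.ISO_8859_1)).putInt(0).putInt(0);
        System.out.println(badCurveTags(p.array()));
    }
}
```

A non-empty result is a reason to reject the profile, or to decode the image without it, in application code rather than relying on the native library's error recovery.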
EVALUATION

Investigation of the sample image shows that the embedded color profile
has some peculiarities which may cause a crash in the kcms library.
The extracted profile and a simplified test are attached.
                                     
2008-11-24
EVALUATION

The crash occurs in the CMM library code and seems to be caused by the embedded
color profile.
However, without a sample image, it is quite hard to figure out the actual reason
for the crash. There could be some peculiarities in the color profile that CMM
is unable to handle, or there could be some issues in the Image IO plugin that lead
to corruption of the embedded color profile.

We need a sample image in order to be able to investigate this problem,
so I move this CR to incomplete state.
                                     
2008-11-23