Bug Database
Bug ID: 6829549
Votes: 0
Synopsis: JVM crash on certain images
Category: java:imageio
Reported Against:
Release Fixed: 7(b63)
State: 10-Fix Delivered, bug
Priority: 3-Medium
Related Bugs:
Submit Date: 13-APR-2009
Description
FULL PRODUCT VERSION :
java version "1.6.0_10"
Java(TM) SE Runtime Environment (build 1.6.0_10-b33)
Java HotSpot(TM) 64-Bit Server VM (build 11.0-b15, mixed mode)


ADDITIONAL OS VERSION INFORMATION :
Linux ubuntu 2.6.24-23-generic #1 SMP Mon Jan 26 01:04:16 UTC 2009 x86_64 GNU/Linux

A DESCRIPTION OF THE PROBLEM :
JVM crashed when reading image with color profile using ImageIO.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
execute attached script, use file http://farm1.static.flickr.com/130/413993721_0894d0328d_b.jpg


ERROR MESSAGES/STACK TRACES THAT OCCUR :
*** glibc detected *** /opt/jdk1.6.0_10/bin/java: double free or corruption (!prev): 0x000000004027ab40 ***
======= Backtrace: =========
/lib/libc.so.6[0x7f18d489108a]
/lib/libc.so.6(cfree+0x8c)[0x7f18d4894c1c]
/opt/jdk1.6.0_10/jre/lib/amd64/libcmm.so[0x7f188bf2b212]
/opt/jdk1.6.0_10/jre/lib/amd64/libcmm.so[0x7f188beef4ae]
/opt/jdk1.6.0_10/jre/lib/amd64/libcmm.so[0x7f188bf2b229]
/opt/jdk1.6.0_10/jre/lib/amd64/libcmm.so[0x7f188bf1fe9e]
/opt/jdk1.6.0_10/jre/lib/amd64/libcmm.so[0x7f188bf14d2d]
/opt/jdk1.6.0_10/jre/lib/amd64/libcmm.so[0x7f188bf2390b]
/opt/jdk1.6.0_10/jre/lib/amd64/libcmm.so[0x7f188bf287cb]
/opt/jdk1.6.0_10/jre/lib/amd64/libcmm.so(Java_sun_awt_color_CMM_cmmGetTransform+0xe2)[0x7f188bf2cfa2]
[0x7f18cfdf1852]
======= Memory map: ========


REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
import java.awt.image.BufferedImage;
import java.io.File;
import java.io.IOException;

import javax.imageio.ImageIO;

public class Crash {

	// Reading a JPEG whose embedded ICC profile has corrupted TRC tags aborts the JVM
	// inside libcmm (see the glibc "double free or corruption" message above).
	public static void main(String[] args) throws IOException {
		BufferedImage image = ImageIO.read(new File("413993721_0894d0328d_b.jpg"));
		System.out.println(image);
	}
}
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
strip color profile before passing image to ImageIO
Posted Date : 2009-04-13 17:49:34.0
Work Around
N/A
Evaluation
This problem is caused by a corrupted color profile embedded into the image.
Namely, this profile contains corrupted tags rTRC, gTRC, and bTRC, which
are required for transform generation.
Here is a short dump of the profile header that demonstrates the corruption:

tagCount: 17
 0: cprt, offset=150, size=033: type='text' (74657874)
 1: desc, offset=184, size=06c: type='desc' (64657363)
 2: wtpt, offset=1f0, size=014: type='XYZ ' (58595a20)
 3: bkpt, offset=204, size=014: type='XYZ ' (58595a20)
 4: rXYZ, offset=218, size=014: type='XYZ ' (58595a20)
 5: gXYZ, offset=22c, size=014: type='XYZ ' (58595a20)
 6: bXYZ, offset=240, size=014: type='XYZ ' (58595a20)
 7: dmnd, offset=254, size=070: type='desc' (64657363)
 8: dmdd, offset=2c4, size=088: type='desc' (64657363)
 9: vued, offset=34c, size=086: type='desc' (64657363)
10: view, offset=3d4, size=024: type='view' (76696577)
11: lumi, offset=3f8, size=014: type='XYZ ' (58595a20)
12: meas, offset=40c, size=024: type='meas' (6d656173)
13: tech, offset=430, size=00c: type='☻♦♣?' (020405b4)
14: rTRC, offset=43c, size=80c: type='r╡→→' (72b51a1a)
15: gTRC, offset=43c, size=80c: type='r╡→→' (72b51a1a)
16: bTRC, offset=43c, size=80c: type='r╡→→' (72b51a1a)

Note that the type signatures of tags rTRC, gTRC, and bTRC are corrupted
and contain meaningless values (btw, the technology tag also seems corrupted,
but it is not used by kcms for transform generation).
This makes it impossible for kcms to determine the exact type of the tag (which may
vary for modern profiles) and leads to transform generation failure.
The observed crash is caused by a disagreement between different levels of kcms
error handling, which leads to multiple deletion of the same chunk of data.

Instead of improving the error handling strategy in kcms (which may be
unnecessary if we have plans to upgrade the library), I suggest introducing
a small check for the validity of the required tags: namely, we can check
whether the TRC tags have the types corresponding to the spec and report failure
if these types are incorrect.

Another part of the fix is related to the jpeg reader. Here we introduce
a sanity check for the newly created color profile: if this color space is
unable to perform a simple color conversion, then we ignore it.
This allows us to avoid declaring image types based on corrupted
color spaces and failures when processing pixel data provided by the decoder.
Posted Date : 2009-06-02 09:03:40.0
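A standalone check in the spirit of the TRC-type validation the evaluation proposes, written here as an added Python example rather than the JDK's own fix. It assumes the basic ICC layout (128-byte header, big-endian tag count, 12-byte tag table entries, a 4-byte type signature at the start of each element) and constructs its own sample profiles, including one carrying the corrupted type signature 72b51a1a from the dump above.

```python
import struct

# Element type signatures the ICC spec permits for TRC tags ('curv' or 'para').
VALID_TRC_TYPES = {b"curv", b"para"}
TRC_TAGS = (b"bTRC", b"gTRC", b"rTRC")
HEADER_LEN = 128  # fixed ICC header; the 4-byte tag count follows it

def parse_tag_table(profile):
    """Return {tag_sig: (offset, size, element_type)}, bounds-checking every entry."""
    if len(profile) < HEADER_LEN + 4:
        raise ValueError("profile too short for header and tag count")
    (count,) = struct.unpack(">I", profile[HEADER_LEN:HEADER_LEN + 4])
    if HEADER_LEN + 4 + 12 * count > len(profile):
        raise ValueError("tag count exceeds profile length")
    tags = {}
    for i in range(count):
        entry = HEADER_LEN + 4 + 12 * i
        sig, off, size = struct.unpack(">4sII", profile[entry:entry + 12])
        # each element needs at least a type signature plus reserved field, inside the buffer
        if size < 8 or off + size > len(profile):
            raise ValueError("tag %r points outside the profile" % sig)
        tags[sig] = (off, size, profile[off:off + 4])
    return tags

def bad_trc_tags(profile):
    """List (tag, element_type) for TRC tags that are missing or not curv/para."""
    tags = parse_tag_table(profile)
    bad = []
    for sig in TRC_TAGS:
        if sig not in tags:
            bad.append((sig, None))
        elif tags[sig][2] not in VALID_TRC_TYPES:
            bad.append((sig, tags[sig][2]))
    return bad

def build_profile(trc_type):
    """Constructed test profile: header plus three TRC tags sharing one element,
    mirroring the dump above where rTRC/gTRC/bTRC all sit at the same offset."""
    element = trc_type + b"\0\0\0\0" + struct.pack(">I", 0)  # curv with zero entries
    elem_off = HEADER_LEN + 4 + 12 * len(TRC_TAGS)
    table = struct.pack(">I", len(TRC_TAGS))
    for sig in TRC_TAGS:
        table += struct.pack(">4sII", sig, elem_off, len(element))
    header = struct.pack(">I", elem_off + len(element)) + b"\0" * (HEADER_LEN - 4)
    return header + table + element

if __name__ == "__main__":
    print(bad_trc_tags(build_profile(b"curv")))                     # []
    print(bad_trc_tags(build_profile(bytes.fromhex("72b51a1a"))))  # all three flagged
```

A profile that fails this check should be discarded before any transform is requested from the native CMM, which is exactly the point at which the crash above occurs.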