JDK-6658726 : ColorConvertOp causes JVM to abort
  • Type: Bug
  • Component: client-libs
  • Sub-Component: 2d
  • Affected Version: 6
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: linux
  • CPU: x86
  • Submitted: 2008-02-04
  • Updated: 2011-03-07
  • Resolved: 2011-03-07
Fixed in:
  • JDK 6: 6u14
  • JDK 7: 7 b54
Description
FULL PRODUCT VERSION :
java version "1.6.0_04"
Java(TM) SE Runtime Environment (build 1.6.0_04-b12)
Java HotSpot(TM) Server VM (build 10.0-b19, mixed mode)
AND
java version "1.7.0-ea"
Java(TM) SE Runtime Environment (build 1.7.0-ea-b24)
Java HotSpot(TM) Server VM (build 12.0-b01, mixed mode)



ADDITIONAL OS VERSION INFORMATION :
Linux gatekeeper 2.6.22.9-91.fc7 #1 SMP Thu Sep 27 23:10:59 EDT 2007 i686 athlon i386 GNU/Linux

A DESCRIPTION OF THE PROBLEM :
The JVM crashes trying to use ImageIO.read with specific JPG images. The image in question has an sRGB embedded profile. The same image displays fine using Preview.App under OSX, for instance.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
ImageInputStream imageInputStream = new MemoryCacheImageInputStream(new ByteArrayInputStream(blob.getBytes(1L, (int)blob.length())));
BufferedImage sourceImage = ImageIO.read(imageInputStream);

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The image to be read successfully or, at worst, an exception to be thrown.
ACTUAL -
The JVM crashes and aborts.

ERROR MESSAGES/STACK TRACES THAT OCCUR :
*** glibc detected *** java: corrupted double-linked list: 0x90843e60 ***
======= Backtrace: =========
/lib/libc.so.6[0x940867]
/lib/libc.so.6(__libc_malloc+0x7e)[0x941ebe]
/usr/local/jdk1.6.0_04/jre/lib/i386/libcmm.so[0x90600f65]
/usr/local/jdk1.6.0_04/jre/lib/i386/libcmm.so[0x905bb460]
/usr/local/jdk1.6.0_04/jre/lib/i386/libcmm.so[0x905b4690]
/usr/local/jdk1.6.0_04/jre/lib/i386/libcmm.so[0x905b3e34]
/usr/local/jdk1.6.0_04/jre/lib/i386/libcmm.so[0x905f79e6]
/usr/local/jdk1.6.0_04/jre/lib/i386/libcmm.so[0x905f7f4d]
/usr/local/jdk1.6.0_04/jre/lib/i386/libcmm.so[0x905f82a2]
/usr/local/jdk1.6.0_04/jre/lib/i386/libcmm.so[0x905fdc70]
/usr/local/jdk1.6.0_04/jre/lib/i386/libcmm.so(Java_sun_awt_color_CMM_cmmGetTransform+0xee)[0x906031ee]
[0xb4f123aa]
[0xb4f0ade9]
[0xb4f0af0d]
[0xb4f0ada7]
[0xb4f08249]
/usr/local/jdk1.6.0_04/jre/lib/i386/server/libjvm.so[0x637338d]
/usr/local/jdk1.6.0_04/jre/lib/i386/server/libjvm.so[0x64fd168]
/usr/local/jdk1.6.0_04/jre/lib/i386/server/libjvm.so[0x6373220]
/usr/local/jdk1.6.0_04/jre/lib/i386/server/libjvm.so[0x639cab7]
/usr/local/jdk1.6.0_04/jre/lib/i386/server/libjvm.so[0x638354a]
/usr/local/jdk1.6.0_04/jre/lib/i386/libjpeg.so(Java_com_sun_imageio_plugins_jpeg_JPEGImageReader_readImage+0xa36)[0x905872d6]
[0xb4f123aa]
[0xb4f0ace1]
[0xb4f0ada7]
[0xb4f0ada7]
[0xb4f0ada7]
[0xb4f08249]
/usr/local/jdk1.6.0_04/jre/lib/i386/server/libjvm.so[0x637338d]
/usr/local/jdk1.6.0_04/jre/lib/i386/server/libjvm.so[0x64fd168]
/usr/local/jdk1.6.0_04/jre/lib/i386/server/libjvm.so[0x6373220]
/usr/local/jdk1.6.0_04/jre/lib/i386/server/libjvm.so[0x639c846]
/usr/local/jdk1.6.0_04/jre/lib/i386/server/libjvm.so[0x638e048]
java(JavaMain+0x2c8)[0x8049b98]
/lib/libpthread.so.0[0xa6544b]
/lib/libc.so.6(clone+0x5e)[0x9a880e]
======= Memory map: ========



REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
import java.awt.image.BufferedImage;
import java.io.FileInputStream;

import javax.imageio.ImageIO;
import javax.imageio.stream.ImageInputStream;
import javax.imageio.stream.MemoryCacheImageInputStream;

public class ExportImagesTest
{
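    /**
     * Reads broken.jpg through ImageIO; on affected builds the JVM aborts
     * inside ImageIO.read instead of throwing an exception.
     *
     * @param args unused
     */
    public static void main(String[] args)
    {
        try
        {
            ImageInputStream imageInputStream = new MemoryCacheImageInputStream(new FileInputStream("broken.jpg"));
            BufferedImage sourceImage = ImageIO.read(imageInputStream);
        }
        catch (Exception e)
        {
            // Expected outcome for a bad image: an exception, reported here
            e.printStackTrace();
        }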
    }

}

---------- END SOURCE ----------

Comments
SUGGESTED FIX http://sa.sfbay.sun.com/projects/java2d_data/7/6658726.0/
29-01-2009

EVALUATION The peculiarity of the profile in question is that the tone curve tags for the red, green, and blue components have an incorrect signature: instead of "curv" it has a leading space char (" curv"). The kcms code fails to recognize the given tags as tone curves and handles them incorrectly, which leads to failure of kcms transform creation. The observed crash is a manifestation of inconsistencies in the error handling strategy on several levels of kcms: to recover after an error, some routines attempt to de-allocate data buffers which are referenced by duplicated pointers and aren't de-allocated in normal circumstances. This causes heap corruption when the actual data containers are destroyed on a higher level. However, there is a way to resolve this particular problem: we can make the tag handlers more tolerant of incorrect tag signatures, i.e. the tag signature may be trimmed, which makes it possible to handle it without any failures.
29-01-2009
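
The malformed tone curve signature described in the evaluation above can be detected before a profile reaches native CMM code. The following is an added example, not JDK or kcms code: it walks the tag table of raw ICC profile bytes (128-byte header, big-endian tag count, 12-byte entries) and reports rTRC/gTRC/bTRC tags whose type signature is not "curv" or "para". The class name, the sample bytes and the exact byte layout of the bad signature are assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class IccTrcCheck {
    /** Returns one message per TRC tag whose type signature is not "curv" or "para". */
    static List<String> check(byte[] icc) {
        List<String> problems = new ArrayList<>();
        if (icc.length < 132) { problems.add("profile shorter than header + tag count"); return problems; }
        ByteBuffer buf = ByteBuffer.wrap(icc);          // big-endian by default, as ICC requires
        long count = buf.getInt(128) & 0xFFFFFFFFL;     // tag count follows the 128-byte header
        if (132 + count * 12 > icc.length) { problems.add("tag table runs past end of profile"); return problems; }
        for (int i = 0; i < count; i++) {
            int entry = 132 + i * 12;                   // entry: signature, offset, size
            String tag = sig(icc, entry);
            if (!tag.equals("rTRC") && !tag.equals("gTRC") && !tag.equals("bTRC")) continue;
            long off = buf.getInt(entry + 4) & 0xFFFFFFFFL;
            long size = buf.getInt(entry + 8) & 0xFFFFFFFFL;
            if (size < 8 || off + size > icc.length) { problems.add(tag + ": data out of bounds"); continue; }
            String type = sig(icc, (int) off);          // first 4 bytes of tag data = type signature
            if (!type.equals("curv") && !type.equals("para"))
                problems.add(tag + ": unexpected type signature \"" + type + "\"");
        }
        return problems;
    }

    static String sig(byte[] b, int pos) {
        return new String(b, pos, 4, StandardCharsets.ISO_8859_1);
    }

    public static void main(String[] args) {
        // Constructed sample, not the profile from this report: zeroed header and one
        // rTRC tag whose data starts with " curv" (assumed layout of the bad signature).
        ByteBuffer p = ByteBuffer.allocate(160);
        p.putInt(128, 1);                               // one tag
        p.position(132);
        p.put("rTRC".getBytes(StandardCharsets.ISO_8859_1));
        p.putInt(144);                                  // offset of tag data
        p.putInt(16);                                   // size of tag data
        p.position(144);
        p.put(" curv".getBytes(StandardCharsets.ISO_8859_1));
        System.out.println(check(p.array()));
    }
}
```

Run on profile bytes extracted from an uploaded image, a non-empty result lets a service reject the file or drop its embedded profile instead of passing it to color conversion.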

EVALUATION Investigation of the sample image shows that the embedded color profile has some peculiarities which may cause a crash in the kcms library. The extracted profile and a simplified test are attached.
24-11-2008

EVALUATION The crash occurs in the CMM library code and seems to be caused by the embedded color profile. However, without a sample image, it is quite hard to figure out the actual reason for the crash. There could be some peculiarities in the color profile that CMM is unable to handle, or there could be some issues in the Image IO plugin that lead to corruption of the embedded color profile. We need a sample image in order to be able to investigate this problem, so I am moving this CR to the incomplete state.
23-11-2008