
SegFault when reading .glb files with gltf-viewer #754

Closed
el-dee opened this issue Oct 7, 2019 · 4 comments
Labels: bug

Comments

@el-dee (Contributor) commented Oct 7, 2019

Testing on Linux (Mint/Ubuntu Xenial), gltf-viewer crashes when loading some .glb files. I investigated with a debug-enabled build and the backtrace is:

```
#0  Extension::extract_bytes (this=this@entry=0x7fffffffc240, size=size@entry=12676) at dtool/src/prc/streamReader_ext.cxx:25
#1  0x00007ffff45bc438 in Dtool_StreamReader_extract_bytes_436 (self=, arg=) at built/tmp/libp3prc_igate.cxx:14038
#2  0x0000000000528af6 in PyEval_EvalFrameEx ()
#3  0x000000000052d2b9 in ?? ()
#4  0x0000000000528ee2 in PyEval_EvalFrameEx ()
#5  0x00000000005287c4 in PyEval_EvalFrameEx ()
#6  0x000000000052d2b9 in ?? ()
#7  0x0000000000528ee2 in PyEval_EvalFrameEx ()
#8  0x000000000052d2b9 in ?? ()
#9  0x0000000000528ee2 in PyEval_EvalFrameEx ()
#10 0x000000000052e10b in PyEval_EvalCodeEx ()
#11 0x00000000004ec3e8 in ?? ()
#12 0x00000000005bc037 in PyObject_Call ()
#13 0x00007ffff4a7e4ed in PythonThread::call_python_func (function=0x7fffed710488, args=args@entry=0x7fffe5bfbea0) at panda/src/pipeline/pythonThread.cxx:137
#14 0x00007ffff4a8dcb6 in PythonLoaderFileType::load_file (this=0x18e7380, path=..., options=..., record=0x0) at panda/src/pgraph/pythonLoaderFileType.cxx:349
#15 0x00007ffff3918000 in Loader::try_load_file (this=this@entry=0x17cb6a0, pathname=..., options=..., requested_type=requested_type@entry=0x18e7380) at panda/src/pgraph/loader.cxx:354
#16 0x00007ffff3919057 in Loader::load_file (this=0x17cb6a0, filename=..., options=...) at panda/src/pgraph/loader.cxx:248
#17 0x00007ffff46b8231 in Loader::load_sync (options=..., filename=..., this=) at built/include/loader.I:156
#18 Dtool_Loader_load_sync_1637 (self=, args=, kwds=) at built/tmp/libp3pgraph_igate.cxx:1047
#19 0x00000000004ea117 in PyCFunction_Call ()
#20 0x00000000005243f4 in PyEval_EvalFrameEx ()
#21 0x000000000052d2b9 in ?? ()
#22 0x0000000000528ee2 in PyEval_EvalFrameEx ()
#23 0x000000000052e84a in PyEval_EvalCodeEx ()
#24 0x00000000004ec373 in ?? ()
#25 0x00000000005bc037 in PyObject_Call ()
#26 0x00000000004f489e in ?? ()
#27 0x00000000005bc037 in PyObject_Call ()
#28 0x000000000054e9b9 in ?? ()
#29 0x000000000055851c in ?? ()
#30 0x00000000005bc037 in PyObject_Call ()
#31 0x0000000000528cef in PyEval_EvalFrameEx ()
#32 0x00000000005287c4 in PyEval_EvalFrameEx ()
#33 0x000000000052d2b9 in ?? ()
#34 0x000000000052dfbf in PyEval_EvalCode ()
#35 0x00000000005fc652 in ?? ()
#36 0x00000000005feafa in PyRun_FileExFlags ()
#37 0x00000000005fecec in PyRun_SimpleFileExFlags ()
#38 0x000000000063ec96 in Py_Main ()
#39 0x00000000004d02e1 in main ()
```

It seems that in Extension<StreamReader>::extract_bytes the variable buffer, a pointer to an allocated buffer from alloca(size) is corrupted or the heap itself is corrupted, in any case gdb can’t dump the memory at that location. The size variable seems ok, it looks like the size of the buffer being read.

Reading the same model as .gltf works though.

Model used for test: https://github.com/KhronosGroup/glTF-Sample-Models/tree/master/2.0/MetalRoughSpheres

@rdb rdb self-assigned this Oct 7, 2019
@rdb rdb added this to the 1.10.5 milestone Oct 7, 2019
@rdb (Member) commented Oct 7, 2019

On it; it looks like we're using alloca here, which could easily result in a stack overflow. However, we could just copy straight into the Python bytes object and then adjust using _PyBytes_Resize if needed, so we don't even need the extra allocation.
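
To illustrate the point above in plain C, here is an added example (not Panda3D's code, nor the commit that fixed this issue): a reader whose requested size comes from the file, written so that the size never drives a stack allocation. Because the real fix writes directly into a Python bytes object and shrinks it with _PyBytes_Resize, which needs the Python C API, the example uses malloc/realloc for the same two steps: allocate at the requested size, then shrink to what was actually read. The in-memory `mem_stream`, the sample bytes, and the `MAX_EXTRACT_SIZE` cap are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical in-memory stream standing in for the istream a .glb is read
 * from; the bytes are constructed for this example. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} mem_stream;

/* Read up to n bytes (like istream::read) and return the count actually
 * read, which is short when the stream ends first. */
static size_t stream_read(mem_stream *s, uint8_t *dst, size_t n) {
    size_t avail = s->len - s->pos;
    size_t take = n < avail ? n : avail;
    memcpy(dst, s->data + s->pos, take);
    s->pos += take;
    return take;
}

/* Owning heap buffer returned by extract_bytes; data == NULL means the
 * request was refused or allocation failed.  The caller frees data. */
typedef struct {
    uint8_t *data;
    size_t len;
} byte_buf;

/* Policy cap on a single read request (an assumption for this example, not a
 * Panda3D setting): sizes above it are refused instead of allocated. */
#define MAX_EXTRACT_SIZE ((size_t)64 * 1024 * 1024)

/* Heap-based counterpart of an alloca(size) reader.  `size` comes from the
 * file, so it is never used for a stack allocation; the buffer is allocated
 * at the requested size and shrunk to what was actually read, the role
 * _PyBytes_Resize plays when the destination is a Python bytes object. */
static byte_buf extract_bytes(mem_stream *s, size_t size) {
    byte_buf out = { NULL, 0 };
    if (size > MAX_EXTRACT_SIZE) return out;
    uint8_t *buf = malloc(size ? size : 1);
    if (buf == NULL) return out;
    size_t got = stream_read(s, buf, size);
    if (got < size) {
        /* short read: release the unused tail */
        uint8_t *shrunk = realloc(buf, got ? got : 1);
        if (shrunk != NULL) buf = shrunk;
    }
    out.data = buf;
    out.len = got;
    return out;
}

/* Constructed 100-byte sample "file": byte i holds the value i. */
#define SAMPLE_LEN 100
static void fill_sample(uint8_t *sample) {
    for (size_t i = 0; i < SAMPLE_LEN; i++) sample[i] = (uint8_t)i;
}

/* Request 12676 bytes (the size in the issue's backtrace) from the 100-byte
 * sample: returns the number of bytes actually delivered (100). */
size_t demo_short_read(void) {
    uint8_t sample[SAMPLE_LEN];
    fill_sample(sample);
    mem_stream s = { sample, SAMPLE_LEN, 0 };
    byte_buf b = extract_bytes(&s, 12676);
    size_t n = b.len;
    free(b.data);
    return n;
}

/* Request 16 bytes: returns 1 when exactly the first 16 sample bytes come
 * back and the stream position advanced by 16, 0 otherwise. */
int demo_exact_read(void) {
    uint8_t sample[SAMPLE_LEN];
    fill_sample(sample);
    mem_stream s = { sample, SAMPLE_LEN, 0 };
    byte_buf b = extract_bytes(&s, 16);
    int ok = b.data != NULL && b.len == 16 && memcmp(b.data, sample, 16) == 0
             && s.pos == 16;
    free(b.data);
    return ok;
}

/* A size field far beyond the cap (as a corrupt file could carry) is refused
 * before any allocation: returns 1 when refused and the stream is untouched. */
int demo_oversized_request_refused(void) {
    uint8_t sample[SAMPLE_LEN];
    fill_sample(sample);
    mem_stream s = { sample, SAMPLE_LEN, 0 };
    byte_buf b = extract_bytes(&s, MAX_EXTRACT_SIZE + 1);
    return b.data == NULL && b.len == 0 && s.pos == 0;
}

int main(void) {
    printf("short read delivered %zu bytes\n", demo_short_read());
    printf("exact read ok: %d\n", demo_exact_read());
    printf("oversized request refused: %d\n", demo_oversized_request_refused());
    return 0;
}
```

The short-read case is why the resize step exists: a file can declare more bytes than the stream holds, and the returned object must report the bytes actually read rather than the requested count.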

@rdb rdb added the bug label Oct 7, 2019
@Moguri (Collaborator) commented Oct 8, 2019

@rdb do you know if this is happening when trying to load the BAM file? If so, could this also be related to #745? I wouldn't be surprised if most of the file size is texture data.

@rdb (Member) commented Oct 8, 2019

@Moguri I think this bug does not affect texture reads in .bam files, only reads from Python.

rdb added a commit that referenced this issue Oct 8, 2019
@el-dee (Contributor, Author) commented Oct 8, 2019

Tested with several problematic .glb files, no more crashes!

@el-dee el-dee closed this Oct 8, 2019