Invalid delete on WPG Image

Post any defects you find in the released or beta versions of the ImageMagick software here. Include the ImageMagick version, OS, and any command-line required to reproduce the problem. Got a patch for a bug? Post it here.
Post Reply
woodyuk11
Posts: 5
Joined: 2017-11-22T03:53:00-07:00
Authentication code: 1152

Invalid delete on WPG Image

Post by woodyuk11 » 2017-11-22T03:59:15-07:00

I am using ImageMagick-6.9.9.20. I have a WPG, I load it into a blob via the update(), I then call Image.read() on said blob. In this read call we use the blob to create an image (BlobToImage()) which copies the pointer of the blob's data to a ImageInfo structure. During the read we perform a realloc which assigns the data to a new location and so the old pointer is no longer used and is replaced within the image's own blob. But the pointer still exists in the original Blob we called read() using. So when the blob gets destroyed, it's pointer is non null so delete is called on it, even though the data no longer exists at that location.

Has anyone else experienced this or has any ideas of how I can work around this?

Thanks in advance.

snibgo
Posts: 10007
Joined: 2010-01-23T23:01:33-07:00
Authentication code: 1151
Location: England, UK

Re: Invalid delete on WPG Image

Post by snibgo » 2017-11-22T06:13:37-07:00

If you realloc a pointer, I don't see how it's old value still exists. Perhaps you can show the code. Better still, a complete but minimal program that demonstrates the problem. (The process of making a complete but minimal program often points out where the error lies.)
snibgo's IM pages: im.snibgo.com

woodyuk11
Posts: 5
Joined: 2017-11-22T03:53:00-07:00
Authentication code: 1152

Re: Invalid delete on WPG Image

Post by woodyuk11 » 2017-11-22T06:54:04-07:00

I worry this isn't clear. If I call Image.read() passing in a blob which is set up with some data, we assign the pointer to the data to an internal blob. During the processing of this image we call ResizeMagickMemory() on the data pointer. This reallocs the memory and assigns the pointer to the new data to the internal blob (NOT the external one we have passed in to read()). So when we destroy the external blob the pointer is invalid.

So basically realloc is called on the pointer which is within the internal blob, NOT the external and gets reassigned to the internal blob.

Here is how I am calling it:

Code: Select all

{
	// Create a blob to store the image
	Magick::Blob blob;

	// Prime the blob with the image data
	blob.update( data_buffer, data_size );

	Magick::Image magImage;
	magImage.read( blob );
}
When the blob goes out of scope and gets destroyed the delete within the Blobref destructor on the data is invalid. I'm happy to share the WPG if it helps

woodyuk11
Posts: 5
Joined: 2017-11-22T03:53:00-07:00
Authentication code: 1152

Re: Invalid delete on WPG Image

Post by woodyuk11 » 2017-11-23T02:33:08-07:00

The data pointer in the blob in the code above gets copied into a new blob within the image. This data pointer within the image blob has realloc called on it ( from SeekBlob() -> ResizeQuantumMemory() -> ResizeMagickMemory() ) and the image blob's data pointer gets reassigned to the new reallocated memory. But the data pointer within the blob in the above code does not get updated so when destroyed delete is called on the data pointer on memory which no longer exists (invalid delete).

woodyuk11
Posts: 5
Joined: 2017-11-22T03:53:00-07:00
Authentication code: 1152

Re: Invalid delete on WPG Image

Post by woodyuk11 » 2017-11-23T02:38:12-07:00


woodyuk11
Posts: 5
Joined: 2017-11-22T03:53:00-07:00
Authentication code: 1152

Re: Invalid delete on WPG Image

Post by woodyuk11 » 2017-11-27T04:13:12-07:00

Here is another test file of a different format replicating the issue. Am I using the Magick++ API incorrectly? I've also tested this using 7.0.7-11 and had the same results

https://drive.google.com/file/d/1yKzgpO ... sp=sharing

Post Reply