msan: use of uninitialized value in ReadBMPImage

realtim
Posts: 4
Joined: 2017-01-19T11:20:51-07:00

msan: use of uninitialized value in ReadBMPImage

Post by realtim »

I want to get image header data, like geometry. To achieve this I load the image in "ping" mode.
Here's the code:

```c
#include <stdio.h>
#include <magick/MagickCore.h>   /* ImageMagick 6 header; ImageMagick 7 uses MagickCore/MagickCore.h */

void print_image_geometry(const char *data, size_t len) {
    ImageInfo *image_info = AcquireImageInfo();
    ExceptionInfo *exception_info = AcquireExceptionInfo();
    Image *image = NULL;

    // This alternative doesn't work either
    //image_info->ping = MagickTrue;
    //image = BlobToImage(image_info, data, len, exception_info);

    image = PingBlob(image_info, data, len, exception_info);
    if (image != NULL) {
        // columns/rows are size_t, so %zu is the matching conversion
        printf("%zu x %zu\n", (size_t) image->columns, (size_t) image->rows);
        image = DestroyImage(image);
    } else {
        CatchException(exception_info);   // report why the blob could not be pinged
    }
    exception_info = DestroyExceptionInfo(exception_info);
    image_info = DestroyImageInfo(image_info);
}
```
It works. But when I compile the program with clang++ -fsanitize=memory and feed in a BMP image (you may try http://www.multiresolutions.com/sparses ... nstein.bmp for example) I get the following errors:
```text
==687894==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x549df3 in PushColormapIndex /place/home/realtim/probes/ImageMagick/magick/image.c:3556:7
#1 0x52d7ed in SyncImage /place/home/realtim/probes/ImageMagick/magick/image.c:3618:13
#2 0xda54ff in ReadBMPImage /place/home/realtim/probes/ImageMagick/coders/bmp.c:1180:16
#3 0x647b70 in ReadImage /place/home/realtim/probes/ImageMagick/magick/constitute.c:492:13
#4 0x879005 in ReadStream /place/home/realtim/probes/ImageMagick/magick/stream.c:974:9
#5 0x77a2bd in PingBlob /place/home/realtim/probes/ImageMagick/magick/blob.c:2790:9
#6 0x510c2f in print_image_geometry(char const*, unsigned long) /place/home/realtim/probes/main.cpp:14:13
#7 0x5116ff in main /place/home/realtim/probes/main.cpp:22:5
#8 0x7f568048a7ec in __libc_start_main /build/eglibc-oqps9y/eglibc-2.15/csu/libc-start.c:226

SUMMARY: MemorySanitizer: use-of-uninitialized-value /place/home/realtim/probes/ImageMagick/magick/image.c:3556:7 in PushColormapIndex
ORIGIN: invalid (0). Might be a bug in MemorySanitizer origin tracking.
This could still be a bug in your code, too!
Exiting
```
I tried to investigate the problem myself and so far have realized that:
* https://github.com/ImageMagick/ImageMag ... ge.c#L3705 q here is allocated but not initialized, so msan is right about that.
* Looks like the problem is that ping mode assumes both nexus_info->authentic_pixel_cache == MagickTrue and that nexus_info->cache does not need to be populated. Anyway, it is accessed in SyncImage.
* https://github.com/ImageMagick/ImageMag ... bmp.c#L922 This place seems very good to finish the work when dealing with headers only, but image_info->number_scenes is zero and so the execution proceeds further.

The question is valid for both 6.9.6 and 7.0.4-4.
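The flow realtim describes (pixel cache allocated, never filled in ping mode, then read by a SyncImage-like pass), modelled in standalone C as an added example that is not ImageMagick's code; `read_image`, `sync_image` and the `fixed` flag are invented names, and the index data is constructed:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the flow the thread describes (not ImageMagick code): the
   reader allocates a colormap-index buffer, fills it only when it really decodes
   pixels, then runs a SyncImage-like pass that reads every index. */
typedef struct {
    size_t columns, rows;
    uint8_t *indexes;  /* one colormap index per pixel */
    size_t synced;     /* indexes read by the sync pass, 0 if it was skipped */
} image_t;

#define COLORMAP_SIZE 4

/* Like PushColormapIndex: read each index, replace out-of-range ones by 0. */
void sync_image(image_t *img) {
    size_t n = img->columns * img->rows;
    for (size_t i = 0; i < n; i++)
        if (img->indexes[i] >= COLORMAP_SIZE) img->indexes[i] = 0;
    img->synced = n;
}

/* Header stage: the cache is malloc'd, so it holds garbage until pixel data is
   copied in, and in ping mode that copy never happens. */
image_t *read_header(size_t columns, size_t rows) {
    image_t *img = calloc(1, sizeof *img);
    if (img == NULL) return NULL;
    img->columns = columns;
    img->rows = rows;
    img->indexes = malloc(columns * rows);
    if (img->indexes == NULL) { free(img); return NULL; }
    return img;
}

/* ping: header only, like PingBlob. fixed: skip the sync pass in ping mode, the change
   the maintainer agreed to consider. With ping=1, fixed=0 sync_image reads the never-written
   buffer, which clang -fsanitize=memory reports as use-of-uninitialized-value. */
image_t *read_image(const uint8_t *pixels, size_t columns, size_t rows, int ping, int fixed) {
    image_t *img = read_header(columns, rows);
    if (img == NULL) return NULL;
    if (!ping) memcpy(img->indexes, pixels, columns * rows);
    if (!ping || !fixed) sync_image(img);
    return img;
}

void destroy_image(image_t *img) { if (img) { free(img->indexes); free(img); } }
```

Build the block with `clang -fsanitize=memory -g` and call `read_image(..., 1, 0)` to see the same class of report as the one quoted above, with the read attributed to `sync_image`.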
magick
Site Admin
Posts: 11064
Joined: 2003-05-31T11:32:55-07:00

Re: msan: use of uninitialized value in ReadBMPImage

Post by magick »

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.
realtim
Posts: 4
Joined: 2017-01-19T11:20:51-07:00

Re: msan: use of uninitialized value in ReadBMPImage

Post by realtim »

I saw your patch and it works. Thank you!
One more question -- is it right to call SyncImage in ping mode?
magick
Site Admin
Posts: 11064
Joined: 2003-05-31T11:32:55-07:00

Re: msan: use of uninitialized value in ReadBMPImage

Post by magick »

Probably not. We'll consider skipping SyncImage() in ping mode.