Post any defects you find in the released or beta versions of the ImageMagick software here.    Include the ImageMagick version, OS, and any command-line required to reproduce the problem.  Got a patch for a bug?  Post it here.

Post by mkoppanen 2013-10-31T10:57:17-07:00

Hello,
The following code crashes with double-free / corruption. My GDB refuses to produce a proper backtrace:
Code:
#include <wand/MagickWand.h>
#include <assert.h>
#include <stdio.h>

int main (void)
{
    MagickBooleanType ret;
    MagickWand *wand;
    unsigned char *rc;
    size_t siz;

    MagickWandGenesis ();
    wand = NewMagickWand ();
    assert (wand);
    /* Built-in test image, so no input file is needed to reproduce. */
    ret = MagickReadImage (wand, "magick:rose");
    assert (ret == MagickTrue);
    ret = MagickSetImageFormat (wand, "jpg");
    assert (ret == MagickTrue);
    /* Ask the JPEG encoder to keep the output under 30kb. */
    ret = MagickSetOption (wand, "jpeg:extent", "30kb");
    assert (ret == MagickTrue);
    /* Crash happens here: encoding to an in-memory blob with jpeg:extent set. */
    rc = MagickGetImageBlob (wand, &siz);
    assert (rc);
    printf ("blob size: %zu bytes\n", siz);

    MagickRelinquishMemory (rc);
    DestroyMagickWand (wand);
    MagickWandTerminus ();
    return 0;
}

Post by mkoppanen 2013-10-31T11:17:29-07:00

lldb seems to work, it's the jpeg_finish_compress line:
Code:
(lldb) bt
* thread #1: tid = 0x2e1be, 0x00007fff906c9866 libsystem_kernel.dylib`__pthread_kill + 10, queue = 'com.apple.main-thread, stop reason = signal SIGABRT
    frame #0: 0x00007fff906c9866 libsystem_kernel.dylib`__pthread_kill + 10
    frame #1: 0x00007fff9559635c libsystem_pthread.dylib`pthread_kill + 92
    frame #2: 0x00007fff939c0bba libsystem_c.dylib`abort + 125
    frame #3: 0x00007fff973cd093 libsystem_malloc.dylib`free + 411
    frame #4: 0x000000010077dfd7 libjpeg.8.dylib`free_pool + 282
    frame #5: 0x000000010075c640 libjpeg.8.dylib`jpeg_abort + 29
    frame #6: 0x0000000100496d4f libMagickCore-6.Q16.1.dylib`WriteJPEGImage(image_info=0x000000010102de00, image=0x0000000101032000) + 11167 at jpeg.c:2776
    frame #7: 0x0000000100494e1f libMagickCore-6.Q16.1.dylib`WriteJPEGImage(image_info=0x0000000101017400, image=0x0000000101026a00) + 3183 at jpeg.c:2252
    frame #8: 0x0000000100201220 libMagickCore-6.Q16.1.dylib`WriteImage(image_info=0x0000000101013200, image=0x0000000101026a00) + 2384 at constitute.c:1164
    frame #9: 0x00000001001b8657 libMagickCore-6.Q16.1.dylib`ImageToBlob(image_info=0x000000010100f000, image=0x0000000101026a00, length=0x00007fff5fbffb98, exception=0x0000000100b0f950) + 1063 at blob.c:1548
    frame #10: 0x00000001000b71ea libMagickWand-6.Q16.1.dylib`MagickGetImageBlob(wand=0x000000010100d800, length=0x00007fff5fbffb98) + 410 at magick-image.c:4113
    frame #11: 0x0000000100000e91 wand`main + 385 at crash.c:21
    frame #12: 0x00007fff938775fd libdyld.dylib`start + 1
    frame #13: 0x00007fff938775fd libdyld.dylib`start + 1

Post by dlemstra 2013-11-01T00:16:40-07:00

			Which version of ImageMagick are you using?

Post by mkoppanen 2013-11-03T03:27:16-07:00

ImageMagick 6, trunk version. This seems to be reproducible with other versions as well (tested with 6.8.7 Q16).

Post by magick (Site Admin) 2013-11-03T07:15:15-07:00

We can reproduce the problem you posted and have a patch in ImageMagick 6.8.7-5 Beta available by sometime tomorrow. In the meantime, do not set jpeg:extent.

Post by broucaries 2013-11-30T07:35:04-07:00

Seems security related, maybe? How easy is it to trigger from the command line?

Post by magick (Site Admin) 2013-11-30T09:13:05-07:00

The bug only occurs when creating a blob with a call to ImageToBlob() when jpeg:extent is defined and the output format is JPEG. These conditions are never met from the command line.