On Sun, Mar 25, 2007 at 06:20:43PM +0200, Daniel Kobras wrote: > Oops. Next try.
Ok.
segv2.viff still gives heap corruption with that patch applied
(segv.viff is fixed). It might be related to the realloc() to 0 bytes
in AllocateImageColormap when colors=0, but there must already be heap
corruption somewhere before that realloc() — otherwise a realloc() to
0 bytes is just equivalent to a free() and would not abort.
------------------------------------------------------------
$ gdb --args gm identify samples/segv2.viff
GNU gdb 6.6-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) r
Starting program: /usr/bin/gm identify samples/segv2.viff
[Thread debugging using libthread_db enabled]
[New Thread 47538893661280 (LWP 1804)]
*** glibc detected *** double free or corruption (fasttop): 0x0000000000533970
***
Program received signal SIGABRT, Aborted.
[Switching to Thread 47538893661280 (LWP 1804)]
0x00002b3c8166607b in raise () from /lib/libc.so.6
(gdb) bt
#0 0x00002b3c8166607b in raise () from /lib/libc.so.6
#1 0x00002b3c8166784e in abort () from /lib/libc.so.6
#2 0x00002b3c8169c629 in __libc_message () from /lib/libc.so.6
#3 0x00002b3c816a3193 in _int_free () from /lib/libc.so.6
#4 0x00002b3c816a321e in free () from /lib/libc.so.6
#5 0x00002b3c8103b722 in AllocateImageColormap (image=0x531a70, colors=0) at
image.c:395
#6 0x00002b3c8105f7de in AssignImageColors (cube_info=0x565990,
image=0x531a70) at quantize.c:383
#7 0x00002b3c81062ec8 in QuantizeImage (quantize_info=0x7fff29c86bd0,
image=0x531a70) at quantize.c:2156
#8 0x00002b3c8104ca52 in SetImageType (image=0x531a70, image_type=BilevelType)
at image.c:6492
#9 0x00002b3c8119dd20 in ReadVIFFImage (image_info=0x5163d0,
exception=0x7fff29c89590) at viff.c:601
#10 0x00002b3c80ff17e1 in ReadImage (image_info=0x5131b0,
exception=0x7fff29c89590) at constitute.c:2748
#11 0x00002b3c8108b602 in ReadStream (image_info=0x511060,
stream=0x2b3c80fec38e <PingStream>, exception=0x7fff29c89590) at stream.c:488
#12 0x00002b3c80fec472 in PingImage (image_info=0x50aed0,
exception=0x7fff29c89590) at constitute.c:1060
#13 0x00002b3c80fc9053 in IdentifyImageCommand (image_info=0x50aed0, argc=2,
argv=0x50d020, metadata=0x7fff29c895d8, exception=0x7fff29c89590)
at command.c:6791
#14 0x00002b3c80fcae79 in MagickCommand (image_info=0x50aed0, argc=2,
argv=0x7fff29c89ee0, metadata=0x7fff29c895d8, exception=0x7fff29c89590)
at command.c:7210
#15 0x0000000000400f71 in main (argc=2, argv=0x7fff29c89ee0) at gm.c:150
(gdb) bt full
#0 0x00002b3c8166607b in raise () from /lib/libc.so.6
No symbol table info available.
#1 0x00002b3c8166784e in abort () from /lib/libc.so.6
No symbol table info available.
#2 0x00002b3c8169c629 in __libc_message () from /lib/libc.so.6
No symbol table info available.
#3 0x00002b3c816a3193 in _int_free () from /lib/libc.so.6
No symbol table info available.
#4 0x00002b3c816a321e in free () from /lib/libc.so.6
No symbol table info available.
#5 0x00002b3c8103b722 in AllocateImageColormap (image=0x531a70, colors=0) at
image.c:395
_magick_mp = (void *) 0x0
i = 0
length = 0
quantum = 0 '\0'
__PRETTY_FUNCTION__ = "AllocateImageColormap"
#6 0x00002b3c8105f7de in AssignImageColors (cube_info=0x565990,
image=0x531a70) at quantize.c:383
index = 0 '\0'
count = 8
y = 5452912
indexes = (IndexPacket *) 0x3fd7a8cffee8c654 <Address
0x3fd7a8cffee8c654 out of bounds>
i = 47538860422536
x = 47538864118919
node_info = (const NodeInfo *) 0x2b3c81061a0d
q = (PixelPacket *) 0xb29c86ba0
dither = 0
id = 5659024
is_grayscale = 0
is_monochrome = 4294967295
__func__ = "AssignImageColors"
#7 0x00002b3c81062ec8 in QuantizeImage (quantize_info=0x7fff29c86bd0,
image=0x531a70) at quantize.c:2156
cube_info = (CubeInfo *) 0x565990
status = 1
depth = 8
number_colors = 2
__PRETTY_FUNCTION__ = "QuantizeImage"
__func__ = "QuantizeImage"
#8 0x00002b3c8104ca52 in SetImageType (image=0x531a70, image_type=BilevelType)
at image.c:6492
quantize_info = {number_colors = 2, tree_depth = 8, dither = 1,
colorspace = GRAYColorspace, measure_error = 0, signature = 2880220587}
status = 1
__PRETTY_FUNCTION__ = "SetImageType"
#9 0x00002b3c8119dd20 in ReadVIFFImage (image_info=0x5163d0,
exception=0x7fff29c89590) at viff.c:601
polarity = 0
min_value = 0
scale_factor = 1.0897435897435896
value = 158.0128205128205
image = (Image *) 0x531a70
bit = 0
y = 140733894390000
indexes = (IndexPacket *) 0x0
x = 0
q = (PixelPacket *) 0x0
i = 3952
p = (unsigned char *) 0x564a10 ""
count = 1
buffer = "\001\000\002\002\000\000"
viff_pixels = (unsigned char *) 0x564a10 ""
status = 1
bytes_per_pixel = 1
lsb_first = 1
max_packets = 3952
number_pixels = 30856
viff_info = {identifier = 171 '«', file_type = 1 '\001', release = 0
'\0', version = 2 '\002', machine_dependency = 2 '\002', reserve = "\000\000",
comment = '\0' <repeats 27 times>, "\001", '\0' <repeats 15 times>, "@", '\0'
<repeats 32 times>, "\002\000\000\000 ", '\0' <repeats 24 times>, " ", '\0'
<repeats 27 times>, "\b", '\0' <repeats 102 times>, "\020", '\0' <repeats 150
times>, "\b", '\0' <repeats 19 times>, "@", '\0' <repeats 31 times>, "\b", '\0'
<repeats 55 times>, "@", '\0' <repeats 15 times>, rows = 203, columns = 152,
subrows = 0, x_offset = -1, y_offset = -1, x_bits_per_pixel = 1.06535322e+09,
y_bits_per_pixel = 1.06535322e+09, location_type = 1, location_dimension = 0,
number_of_images = 1, number_data_bands = 3, data_storage_type = 0,
data_encode_scheme = 0, map_scheme = 0, map_storage_type = 0, map_rows = 0,
map_columns = 0, map_subrows = 0, map_enable = 1, maps_per_cycle = 0,
color_space_model = 15}
__PRETTY_FUNCTION__ = "ReadVIFFImage"
__func__ = "ReadVIFFImage"
#10 0x00002b3c80ff17e1 in ReadImage (image_info=0x5131b0,
exception=0x7fff29c89590) at constitute.c:2748
filename = "samples/segv2.viff", '\0' <repeats 2034 times>, "<"
magick = "VIFF", '\0' <repeats 2048 times>
delegate_info = (const DelegateInfo *) 0x0
magick_info = (const MagickInfo *) 0x530c30
image = (Image *) 0x0
next = (Image *) 0x2b3c80e2a3a2
clone_info = (ImageInfo *) 0x5163d0
__PRETTY_FUNCTION__ = "ReadImage"
__func__ = "ReadImage"
#11 0x00002b3c8108b602 in ReadStream (image_info=0x511060,
stream=0x2b3c80fec38e <PingStream>, exception=0x7fff29c89590) at stream.c:488
image = (Image *) 0x1fd
clone_info = (ImageInfo *) 0x5131b0
__PRETTY_FUNCTION__ = "ReadStream"
#12 0x00002b3c80fec472 in PingImage (image_info=0x50aed0,
exception=0x7fff29c89590) at constitute.c:1060
image = (Image *) 0x1fd
clone_info = (ImageInfo *) 0x511060
__PRETTY_FUNCTION__ = "PingImage"
#13 0x00002b3c80fc9053 in IdentifyImageCommand (image_info=0x50aed0, argc=2,
argv=0x50d020, metadata=0x7fff29c895d8, exception=0x7fff29c89590)
at command.c:6791
format = 0x0
option = 0x5068e0 "samples/segv2.viff"
q = 0x0
image = (Image *) 0x0
count = 0
number_images = 0
x = 0
p = (Image *) 0x0
i = 1
ping = 1
status = 1
__func__ = "IdentifyImageCommand"
#14 0x00002b3c80fcae79 in MagickCommand (image_info=0x50aed0, argc=2,
argv=0x7fff29c89ee0, metadata=0x7fff29c895d8, exception=0x7fff29c89590)
at command.c:7210
client_name = "/usr/bin/gm identify", '\0' <repeats 1268 times>,
"2lâ\200<+\000\000\000\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\000\224È)ÿ\177\000\000\020ºó\200<+\000\000å'M\005\000\000\000\000\003oô\200<+\000\000\000\000\000\000\000\000\000\000\027\000\000\000\000\000\000\000\220$ô\200<+\000\000\220\177ô\200<+",
'\0' <repeats 18 times>,
"P\224È)ÿ\177\000\000\200\034Ÿ\202<+\000\000`\224È)ÿ\177\000\000\bòó\200<+\000\000ÿt\005\003\000\000\000\000Ðxã\200<[EMAIL
PROTECTED])ÿ\177\000\0002lâ\200<+\000\000å'M\005\000\000\000\000\001\000"...
command_name = "gm\000r/bin/gm", '\0' <repeats 2041 times>
option = 0x7fff29c8a4f1 "identify"
status = 0
i = 6
__func__ = "MagickCommand"
#15 0x0000000000400f71 in main (argc=2, argv=0x7fff29c89ee0) at gm.c:150
command = "gm\000r/bin/gm", '\0' <repeats 2041 times>
text = 0x0
exception = {severity = UndefinedException, reason = 0x0, description =
0x0, error_number = 0, module = 0x0, function = 0x0, line = 0,
signature = 2880220587}
image_info = (ImageInfo *) 0x50aed0
status = 1
command_names = {0x401199 "animate", 0x4011a1 "composite", 0x4011ab
"conjure", 0x4011b3 "convert", 0x4011bb "display", 0x4011c3 "identify",
0x4011cc "import", 0x4011d3 "mogrify", 0x4011db "montage", 0x0}
------------------------------------------------------------
Under valgrind I only get uses of uninitialized values in three
different lines, but no crash:
------------------------------------------------------------
$ valgrind gm identify samples/segv2.viff
==32490== Memcheck, a memory error detector.
==32490== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==32490== Using LibVEX rev 1732, a library for dynamic binary translation.
==32490== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==32490== Using valgrind-3.2.3-Debian, a dynamic binary instrumentation
framework.
==32490== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==32490== For more details, rerun with: -v
==32490==
==32490== Use of uninitialised value of size 8
==32490== at 0x4C32A3B: XYZTransformPacket (image.c:4946)
==32490== by 0x4C327F0: RGBTransformImage (image.c:5546)
==32490== by 0x4C355E8: TransformColorspace (image.c:6950)
==32490== by 0x4C4AD52: QuantizeImage (quantize.c:2113)
==32490== by 0x4C34A51: SetImageType (image.c:6492)
==32490== by 0x4D85D1F: ReadVIFFImage (viff.c:601)
==32490== by 0x4BD97E0: ReadImage (constitute.c:2748)
==32490== by 0x4C73601: ReadStream (stream.c:488)
==32490== by 0x4BD4471: PingImage (constitute.c:1060)
==32490== by 0x4BB1052: IdentifyImageCommand (command.c:6791)
==32490== by 0x4BB2E78: MagickCommand (command.c:7210)
==32490== by 0x400F70: main (gm.c:150)
==32490==
==32490== Use of uninitialised value of size 8
==32490== at 0x4C32A41: XYZTransformPacket (image.c:4946)
==32490== by 0x4C327F0: RGBTransformImage (image.c:5546)
==32490== by 0x4C355E8: TransformColorspace (image.c:6950)
==32490== by 0x4C4AD52: QuantizeImage (quantize.c:2113)
==32490== by 0x4C34A51: SetImageType (image.c:6492)
==32490== by 0x4D85D1F: ReadVIFFImage (viff.c:601)
==32490== by 0x4BD97E0: ReadImage (constitute.c:2748)
==32490== by 0x4C73601: ReadStream (stream.c:488)
==32490== by 0x4BD4471: PingImage (constitute.c:1060)
==32490== by 0x4BB1052: IdentifyImageCommand (command.c:6791)
==32490== by 0x4BB2E78: MagickCommand (command.c:7210)
==32490== by 0x400F70: main (gm.c:150)
==32490==
==32490== Use of uninitialised value of size 8
==32490== at 0x4C32A49: XYZTransformPacket (image.c:4946)
==32490== by 0x4C327F0: RGBTransformImage (image.c:5546)
==32490== by 0x4C355E8: TransformColorspace (image.c:6950)
==32490== by 0x4C4AD52: QuantizeImage (quantize.c:2113)
==32490== by 0x4C34A51: SetImageType (image.c:6492)
==32490== by 0x4D85D1F: ReadVIFFImage (viff.c:601)
==32490== by 0x4BD97E0: ReadImage (constitute.c:2748)
==32490== by 0x4C73601: ReadStream (stream.c:488)
==32490== by 0x4BD4471: PingImage (constitute.c:1060)
==32490== by 0x4BB1052: IdentifyImageCommand (command.c:6791)
==32490== by 0x4BB2E78: MagickCommand (command.c:7210)
==32490== by 0x400F70: main (gm.c:150)
==32490==
==32490== Use of uninitialised value of size 8
==32490== at 0x4C32A85: XYZTransformPacket (image.c:4951)
==32490== by 0x4C327F0: RGBTransformImage (image.c:5546)
==32490== by 0x4C355E8: TransformColorspace (image.c:6950)
==32490== by 0x4C4AD52: QuantizeImage (quantize.c:2113)
==32490== by 0x4C34A51: SetImageType (image.c:6492)
==32490== by 0x4D85D1F: ReadVIFFImage (viff.c:601)
==32490== by 0x4BD97E0: ReadImage (constitute.c:2748)
==32490== by 0x4C73601: ReadStream (stream.c:488)
==32490== by 0x4BD4471: PingImage (constitute.c:1060)
==32490== by 0x4BB1052: IdentifyImageCommand (command.c:6791)
==32490== by 0x4BB2E78: MagickCommand (command.c:7210)
==32490== by 0x400F70: main (gm.c:150)
==32490==
==32490== Use of uninitialised value of size 8
==32490== at 0x4C32A8C: XYZTransformPacket (image.c:4951)
==32490== by 0x4C327F0: RGBTransformImage (image.c:5546)
==32490== by 0x4C355E8: TransformColorspace (image.c:6950)
==32490== by 0x4C4AD52: QuantizeImage (quantize.c:2113)
==32490== by 0x4C34A51: SetImageType (image.c:6492)
==32490== by 0x4D85D1F: ReadVIFFImage (viff.c:601)
==32490== by 0x4BD97E0: ReadImage (constitute.c:2748)
==32490== by 0x4C73601: ReadStream (stream.c:488)
==32490== by 0x4BD4471: PingImage (constitute.c:1060)
==32490== by 0x4BB1052: IdentifyImageCommand (command.c:6791)
==32490== by 0x4BB2E78: MagickCommand (command.c:7210)
==32490== by 0x400F70: main (gm.c:150)
==32490==
==32490== Use of uninitialised value of size 8
==32490== at 0x4C32A95: XYZTransformPacket (image.c:4951)
==32490== by 0x4C327F0: RGBTransformImage (image.c:5546)
==32490== by 0x4C355E8: TransformColorspace (image.c:6950)
==32490== by 0x4C4AD52: QuantizeImage (quantize.c:2113)
==32490== by 0x4C34A51: SetImageType (image.c:6492)
==32490== by 0x4D85D1F: ReadVIFFImage (viff.c:601)
==32490== by 0x4BD97E0: ReadImage (constitute.c:2748)
==32490== by 0x4C73601: ReadStream (stream.c:488)
==32490== by 0x4BD4471: PingImage (constitute.c:1060)
==32490== by 0x4BB1052: IdentifyImageCommand (command.c:6791)
==32490== by 0x4BB2E78: MagickCommand (command.c:7210)
==32490== by 0x400F70: main (gm.c:150)
==32490==
==32490== Use of uninitialised value of size 8
==32490== at 0x4C32AD3: XYZTransformPacket (image.c:4956)
==32490== by 0x4C327F0: RGBTransformImage (image.c:5546)
==32490== by 0x4C355E8: TransformColorspace (image.c:6950)
==32490== by 0x4C4AD52: QuantizeImage (quantize.c:2113)
==32490== by 0x4C34A51: SetImageType (image.c:6492)
==32490== by 0x4D85D1F: ReadVIFFImage (viff.c:601)
==32490== by 0x4BD97E0: ReadImage (constitute.c:2748)
==32490== by 0x4C73601: ReadStream (stream.c:488)
==32490== by 0x4BD4471: PingImage (constitute.c:1060)
==32490== by 0x4BB1052: IdentifyImageCommand (command.c:6791)
==32490== by 0x4BB2E78: MagickCommand (command.c:7210)
==32490== by 0x400F70: main (gm.c:150)
==32490==
==32490== Use of uninitialised value of size 8
==32490== at 0x4C32ADA: XYZTransformPacket (image.c:4956)
==32490== by 0x4C327F0: RGBTransformImage (image.c:5546)
==32490== by 0x4C355E8: TransformColorspace (image.c:6950)
==32490== by 0x4C4AD52: QuantizeImage (quantize.c:2113)
==32490== by 0x4C34A51: SetImageType (image.c:6492)
==32490== by 0x4D85D1F: ReadVIFFImage (viff.c:601)
==32490== by 0x4BD97E0: ReadImage (constitute.c:2748)
==32490== by 0x4C73601: ReadStream (stream.c:488)
==32490== by 0x4BD4471: PingImage (constitute.c:1060)
==32490== by 0x4BB1052: IdentifyImageCommand (command.c:6791)
==32490== by 0x4BB2E78: MagickCommand (command.c:7210)
==32490== by 0x400F70: main (gm.c:150)
==32490==
==32490== Use of uninitialised value of size 8
==32490== at 0x4C32AE3: XYZTransformPacket (image.c:4956)
==32490== by 0x4C327F0: RGBTransformImage (image.c:5546)
==32490== by 0x4C355E8: TransformColorspace (image.c:6950)
==32490== by 0x4C4AD52: QuantizeImage (quantize.c:2113)
==32490== by 0x4C34A51: SetImageType (image.c:6492)
==32490== by 0x4D85D1F: ReadVIFFImage (viff.c:601)
==32490== by 0x4BD97E0: ReadImage (constitute.c:2748)
==32490== by 0x4C73601: ReadStream (stream.c:488)
==32490== by 0x4BD4471: PingImage (constitute.c:1060)
==32490== by 0x4BB1052: IdentifyImageCommand (command.c:6791)
==32490== by 0x4BB2E78: MagickCommand (command.c:7210)
==32490== by 0x400F70: main (gm.c:150)
samples/segv2.viff VIFF 203x152+0+0 PseudoClass 2c 8-bit 91.4k 0.280u 0:01
==32490==
==32490== ERROR SUMMARY: 1827 errors from 9 contexts (suppressed: 8 from 1)
==32490== malloc/free: in use at exit: 0 bytes in 0 blocks.
==32490== malloc/free: 1,674 allocs, 1,674 frees, 435,294 bytes allocated.
==32490== For counts of detected errors, rerun with: -v
==32490== All heap blocks were freed -- no leaks are possible.
------------------------------------------------------------
The lines are:
4946 red=(x_p->x+y_p->x+z_p->x+primary_info->x);
4951 green=(x_p->y+y_p->y+z_p->y+primary_info->y);
4956 blue=(x_p->z+y_p->z+z_p->z+primary_info->z);
Also, with MALLOC_CHECK_ set to 0, 1 or 2, the abort does not happen (though the reported colormap size changes from 2c to 0c, so the underlying corruption is still there):
------------------------------------------------------------
$ env MALLOC_CHECK_=0 gm identify samples/segv2.viff
samples/segv2.viff VIFF 203x152+0+0 PseudoClass 2c 8-bit 91.4k 0.020u 0:01
$ env MALLOC_CHECK_=1 gm identify samples/segv2.viff
malloc: using debugging hooks
samples/segv2.viff VIFF 203x152+0+0 PseudoClass 0c 8-bit 91.4k 0.150u 0:01
$ env MALLOC_CHECK_=2 gm identify samples/segv2.viff
samples/segv2.viff VIFF 203x152+0+0 PseudoClass 0c 8-bit 91.4k 0.150u 0:01
$ gm identify samples/segv2.viff
*** glibc detected *** double free or corruption (fasttop): 0x0000000000533970
***
------------------------------------------------------------
Sami

