Package: libgraphicsmagick3
Version: 1.3.12-1
Severity: important

See bug #609535 for the background (and it would be a shame to lose
psiconv to this bug).

psiconv recently fell foul of needing to call InitializeMagick, so I
supplied a patch for that. It cures simple use cases, but on trying to
convert a multiple-image file, it gives the following crash:

lt-psiconv: magick/semaphore.c:526: LockSemaphoreInfo: Assertion `semaphore_info->signature == 0xabacadabUL' failed.

Program received signal SIGABRT, Aborted.
0x0012e416 in __kernel_vsyscall ()
(gdb) where
#0  0x0012e416 in __kernel_vsyscall ()
#1  0x00948941 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0x0094be42 in abort () at abort.c:92
#3  0x009418e8 in __assert_fail (assertion=0x3be6d0 "semaphore_info->signature == 0xabacadabUL",
    file=0x3be68c "magick/semaphore.c", line=526, function=0x3be771 "LockSemaphoreInfo") at assert.c:81
#4  0x0026ae02 in LockSemaphoreInfo () from /usr/lib/libGraphicsMagick.so.3
#5  0x001a3812 in ReferenceBlob () from /usr/lib/libGraphicsMagick.so.3
#6  0x00233bc3 in SyncNextImageInList () from /usr/lib/libGraphicsMagick.so.3
#7  0x0039efeb in ?? () from /usr/lib/libGraphicsMagick.so.3
#8  0x001eaf56 in WriteImage () from /usr/lib/libGraphicsMagick.so.3
#9  0x001a68b1 in ImageToBlob () from /usr/lib/libGraphicsMagick.so.3
#10 0x0804a893 in image_to_list (list=0x8059fd0, image=0x80bb120, dest=<value optimized out>) at gen_image.c:98
#11 0x0804aa54 in gen_image_list (config=<value optimized out>, list=<value optimized out>,
    sections=<value optimized out>, dest=0x804ea8a "TIFF") at gen_image.c:163
#12 0x0804aba0 in gen_clipart (config=0x8059d98, list=0x8059fd0, file=0x8059fc0, dest=0x804ea8a "TIFF",
    encoding_type=ENCODING_UTF8) at gen_image.c:193
#13 gen_image (config=0x8059d98, list=0x8059fd0, file=0x8059fc0, dest=0x804ea8a "TIFF",
    encoding_type=ENCODING_UTF8) at gen_image.c:222
#14 0x08049b96 in main (argc=2, argv=0xbffff0f4) at psiconv.c:298

Unfortunately there’s no libmagick3-dbg, so there’s no more
information about what’s going on inside the library. However, when I
run with valgrind:

==31530== Memcheck, a memory error detector
==31530== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==31530== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==31530== Command: /home/rrt/download/psiconv-0.9.8/.libs/lt-psiconv examples/Clipart
==31530==
==31530== Conditional jump or move depends on uninitialised value(s)
==31530==    at 0x403100C: psiconv_config_read (configuration.c:295)
==31530==    by 0x8049A01: main (psiconv.c:227)
==31530==
==31530== Invalid read of size 4
==31530==    at 0x4184D82: LockSemaphoreInfo (in /usr/lib/libGraphicsMagick.so.3.6.0)
==31530==    by 0x40BD811: ReferenceBlob (in /usr/lib/libGraphicsMagick.so.3.6.0)
==31530==    by 0x414DBC2: SyncNextImageInList (in /usr/lib/libGraphicsMagick.so.3.6.0)
==31530==    by 0x42B8FEA: ??? (in /usr/lib/libGraphicsMagick.so.3.6.0)
==31530==    by 0x4104F55: WriteImage (in /usr/lib/libGraphicsMagick.so.3.6.0)
==31530==    by 0x40C08B0: ImageToBlob (in /usr/lib/libGraphicsMagick.so.3.6.0)
==31530==    by 0x804A892: image_to_list (gen_image.c:98)
==31530==    by 0x804AA53: gen_image_list (gen_image.c:163)
==31530==    by 0x804AB9F: gen_image (gen_image.c:193)
==31530==    by 0x8049B95: main (psiconv.c:298)
==31530==  Address 0x54c4e88 is 24 bytes inside a block of size 28 free'd
==31530==    at 0x40257ED: free (vg_replace_malloc.c:366)
==31530==    by 0x4152E63: MagickFree (in /usr/lib/libGraphicsMagick.so.3.6.0)
==31530==    by 0x4184EC9: DestroySemaphoreInfo (in /usr/lib/libGraphicsMagick.so.3.6.0)
==31530==    by 0x40C1606: DestroyBlob (in /usr/lib/libGraphicsMagick.so.3.6.0)
==31530==    by 0x414DBAE: SyncNextImageInList (in /usr/lib/libGraphicsMagick.so.3.6.0)
==31530==    by 0x42B8FEA: ??? (in /usr/lib/libGraphicsMagick.so.3.6.0)
==31530==    by 0x4104F55: WriteImage (in /usr/lib/libGraphicsMagick.so.3.6.0)
==31530==    by 0x40C08B0: ImageToBlob (in /usr/lib/libGraphicsMagick.so.3.6.0)
==31530==    by 0x804A892: image_to_list (gen_image.c:98)
==31530==    by 0x804AA53: gen_image_list (gen_image.c:163)
==31530==    by 0x804AB9F: gen_image (gen_image.c:193)
==31530==    by 0x8049B95: main (psiconv.c:298)
==31530==
lt-psiconv: magick/semaphore.c:526: LockSemaphoreInfo: Assertion `semaphore_info->signature == 0xabacadabUL' failed.
==31530==
==31530== HEAP SUMMARY:
==31530==     in use at exit: 5,516,490 bytes in 2,930 blocks
==31530==   total heap usage: 8,125 allocs, 5,195 frees, 16,177,481 bytes allocated
==31530==
==31530== LEAK SUMMARY:
==31530==    definitely lost: 2,996 bytes in 72 blocks
==31530==    indirectly lost: 48 bytes in 3 blocks
==31530==      possibly lost: 55,234 bytes in 271 blocks
==31530==    still reachable: 5,458,212 bytes in 2,584 blocks
==31530==         suppressed: 0 bytes in 0 blocks
==31530== Rerun with --leak-check=full to see details of leaked memory
==31530==

What seems to be happening is that libgraphicsmagick is accessing
memory that it has already freed (note that the report of the block
freed is inside the same call into graphicsmagick as the eventual
crash). I checked that the innermost call frame of actual psiconv
code, gen_image.c:98, is only run once, so the free and the incorrect
access are definitely on the same call into graphicsmagick, hence it
looks like a graphicsmagick bug.

-- System Information:
Debian Release: squeeze/sid
  APT prefers maverick-updates
  APT policy: (500, 'maverick-updates'), (500, 'maverick-security'), (500, 'maverick-backports'), (500, 'maverick')
Architecture: i386 (i686)

Kernel: Linux 2.6.35-24-generic (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libgraphicsmagick3 depends on:
ii  libbz2-1.0    1.0.5-4ubuntu1             high-quality block-sorting file co
ii  libc6         2.12.1-0ubuntu10.1         Embedded GNU C Library: Shared lib
ii  libfreetype6  2.4.2-2ubuntu0.1           FreeType 2 font engine, shared lib
ii  libgomp1      4.5.1-7ubuntu2             GCC OpenMP (GOMP) support library
ii  libice6       2:1.0.6-1                  X11 Inter-Client Exchange library
ii  libjasper1    1.900.1-7                  The JasPer JPEG-2000 runtime libra
ii  libjpeg62     6b-16.1                    The Independent JPEG Group's JPEG
ii  liblcms1      1.18.dfsg-1ubuntu2.10.10.1 Color management library
ii  libltdl7      2.2.6b-2ubuntu1            A system independent dlopen wrappe
ii  libpng12-0    1.2.44-1                   PNG library - runtime
ii  libsm6        2:1.1.1-1                  X11 Session Management library
ii  libtiff4      3.9.4-2                    Tag Image File Format (TIFF) libra
ii  libwmf0.2-7   0.2.8.4-7ubuntu2           Windows metafile conversion librar
ii  libx11-6      2:1.3.3-3ubuntu1           X11 client-side library
ii  libxext6      2:1.1.2-1                  X11 miscellaneous extension librar
ii  libxml2       2.7.7.dfsg-4ubuntu0.1      GNOME XML library
ii  zlib1g        1:1.2.3.4.dfsg-3ubuntu1    compression library - runtime

Versions of packages libgraphicsmagick3 recommends:
ii  ghos 8.71.dfsg.2-0ubuntu7                The GPL Ghostscript PostScript/PDF
ii  gsfo 1:8.11+urwcyr1.0.7~pre44-4.2ubuntu1 Fonts for the Ghostscript interpre

Versions of packages libgraphicsmagick3 suggests:
pn  graphicsmagick-dbg            <none>     (no description available)

-- no debconf information
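
The argument in the report, that the free and the invalid read both happen under the same call into the library, can be checked mechanically from the Memcheck output. The following is an added example, not part of the original report or of psiconv or GraphicsMagick: a Python triage helper that finds the deepest caller shared by the access stack and the free stack. The names `parse_uaf` and `triage` are hypothetical, and `SAMPLE` is a trimmed excerpt of the output above with some frames omitted.

```python
import re

# Memcheck record lines; e-mail-wrapped continuation lines lack the ==PID== prefix.
FRAME = re.compile(r"==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+)")
ACCESS = re.compile(r"==\d+== Invalid (?:read|write) of size \d+")
FREED = re.compile(r"==\d+==\s+Address 0x[0-9A-Fa-f]+ is .* free'd")
BLANK = re.compile(r"==\d+==\s*$")

SAMPLE = """\
==31530== Invalid read of size 4
==31530==    at 0x4184D82: LockSemaphoreInfo (in
/usr/lib/libGraphicsMagick.so.3.6.0)
==31530==    by 0x40BD811: ReferenceBlob (in /usr/lib/libGraphicsMagick.so.3.6.0)
==31530==    by 0x414DBC2: SyncNextImageInList (in /usr/lib/libGraphicsMagick.so.3.6.0)
==31530==    by 0x4104F55: WriteImage (in /usr/lib/libGraphicsMagick.so.3.6.0)
==31530==    by 0x804A892: image_to_list (gen_image.c:98)
==31530==    by 0x8049B95: main (psiconv.c:298)
==31530==  Address 0x54c4e88 is 24 bytes inside a block of size 28 free'd
==31530==    at 0x40257ED: free (vg_replace_malloc.c:366)
==31530==    by 0x4152E63: MagickFree (in /usr/lib/libGraphicsMagick.so.3.6.0)
==31530==    by 0x4184EC9: DestroySemaphoreInfo (in /usr/lib/libGraphicsMagick.so.3.6.0)
==31530==    by 0x40C1606: DestroyBlob (in /usr/lib/libGraphicsMagick.so.3.6.0)
==31530==    by 0x414DBAE: SyncNextImageInList (in /usr/lib/libGraphicsMagick.so.3.6.0)
==31530==    by 0x4104F55: WriteImage (in /usr/lib/libGraphicsMagick.so.3.6.0)
==31530==    by 0x804A892: image_to_list (gen_image.c:98)
==31530==    by 0x8049B95: main (psiconv.c:298)
==31530==
"""

def parse_uaf(report):
    """Return (access_stack, free_stack), innermost frame first, for the first record."""
    stacks, state = {"access": [], "free": []}, None
    for line in report.splitlines():
        if ACCESS.match(line):
            if stacks["free"]:
                break                      # first complete record only
            stacks["access"], state = [], "access"
        elif FREED.match(line) and state == "access":
            state = "free"
        elif state and (m := FRAME.match(line)):
            stacks[state].append(m.group(1))
        elif BLANK.match(line):
            state = None                   # bare ==PID== line ends a record
    return stacks["access"], stacks["free"]

def triage(report):
    """Split both stacks at the deepest caller they share, comparing names outermost-first."""
    access, free = parse_uaf(report)
    n = 0
    while n < min(len(access), len(free)) and access[-1 - n] == free[-1 - n]:
        n += 1
    # Equal names do not prove one invocation; confirm the caller runs only once.
    return {"deepest_shared": access[-n] if n else None,
            "access_path": access[:len(access) - n], "free_path": free[:len(free) - n]}
```
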


