Segfault on identify -verbose -ping test.pdf

[Hubbitus]

It always reproducible.
Please refer for Fedora bugzilla for more details and backtraces - https://bugzilla.redhat.com/show_bug.cgi?id=638352#c10

[magick]

• 2010-09-28 6.5.8-10 Cristy <quetzlzacatenango@image...>
  * Don't permit access to pixels when pinging an image (reference
  viewtopic.php?f=3&t=17194).
  * Temporary files not always deleted (reference
  viewtopic.php?f=2&t=15960).

Code: Select all

diff -rc ImageMagick-6.5.8-10/magick/cache.c ImageMagick-6.5.8-11/magick/cache.c
*** ImageMagick-6.5.8-10/magick/cache.c 2009-12-11 16:38:29.000000000 -0500
--- ImageMagick-6.5.8-11/magick/cache.c 2010-10-03 11:40:08.721443934 -0400
***************
*** 1757,1762 ****
--- 1757,1764 ----
    MagickOffsetType
      offset;
  
+   if (cache_info->type == PingCache)
+     return(MagickTrue);
    offset=(MagickOffsetType) nexus_info->region.y*cache_info->columns+
      nexus_info->region.x;
    if (nexus_info->pixels != (cache_info->pixels+offset))
***************
*** 3949,3954 ****
--- 3951,3966 ----
    cache_info->columns=image->columns;
    cache_info->active_index_channel=((image->storage_class == PseudoClass) ||
      (image->colorspace == CMYKColorspace)) ? MagickTrue : MagickFalse;
+   if (image->ping != MagickFalse)
+     {
+       cache_info->storage_class=image->storage_class;
+       cache_info->colorspace=image->colorspace;
+       cache_info->type=PingCache;
+       cache_info->pixels=(PixelPacket *) NULL;
+       cache_info->indexes=(IndexPacket *) NULL;
+       cache_info->length=0;
+       return(MagickTrue);
+     }
    number_pixels=(MagickSizeType) cache_info->columns*cache_info->rows;
    packet_size=sizeof(PixelPacket);
    if (cache_info->active_index_channel != MagickFalse)
***************
*** 4897,4904 ****
    nexus_info->region.height=region->height == 0UL ? 1UL : region->height;
    nexus_info->region.x=region->x;
    nexus_info->region.y=region->y;
!   if ((cache_info->type != DiskCache) && (image->clip_mask == (Image *) NULL) &&
!       (image->mask == (Image *) NULL))
      {
        offset=(MagickOffsetType) nexus_info->region.y*cache_info->columns+
          nexus_info->region.x;
--- 4909,4916 ----
    nexus_info->region.height=region->height == 0UL ? 1UL : region->height;
    nexus_info->region.x=region->x;
    nexus_info->region.y=region->y;
!   if ((cache_info->type != DiskCache) && (cache_info->type != PingCache) &&
!       (image->clip_mask == (Image *) NULL) && (image->mask == (Image *) NULL))
      {
        offset=(MagickOffsetType) nexus_info->region.y*cache_info->columns+
          nexus_info->region.x;
diff -rc ImageMagick-6.5.8-10/magick/cache-private.h ImageMagick-6.5.8-11/magick/cache-private.h
*** ImageMagick-6.5.8-10/magick/cache-private.h 2009-12-11 16:38:29.000000000 -0500
--- ImageMagick-6.5.8-11/magick/cache-private.h 2010-10-03 11:40:19.996412838 -0400
***************
*** 32,38 ****
    UndefinedCache,
    MemoryCache,
    MapCache,
!   DiskCache
  } CacheType;
  
  typedef void
--- 32,39 ----
    UndefinedCache,
    MemoryCache,
    MapCache,
!   DiskCache,
!   PingCache
  } CacheType;
  
  typedef void
diff -rc ImageMagick-6.5.8-10/magick/image.c ImageMagick-6.5.8-11/magick/image.c
*** ImageMagick-6.5.8-10/magick/image.c 2009-12-22 16:15:23.000000000 -0500
--- ImageMagick-6.5.8-11/magick/image.c 2010-10-03 11:41:12.982443890 -0400
***************
*** 180,185 ****
--- 180,186 ----
    image->y_resolution=DefaultResolution;
    image->units=PixelsPerInchResolution;
    GetTimerInfo(&image->timer);
+   image->ping=MagickFalse;
    image->cache=AcquirePixelCache(0);
    image->blob=CloneBlobInfo((BlobInfo *) NULL);
    image->debug=IsEventLogging();
***************
*** 252,257 ****
--- 253,259 ----
    image->border_color=image_info->border_color;
    image->matte_color=image_info->matte_color;
    image->transparent_color=image_info->transparent_color;
+   image->ping=image_info->ping;
    image->progress_monitor=image_info->progress_monitor;
    image->client_data=image_info->client_data;
    if (image_info->cache != (void *) NULL)
***************
*** 873,878 ****
--- 875,881 ----
      clone_image->blob=ReferenceBlob(image->blob);
    else
      clone_image->blob=CloneBlobInfo((BlobInfo *) NULL);
+   clone_image->ping=image->ping;
    clone_image->debug=IsEventLogging();
    clone_image->semaphore=AllocateSemaphoreInfo();
    if ((columns == 0) && (rows == 0))
diff -rc ImageMagick-6.5.8-10/magick/image.h ImageMagick-6.5.8-11/magick/image.h
*** ImageMagick-6.5.8-10/magick/image.h 2009-12-11 16:38:29.000000000 -0500
--- ImageMagick-6.5.8-11/magick/image.h 2010-10-03 11:41:34.698448518 -0400
***************
*** 330,335 ****
--- 330,338 ----
  
    MagickBooleanType
      dither;
+ 
+   MagickBooleanType
+     ping;
  };
  
  struct _ImageInfo
diff -rc ImageMagick-6.5.8-10/magick/resource.c ImageMagick-6.5.8-11/magick/resource.c
*** ImageMagick-6.5.8-10/magick/resource.c      2009-12-17 21:53:20.000000000 -0500
--- ImageMagick-6.5.8-11/magick/resource.c      2010-10-03 11:44:18.426998774 -0400
***************
*** 332,337 ****
--- 332,338 ----
  static void *DestroyTemporaryResources(void *temporary_resource)
  {
    (void) remove((char *) temporary_resource);
+   temporary_resource=DestroyString((char *) temporary_resource);
    return((void *) NULL);
  }
  
***************
*** 477,486 ****
    (void) LockSemaphoreInfo(resource_semaphore);
    if (temporary_resources == (SplayTreeInfo *) NULL)
      temporary_resources=NewSplayTree(CompareSplayTreeString,
!       RelinquishMagickMemory,DestroyTemporaryResources);
    (void) UnlockSemaphoreInfo(resource_semaphore);
    resource=ConstantString(path);
!   (void) AddValueToSplayTree(temporary_resources,resource,resource);
    return(file);
  }
  

--- 478,487 ----
    (void) LockSemaphoreInfo(resource_semaphore);
    if (temporary_resources == (SplayTreeInfo *) NULL)
      temporary_resources=NewSplayTree(CompareSplayTreeString,
!       DestroyTemporaryResources,(void *(*)(void *)) NULL);
    (void) UnlockSemaphoreInfo(resource_semaphore);
    resource=ConstantString(path);
!   (void) AddValueToSplayTree(temporary_resources,resource,(const void *) NULL);
    return(file);
  }

[Hubbitus]

Thank you very much for fast fix. I hope it go in next release.

[magick]

The problem you reported is already fixed in the current release of ImageMagick, 6.6.4-8.

[Drarakel]

I guess that could fit into that topic:
I'm still getting crashes when doing "identify -verbose -ping" with PSD files (see also here).
Take that file (just a random PSD from the web - from here):
pin-full-stokpsd.zip
Windows notes for the crash: "Application Failure identify.exe 4.0.0.0 in core_rl_magick_.dll 4.0.0.0 at offset 000d35b4.."
I'm using IM v6.6.4-8 Q16, Windows XP.

[magick]

Here's a patch:

Code: Select all

*** magick/stream.c~    2010-10-04 14:00:17.954718038 -0400
--- magick/stream.c     2010-10-04 13:24:53.681967998 -0400
***************
*** 152,158 ****
    StreamInfo
      *stream_info;
  
!   stream_info=(StreamInfo *) AcquireAlignedMemory(1,sizeof(*stream_info));
    if (stream_info == (StreamInfo *) NULL)
      ThrowFatalException(ResourceLimitFatalError,"MemoryAllocationFailed");
    (void) ResetMagickMemory(stream_info,0,sizeof(*stream_info));
--- 152,158 ----
    StreamInfo
      *stream_info;
  
!   stream_info=(StreamInfo *) AcquireQuantumMemory(1,sizeof(*stream_info));
    if (stream_info == (StreamInfo *) NULL)
      ThrowFatalException(ResourceLimitFatalError,"MemoryAllocationFailed");
    (void) ResetMagickMemory(stream_info,0,sizeof(*stream_info));
***************
*** 703,719 ****
    /*
      Pixels are stored in a temporary buffer until they are synced to the cache.
    */
    number_pixels=(MagickSizeType) columns*rows;
    length=(size_t) number_pixels*sizeof(PixelPacket);
!   if ((image->storage_class == PseudoClass) ||
!       (image->colorspace == CMYKColorspace))
      length+=number_pixels*sizeof(IndexPacket);
    if (cache_info->pixels == (PixelPacket *) NULL)
      {
        cache_info->length=length;
        status=AcquireStreamPixels(cache_info,exception);
        if (status == MagickFalse)
!         return((PixelPacket *) NULL);
      }
    else
      if (cache_info->length != length)
--- 703,723 ----
    /*
      Pixels are stored in a temporary buffer until they are synced to the cache.
    */
+   cache_info->active_index_channel=((image->storage_class == PseudoClass) ||
+     (image->colorspace == CMYKColorspace)) ? MagickTrue : MagickFalse;
    number_pixels=(MagickSizeType) columns*rows;
    length=(size_t) number_pixels*sizeof(PixelPacket);
!   if (cache_info->active_index_channel != MagickFalse)
      length+=number_pixels*sizeof(IndexPacket);
    if (cache_info->pixels == (PixelPacket *) NULL)
      {
        cache_info->length=length;
        status=AcquireStreamPixels(cache_info,exception);
        if (status == MagickFalse)
!         {
!           cache_info->length=0;
!           return((PixelPacket *) NULL);
!         }
      }
    else
      if (cache_info->length != length)
***************
*** 722,732 ****
          cache_info->length=length;
          status=AcquireStreamPixels(cache_info,exception);
          if (status == MagickFalse)
!           return((PixelPacket *) NULL);
        }
    cache_info->indexes=(IndexPacket *) NULL;
!   if ((image->storage_class == PseudoClass) ||
!       (image->colorspace == CMYKColorspace))
      cache_info->indexes=(IndexPacket *) (cache_info->pixels+number_pixels);
    return(cache_info->pixels);
  }
--- 726,738 ----
          cache_info->length=length;
          status=AcquireStreamPixels(cache_info,exception);
          if (status == MagickFalse)
!           {
!             cache_info->length=0;
!             return((PixelPacket *) NULL);
!           }
        }
    cache_info->indexes=(IndexPacket *) NULL;
!   if (cache_info->active_index_channel != MagickFalse)
      cache_info->indexes=(IndexPacket *) (cache_info->pixels+number_pixels);
    return(cache_info->pixels);
  }
***************
*** 855,866 ****
    /*
      Pixels are stored in a temporary buffer until they are synced to the cache.
    */
    cache_info->columns=columns;
    cache_info->rows=rows;
    number_pixels=(MagickSizeType) columns*rows;
    length=(size_t) number_pixels*sizeof(PixelPacket);
!   if ((image->storage_class == PseudoClass) ||
!       (image->colorspace == CMYKColorspace))
      length+=number_pixels*sizeof(IndexPacket);
    if (cache_info->pixels == (PixelPacket *) NULL)
      {
--- 861,873 ----
    /*
      Pixels are stored in a temporary buffer until they are synced to the cache.
    */
+   cache_info->active_index_channel=((image->storage_class == PseudoClass) ||
+     (image->colorspace == CMYKColorspace)) ? MagickTrue : MagickFalse;
    cache_info->columns=columns;
    cache_info->rows=rows;
    number_pixels=(MagickSizeType) columns*rows;
    length=(size_t) number_pixels*sizeof(PixelPacket);
!   if (cache_info->active_index_channel != MagickFalse)
      length+=number_pixels*sizeof(IndexPacket);
    if (cache_info->pixels == (PixelPacket *) NULL)
      {
***************
*** 877,884 ****
    if (cache_info->pixels == (void *) NULL)
      return((PixelPacket *) NULL);
    cache_info->indexes=(IndexPacket *) NULL;
!   if ((image->storage_class == PseudoClass) ||
!       (image->colorspace == CMYKColorspace))
      cache_info->indexes=(IndexPacket *) (cache_info->pixels+number_pixels);
    return(cache_info->pixels);
  }
--- 884,890 ----
    if (cache_info->pixels == (void *) NULL)
      return((PixelPacket *) NULL);
    cache_info->indexes=(IndexPacket *) NULL;
!   if (cache_info->active_index_channel != MagickFalse)
      cache_info->indexes=(IndexPacket *) (cache_info->pixels+number_pixels);
    return(cache_info->pixels);
  }