SIGSEGV in png.c 6.3.7-8

[rmagick]

Just installed 6.3.7-8. I'm getting a SIGSEGV in a call to RelinquishMagickMemory from png.c. Here's the traceback:

Code: Select all

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1210845520 (LWP 31880)]
0xb7dad7bc in free () from /lib/tls/i686/cmov/libc.so.6
(gdb) whe
#0  0xb7dad7bc in free () from /lib/tls/i686/cmov/libc.so.6
#1  0xb7ab2baf in RelinquishMagickMemory (memory=0x120) at magick/memory.c:589
#2  0xb6aeeacc in png_IM_free (png_ptr=0xbfed88e8, ptr=0x120) at coders/png.c:1435
#3  0xb6df03b6 in ?? () from /usr/lib/libpng12.so.0
#4  0xbfed88e8 in ?? ()
#5  0x00000120 in ?? ()
#6  0x00000000 in ?? ()
(gdb) fr 2
#2  0xb6aeeacc in png_IM_free (png_ptr=0xbfed88e8, ptr=0x120) at coders/png.c:1435
1435      ptr=RelinquishMagickMemory(ptr);
(gdb) p ptr
$1 = (png_voidp) 0x120

I'm using libpng version 1.2.15~beta5-2ubuntu0.1 on Kubuntu 7.10. This failure occurs with both my .png tests. Please let me know if you need a reproduction.

[magick]

Post a program/script that we can run to reproduce the problem. We need to determine if the problem is within ImageMagick or the PNG delegate library. We're using 6.3.7-8 and libpng-1.2.22 and cannot reproduce the problem.

[rmagick]

The problem is triggered by this specific image: http://home.nc.rr.com/foxhunter/Snake.wmf. I can reproduce the abend by simply trying to display the image.

Please let me know if you need any more information.

Here's some gdb output.

Code: Select all

tim@linux:~/RMagick/projects/RMagick/doc/ex/images$ display -version
Version: ImageMagick 6.3.7 12/28/07 Q16 http://www.imagemagick.org
Copyright: Copyright (C) 1999-2008 ImageMagick Studio LLC

tim@linux:~/RMagick/projects/RMagick/doc/ex/images$ gdb display
GNU gdb 6.6-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) run Snake.wmf
Starting program: /usr/local/bin/display Snake.wmf
[Thread debugging using libthread_db enabled]
[New Thread -1216141648 (LWP 13855)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1216141648 (LWP 13855)]
0xb7afd7bc in free () from /lib/tls/i686/cmov/libc.so.6
(gdb) whe
#0  0xb7afd7bc in free () from /lib/tls/i686/cmov/libc.so.6
#1  0xb7e55baf in RelinquishMagickMemory (memory=0x120) at magick/memory.c:589
#2  0xb6c55acc in png_IM_free (png_ptr=0xbf9a9518, ptr=0x120) at coders/png.c:1435
#3  0xb6f853b6 in ?? () from /usr/lib/libpng12.so.0
#4  0xbf9a9518 in ?? ()
#5  0x00000120 in ?? ()
#6  0x00000000 in ?? ()
(gdb)

I just confirmed that an earlier version of display works okay:
Version: ImageMagick 6.3.6 11/08/07 Q16 http://www.imagemagick.org

[magick]

Post the output of

• convert -verbose Snake.wmf Snake.png

This command works for us but we need to see how WMF is being interpreted by your ImageMagick instance.

[rmagick]

$ convert -verbose Snake.wmf Snake.png
"wmf2eps" -o "/home/tim/tmp/magick-XXkgEFu6" "/home/tim/tmp/magick-XXvpgbxt"
"gs" -q -dQUIET -dPARANOIDSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=0 "-sDEVICE=pngalpha" -dTextAlphaBits=4 -dGraphicsAlphaBits=4 "-r72x72" -g361x346 "-sOutputFile=/home/tim/tmp/magick-XXFPGv4Q" "-f/home/tim/tmp/magick-XXOK5wyo" "-f/home/tim/tmp/magick-XXCJIz2V"
Segmentation fault (core dumped)

Interesting. My libwmf version is 0.2.8.

[magick]

Either Ghostscript is producing a bad PNG file or there is a bug in the PNG delegate library or the ImageMagick PNG coder. Post a URL to Snake.eps and Snake.png produced with these commands:

• wmf2eps -o Snake.eps Snake.wmf
  gs -q -dQUIET -dPARANOIDSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=0 "-sDEVICE=pngalpha" -dTextAlphaBits=4 -dGraphicsAlphaBits=4 "-r72x72" -g361x346 "-sOutputFile=Snake.png" Snake.eps

We will download these files and trace the source of the bug.

[rmagick]

Let me know if you need any more info.

http://home.nc.rr.com/foxhunter/Snake.eps
http://home.nc.rr.com/foxhunter/Snake.png

[magick]

We downloaded your files and they convert fine for us without complaint. We ran valgrind and it did not report any memory problems. Try this command and let us know if it reports memory corruption:

• valgrind convert Snake.wmf Snake.png

[rmagick]

Okay. Output is here: http://home.nc.rr.com/foxhunter/convert.28880

BTW, the command abends with this output:

$ valgrind --log-file=convert convert Snake.wmf Snake.png
convert: magick/blob.c:472: CloseBlob: Assertion `image->signature == 0xabacadabUL' failed.
Aborted (core dumped)

[magick]

We're using a new version of the libtool distribution (i.e. dlopen()) that perhaps has a bug we have not stumbled across yet. To test, rebuild ImageMagick without modules. Either build static or add --without-modules to the configure script. See if the problem persists and report back to us.

[rmagick]

That fixed it.

convert Snake.wmf Snake.png

works. Here's the configure command line I used.

Code: Select all

  $ ./configure CFLAGS=-g --enable-shared --disable-static --without-modules --enable-lzw --with-gs-font-dir=/usr/share/fonts/type1/gsfonts --with-quantum-depth=16 --without-perl --without-magick-plus-plus

Just to confirm, I re-built IM again using --with-modules and the abend returned.

[magick]

Unfortunately we cannot reproduce the problem on the 7 different OS's we tried it on. We'll stand by and look for other bug reports until we get enough information to track the source of the problem.

[rmagick]

Don't you hate it when this happens? I'll post if I learn anything else.

[hoeth]

I can reproduce this bug on linux (x86_64) with IM 6.3.9-8 and libpng-1.2.25 by converting a .ps file to png (or to anything else, since png is the intermediate step used by ghostscript). My backtrace is

#0 0x00002b65afcc72f5 in free () from /lib64/libc.so.6
#1 0x00002b65af1b4f10 in RelinquishMagickMemory () from /usr/lib64/libMagickCore.so.1
#2 0x00002b65b50937b8 in png_IM_free () from /usr/lib64/ImageMagick-6.3.9/modules-Q8/coders/png.so
#3 0x00002b65b30e27ed in png_free_data () from /usr/lib64/libgs.so.8
#4 0x00002b65b415bef7 in png_info_destroy () from /usr/lib64/libpng12.so.0
#5 0x00002b65b4165dce in png_read_destroy () from /usr/lib64/libpng12.so.0
#6 0x00002b65b4166104 in png_destroy_read_struct () from /usr/lib64/libpng12.so.0
#7 0x00002b65b50980df in ReadOnePNGImage () from /usr/lib64/ImageMagick-6.3.9/modules-Q8/coders/png.so
#8 0x00002b65b509f962 in ReadPNGImage () from /usr/lib64/ImageMagick-6.3.9/modules-Q8/coders/png.so
#9 0x00002b65af14796c in ReadImage () from /usr/lib64/libMagickCore.so.1
#10 0x00002b65b2c1bf17 in ReadPSImage () from /usr/lib64/ImageMagick-6.3.9/modules-Q8/coders/ps.so
#11 0x00002b65af14796c in ReadImage () from /usr/lib64/libMagickCore.so.1
#12 0x00002b65af519a9e in ConvertImageCommand () from /usr/lib64/libMagickWand.so.1
#13 0x0000000000400dd6 in main ()

The output of "convert -verbose d01-x01-y01.ps d01-x01-y01.png" is

"gs" -q -dQUIET -dPARANOIDSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=0 "-sDEVICE=pngalpha" -dTextAlphaBits=4 -dGraphicsAlphaBits=4 "-r72x72" -g332x304 "-sOutputFile=/tmp/magick-XXaQnXHS" "-f/tmp/magick-XXcAMYDj" "-f/tmp/magick-XXJwe7zK"

The file /tmp/magick-XXaQnXHS seems to be a good png file and just what I expect as output file from the convert command. You find the relevant files here:

http://www.linta.de/~hoeth/imagemagick/d01-x01-y01.ps
http://www.linta.de/~hoeth/imagemagick/magick-XXaQnXHS

Compiling with "--without-modules" yields a working convert.

[magick]

Again we cannot reproduce the problem even under x86_64 Linux. As soon as we can we will have a patch for the problem in short order.