Bug in ParseProcessingInstructions in xml-tree.c

Post by thomas.c1.moore »

I'm writing an application that displays files that utilizes ImageMagick 6.3.5 under Windows XP. While testing, I tried to open the following image, which ended up throwing a Fatal exception.

Image

I'm running with the Multi-threaded release build as generated by VisualMagick. After some tracking, I located the source of the exception at line 1495 of xml-tree.c, in the ParseProcessingInstructions function. It seems as though an invalid value was being passed into ResizeMagickMemory (0xcdcdcdcd in debug mode, and 0xbaadf00d in release), which indicated that the memory to resize was never allocated. I added the following line at line 1480, and all seems well:

Code:

root->processing_instructions[i][2]=(char *) NULL;

Here is the complete function:

Code:

static void ParseProcessingInstructions(XMLTreeRoot *root,char *xml,
  size_t length)
{
  char
    *target;

  long
    j;

  register long
    i;

  target=xml;
  xml[length]='\0';
  xml+=strcspn(xml,XMLWhitespace);
  if (*xml != '\0')
    {
      *xml='\0';
      xml+=strspn(xml+1,XMLWhitespace)+1;
    }
  if (strcmp(target,"xml") == 0)
    {
      xml=strstr(xml,"standalone");
      if ((xml != (char *) NULL) &&
          (strncmp(xml+strspn(xml+10,XMLWhitespace "='\"")+10,"yes",3) == 0))
        root->standalone=MagickTrue;
      return;
    }
  if (root->processing_instructions[0] == (char **) NULL)
    {
      root->processing_instructions=(char ***) AcquireMagickMemory(sizeof(
        *root->processing_instructions));
      if (root->processing_instructions ==(char ***) NULL)
        ThrowMagickFatalException(ResourceLimitFatalError,
          "UnableToAcquireString",xml);
      *root->processing_instructions=(char **) NULL;
    }
  i=0;
  while ((root->processing_instructions[i] != (char **) NULL) &&
         (strcmp(target,root->processing_instructions[i][0]) != 0))
    i++;
  if (root->processing_instructions[i] == (char **) NULL)
    {
      root->processing_instructions=(char ***) ResizeMagickMemory(
        root->processing_instructions,(size_t) (i+2)*
        sizeof(*root->processing_instructions));
      if (root->processing_instructions == (char ***) NULL)
        ThrowMagickFatalException(ResourceLimitFatalError,
          "UnableToAcquireString",xml);
      root->processing_instructions[i]=(char **) AcquireMagickMemory(3*
        sizeof(**root->processing_instructions));
      if (root->processing_instructions[i] == (char **) NULL)
        ThrowMagickFatalException(ResourceLimitFatalError,
          "UnableToAcquireString",xml);
      root->processing_instructions[i][0]=ConstantString(target);
      root->processing_instructions[i][1]=(char *) NULL;
      root->processing_instructions[i][2]=(char *) NULL; // added by TCM
      root->processing_instructions[i+1]=(char **) NULL;
    }
  j=1;
  while (root->processing_instructions[i][j] != (char *) NULL)
    j++;
  root->processing_instructions[i]=(char **) ResizeMagickMemory(
    root->processing_instructions[i],(size_t) (j+3)*sizeof(
    **root->processing_instructions));
  if (root->processing_instructions[i] == (char **) NULL)
    ThrowMagickFatalException(ResourceLimitFatalError,"UnableToAcquireString",
      xml);
  root->processing_instructions[i][j+2]=(char *) ResizeMagickMemory(
    root->processing_instructions[i][j+1],(size_t) (j+1)* sizeof(
    **root->processing_instructions));
  if (root->processing_instructions[i][j+2] == (char *) NULL)
    ThrowMagickFatalException(ResourceLimitFatalError,"UnableToAcquireString",
      xml);
  (void) CopyMagickString(root->processing_instructions[i][j+2]+j-1,
    root->root.tag != (char *) NULL ? ">" : "<",2);
  root->processing_instructions[i][j+1]=(char *) NULL;
  root->processing_instructions[i][j]=ConstantString(xml);
}
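
The failure described in the post above, as an added example that is not part of the original thread or of ImageMagick's code: an entry has slots 0 and 1 written, and slot 2 is then handed to a resize call. `poison_alloc`, `slot_is_poison` and `first_append` are hypothetical names, the 0xCD fill stands in for the debug-build pattern the poster observed, and the four slots are allocated in one step rather than grown from three.

```c
#include <stdlib.h>
#include <string.h>

#define POISON 0xCD /* fill byte behind the 0xcdcdcdcd seen in the debug build */

/* Hypothetical allocator: fresh memory is poison-filled, never zeroed. */
static void *poison_alloc(size_t n)
{
  void *p = malloc(n);
  if (p != NULL)
    memset(p, POISON, n);
  return p;
}

/* True when every byte of the pointer slot still holds the fill pattern. */
static int slot_is_poison(char *const *slot)
{
  unsigned char raw[sizeof(*slot)];
  size_t k;
  memcpy(raw, slot, sizeof(raw));
  for (k = 0; k < sizeof(raw); k++)
    if (raw[k] != POISON)
      return 0;
  return 1;
}

/* First insertion for a new target (j == 1); -1 if slot j+1 was never set. */
static int first_append(int init_tail)
{
  char **entry = poison_alloc(4 * sizeof(*entry));   /* j+3 slots */
  int status = -1;
  if (entry == NULL)
    return -1;
  entry[0] = NULL;                      /* stands in for ConstantString(target) */
  entry[1] = NULL;
  if (init_tail)
    entry[2] = NULL;                    /* the one-line fix from the post */
  if (!slot_is_poison(&entry[2])) {     /* entry[j+1] is the pointer resized */
    entry[3] = realloc(entry[2], 2);    /* realloc(NULL, n) acts as malloc(n) */
    status = (entry[3] != NULL) ? 0 : -1;
    free(entry[3]);
  }
  free(entry);
  return status;
}

int main(void)
{
  return (first_append(0) == -1 && first_append(1) == 0) ? 0 : 1;
}
```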

Re: Bug in ParseProcessingInstructions in xml-tree.c

Post by magick »

The bug you reported was fixed in ImageMagick 6.3.5-1, the current release.

Re: Bug in ParseProcessingInstructions in xml-tree.c

Post by thomas.c1.moore »

Unless a new version came out between this past Friday, July 13 that is more recent than the download at

ftp://ftp.imagemagick.org/pub/ImageMagi ... .3.5-1.zip

then the problem is not fixed...

Re: Bug in ParseProcessingInstructions in xml-tree.c

Post by magick »

Just downloaded the 6.3.5-1 Windows source and it contains the patch. The source looks like this (around line 1478):

Code:

      root->processing_instructions[i][0]=ConstantString(target);
      root->processing_instructions[i][1]=(char *)
        root->processing_instructions[i+1];
      root->processing_instructions[i+1]=(char **) NULL;
      root->processing_instructions[i][2]=ConstantString("");
    }
  j=1;
  while (root->processing_instructions[i][j] != (char *) NULL)
    j++;

Re: Bug in ParseProcessingInstructions in xml-tree.c

Post by thomas.c1.moore »

That appears to be correct. I wonder if the ImageMagick-windows.zip symbolic link was messed up...