Bug in ParseProcessingInstructions in xml-tree.c
Posted: 2007-07-16T13:12:35-07:00
I'm writing an application that displays files that utilizes ImageMagick 6.3.5 under Windows XP. While testing, I tried to open the following image, which ended up throwing a Fatal exception
I'm running with the Multi-threaded release build as generated by VisualMagick. After some tracking, I located the source of the exception at line 1495 of xml-tree.c, in the ParseProcessingInstructions function. It seems as though an invalid value was being passed into ResizeMagickMemory (0xcdcdcdcd in debug mode, and 0xbaadf00d in release), which indicated that the memory to resize was never allocated. I added the following line at line 1480, and all seems well:
Here is the complete function:
I'm running with the Multi-threaded release build as generated by VisualMagick. After some tracking, I located the source of the exception at line 1495 of xml-tree.c, in the ParseProcessingInstructions function. It seems as though an invalid value was being passed into ResizeMagickMemory (0xcdcdcdcd in debug mode, and 0xbaadf00d in release), which indicated that the memory to resize was never allocated. I added the following line at line 1480, and all seems well:
Code: Select all
root->processing_instructions[i][2]=(char *) NULL;Code: Select all
static void ParseProcessingInstructions(XMLTreeRoot *root,char *xml,
size_t length)
{
char
*target;
long
j;
register long
i;
target=xml;
xml[length]='\0';
xml+=strcspn(xml,XMLWhitespace);
if (*xml != '\0')
{
*xml='\0';
xml+=strspn(xml+1,XMLWhitespace)+1;
}
if (strcmp(target,"xml") == 0)
{
xml=strstr(xml,"standalone");
if ((xml != (char *) NULL) &&
(strncmp(xml+strspn(xml+10,XMLWhitespace "='\"")+10,"yes",3) == 0))
root->standalone=MagickTrue;
return;
}
if (root->processing_instructions[0] == (char **) NULL)
{
root->processing_instructions=(char ***) AcquireMagickMemory(sizeof(
*root->processing_instructions));
if (root->processing_instructions ==(char ***) NULL)
ThrowMagickFatalException(ResourceLimitFatalError,
"UnableToAcquireString",xml);
*root->processing_instructions=(char **) NULL;
}
i=0;
while ((root->processing_instructions[i] != (char **) NULL) &&
(strcmp(target,root->processing_instructions[i][0]) != 0))
i++;
if (root->processing_instructions[i] == (char **) NULL)
{
root->processing_instructions=(char ***) ResizeMagickMemory(
root->processing_instructions,(size_t) (i+2)*
sizeof(*root->processing_instructions));
if (root->processing_instructions == (char ***) NULL)
ThrowMagickFatalException(ResourceLimitFatalError,
"UnableToAcquireString",xml);
root->processing_instructions[i]=(char **) AcquireMagickMemory(3*
sizeof(**root->processing_instructions));
if (root->processing_instructions[i] == (char **) NULL)
ThrowMagickFatalException(ResourceLimitFatalError,
"UnableToAcquireString",xml);
root->processing_instructions[i][0]=ConstantString(target);
root->processing_instructions[i][1]=(char *) NULL;
root->processing_instructions[i][2]=(char *) NULL; // added by TCM
root->processing_instructions[i+1]=(char **) NULL;
}
j=1;
while (root->processing_instructions[i][j] != (char *) NULL)
j++;
root->processing_instructions[i]=(char **) ResizeMagickMemory(
root->processing_instructions[i],(size_t) (j+3)*sizeof(
**root->processing_instructions));
if (root->processing_instructions[i] == (char **) NULL)
ThrowMagickFatalException(ResourceLimitFatalError,"UnableToAcquireString",
xml);
root->processing_instructions[i][j+2]=(char *) ResizeMagickMemory(
root->processing_instructions[i][j+1],(size_t) (j+1)* sizeof(
**root->processing_instructions));
if (root->processing_instructions[i][j+2] == (char *) NULL)
ThrowMagickFatalException(ResourceLimitFatalError,"UnableToAcquireString",
xml);
(void) CopyMagickString(root->processing_instructions[i][j+2]+j-1,
root->root.tag != (char *) NULL ? ">" : "<",2);
root->processing_instructions[i][j+1]=(char *) NULL;
root->processing_instructions[i][j]=ConstantString(xml);
}