On Thu, 18 Apr 2019, László Böszörményi wrote:

#2  0x00007ffff334640f in __assert_fail_base
   (fmt=0x7ffff34a8ee0 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
assertion=0x7ffff6657940 "semaphore_info != (SemaphoreInfo *) NULL",
file=0x7ffff66578c8 "magick/semaphore.c", line=606,
function=<optimized out>) at assert.c:92
       str = 0x555555578090 ""
       total = 4096
#3  0x00007ffff33540f2 in __GI___assert_fail
   (assertion=0x7ffff6657940 "semaphore_info != (SemaphoreInfo *)
NULL", file=0x7ffff66578c8 "magick/semaphore.c", line=606,
function=0x7ffff66579c0 "LockSemaphoreInfo") at assert.c:101
#4  0x00007ffff651802d in LockSemaphoreInfo ()
   at /usr/lib/libGraphicsMagick-Q16.so.3
#5  0x00007ffff6514e59 in GetMagickResourceLimit ()
   at /usr/lib/libGraphicsMagick-Q16.so.3
#6  0x00007ffff64f1719 in GetCacheInfo ()
   at /usr/lib/libGraphicsMagick-Q16.so.3
#7  0x00007ffff64d4081 in AllocateImage ()
   at /usr/lib/libGraphicsMagick-Q16.so.3
#8  0x00007ffff63eacf5 in Magick::ImageRef::ImageRef() (this=0x5555555d9740)
   at Magick++/lib/ImageRef.cpp:49
#9  0x00007ffff63e155c in Magick::Image::Image()
   (this=0x7ffff7f9fc60 <lib::gImage>) at Magick++/lib/Image.cpp:278
#10 0x00007ffff73fb1d0 in  ()
   at /usr/lib/x86_64-linux-gnu/libgnudatalanguage.so.0
#11 0x00007ffff7fe430a in call_init
   (l=<optimized out>, argc=argc@entry=1,
argv=argv@entry=0x7fffffffec58, env=env@entry=0x7fffffffec68) at

This problem would occur if the InitializeMagick() function is not called before using any other function. The InitializeMagick() function calls InitializeMagickResources() which allocates the semaphore discovered to be null.

C++ adds the interesting wrinkle that statically-constructed objects are constructed before main() is even invoked. Since _dl_start_user() is reported at the bottom of the stack rather than main(), this could be a C++ static construction issue, or a shared library constructor function issue.

Between the version which worked and the version which is failing, the implementation of magick/resource.c was changed to allocate a semaphore for each resource limit rather than using a single global semaphore across all resource limits.

For reasons unknown to me, I did not include a generalized resource limit function in Magick++. For purposes of fuzzing via oss-fuzz, I see that this code is used:

        Magick::InitializeMagick(nullptr);
        MagickLib::SetMagickResourceLimit(MagickLib::MemoryResource, 1000000000);
        MagickLib::SetMagickResourceLimit(MagickLib::WidthResource, 2048);
        MagickLib::SetMagickResourceLimit(MagickLib::HeightResource, 2048);

and this is diving into the C API after calling InitializeMagick();

Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
Public Key,     http://www.simplesystems.org/users/bfriesen/public-key.txt
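A small model of the failure mode discussed above, added here as an example (it is not GraphicsMagick or GDL code): the per-resource semaphore, InitializeMagick() and Magick::Image are replaced by stand-ins, and the assertion in LockSemaphoreInfo() is replaced by a return value so the result of constructing an image during static initialisation can be observed rather than aborting the process.

```cpp
// Added example, not library code. Models a static Magick::Image constructed
// before main() against a library whose semaphore is NULL until initialised.
#include <cstddef>
#include <iostream>

namespace model {

// Stand-in for the per-resource semaphore introduced in magick/resource.c.
struct SemaphoreInfo { int lock_count = 0; };

// Global library state: NULL until InitializeMagick() runs, which is the
// condition the "semaphore_info != (SemaphoreInfo *) NULL" assertion checks.
static SemaphoreInfo *resource_semaphore = nullptr;

// Stand-in for InitializeMagick() -> InitializeMagickResources().
void InitializeMagick() {
    if (resource_semaphore == nullptr) resource_semaphore = new SemaphoreInfo;
}

// Stand-in for GetMagickResourceLimit(); returns false where the real
// LockSemaphoreInfo() would assert, so a static constructor can record it.
bool GetMagickResourceLimit(std::size_t *limit) {
    if (resource_semaphore == nullptr) return false;
    ++resource_semaphore->lock_count;   // LockSemaphoreInfo()
    *limit = 2048;                      // constructed sample value
    --resource_semaphore->lock_count;   // UnlockSemaphoreInfo()
    return true;
}

// Stand-in for Magick::Image: construction queries the resource limits.
class Image {
public:
    Image() { std::size_t limit = 0; ok_ = GetMagickResourceLimit(&limit); }
    bool ok() const { return ok_; }
private:
    bool ok_ = false;
};

// Hardened variant: a base class that initialises the library runs before
// the Image base, so construction is safe even from static initialisation.
struct EnsureInitialized { EnsureInitialized() { InitializeMagick(); } };
class GuardedImage : private EnsureInitialized, public Image {};

// Like lib::gImage in the backtrace: constructed before main(). Within one
// file the order is declaration order; across shared objects it is not.
static Image gImageUnsafe;          // library still uninitialised here
static GuardedImage gImageGuarded;  // initialises the library first

bool unsafe_static_image_ok()  { return gImageUnsafe.ok(); }
bool guarded_static_image_ok() { return gImageGuarded.ok(); }

}  // namespace model
```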
