Bug#927307: libgraphicsmagick breaks gnudatalanguage

Thu, 18 Apr 2019 06:33:41 -0700 

On Thu, 18 Apr 2019, László Böszörményi wrote:


#2  0x00007ffff334640f in __assert_fail_base
   (fmt=0x7ffff34a8ee0 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
assertion=0x7ffff6657940 "semaphore_info != (SemaphoreInfo *) NULL",
file=0x7ffff66578c8 "magick/semaphore.c", line=606,
function=<optimized out>) at assert.c:92
       str = 0x555555578090 ""
       total = 4096
#3  0x00007ffff33540f2 in __GI___assert_fail
   (assertion=0x7ffff6657940 "semaphore_info != (SemaphoreInfo *)
NULL", file=0x7ffff66578c8 "magick/semaphore.c", line=606,
function=0x7ffff66579c0 "LockSemaphoreInfo") at assert.c:101
#4  0x00007ffff651802d in LockSemaphoreInfo ()
   at /usr/lib/libGraphicsMagick-Q16.so.3
#5  0x00007ffff6514e59 in GetMagickResourceLimit ()
   at /usr/lib/libGraphicsMagick-Q16.so.3
#6  0x00007ffff64f1719 in GetCacheInfo ()
   at /usr/lib/libGraphicsMagick-Q16.so.3
#7  0x00007ffff64d4081 in AllocateImage ()
   at /usr/lib/libGraphicsMagick-Q16.so.3
#8  0x00007ffff63eacf5 in Magick::ImageRef::ImageRef() (this=0x5555555d9740)
   at Magick++/lib/ImageRef.cpp:49
#9  0x00007ffff63e155c in Magick::Image::Image()
   (this=0x7ffff7f9fc60 <lib::gImage>) at Magick++/lib/Image.cpp:278
#10 0x00007ffff73fb1d0 in  ()
   at /usr/lib/x86_64-linux-gnu/libgnudatalanguage.so.0
#11 0x00007ffff7fe430a in call_init
   (l=<optimized out>, argc=argc@entry=1,
argv=argv@entry=0x7fffffffec58, env=env@entry=0x7fffffffec68) at



This problem would occur if the InitializeMagick() function is not 
called before using any other function.  The InitializeMagick() 
function calls InitializeMagickResources() which allocates the 
semaphore discovered to be null.



C++ adds the interesting wrinkle that statically-constructed objects 
are constructed before main() is even invoked.  Since _dl_start_user() 
is reported at the bottom of the stack rather than main() this could 
be a C++ static construction issue, or a shared library constructor 
function issue.



Between the version which worked and the version which is failing, the 
implementation of magick/resource.c was changed to allocate a 
semaphore for each resource limit rather than using a single global 
semaphore across all resource limits.



For reasons unknown to me, I did not include a generalized resource 
limit function in Magick++.  For purposes of fuzzing via oss-fuzz, I 
see that this code is used:


        Magick::InitializeMagick(nullptr);
        MagickLib::SetMagickResourceLimit(MagickLib::MemoryResource, 
1000000000);
        MagickLib::SetMagickResourceLimit(MagickLib::WidthResource, 2048);
        MagickLib::SetMagickResourceLimit(MagickLib::HeightResource, 2048);

and this is diving into the C API after calling InitializeMagick();

Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
Public Key,     http://www.simplesystems.org/users/bfriesen/public-key.txt





















					Reply via email to