[Magick-bugs] SIGSEGV in CloneImage

Martin von Gagern Martin.vGagern at gmx.net
Wed Apr 22 10:08:50 PDT 2009


Hi!

This is a retransmission, because judging from the pipermail archive, my
original post from 2009-04-13 didn't make it through.

I just tried to convert two LZW-compressed TIFF images saved from GIMP
into a two-page JPEG-compressed PDF document using a command like this:

  convert -compress JPEG page1.tif page2.tif result.pdf

Using ImageMagick 6.5.1 on Gentoo Linux I got a SIGSEGV in reply:

#0  0x4b50d12e in CloneImage (...) at magick/image.c:1129
#1  0x4b469765 in InjectImageBlob (...) at magick/blob.c:1789
#2  0xb7fd02f5 in WritePDFImage (...) at coders/pdf.c:1554
#3  0x4b4936fb in WriteImage (...) at magick/constitute.c:1168
#4  0x4b494058 in WriteImages (...) at magick/constitute.c:1287
#5  0x4a0f358d in ConvertImageCommand (...) at wand/convert.c:2777
#6  0x08048bfb in main (...) at utilities/convert.c:122

Looking at the assembly code and comparing it with the corresponding
source I identified these lines as the cause:

      if (GetNextImageInList(image) != (Image *) NULL)
        clone_image->next->previous=clone_image;

The problem is that the first test operates on the input image, while
the assignment assumes clone_image to be non-NULL, which is wrong.
Looking a few lines above, one finds the assignment

  clone_image->next=NewImageList();

and as NewImageList() is only an elaborate way to write NULL, this
assumption that clone_image->next does exist will always be false.

I'm not sure about what the intended behaviour of CloneImage with a
parameter of orphan == MagickFalse should be. Should the clone replace
the original, inserted after the original, or should siblings in the
original list be cloned as well?

Neither am I sure why InjectImageBlob calls CloneImage with orphan set
to false. It looks to me like that function doesn't use the list
neighbourhood of the cloned image, so there might just as well be no
such neighbourhood. I also see that InjectImageBlob manually destroys
the cloned blob's info, just to replace it with a clone of NULL info.
When called with orphan != MagickFalse, CloneImage will perform these
steps as well, so passing a true value for orphan might save some lines
of code in InjectImageBlob.

Greetings,
 Martin von Gagern
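The NULL dereference discussed in the post, reduced to a runnable C example. This is added illustration, not ImageMagick's code and not part of the original message: the `Image` struct is a hypothetical stand-in holding only the list links, `clone_links_as_posted` mirrors the two quoted statements but returns -1 at the point where the real code would fault, and `clone_image_fixed` picks one possible meaning for orphan == 0 (splice the clone in after the original) purely as an assumption, since the post leaves the intended semantics open. The constructed two-page list replays the `page1.tif page2.tif` scenario.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for ImageMagick's Image: just the list links matter. */
typedef struct Image {
    char filename[32];
    struct Image *previous;
    struct Image *next;
} Image;

/* In ImageMagick NewImageList() is only an elaborate way of writing NULL. */
static Image *NewImageList(void) { return (Image *) NULL; }
static Image *GetNextImageInList(const Image *image) { return image->next; }

static Image *make_image(const char *filename)      /* constructed sample node */
{
    Image *image = calloc(1, sizeof *image);
    if (image != NULL) strncpy(image->filename, filename, sizeof image->filename - 1);
    return image;
}

static size_t list_length(const Image *head)
{
    size_t n = 0;
    for (; head != NULL; head = head->next) n++;
    return n;
}

static void destroy_list(Image *head)
{
    while (head != NULL) { Image *next = head->next; free(head); head = next; }
}

/* The two statements quoted in the post.  clone_image->next was just set to
 * NULL, but the guard tests the *original* image's successor, so the write
 * through clone_image->next faults whenever the original has a next image.
 * Here the NULL case returns -1 instead of dereferencing, so it can run. */
static int clone_links_as_posted(const Image *image, Image *clone_image)
{
    clone_image->previous = NewImageList();
    clone_image->next = NewImageList();
    if (GetNextImageInList(image) != (Image *) NULL) {
        if (clone_image->next == NULL)
            return -1;   /* original: clone_image->next->previous=clone_image; -> SIGSEGV */
        clone_image->next->previous = clone_image;
    }
    return 0;
}

/* Corrected variant.  The meaning of orphan == 0 is this example's own
 * assumption (the post leaves it open): the clone is spliced in right after
 * the original.  The fix that matters is independent of that choice: test
 * the pointer you are about to dereference, clone->next, not image->next. */
static Image *clone_image_fixed(Image *image, int orphan)
{
    Image *clone = make_image(image->filename);
    if (clone == NULL) return NULL;
    if (orphan) return clone;              /* calloc already left both links NULL */
    clone->previous = image;
    clone->next = image->next;
    if (clone->next != (Image *) NULL)
        clone->next->previous = clone;
    image->next = clone;
    return clone;
}

/* Replays the post's scenario on a constructed page1.tif -> page2.tif list.
 * Returns 1 when the posted control flow would fault for page1 (which has a
 * successor) but not for page2 (last in list), the fixed non-orphan clone
 * yields a consistent three-node list, and an orphan clone stays unlinked. */
int demo_clone_bug(void)
{
    Image *page1 = make_image("page1.tif"), *page2 = make_image("page2.tif");
    Image scratch, *clone, *orphan;
    int ok = 0;

    if (page1 == NULL || page2 == NULL) { free(page1); free(page2); return 0; }
    page1->next = page2;
    page2->previous = page1;

    if (clone_links_as_posted(page1, &scratch) != -1) goto done;  /* would SIGSEGV */
    if (clone_links_as_posted(page2, &scratch) != 0) goto done;   /* no successor: safe */

    clone = clone_image_fixed(page1, 0);
    orphan = clone_image_fixed(page2, 1);
    if (clone == NULL || orphan == NULL) { free(orphan); goto done; }
    ok = list_length(page1) == 3
      && page1->next == clone && clone->previous == page1
      && clone->next == page2 && page2->previous == clone
      && orphan->next == NULL && orphan->previous == NULL
      && strcmp(clone->filename, "page1.tif") == 0;
    free(orphan);
done:
    destroy_list(page1);   /* also frees clone (now in the list) and page2 */
    return ok;
}

int main(void)
{
    printf("CloneImage demo: %s\n",
           demo_clone_bug() ? "fault reproduced, fix consistent" : "unexpected");
    return 0;
}
```

The point the example makes is the one-line rule behind the crash: a guard must test the pointer that the guarded statement dereferences. In the quoted code the guard looks at `image->next` and the assignment writes through `clone_image->next`, which was just assigned NULL, so the two can never agree; whether the clone is meant to be orphaned or spliced into the list, the check has to be on `clone_image->next`.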
