[Magick-bugs] mogrify(1) bug in calling FT_Outline_Decompose()...

Sean Chittenden sean at chittenden.org
Wed Jan 28 16:21:10 PST 2009 

Hello.  It looks like there is a bug in the way that mogrify(1) calls  
FT_Outline_Decompose(3).  FT_Outline_Decompose() gets passed an  
outline object where n_contours is 1 and the countours pointer is set  
to 0xc and dereferenced with a subscript operator (and crashes in a  
horrible SIGSEGV death *grin*).  Any thoughts?  Very reproducible.

freetype-2.3.8
ImageMagick-6.4.8-3

Thanks in advance.  -sc



% gdb mogrify core
GNU gdb 6.2.1
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and  
you are
welcome to change it and/or distribute copies of it under certain  
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for  
details.
This GDB was configured as "i386-sun-solaris2"...
Core was generated by `mogrify myimage.jpg -strokewidth 1 -pointsize  
12 -fill none'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /opt/local/lib/libMagickCore.so.1...done.
Loaded symbols for /opt/local/lib/libMagickCore.so.1
Reading symbols from /opt/local/lib/libMagickWand.so.1...done.
Loaded symbols for /opt/local/lib/libMagickWand.so.1
Reading symbols from /opt/local/lib/liblcms.so.1...done.
Loaded symbols for /opt/local/lib/liblcms.so.1
Reading symbols from /opt/local/lib/libtiff.so.3...done.
Loaded symbols for /opt/local/lib/libtiff.so.3
Reading symbols from /lib/libc.so.1...done.
Loaded symbols for /lib/libc.so.1
Reading symbols from /opt/local/lib/libjpeg.so.62...done.
Loaded symbols for /opt/local/lib/libjpeg.so.62
Reading symbols from /opt/local/lib/libfontconfig.so.1...done.
Loaded symbols for /opt/local/lib/libfontconfig.so.1
Reading symbols from /opt/local/lib/libexpat.so.1...done.
Loaded symbols for /opt/local/lib/libexpat.so.1
Reading symbols from /opt/local/lib/libiconv.so.2...done.
Loaded symbols for /opt/local/lib/libiconv.so.2
Reading symbols from /usr/lib/libXext.so.0...done.
Loaded symbols for /usr/lib/libXext.so.0
Reading symbols from /usr/lib/libXt.so.4...done.
Loaded symbols for /usr/lib/libXt.so.4
Reading symbols from /usr/lib/libbz2.so.1...done.
Loaded symbols for /usr/lib/libbz2.so.1
Reading symbols from /lib/libpthread.so.1...
warning: Lowest section in /lib/libpthread.so.1 is .dynamic at 00000074
done.
Loaded symbols for /lib/libpthread.so.1
Reading symbols from /opt/local/lib/libfreetype.so.6...done.
Loaded symbols for /opt/local/lib/libfreetype.so.6
Reading symbols from /usr/lib/libz.so.1...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /usr/lib/libSM.so.6...done.
Loaded symbols for /usr/lib/libSM.so.6
Reading symbols from /usr/lib/libICE.so.6...done.
Loaded symbols for /usr/lib/libICE.so.6
Reading symbols from /usr/lib/libX11.so.4...done.
Loaded symbols for /usr/lib/libX11.so.4
Reading symbols from /lib/libsocket.so.1...done.
Loaded symbols for /lib/libsocket.so.1
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libm.so.2...done.
Loaded symbols for /lib/libm.so.2
Reading symbols from /usr/sfw/lib/libgcc_s.so.1...done.
Loaded symbols for /usr/sfw/lib/libgcc_s.so.1
Reading symbols from /opt/local/lib/ImageMagick-6.4.8/modules-Q16/ 
coders/jpeg.so...done.
Loaded symbols for /opt/local/lib/ImageMagick-6.4.8/modules-Q16/coders/ 
jpeg.so
Reading symbols from /lib/libmp.so.2...done.
Loaded symbols for /lib/libmp.so.2
Reading symbols from /lib/libmd.so.1...done.
Loaded symbols for /lib/libmd.so.1
Reading symbols from /lib/libscf.so.1...done.
Loaded symbols for /lib/libscf.so.1
Reading symbols from /lib/libuutil.so.1...done.
Loaded symbols for /lib/libuutil.so.1
Reading symbols from /lib/libgen.so.1...done.
Loaded symbols for /lib/libgen.so.1
Reading symbols from /lib/libdl.so.1...done.
Loaded symbols for /lib/libdl.so.1
Reading symbols from /usr/openwin/lib/libXau.so.6...done.
Loaded symbols for /usr/openwin/lib/libXau.so.6
#0  0xfe7134ec in FT_Outline_Decompose (outline=0x849155c,
     func_interface=0xfee06c1c, user=0x84b0280) at ftoutln.c:93
93            last = outline->contours[n];
(gdb) set args myimage.jpg -strokewidth 1 -pointsize 12 -fill none - 
stroke black -draw " fill none rectangle 0,0 800,600 fill white circle  
400,300 412,300 text 0,12 ' xyw=0,0,800' text 424,300 '(1)' fill none  
rectangle 1,82 531,479 fill white circle 266,280 278,280 text 1,94 '  
xyw=1,82,530' text 290,280 '(2)'" myimage.jpg
(gdb) run
Starting program: mogrify myimage.jpg -strokewidth 1 -pointsize 12 - 
fill none -stroke black -draw " fill none rectangle 0,0 800,600 fill  
white circle 400,300 412,300 text 0,12 ' xyw=0,0,800' text 424,300  
'(1)' fill none rectangle 1,82 531,479 fill white circle 266,280  
278,280 text 1,94 ' xyw=1,82,530' text 290,280 '(2)'" myimage.jpg
warning: Lowest section in /lib/libpthread.so.1 is .dynamic at 00000074

Program received signal SIGSEGV, Segmentation fault.
0xfe7134ec in FT_Outline_Decompose (outline=0x8492094,
     func_interface=0xfee06c1c, user=0x84b0280) at ftoutln.c:93
93            last = outline->contours[n];
(gdb) bt
#0  0xfe7134ec in FT_Outline_Decompose (outline=0x8492094,
     func_interface=0xfee06c1c, user=0x84b0280) at ftoutln.c:93
#1  0xfec28f14 in RenderFreetype (image=0x8071a10, draw_info=0x848f360,
     encoding=0x0, offset=0x8036bb0, metrics=0x8036b20)
     at magick/annotate.c:1538
#2  0xfec2a5d0 in RenderType (image=0x8071a10, draw_info=0x80878a8,
     offset=0x8036bb0, metrics=0x8036b20) at magick/annotate.c:1100
#3  0xfec2ba2b in AnnotateImage (image=0x8071a10, draw_info=0x80876a0)
     at magick/annotate.c:422
#4  0xfec90a1e in DrawPrimitive (image=0x8071a10, draw_info=0x8087498,
     primitive_info=0x8478220) at magick/draw.c:4436
#5  0xfec97851 in DrawImage (image=0x8071a10, draw_info=0x846aee0)
     at magick/draw.c:3113
#6  0xfef16615 in MogrifyImage (image_info=0x8068e28, argc=12,  
argv=0x80673b4,
     image=0x8047664, exception=0x8061bf8) at wand/mogrify.c:1179
#7  0xfef1727b in MogrifyImages (image_info=0x8068e28, post=MagickFalse,
     argc=12, argv=0x80673b4, images=0x80476e4, exception=0x8061bf8)
     at wand/mogrify.c:7624
#8  0xfef17d56 in MogrifyImageCommand (image_info=0x8068e28, argc=13,
     argv=0x80673b0, wand_unused_metadata=0x0, exception=0x8061bf8)
     at wand/mogrify.c:3671
#9  0x08051287 in main (argc=13, argv=0x8047908) at utilities/ 
mogrify.c:118
(gdb) frame 0
#0  0xfe7134ec in FT_Outline_Decompose (outline=0x8492094,
     func_interface=0xfee06c1c, user=0x84b0280) at ftoutln.c:93
93            last = outline->contours[n];
(gdb) p *outline
$1 = {n_contours = 1, n_points = 0, points = 0xd,
   tags = 0x8 <Address 0x8 out of bounds>, contours = 0xc, flags = 4}




--
Sean Chittenden
sean at chittenden.org

More information about the Magick-bugs mailing list