convert segfault if not enough space in tmpdir (linux)

[Anarchist]

media-gfx/imagemagick-6.7.1.0 like rather lot (may be even all) versions before
crashes (segmentation fault) if not enough space in temp dir (current Gentoo
build --- /tmp).

Reproducible: Always

Steps to Reproduce:
1. Set up tmpdir (in my case it's located in / and is about 474M (may be for
check --- as separate file, with initiated filesystem and mounted at /tmp);
2. Prepare test image file (in my case img443.bmp: PC bitmap, Windows 3.x
format, 7158 x 4555 x 24);
3. Try to convert test image:
$ convert img443.bmp test.png
Actual Results:
Segmentation fault

Expected Results:
Successful convertation or error message like "Not enough space in temp
directory", but not segmentation fault.

Oryginally reported in Gentoo bugzilla (strace output is uploaded there):
https://bugs.gentoo.org/show_bug.cgi?id=387373

[magick]

ImageMagick failed in the messaging system when it was trying to deliver a sane exception message (no space on device). A stack trace would be helpful. Also is the messaging system broken? Try

• convert logo: /logo

You should get a "permission denied" exception message.

We tried to reproduce your problem with ImageMagick 6.7.3-1, the latest ImageMagick release and it worked properly (an exception was thrown as expected).

[Anarchist]

ImageMagick failed in the messaging system when it was trying to deliver a sane exception message (no space on device). A stack trace would be helpful.

strace was attached ad downstream bugzilla:
https://387373.bugs.gentoo.org/attachment.cgi?id=290239

Excuse me I've forgot to tell, that source bmp file is 94M size.

Also is the messaging system broken? Try

• convert logo: /logo

You should get a "permission denied" exception message.

It seems to be broken:
$ convert logo: /logo
convert: unable to open image `/logo': @ error/blob.c/OpenBlob/2588.

We tried to reproduce your problem with ImageMagick 6.7.3-1, the latest ImageMagick release and it worked properly (an exception was thrown as expected).

What was the size of source image file?
And how much space were in /tmp?
In a few days (up to about week) I can try to make check with current test version in Gentoo (6.7.3.0).

[magick]

We're looking for a stack trace from gdb so we can identify where in the ImageMagick source distribution the fault occurs.

It appears the messaging system works. The OS throws a Bus Error when disk space is memory mapped and there is not enough disk when a page is mapped. Perhaps there is a problem unwinding from the signal handler. Try this command:

• convert -limit map 0 -limit memory 0 img443.bmp test.png

This forces the image pixels to disk only (no memory map) and if we get a sane exception, it points to a signal handler problem.

If you get a chance, try ImageMagick 6.7.3 and let us know if it works / fails.

[Anarchist]

We're looking for a stack trace from gdb so we can identify where in the ImageMagick source distribution the fault occurs.

It appears the messaging system works. The OS throws a Bus Error when disk space is memory mapped and there is not enough disk when a page is mapped. Perhaps there is a problem unwinding from the signal handler. Try this command:

• convert -limit map 0 -limit memory 0 img443.bmp test.png

This forces the image pixels to disk only (no memory map) and if we get a sane exception, it points to a signal handler problem.

Starting program: /usr/bin/convert -limit map 0 -limit memory 0 img443.bmp test.png
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0xb7daa2a0 in QueueAuthenticNexus () from /usr/lib/libMagickCore.so.4


#0 0xb7daa2a0 in QueueAuthenticNexus () from /usr/lib/libMagickCore.so.4
#1 0xb7daaee9 in QueueAuthenticPixels () from /usr/lib/libMagickCore.so.4
#2 0xb7fdd308 in ?? () from /usr/lib/ImageMagick-6.7.1/modules-Q32/coders/bmp.so
#3 0xb7dd1e5f in ReadImage () from /usr/lib/libMagickCore.so.4
#4 0xb7dd322a in ReadImages () from /usr/lib/libMagickCore.so.4
#5 0xb7c8a876 in ConvertImageCommand () from /usr/lib/libMagickWand.so.4
#6 0xb7d31dc9 in MagickCommandGenesis () from /usr/lib/libMagickWand.so.4
#7 0x080487a2 in ?? ()
#8 0xb7b120f3 in __libc_start_main () from /lib/libc.so.6
#9 0x080486ad in ?? ()

[magick]

The trace suggests memory corruption. If so, is it a general problem or specific to a certain release of ImageMagick or a specific image? Try these commands:

• convert -limit map 0 -limit memory 0 logo: -resize 7158x4555! null:
  convert -limit map 0 -limit memory 0 logo: -resize 7158x4555! test.avs
  convert -limit map 0 -limit memory 0 logo: -resize 7158x4555! test.png
  convert -limit map 0 -limit memory 0 img443.bmp test.avs

Which of these fail? Do they also fail for ImageMagick 6.7.3? If the failure is specific to the BMP image perhaps the image is corrupt or there is a bug in the BMP coder. Can you post a URL to your image so we can download it and attempt to reproduce the bug?

[Anarchist]

If so, is it a general problem or specific to a certain release of ImageMagick or a specific image?

It is neither problem of specific release, nor of the specific image (I remember the same problem with different images ind different releases of ImageMagick).

Try these commands:

• convert -limit map 0 -limit memory 0 logo: -resize 7158x4555! null:
  convert -limit map 0 -limit memory 0 logo: -resize 7158x4555! test.avs
  convert -limit map 0 -limit memory 0 logo: -resize 7158x4555! test.png
  convert -limit map 0 -limit memory 0 img443.bmp test.avs

Which of these fail?

The third one (logo convertation to png).
Result avs are 125 Mb size.

Do they also fail for ImageMagick 6.7.3?

The latest easy available test version is 6.7.3.0.
I'll try to check it tomorrow.

System update (just today) from libpng-1.4 to libpng-1.5 don't change behaviour.

If the failure is specific to the BMP image perhaps the image is corrupt or there is a bug in the BMP coder. Can you post a URL to your image so we can download it and attempt to reproduce the bug?

According to rescribed test (segmentation fault of logo conversion) it seems to be unnecessary.

[magick]

We're reviewing the message subsystem. Unfortunately the problem does not happen for us under Fedora Linux. We get:

• -> convert -limit memory 0 -limit map 0 logo: -resize 5000% info:
  logo: GIF 640x480 640x480+0+0 8-bit PseudoClass 256c 31.7KB 34.560u 0:11.990
  convert: UnableToWritePixelCache `/dev/shm/magick-ILpZ1dKr': No space left on device @ error/cache.c/WritePixelCachePixels/5600.
  convert: unable to extend cache `LOGO': No space left on device @ error/cache.c/OpenPixelCache/4114.

[Anarchist]

We're reviewing the message subsystem. Unfortunately the problem does not happen for us under Fedora Linux.

Could you show df -h for this system (I have just 478Mb space in /tmp)?
What version of ImageMagick you've tested?

Now I've upgrade ImageMagick to 6.7.3.0.
The behaviour changed.
Previously crashes command:

Code: Select all

convert -limit map 0 -limit memory 0 logo: -resize 7158x4555! test.png

now doesn't fall into segmentation fault.
It just stops (does nothing, but command don't finishes) after all available space in /tmp becomes used (but is not enough).


For comparison convertation to jpg fails as it should:

Code: Select all

$ convert img443.bmp test.jpg
convert: Write failed on temporary file --- out of disk space? `test.jpg' @ error/jpeg.c/JPEGErrorHandler/297.