msan: use of uninitialized value in ReadBMPImage
Posted: 2017-01-19T13:01:09-07:00
I want to get image header data, like geometry. To achieve this I load the image in "ping" mode.
Here's the code:

#include <stdio.h>
#include <magick/MagickCore.h>   // ImageMagick 6 header layout, matching the magick/ paths in the trace below

void print_image_geometry(const char *data, size_t len) {
    ImageInfo *image_info = AcquireImageInfo();
    ExceptionInfo *exception_info = AcquireExceptionInfo();
    Image *image = NULL;
    // This alternative doesn't work either
    //image_info->ping = MagickTrue;
    //image = BlobToImage(image_info, data, len, exception_info);
    image = PingBlob(image_info, data, len, exception_info);
    if (image != NULL) {  // PingBlob returns NULL on failure; only then is the geometry valid
        printf("%zu x %zu\n", image->columns, image->rows);  // columns/rows are size_t
        image = DestroyImage(image);
    }
    exception_info = DestroyExceptionInfo(exception_info);
    image_info = DestroyImageInfo(image_info);
}

It works. But when I compile the program with clang++ -fsanitize=memory and feed in a BMP image (you may try http://www.multiresolutions.com/sparses ... nstein.bmp for example) I get the following errors:

==687894==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x549df3 in PushColormapIndex /place/home/realtim/probes/ImageMagick/magick/image.c:3556:7
    #1 0x52d7ed in SyncImage /place/home/realtim/probes/ImageMagick/magick/image.c:3618:13
    #2 0xda54ff in ReadBMPImage /place/home/realtim/probes/ImageMagick/coders/bmp.c:1180:16
    #3 0x647b70 in ReadImage /place/home/realtim/probes/ImageMagick/magick/constitute.c:492:13
    #4 0x879005 in ReadStream /place/home/realtim/probes/ImageMagick/magick/stream.c:974:9
    #5 0x77a2bd in PingBlob /place/home/realtim/probes/ImageMagick/magick/blob.c:2790:9
    #6 0x510c2f in print_image_geometry(char const*, unsigned long) /place/home/realtim/probes/main.cpp:14:13
    #7 0x5116ff in main /place/home/realtim/probes/main.cpp:22:5
    #8 0x7f568048a7ec in __libc_start_main /build/eglibc-oqps9y/eglibc-2.15/csu/libc-start.c:226

SUMMARY: MemorySanitizer: use-of-uninitialized-value /place/home/realtim/probes/ImageMagick/magick/image.c:3556:7 in PushColormapIndex
ORIGIN: invalid (0). Might be a bug in MemorySanitizer origin tracking.
This could still be a bug in your code, too!
Exiting

I tried to investigate the problem myself and so far realized that:
* https://github.com/ImageMagick/ImageMag ... ge.c#L3705 q here is allocated but not initialized, and msan is right as such.
* Looks like the problem is that ping mode assumes both nexus_info->authentic_pixel_cache == MagickTrue and that nexus_info->cache does not need to be populated. Anyway, it is accessed in SyncImage.
* https://github.com/ImageMagick/ImageMag ... bmp.c#L922 This place seems very good to finish the work when dealing with headers only, but image_info->number_scenes is zero and so the execution proceeds further.

Question is valid both for 6.9.6 and 7.0.4-4.
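As an added example (not code from the post above and not ImageMagick's own implementation), here is a self-contained, header-only BMP geometry reader in C that does what a "ping" is meant to do: it reads the BITMAPFILEHEADER and the DIB header, bounds-checks every field against the blob length before loading it, and never touches pixel data or a colormap, so there is no pixel cache to sync and nothing uninitialized to read. It goes slightly beyond the post's case by accepting both the 12-byte BITMAPCOREHEADER and the 40-byte-or-larger BITMAPINFOHEADER family, and by handling a negative biHeight (top-down rows). The type and function names are hypothetical and the header bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Geometry recovered from the BMP headers alone. Hypothetical type, not an ImageMagick API. */
typedef struct {
    uint32_t file_size;     /* bfSize: the size the file claims to have */
    uint32_t pixel_offset;  /* bfOffBits: where pixel data would start; never dereferenced here */
    uint32_t header_size;   /* biSize: 12 for BITMAPCOREHEADER, 40 or more for BITMAPINFOHEADER and successors */
    int64_t  width;
    int64_t  height;        /* always positive; top_down records the sign of biHeight */
    int      top_down;
    uint16_t bpp;
} bmp_geometry;

/* BMP fields are little-endian; assemble them byte by byte so loads are endian- and alignment-safe. */
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Header-only "ping": returns 0 on success, a negative code on malformed or truncated input.
 * Every load is preceded by a length check, so a short blob is rejected rather than over-read,
 * and no pixel or colormap bytes are read at all. */
int bmp_ping(const unsigned char *data, size_t len, bmp_geometry *out)
{
    memset(out, 0, sizeof *out);
    if (len < 14 + 4) return -1;                      /* BITMAPFILEHEADER plus the biSize field */
    if (data[0] != 'B' || data[1] != 'M') return -2;  /* magic */
    out->file_size    = rd32(data + 2);
    out->pixel_offset = rd32(data + 10);
    out->header_size  = rd32(data + 14);
    if (out->header_size == 12) {                     /* OS/2 BITMAPCOREHEADER: 16-bit unsigned dimensions */
        if (len < 14 + 12) return -3;
        out->width  = rd16(data + 18);
        out->height = rd16(data + 20);
        out->bpp    = rd16(data + 24);
    } else if (out->header_size >= 40) {              /* BITMAPINFOHEADER: 32-bit signed dimensions */
        if (len < 14 + 40) return -3;
        int32_t w = (int32_t)rd32(data + 18);
        int32_t h = (int32_t)rd32(data + 22);
        if (w <= 0 || h == 0) return -4;
        out->width    = w;
        out->top_down = h < 0;                        /* negative biHeight means rows are stored top-down */
        out->height   = h < 0 ? -(int64_t)h : h;      /* widen before negating: INT32_MIN would overflow */
        out->bpp      = rd16(data + 28);
    } else {
        return -5;                                    /* unknown DIB header size */
    }
    if (out->width == 0 || out->height == 0) return -4;
    if (out->pixel_offset < 14 + out->header_size) return -6; /* pixels cannot start inside the headers */
    return 0;
}

/* One-number wrappers for callers that only want geometry; -1 on any error. */
int64_t bmp_ping_columns(const unsigned char *d, size_t n) { bmp_geometry g; return bmp_ping(d, n, &g) == 0 ? g.width  : -1; }
int64_t bmp_ping_rows(const unsigned char *d, size_t n)    { bmp_geometry g; return bmp_ping(d, n, &g) == 0 ? g.height : -1; }
int     bmp_ping_top_down(const unsigned char *d, size_t n){ bmp_geometry g; return bmp_ping(d, n, &g) == 0 ? g.top_down : -1; }

/* Constructed sample: the 54 header bytes of a 2x3, 24-bit BMP, with no pixel data attached. */
static const unsigned char sample_bmp_headers[54] = {
    'B','M', 0x4E,0x00,0x00,0x00, 0x00,0x00, 0x00,0x00, 0x36,0x00,0x00,0x00,                 /* bfSize=78, bfOffBits=54 */
    0x28,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x03,0x00,0x00,0x00, 0x01,0x00, 0x18,0x00,     /* biSize=40, 2x3, 1 plane, 24 bpp */
    0x00,0x00,0x00,0x00, 0x18,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00                                                   /* BI_RGB, 24 image bytes, rest zero */
};
/* Same headers with biHeight = -3, i.e. top-down row order. */
static const unsigned char sample_bmp_topdown[54] = {
    'B','M', 0x4E,0x00,0x00,0x00, 0x00,0x00, 0x00,0x00, 0x36,0x00,0x00,0x00,
    0x28,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0xFD,0xFF,0xFF,0xFF, 0x01,0x00, 0x18,0x00,
    0x00,0x00,0x00,0x00, 0x18,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00
};

int main(void)
{
    bmp_geometry g;
    int rc = bmp_ping(sample_bmp_headers, sizeof sample_bmp_headers, &g);
    printf("rc=%d %lld x %lld, %u bpp, top_down=%d\n", rc,
           (long long)g.width, (long long)g.height, (unsigned)g.bpp, g.top_down);
    rc = bmp_ping(sample_bmp_headers, 20, &g);        /* truncated blob: rejected instead of over-read */
    printf("truncated rc=%d\n", rc);
    return 0;
}
```

The point of the length checks before each load is the same one MemorySanitizer makes above: a header-only path must not rely on state that was never populated, and that includes bytes past the end of a short blob. Feeding this routine the headers of a real file (the first 54 bytes are enough) gives the geometry without any pixel decoding.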