Bug 1001122
| Field | Value |
|---|---|
| Summary | malloc memory corruption |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Roman Rakus <rrakus> |
| Component | python-pillow |
| Assignee | Michal Minar <miminar> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Adam Kolář <akolar> |
| Severity | high |
| Priority | unspecified |
| Version | 7.0 |
| CC | bkabrda, david.m.highley, dmalcolm, ivazqueznet, jamatos, jcapik, jonathansteffan, lilyfan, manisandro, tomspur, tsmetana |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Fixed In Version | python-pillow-2.0.0-14.gitd1c6db8.el7 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Clone Of | 995783 |
| Last Closed | 2014-06-13 10:29:36 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 995783 |
| Bug Blocks | 982412 |

Description
Roman Rakus
2013-08-26 14:17:07 UTC
Roman, are you looking at this, or should I have a look?

(In reply to Sandro Mani from comment #2)
> Roman, are you looking at this, or should I have a look?

Not right now. You can look at this, or I will next week.

Ok, I will give it a shot today or tomorrow.

Hi Sandro. If you're going to look at that, please consider looking at the patch attached to Bug 995783. It doesn't resolve the issue, but it replaces all libc memory manipulations with the PyMem ones (recommended by the Python upstream). I tried to do some analysis yesterday and it seems the allocation called from ImagingNewPrologueSubtype does not cause the corruption. The memory is very probably corrupted elsewhere and consequently the ImagingNewPrologueSubtype allocation fails. Regards, Jaromir.

Hi Jaromir, did you check whether valgrind memcheck gives any useful info?

Hi Sandro. Yes, I did, but it was not very helpful without a deep analysis.

Created attachment 791430
pysol-valgrind.txt

The missing piece of the puzzle is called _putpalette. Debugging now ...

Created attachment 791495
Valgrind output with debuginfo

I'm at it too. So basically the palettesize value passed to putpalette is wrong (i.e. 3510). The palette is passed at Image.py:601, which is called from Image.py:699, and at Image.py:697 the palette is constructed. Now we would need to find out who is responsible for the wrong palettesize value.
(attached is a valgrind output with debuginfos installed).

That's exactly what I've found out. But it makes no sense to duplicate the effort. If you're looking at the issue right now, it makes no sense for me to continue. Hopefully you'll find the root cause soon. Thanks and good luck :] Cheers, Jaromir.

Right, well basically the incorrect statement is at Image.py:696
bytePalette = bytes([i//3 for i in range(768)])
yields an array of size 3510 instead of 768 as intended. I guess the problem is that the i//3 entries should be uint8_t?

The internal expression returns 768. It's the bytes() conversion that makes the evil.

Btw ... maybe there should be an assert in the ImagingUnpackRGB, checking if the palettesize is < 256. That would help to resolve future issues like that ...

The author probably wanted to use bytearray() instead of bytes(). That needs to be analysed first.

Right, reported upstream with suggested fix: https://github.com/python-imaging/Pillow/pull/325

Assertion: I'll add it to the pull request.

*** Bug 995783 has been marked as a duplicate of this bug. ***

I've pushed fixed builds to f19, f20 and rawhide, but I guess this bug should be closed when the update hits rhel7?

Of course.

Right, reassigning. Thanks Jaromir for your effort.

I thank you for taking care of it so quickly.

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
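
The 3510 figure from the thread can be reproduced: under Python 2, bytes is an alias for str, so bytes(list) returns the list's text representation rather than one byte per element. The following is an added example, not code from Pillow or from the participants in this bug; it runs on Python 3 and emulates the Python 2 behaviour with str(), and check_palette with its 256-entry limit is a hypothetical guard assumed for illustration.

```python
"""Reproduce the palette-size mix-up discussed in this bug (added example)."""

PALETTE_ENTRIES = 256                 # assumed maximum number of palette entries
RGB_BYTES = PALETTE_ENTRIES * 3       # 768 raw bytes for an "RGB" palette


def py2_bytes(values):
    """Emulate Python 2, where bytes is str: bytes(list) is the list's repr."""
    return str(list(values)).encode("ascii")


def grey_palette_buggy():
    """Result of the Image.py:696 statement when run under Python 2."""
    return py2_bytes(i // 3 for i in range(RGB_BYTES))


def grey_palette_fixed():
    """One byte per channel value, identical on Python 2 and Python 3."""
    return bytes(bytearray(i // 3 for i in range(RGB_BYTES)))


def check_palette(data, bytes_per_entry=3):
    """Hypothetical guard: refuse palette data that exceeds 256 entries
    before it is handed to native code. Returns the entry count."""
    if len(data) % bytes_per_entry:
        raise ValueError("palette length %d is not a multiple of %d"
                         % (len(data), bytes_per_entry))
    entries = len(data) // bytes_per_entry
    if entries > PALETTE_ENTRIES:
        raise ValueError("palette has %d entries, maximum is %d"
                         % (entries, PALETTE_ENTRIES))
    return entries


if __name__ == "__main__":
    bad, good = grey_palette_buggy(), grey_palette_fixed()
    print("buggy:", len(bad), "bytes, starts with", bad[:12])
    print("fixed:", len(good), "bytes, starts with", list(good[:6]))
    print("fixed palette entries:", check_palette(good))
    try:
        check_palette(bad)
    except ValueError as exc:
        print("buggy palette rejected:", exc)
```

The buggy value is the ASCII text "[0, 0, 0, 1, 1, 1, ..." and happens to be a multiple of three bytes long, so only the entry-count check rejects it.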