Bug 1993193

Summary:	Segfaults on s390x
Product:	[Fedora] Fedora	Reporter:	Vít Ondruch <vondruch>
Component:	ImageMagick	Assignee:	Vít Ondruch <vondruch>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	rawhide	CC:	fedora, mike, nforro, pahan, phracek
Target Milestone:	---
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	ImageMagick-6.9.11.27-8.fc36	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2021-08-31 15:14:41 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Vít Ondruch 2021-08-12 13:57:40 UTC

Description of problem:
It started with rubygem-activestorage test suite failures on s390x:

https://github.com/rails/rails/issues/42957

And continues with upstream report:

https://github.com/ImageMagick/ImageMagick6/issues/164




Version-Release number of selected component (if applicable):
$ rpm -q ImageMagick
ImageMagick-6.9.11.27-5.fc35.s390x


How reproducible:


Steps to Reproduce:
1. $ curl -OL https://github.com/rails/rails/raw/77b7835a6af96cf85bc9e01ee0c19924063a9af0/activestorage/test/fixtures/files/racecar.tif
2. $ convert racecar.tif -auto-orient -resize 50x50 racecar.png
Aborted (core dumped)


or

3. $ curl -OL https://github.com/rails/rails/raw/13722000baa4ba896682255fc2a3cd975d2a177d/activestorage/test/fixtures/files/racecar.tif
4. $ convert racecar.tif -auto-orient -resize 50x50 racecar.png
malloc(): unsorted double linked list corrupted
Aborted (core dumped)


Actual results:


Expected results:


Additional info:


It seems that ImageMagick is borked on s390x. Is it due to LTO? Here are the relevant backtraces:

~~~
$ gdb --args convert racecar.tif -auto-orient -resize 50x50 racecar.png
GNU gdb (GDB) Fedora 10.2-6.fc35
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "s390x-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from convert...
Reading symbols from /usr/lib/debug/usr/bin/convert-6.9.11.27-5.fc35.s390x.debug...
(gdb) r
Starting program: /usr/bin/convert racecar.tif -auto-orient -resize 50x50 racecar.png
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x000003fffd930762 in __GI___strcasecmp (s1=0xaa020000c0500300 <error: Cannot access memory at address 0xaa020000c0500300>, s2=0x2aa00078160 "tiff:timestamp") at strcasecmp.c:58
58	  while ((result = TOLOWER (*p1) - TOLOWER (*p2++)) == 0)
(gdb) bt
#0  0x000003fffd930762 in __GI___strcasecmp (s1=0xaa020000c0500300 <error: Cannot access memory at address 0xaa020000c0500300>, s2=0x2aa00078160 "tiff:timestamp") at strcasecmp.c:58
#1  0x000003fffdd7fc50 in Splay (splay_tree=splay_tree@entry=0x2aa00034fa0, depth=depth@entry=2, key=key@entry=0x2aa00078160, node=0x2aa00035158, parent=parent@entry=0x2aa0007d858, grandparent=0x2aa00034fa0)
    at magick/splay-tree.c:1533
#2  0x000003fffdd7fca4 in Splay (splay_tree=splay_tree@entry=0x2aa00034fa0, depth=depth@entry=1, key=key@entry=0x2aa00078160, node=0x2aa0007d858, parent=parent@entry=0x2aa00034fa0, grandparent=0x0)
    at magick/splay-tree.c:1549
#3  0x000003fffdd7fca4 in Splay (splay_tree=splay_tree@entry=0x2aa00034fa0, depth=depth@entry=0, key=key@entry=0x2aa00078160, node=node@entry=0x2aa00034fa0, parent=parent@entry=0x0, grandparent=0x0)
    at magick/splay-tree.c:1549
#4  0x000003fffdd85fce in SplaySplayTree (splay_tree=splay_tree@entry=0x2aa00034fa0, key=key@entry=0x2aa00078160) at magick/splay-tree.c:1624
#5  0x000003fffdd86f12 in AddValueToSplayTree (splay_tree=0x2aa00034fa0, key=0x2aa00078160, value=0x2aa00077fc0) at magick/splay-tree.c:163
#6  0x000003fffb791e9e in TIFFGetProperties (image=0x2aa0002f940, tiff=0x2aa00032dd0) at coders/tiff.c:705
#7  ReadTIFFImage (image_info=0x2aa0001a6f0, exception=0x2aa0000ba50) at coders/tiff.c:1444
#8  0x000003fffdc7d95c in ReadImage (image_info=0x2aa00016270, exception=0x2aa0000ba50) at magick/constitute.c:554
#9  0x000003fffdc7ea42 in ReadImages (image_info=0x2aa00011df0, exception=0x2aa0000ba50) at magick/constitute.c:955
#10 0x000003fffdac1810 in ConvertImageCommand (image_info=0x2aa00011df0, image_info@entry=0x2aa0000d310, argc=<optimized out>, argc@entry=6, argv=<optimized out>, argv@entry=0x3fffffff448, 
    metadata=<optimized out>, metadata@entry=0x0, exception=exception@entry=0x2aa0000ba50) at wand/convert.c:601
#11 0x000003fffdb3458c in MagickCommandGenesis (image_info=0x2aa0000d310, command=0x3fffdac0ca0 <ConvertImageCommand>, argc=<optimized out>, argv=0x3fffffff448, metadata=<optimized out>, 
    exception=0x2aa0000ba50) at wand/mogrify.c:173
#12 0x000002aa00000966 in ConvertMain (argv=0x3fffffff448, argc=6) at utilities/convert.c:81
#13 main (argc=<optimized out>, argv=0x3fffffff448) at utilities/convert.c:92
~~~

and

~~~
$ gdb --args convert racecar.tif -auto-orient -resize 50x50 racecar.png
GNU gdb (GDB) Fedora 10.2-6.fc35
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "s390x-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from convert...
Reading symbols from /usr/lib/debug/usr/bin/convert-6.9.11.27-5.fc35.s390x.debug...
(gdb) r
Starting program: /usr/bin/convert racecar.tif -auto-orient -resize 50x50 racecar.png
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
malloc(): unsorted double linked list corrupted

Program received signal SIGABRT, Aborted.
__pthread_kill_internal (threadid=<optimized out>, signo=<optimized out>) at pthread_kill.c:45
45	      val = (INTERNAL_SYSCALL_ERROR_P (val)
(gdb) bt
#0  __pthread_kill_internal (threadid=<optimized out>, signo=<optimized out>) at pthread_kill.c:45
#1  0x000003fffd91ed02 in __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at pthread_kill.c:62
#2  0x000003fffd8d03e0 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x000003fffd8b3480 in __GI_abort () at abort.c:79
#4  0x000003fffd911d94 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x3fffda113ea "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#5  0x000003fffd928f20 in malloc_printerr (str=str@entry=0x3fffda0fb2c "malloc(): unsorted double linked list corrupted") at malloc.c:5543
#6  0x000003fffd92c374 in _int_malloc (av=av@entry=0x3fffda49d48 <main_arena>, bytes=bytes@entry=4128) at malloc.c:3897
#7  0x000003fffd92d534 in __GI___libc_malloc (bytes=4128) at malloc.c:3208
#8  0x000003fffdd92d68 in AcquireStringInfoContainer () at magick/string.c:177
#9  BlobToStringInfo (blob=0x2aa000340c0, length=1725) at magick/string.c:234
#10 0x000003fffb78af12 in ReadProfile (image=image@entry=0x2aa0002f940, name=name@entry=0x3fffb797a94 "iptc", datum=<optimized out>, length=<optimized out>) at coders/tiff.c:564
#11 0x000003fffb79187e in ReadProfile (length=<optimized out>, datum=<optimized out>, name=<optimized out>, image=<optimized out>) at coders/tiff.c:562
#12 TIFFGetProfiles (image=0x2aa0002f940, tiff=0x2aa00032dd0) at coders/tiff.c:650
#13 ReadTIFFImage (image_info=0x2aa0001a6f0, exception=0x2aa0000ba50) at coders/tiff.c:1437
#14 0x000003fffdc7d95c in ReadImage (image_info=0x2aa00016270, exception=0x2aa0000ba50) at magick/constitute.c:554
#15 0x000003fffdc7ea42 in ReadImages (image_info=0x2aa00011df0, exception=0x2aa0000ba50) at magick/constitute.c:955
#16 0x000003fffdac1810 in ConvertImageCommand (image_info=0x2aa00011df0, image_info@entry=0x2aa0000d310, argc=<optimized out>, argc@entry=6, argv=<optimized out>, argv@entry=0x3fffffff448, 
    metadata=<optimized out>, metadata@entry=0x0, exception=exception@entry=0x2aa0000ba50) at wand/convert.c:601
#17 0x000003fffdb3458c in MagickCommandGenesis (image_info=0x2aa0000d310, command=0x3fffdac0ca0 <ConvertImageCommand>, argc=<optimized out>, argv=0x3fffffff448, metadata=<optimized out>, 
    exception=0x2aa0000ba50) at wand/mogrify.c:173
#18 0x000002aa00000966 in ConvertMain (argv=0x3fffffff448, argc=6) at utilities/convert.c:81
#19 main (argc=<optimized out>, argv=0x3fffffff448) at utilities/convert.c:92
(gdb) 
~~~

Comment 1 Vít Ondruch 2021-08-12 13:58:32 UTC

@dhorak since this seems to be platform specific and rather strange that IM would be that broken, could you please take a look?

Comment 2 Vít Ondruch 2021-08-23 15:14:31 UTC

Doing quick check, the convert command above worked on Fedora 33 with ImageMagick-1:6.9.11.27-1.fc33.s390x + libtiff-4.1.0-8.fc33.s390x, but it does not work in:

* Fedora 34 with ImageMagick-1:6.9.11.27-3.fc34.s390x + libtiff-4.2.0-1.fc34.s390x
* Fedora 35 with ImageMagick-1:6.9.11.27-6.fc35.s390x + libtiff-4.3.0-2.fc35.s390x
* Fedora Rawhide with ImageMagick-1:6.9.11.27-7.fc36.s390x + libtiff-4.3.0-2.fc35.s390x

So this really might be libtiff issue.

Comment 3 Nikola Forró 2021-08-26 15:04:40 UTC

This is not a libtiff issue. The problem is in coders/tiff.c:

 637 #if defined(TIFFTAG_RICHTIFFIPTC) && (TIFFLIB_VERSION >= 20191103)
 638   if ((TIFFGetField(tiff,TIFFTAG_RICHTIFFIPTC,&length,&profile) == 1) &&
 639       (profile != (unsigned char *) NULL))
 640     {
 641       const TIFFField
 642         *field;
 643 
 644       if (TIFFIsByteSwapped(tiff) != 0)
 645         TIFFSwabArrayOfLong((uint32 *) profile,(size_t) length);
 646       field=TIFFFieldWithTag(tiff,TIFFTAG_RICHTIFFIPTC);
 647       if (TIFFFieldDataType(field) == TIFF_LONG)
 648         status=ReadProfile(image,"iptc",profile,4L*length);
 649       else
 650         status=ReadProfile(image,"iptc",profile,length);
 651     }
 652 #endif

TIFFSwabArrayOfLong() expects as its second argument the length of an array of 4-byte elements, but in this case the length variable represents a length in bytes, because the input image contains TIFFTAG_RICHTIFFIPTC with associated profile data stored as TIFF_UNDEFINED, not TIFF_LONG. So the function accesses and modifies memory it's not supposed to and that later leads to the crash.

It's already fixed upstream:
https://github.com/ImageMagick/ImageMagick/commit/d1b3b2513f8fb48a3958230e3a1de0e3c21913a0

Comment 4 Michael Cronenworth 2021-08-26 15:08:02 UTC

If someone wants to take primary ownership of ImageMagick please step forward. I do not have the time to dedicate to this package. I only picked it up because it was going to be orphaned and so many applications rely on it.

Comment 5 Vít Ondruch 2021-08-27 14:04:31 UTC

There is also ImageMagick6 fix:
https://github.com/ImageMagick/ImageMagick6/commit/112051a709f83f13ca2b9ab63007d4a41b0a9beb

I have opened PR:
https://src.fedoraproject.org/rpms/ImageMagick/pull-request/4

I'll merge ~Monday if nobody objects.

Comment 6 Vít Ondruch 2021-08-27 14:05:26 UTC

(In reply to Nikola Forró from comment #3)
BTW thx a lot for your analysis!

Comment 7 Vít Ondruch 2021-08-31 14:29:06 UTC

I took the liberty and merged the PR myself. The build is underway.

Comment 8 Fedora Update System 2021-08-31 15:13:38 UTC

FEDORA-2021-7f3753c9e8 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2021-7f3753c9e8

Comment 9 Fedora Update System 2021-08-31 15:14:41 UTC

FEDORA-2021-7f3753c9e8 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.