Number: 1775
Title: gvRenderData heap corruption
Submitter: T. Farago
Date: Wed Sep 23 10:09:09 2009
Subsys: Output generation
Version: 2.22, 2.24 and 2.25
System: x86-Windows-XP
Severity: major
Problem:
when using gvRenderData() to render to a memory location, freeing that memory location results in a heap corruption. If I understand the code correctly, gv allocates the memory itself, so the following code should be valid:

..
const char* format = "png";   /* bmp and jpg were tested as well */
char* buf = NULL;
unsigned int len = 0;
gvRenderData(gv, g, format, &buf, &len);
..
free(buf);                    /* heap corruption is raised here */

However, this triggers a heap corruption exception on Windows. Probably somewhere inside the function a buffer overflow occurs.

Output tested was bmp, png and jpg; possibly more are affected.
Input:

#include <stdlib.h>
#include <gvc.h>

int main(void)
{
    GVC_t* gv = gvContext();
    Agraph_t* g = agopen("test", AGDIGRAPH);
    agnodeattr(g, "shape", "note");

    Agnode_t* n1 = agnode(g, "node 1");
    Agnode_t* n2 = agnode(g, "node 2");
    Agedge_t* e  = agedge(g, n1, n2);
    gvLayout(gv, g, "dot");

    const char* format = "png";   /* bmp and jpg reproduce it as well */
    char* buf = NULL;
    unsigned int len = 0;
    gvRenderData(gv, g, format, &buf, &len);
    free(buf);                    /* heap corruption is raised here on Windows */

    gvFreeLayout(gv, g);
    agclose(g);
    gvFreeContext(gv);
    return 0;
}
Comments:
[erg] No problem on mac or linux.

[arif] That code runs fine on release libs too. He needs to send us more information. Since the original code didn't work on Visual Studio, I suspect he uses a different compiler.

[tamas]

Sorry for the very late reply, but there is no status notification when people react to your bug. So I checked the status for a while, but nothing happened, then I just gave up. Back on topic:

I am using the MSVC 9.0 compiler; attached you will find a zip file of the whole application including the project file. The example also works (the example I posted didn't because I mistyped 'length' and didn't define 'format'). I have tried this code with graphviz 2.25.20090923.0445, 2.24 and 2.22.

There is a heap corruption when free(buf) is executed.

> HEAP[test2.exe]: Invalid Address specified to RtlFreeHeap( 00500000, 00FFE9C8 )
> Windows has triggered a breakpoint in test2.exe.
> This may be due to a corruption of the heap, which indicates a bug in test2.exe or any of the DLLs it has loaded.
> This may also be due to the user pressing F12 while test2.exe has focus.
> The output window may have more diagnostic information.

test2.vcproj and main.cpp

[tamas] ... zip files are rejected by your domain...

[north] Thank you for submitting the bug report.

We will investigate this further when we can. We appreciate your providing the information.

[arif] Change the extension to something else and try to resend; that might work. And also there is a 10 MB limit, I believe.

[amelek] This bug ( http://www.graphviz.org/bugs/b1775.html ) is probably caused by an incompatibility between the heap implementation used by the graphviz DLL (in which malloc was called) and the program heap (in which free is called). It's (usually) impossible to free memory allocated by software compiled with a different compiler. See http://forums.ni.com/ni/board/message?board.id=180&thread.id=39190 .
The only possible fix I see is to provide a free() method from the DLL. Adding something like gvFreeMemory(void*) could probably fix this bug.
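The remedy described in the comment above, as an added example that is not Graphviz's own code: the library that allocates a render buffer also exports the call that releases it, so the caller never passes the buffer to its own runtime's free(). The names lib_render_data, lib_owns and lib_free and the "rendered as ..." output are hypothetical stand-ins for gvRenderData and a gvFreeMemory-style export.

```c
/* Added example, not Graphviz code: the "export a free() from the DLL"
 * remedy proposed above.  The library records every buffer it hands out,
 * so its release call can reject a pointer it never allocated or one
 * released twice.  lib_render_data, lib_owns and lib_free are hypothetical
 * stand-ins for gvRenderData and a gvFreeMemory-style export. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LIB_MAX_LIVE 16
static void *lib_live[LIB_MAX_LIVE];  /* outstanding blocks, library side */

/* Stand-in for gvRenderData(): output goes into a library-owned buffer. */
static char *lib_render_data(const char *format, size_t *len)
{
    char text[64];
    int n = snprintf(text, sizeof text, "rendered as %s", format);
    int slot = 0;
    while (slot < LIB_MAX_LIVE && lib_live[slot] != NULL) slot++;
    if (slot == LIB_MAX_LIVE) return NULL;  /* registry full: refuse, never hand out an untracked block */
    char *p = malloc((size_t)n + 1);
    if (p == NULL) return NULL;
    memcpy(p, text, (size_t)n + 1);
    lib_live[slot] = p;
    if (len) *len = (size_t)n;
    return p;
}

/* 1 if p is a buffer this library allocated and has not yet released. */
static int lib_owns(const void *p)
{
    for (int i = 0; p != NULL && i < LIB_MAX_LIVE; i++)
        if (lib_live[i] == p) return 1;
    return 0;
}

/* The gvFreeMemory-style export.  Callers write lib_free(buf), never
 * free(buf), so the block returns to the heap that created it.
 * Returns 1 if released, 0 if p was not ours (foreign or already freed). */
static int lib_free(void *p)
{
    for (int i = 0; p != NULL && i < LIB_MAX_LIVE; i++) {
        if (lib_live[i] != p) continue;
        lib_live[i] = NULL;
        free(p);
        return 1;
    }
    return 0;
}
```

On Windows the registry would live inside the DLL next to its CRT heap; the caller-side rule is the same as in the report: a buffer obtained from the library goes back through lib_free(), not free().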

[erg]

I suppose this could be the problem, though since we both use MS compilers (but different versions), one might have hoped for binary compatibility. And if it's really a case of different heaps, that's just sicko. It's certainly contrary to the spirit of the C library.

There is also the issue that came up earlier, in that the API uses FILE, which can be very different depending on what compilation system is used.

A workaround is to use the provided project files to build Graphviz from source. This would handle any compiler incompatibilities, but would not take care of the DLL and main using separate heaps.
Owner: arif
Status: *