Graphviz Issue Tracker
Mantis Bug Tracker

View Issue Details

ID: 0001721
Project: graphviz
Category: Output Generation
View Status: public
Date Submitted: 2009-09-23 10:09
Last Update: 2014-05-11 08:37
Reporter: T. Farago
Assigned To: Arif Bilgin
Priority: normal
Severity: major
Reproducibility: always
Status: acknowledged
Resolution: open
Platform / OS / OS Version: x86-Windows-XP
Summary: 0001721: gvRenderData heap corruption
Description



When using gvRenderData() to render to a memory location, freeing that memory location results in heap corruption. If I understand the code correctly, gv allocates the memory itself, so the following code should be valid:
<CD>
..
char* buf = NULL;
unsigned int len = 0;
gvRenderData(gv, g, format, &buf, &len);
..
free(buf);
</CD>



However, this triggers a heap corruption exception on Windows. Probably somewhere inside the function a buffer overflow occurs.



Output tested was bmp, png and jpg, possibly more are affected
Steps To Reproduce

<CD>
#include <stdlib.h>
#include <gvc.h>

int main(void)
{
    GVC_t* gv = gvContext();
    Agraph_t* g = agopen("test", AGDIGRAPH);
    agnodeattr(g, "shape", "note");

    Agnode_t* n1 = agnode(g, "node 1");
    Agnode_t* n2 = agnode(g, "node 2");
    Agedge_t* e = agedge(g, n1, n2);
    gvLayout(gv, g, "dot");

    /* render into a buffer allocated by the library; "png" stands in for
       the output format under test (bmp and jpg behave the same) */
    const char* format = "png";
    char* buf = NULL;
    unsigned int len = 0;
    gvRenderData(gv, g, format, &buf, &len);
    free(buf);   /* this free() triggers the heap corruption on Windows */

    gvFreeLayout(gv, g);
    agclose(g);
    gvFreeContext(gv);
    return 0;
}
</CD>
Additional Information

[erg] No problem on mac or linux.

[arif] That code runs fine on release libs too.
He needs to send us more information.
Since the original code didn't work on visual studio I suspect he uses a
different compiler.

[tamas]

Sorry for the very late reply, but there is no status notification when people react to your bug. So I checked the status for a while, but nothing happened, then I just gave up. Back on topic:

I am using the MSVC 9.0 compiler; attached you will find a zip file of the whole application including the project file. The example also works (the example I posted didn't, because I mistyped 'length' and didn't define 'format'). I have tried this code with graphviz 2.25.20090923.0445, 2.24 and 2.22.

There is a heap corruption when free(buf) is executed.

> HEAP[test2.exe]: Invalid Address specified to RtlFreeHeap( 00500000, 00FFE9C8 )
> Windows has triggered a breakpoint in test2.exe.
> This may be due to a corruption of the heap, which indicates a bug in test2.exe or any of the DLLs it has loaded.
> This may also be due to the user pressing F12 while test2.exe has focus.
> The output window may have more diagnostic information.

test2.vcproj (attached as b1775.vcproj) and main.cpp (attached as b1775.cpp)

[tamas]
... zip files are rejected by your domain...

[north]
Thank you for submitting the bug report.

We will investigate this further when we can.
We appreciate your providing the information.

[arif]
Change the extension to something else and try to resend; that might work.
Also, there is a 10 MB limit, I believe.

[amelek]
This bug ( http://www.graphviz.org/bugs/b1775.html ) is probably
caused by an incompatibility between the heap implementation used by the graphviz dll
(in which malloc was called) and the program heap (in which free is
called). It's (usually) impossible to free memory allocated by
software compiled with a different compiler. See
http://forums.ni.com/ni/board/message?board.id=180&thread.id=39190 .
The only possible fix I see is to provide a free() method from the dll. Adding
something like gvFreeMemory(void*) could probably fix this bug.

[erg]

I suppose this could be the problem, though since we both use MS compilers (but different versions),
one might have hoped for binary compatibility. And if it's really a case of different heaps, that's
just sicko. It's certainly contrary to the spirit of the C library.

There is also the issue that came up earlier, in that the API uses FILE, which can be very different
depending on what compilation system is used.

A workaround is to use the provided project files to build Graphviz from source. This would handle
any compiler incompatibilities, but would not take care of the DLL and main using separate heaps.


Tags: No tags attached.
AUXILLARY-FILES: http://www.graphviz.org/bugs/b1775.vcproj , http://www.graphviz.org/bugs/b1775.cpp
DATE-FIXED:
FIX-COMMENT:
FORMER-ID: 1775
INPUT-FILE:
OUTPUT-FILE:
STATUS-COMMENT: *
VERSION: 2.22, 2.24 and 2.25
Attached Files

Relationships

Notes

(0000348) erg (administrator), 2013-05-30 14:20

I have added a library function gvFreeRenderData() which can be used to free the
data allocated by gvRenderData(). This should get around any incompatibilities in the various system libraries used.
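An added example, not Graphviz code, illustrating the ownership pairing amelek proposes in the Additional Information above and erg's note describes (a gvFreeRenderData()-style release routine next to the allocating call). The library side allocates render output from its own allocator and exposes the only routine that can correctly release it; the caller never passes that pointer to its own free(). The names render_data, free_render_data, lib_alloc, lib_free, lib_outstanding, caller_round_trip and misuse_is_detected, the fixed-slot pool (which stands in for the DLL's separate C runtime heap so everything runs in one file) and the "image" bytes are all assumptions constructed for this demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ---- Library side (hypothetical; stands in for the DLL) ---------------- */

/* A private fixed-slot pool stands in for the DLL's own C runtime heap.
 * Memory from here is not the caller's malloc() memory, so a caller's
 * free() on it is exactly the cross-heap release the thread describes. */
#define POOL_SLOTS  4
#define SLOT_SIZE   256
#define PIXEL_BYTES 16          /* constructed payload size */

static char pool[POOL_SLOTS][SLOT_SIZE];
static int  pool_used[POOL_SLOTS];

static void *lib_alloc(size_t n) {
    if (n > SLOT_SIZE) return NULL;
    for (int i = 0; i < POOL_SLOTS; i++)
        if (!pool_used[i]) { pool_used[i] = 1; return pool[i]; }
    return NULL;
}

/* Returns 1 when p is a live pool block (and releases it), 0 otherwise.
 * Refusing unknown pointers is something a real heap cannot do safely. */
static int lib_free(void *p) {
    for (int i = 0; i < POOL_SLOTS; i++)
        if ((void *)pool[i] == p && pool_used[i]) { pool_used[i] = 0; return 1; }
    return 0;
}

/* Number of blocks still handed out; lets the caller confirm no leak. */
int lib_outstanding(void) {
    int n = 0;
    for (int i = 0; i < POOL_SLOTS; i++) n += pool_used[i];
    return n;
}

/* Modelled on gvRenderData(gvc, g, format, &result, &length): fills a
 * library-owned buffer with a constructed "image" (a format header followed
 * by PIXEL_BYTES of 0xAB). Returns 0 on success, -1 on failure. */
int render_data(const char *format, char **result, unsigned int *length) {
    if (!format || !result || !length) return -1;
    size_t hdr = 4 + strlen(format) + 1;        /* "FMT:" + name + ';' */
    size_t total = hdr + PIXEL_BYTES;
    char *buf = lib_alloc(total);
    if (!buf) return -1;
    memcpy(buf, "FMT:", 4);
    memcpy(buf + 4, format, strlen(format));
    buf[hdr - 1] = ';';
    memset(buf + hdr, 0xAB, PIXEL_BYTES);
    *result = buf;
    *length = (unsigned int)total;
    return 0;
}

/* The gvFreeRenderData()-style counterpart: the only correct way to release
 * a buffer obtained from render_data(). Returns 0, or -1 if the pointer was
 * never handed out by this library (or was already released). */
int free_render_data(char *p) {
    return lib_free(p) ? 0 : -1;
}

/* ---- Caller side (hypothetical application) ---------------------------- */

/* The corrected pattern from the thread: allocate and release through the
 * same library. Returns 0 on success, a negative code naming the failed step. */
int caller_round_trip(void) {
    char *buf = NULL;
    unsigned int len = 0;
    if (render_data("png", &buf, &len) != 0) return -1;
    if (len != 4 + 3 + 1 + PIXEL_BYTES) return -2;
    if (memcmp(buf, "FMT:png;", 8) != 0) return -3;
    /* NOT free(buf): that would hand library memory to the caller's heap. */
    if (free_render_data(buf) != 0) return -4;
    if (free_render_data(buf) != -1) return -5;   /* double release is refused */
    return 0;
}

/* Shows why the pairing matters: a block from the caller's own heap is not
 * the library's to release, and the library can say so instead of corrupting
 * anything. Returns 1 when the misuse is detected. */
int misuse_is_detected(void) {
    char *mine = malloc(8);
    if (!mine) return 0;
    int refused = (free_render_data(mine) == -1);
    free(mine);                        /* released by the heap that owns it */
    return refused;
}

int main(void) {
    printf("round trip: %d, misuse detected: %d, outstanding: %d\n",
           caller_round_trip(), misuse_is_detected(), lib_outstanding());
    return 0;
}
```

The design point is that every allocating entry point gets a release counterpart exported from the same module, and the caller treats the returned pointer as opaque. With a real DLL the mismatched free() is not refused but corrupts the other runtime's heap, which is the RtlFreeHeap breakpoint quoted in the report.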
(0000739) mokeykrop (reporter), 2014-05-11 08:37, edited on: 2014-05-11 08:46

The problem occurs starting with version 2.30, which uses cgraph.dll; version 2.28 works fine (old graph.dll); new function gvFreeRenderData() has not resolved the issue; the problem seems to be in function gvRenderData() itself.


Issue History

Date Modified | Username | Field | Change
2011-04-28 04:03 user1 New Issue
2011-04-28 04:03 user1 Assigned To => Arif Bilgin
2013-05-30 14:20 erg Note Added: 0000348
2014-05-11 08:37 mokeykrop Note Added: 0000739
2014-05-11 08:46 mokeykrop Note Edited: 0000739 View Revisions

