conjure SIGSEGV for malformed xml input file

blackaura

Post by blackaura » 2016-11-02T12:19:36-07:00

Multiple errors were found while fuzzing conjure XML input files using AFL.

root@ubuntu-xenial:# conjure --version
Version: ImageMagick 7.0.3-5 Q16 x86_64 2016-11-02 http://www.imagemagick.org
Copyright: Copyright (C) 1999-2016 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI
Delegates (built-in): bzlib djvu fftw fontconfig freetype gvc jbig jng jpeg lcms lqr lzma openexr png tiff webp wmf x xml zlib
The source code was compiled using afl-clang-fast.

Command used:

conjure -dimensions 10x10 <filename>

The files can be generated by:

python -c "print(b'<?xml version=\"1.0\" encoding=\"UTF-8\"?><image size=\"400x400\" ><read filename=\"image.base-height] to %[widtgif\" /><get w=\"bat\" /><resize geometry=\"VVVVVVVVVVVVV width=\"width\" height=\"heigh /><print output=\"zed from %[base-width]x%[base-height] to %[width]x%[height].\\n\" /><write filenPme=\"image.png\" /></image>\n')" > id_000000,sig_06,src_000000,op_havoc,rep_4.test

python -c "print(b'<?xml version=\"1.0\" encoding=\"UTF-8\"?><image size=\"400x400\" ><read filename=\" filenaing-width]x%[bast\" /><resize geometry=\"%[dim\" /><get width=\"width\" height=\"height\" /><print output=\"zed froencoding-width]x%[base-height] to\x80\x00\x00\x00idth]x%[height].\\n\" /><write filename=\"image.png\" /></image>\n')" > id_000001,sig_06,src_000000,op_havoc,rep_4.test

python -c "print(b'<?xml version=\"1.0\" encoding=\"UTF-8\"?><image size=\"400x400\" ><read filename=\"imag%[base-height] to %[width]x%[e.gif\" /><get w=\"bat\" /><resize geometry=\"%[dim\" \"height\" /><print output=\"zed from %[base-width]x%[base-height] to %[width]x%[height].\\n\" /><write filename=\"image.png\" /></image>\n')" > id_000002,sig_06,src_000000,op_havoc,rep_2.test

python -c "print(b'<?xml version=\"1.0\" encoding=\"UTF-8\"?><image size=\"40Bx400\" ><read filename=\"image.g%[base-width]x%[baif\" /><get w=\"bat\" /><resije geometry=\"%[dim\" /><get width=\"width\" height=\"height\" /><print output=\"zed from %[base-width]x%[base-height] to %[width]x%[height].\\n\" /><write filename=\"image.eight/></image>\n')" > id_000003,sig_06,src_000000,op_havoc,rep_4.test

python -c "print(b'<?xml version=\"1.0\" encoding=\"UTF-8\"?><image cize=\"400x400\" ><read filename=\"ie-height] to %[width]x%[mage.gif\" /><get w=\"bat\" /><resize geometry=\"%[dim\" /><get width=\"width\" height=\"height\" /><print output=\"zed from %[base-width]x%[base-height] to %[width]x%[height].\\n\" /><write filename=\"image.png\" /></image>\n')" > id_000004,sig_06,src_000026,op_havoc,rep_2.test

python -c "print(b'<?xml version=\"1.0\" encoding=\"UTF-8\"?><image size=\"400x400\" ><read filename=\"image.gif from %[rase-width]x%[b\" /><get w=\"bat\" /><resize geometry=\"%[dim\" /><get width=\"width\" height=\"height\" /><print output=\"zed from %[rase-width]x%[base-height] to %[width]x%[he@\x00h\x00].\\n\" /><write filename=\"image.png\" /></image>\n')" > id_000005,sig_06,src_000108,op_havoc,rep_4.test
gdb output of file id_000000,sig_06,src_000000,op_havoc,rep_4.test:

Program received signal SIGSEGV, Segmentation fault.
0x00000000004a32e4 in CopyMagickString (destination=0x102dd20 "/vagrant/imagemagick/findings.conjure/findings.conjure//crashes/id_000000,sig_06,src_000000,op_havoc,rep_4", source=0x0, length=4096) at MagickCore/string.c:761
761	    *q=(*p++);
backtrace:
#0  0x00000000004a32e4 in CopyMagickString (destination=0x102dd20 "/vagrant/imagemagick/findings.conjure/findings.conjure//crashes/id_000000,sig_06,src_000000,op_havoc,rep_4", source=0x0, length=4096) at MagickCore/string.c:761
        p = 0x0
        q = 0x102dd20 "/vagrant/imagemagick/findings.conjure/findings.conjure//crashes/id_000000,sig_06,src_000000,op_havoc,rep_4"
        n = 4096
#1  0x000000000059fb08 in MSLStartElement (context=0x7fffffff41c8, tag=<optimized out>, attributes=<optimized out>) at coders/msl.c:5050
        image = <optimized out>
        key = "\000\000\000\000\000\000\000\000\320\f\372\000\000\000\000\000\001\000\000\000\000\000\000\000\220\367\371\000\000\000\000\000\\\b\303\000\000\000\000\000\266\000\303\000\000\000\000\000\n\002\000\000\000\000\000\000\214\t^\362\377\177\000\000\203\b\303\000\000\000\000\000\266\000\303\000\000\000\000\000\370\001\000\000\000\000\000\000\330\000\000\000\000\000?\005\000\000\000\000\000\000\320\f\372\000\000\000\000\000\001\000\000\000\000\000\000\000\220\367\371\000\000\000\000\000(\020\274\000\000\000\000\000\034\305C\000\000\000\000\000\373c\000\000\000\000\000\000'\003A\000\000\000\000\000\320\f\372", '\000' <repeats 14 times>, "\200\000\000\000\000\000\000\264\371B\000\000\000\000\000\373c\000\000\000\000\000\000'"...
        exception = 0xfc5310
        n = 1
        geometry_info = <optimized out>
        channel = AllChannels
        geometry = <optimized out>
        attribute = <optimized out>
        value = 0x0
        keyword = <optimized out>
        flags = <optimized out>
        i = <optimized out>
        option = <optimized out>
        channel_mask = <optimized out>
        angle = <optimized out>
        draw_info = <optimized out>
        affine = <optimized out>
        j = <optimized out>
        width = <optimized out>
        height = <optimized out>
        x = <optimized out>
        y = <optimized out>
        image = <optimized out>
#2  0x00007ffff3ec3a21 in xmlParseStartTag () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
No symbol table info available.
#3  0x00007ffff3ed4456 in ?? () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
No symbol table info available.
#4  0x00007ffff3ed562b in xmlParseChunk () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
No symbol table info available.
#5  0x000000000059b316 in ProcessMSLScript (image_info=<optimized out>, image=<optimized out>, exception=<optimized out>) at coders/msl.c:7804
        message = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><image size=\"400x400\" ><read filename=\"image.base-height] to %[widtgif\" /><get w=\"bat\" /><resize geometry=\"", 'V' <repeats 13 times>, " width=\"width\" height=\"heigh /><print outp"...
        msl_image = 0xfd6510
        status = <optimized out>
        msl_info = <optimized out>
        sax_modules = <optimized out>
        sax_handler = <optimized out>
        n = 21170
#6  0x000000000059aa58 in ReadMSLImage (image_info=0xfa9af0, exception=0xfa2410) at coders/msl.c:7840
        image = <error reading variable image (Cannot access memory at address 0x0)>
#7  0x000000000076ee17 in ReadImage (image_info=0xfa68c0, exception=0xfa2410) at MagickCore/constitute.c:496
        filename = "/vagrant/imagemagick/findings.conjure/findings.conjure//crashes/id_000000,sig_06,src_000000,op_havoc,rep_4\000ngs.conjure//crashes/id_000000,sig_06,src_000000,op_havoc,rep_4", '\000' <repeats 1710 times>...
        magick = "MSL", '\000' <repeats 62 times>, "vagrant/imagemagick/findings.conjure/findings.conjure//crashes/id_000000,sig_06,src_000000,op_havoc,rep_4", '\000' <repeats 1566 times>...
        magick_filename = "msl:/vagrant/imagemagick/findings.conjure/findings.conjure//crashes/id_000000,sig_06,src_000000,op_havoc,rep_4", '\000' <repeats 1570 times>...
        read_info = 0xfa9af0
        sans_exception = <optimized out>
        magick_info = <optimized out>
        image = <optimized out>
        delegate_info = <optimized out>
        value = <optimized out>
        flags = <optimized out>
        next = <optimized out>
#8  0x0000000000770c2a in ReadImages (image_info=<optimized out>, filename=0x7fffffffb3d0 "msl:/vagrant/imagemagick/findings.conjure/findings.conjure//crashes/id_000000,sig_06,src_000000,op_havoc,rep_4", exception=0xfa2410) at MagickCore/constitute.c:851
        read_filename = "msl:/vagrant/imagemagick/findings.conjure/findings.conjure//crashes/id_000000,sig_06,src_000000,op_havoc,rep_4", '\000' <repeats 1994 times>...
        read_info = 0xfa68c0
        images = <optimized out>
        image = <optimized out>
#9  0x00000000009bbde9 in ConjureImageCommand (image_info=0xfa2590, argc=<optimized out>, argv=<optimized out>, wand_unused_metadata=0x0, exception=0xfa2410) at MagickWand/conjure.c:293
        filename = "msl:/vagrant/imagemagick/findings.conjure/findings.conjure//crashes/id_000000,sig_06,src_000000,op_havoc,rep_4", '\000' <repeats 2914 times>...
        image = <optimized out>
        number_images = 0
        status = <optimized out>
        i = <optimized out>
        option = <optimized out>
#10 0x0000000000ab696e in MagickCommandGenesis (image_info=0xfa2590, command=0x9bb590 <ConjureImageCommand>, argc=4, argv=0x7fffffffe5f8, metadata=0x0, exception=0xfa2410) at MagickWand/mogrify.c:183
        text = <error reading variable text (Cannot access memory at address 0x0)>
        client_name = "conjure\000al/bin/conjure", '\000' <repeats 2338 times>...
        i = 1
        regard_warnings = MagickFalse
        status = MagickTrue
        iterations = 1
        duration = <optimized out>
        concurrent = MagickFalse
        option = <optimized out>
#11 0x000000000040f902 in MagickMain (argc=<optimized out>, argv=<optimized out>) at utilities/magick.c:145
        client_name = "conjure\000al/bin/conjure\000\000\230\343\377\377\377\177\000\000\230\343\377\377\377\177\000\000\220\343\377\377\377\177\000\000\217\343\377\377\377\177\000\000\374\324\377\377\377\177", '\000' <repeats 13 times>, "\310\377\377\377\377\b\356\t\357\377\177\000\000\020\213\375\367\377\177\000\000\237\255\351\356\377\177\000\000\000\000\000\000\000\000\000\000\330\325\377\377\377\177\000\000\037J\337\367\377\177\000\000\367\360\377\177\000\000P\267\375\367\377\177\000\000\000\344\377\377\377\177\000\000\004\000\000\000\000\000\000\000%\000\000\000\000\000\000\000\310X\336\367\377\177\000\000\000\000\001\000\001\000\001\000\001\000\001\000\001\000\001\000\001\000\001\000\001\000\001\000\001"...
        exception = 0xfa2410
        image_info = 0xfa2590
        i = 0
        offset = <optimized out>
        metadata = <optimized out>
        status = <optimized out>
#12 main (argc=<optimized out>, argv=<optimized out>) at utilities/magick.c:176

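Frame #0 of the backtrace shows CopyMagickString entered with source=0x0 and faulting on `*q=(*p++)`, while frame #1 shows the MSL attribute value that produced it (value=0x0). The following is an added example, not ImageMagick's code: a bounded copy with the same shape as the crashing frame beside a guarded variant, plus a constructed name/value attribute lookup (copy_attribute, a hypothetical helper) that checks for a NULL value before copying.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not ImageMagick's code. copy_unchecked() has the shape of
 * the CopyMagickString frame in the backtrace: copy at most length-1 bytes
 * and NUL-terminate, but never test `source`, so the source=0x0 call in
 * frame #0 faults on the first read. copy_checked() treats a NULL source as
 * the empty string. Both return bytes copied, excluding the terminator. */
size_t copy_unchecked(char *destination, const char *source, size_t length)
{
  const char *p = source;
  char *q = destination;
  size_t n;

  if (length == 0)
    return 0;
  for (n = length - 1; n != 0; n--) {
    *q = (*p++);                 /* reads through address 0 if source == NULL */
    if (*q == '\0')
      break;
    q++;
  }
  *q = '\0';
  return (size_t) (q - destination);
}

size_t copy_checked(char *destination, const char *source, size_t length)
{
  if (destination == NULL || length == 0)
    return 0;
  if (source == NULL) {          /* the value=0x0 case from frame #1 */
    *destination = '\0';
    return 0;
  }
  return copy_unchecked(destination, source, length);
}

/* Constructed model of a start-element attribute list: name/value pointer
 * pairs terminated by a NULL name. In this model a value slot may itself be
 * NULL (an attribute that resolved to nothing), which is what the caller
 * must check before copying. Returns bytes copied, 0 if absent/valueless. */
size_t copy_attribute(char *destination, size_t length,
                      const char **attributes, const char *name)
{
  size_t i;
  for (i = 0; attributes != NULL && attributes[i] != NULL; i += 2)
    if (strcmp(attributes[i], name) == 0)
      return copy_checked(destination, attributes[i + 1], length);
  *destination = '\0';
  return 0;
}
```
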
magick
Site Admin

Re: conjure SIGSEGV for malformed xml input file

Post by magick » 2016-11-02T12:44:13-07:00

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.