JPEG related crash

mkoppanen
Posts: 309
Joined: 2007-06-09T07:06:32-07:00

JPEG related crash

Post by mkoppanen »

Hello,

The following code crashes with a double-free / corruption. My GDB refuses to produce a proper backtrace:

#include <wand/MagickWand.h>
#include <assert.h>

int main ()
{
    MagickBooleanType ret;

    /* Initialise the MagickWand environment before creating any wands. */
    MagickWandGenesis ();

    MagickWand *wand = NewMagickWand ();
    assert (wand);

    /* Built-in test image, so no external file is needed. */
    ret = MagickReadImage (wand, "magick:rose");
    assert (ret == MagickTrue);

    ret = MagickSetImageFormat (wand, "jpg");
    assert (ret == MagickTrue);

    /* Setting jpeg:extent and then encoding to a blob is what triggers the crash. */
    ret = MagickSetOption (wand, "jpeg:extent", "30kb");
    assert (ret == MagickTrue);

    size_t siz;
    unsigned char *rc = MagickGetImageBlob (wand, &siz);
    assert (rc);

    /* Not reached on affected builds; otherwise release everything properly. */
    MagickRelinquishMemory (rc);
    wand = DestroyMagickWand (wand);
    MagickWandTerminus ();
    return 0;
}
Mikko Koppanen
My blog: http://valokuva.org

mkoppanen
Posts: 309
Joined: 2007-06-09T07:06:32-07:00

Re: JPEG related crash

Post by mkoppanen »

lldb seems to work; it's the jpeg_finish_compress line:

(lldb) bt
* thread #1: tid = 0x2e1be, 0x00007fff906c9866 libsystem_kernel.dylib`__pthread_kill + 10, queue = 'com.apple.main-thread, stop reason = signal SIGABRT
    frame #0: 0x00007fff906c9866 libsystem_kernel.dylib`__pthread_kill + 10
    frame #1: 0x00007fff9559635c libsystem_pthread.dylib`pthread_kill + 92
    frame #2: 0x00007fff939c0bba libsystem_c.dylib`abort + 125
    frame #3: 0x00007fff973cd093 libsystem_malloc.dylib`free + 411
    frame #4: 0x000000010077dfd7 libjpeg.8.dylib`free_pool + 282
    frame #5: 0x000000010075c640 libjpeg.8.dylib`jpeg_abort + 29
    frame #6: 0x0000000100496d4f libMagickCore-6.Q16.1.dylib`WriteJPEGImage(image_info=0x000000010102de00, image=0x0000000101032000) + 11167 at jpeg.c:2776
    frame #7: 0x0000000100494e1f libMagickCore-6.Q16.1.dylib`WriteJPEGImage(image_info=0x0000000101017400, image=0x0000000101026a00) + 3183 at jpeg.c:2252
    frame #8: 0x0000000100201220 libMagickCore-6.Q16.1.dylib`WriteImage(image_info=0x0000000101013200, image=0x0000000101026a00) + 2384 at constitute.c:1164
    frame #9: 0x00000001001b8657 libMagickCore-6.Q16.1.dylib`ImageToBlob(image_info=0x000000010100f000, image=0x0000000101026a00, length=0x00007fff5fbffb98, exception=0x0000000100b0f950) + 1063 at blob.c:1548
    frame #10: 0x00000001000b71ea libMagickWand-6.Q16.1.dylib`MagickGetImageBlob(wand=0x000000010100d800, length=0x00007fff5fbffb98) + 410 at magick-image.c:4113
    frame #11: 0x0000000100000e91 wand`main + 385 at crash.c:21
    frame #12: 0x00007fff938775fd libdyld.dylib`start + 1
    frame #13: 0x00007fff938775fd libdyld.dylib`start + 1
Mikko Koppanen
My blog: http://valokuva.org

dlemstra
Posts: 1625
Joined: 2013-05-04T15:28:54-07:00

Re: JPEG related crash

Post by dlemstra »

Which version of ImageMagick are you using?
.NET + ImageMagick = Magick.NET https://github.com/dlemstra/Magick.NET, @MagickNET, Donate

mkoppanen
Posts: 309
Joined: 2007-06-09T07:06:32-07:00

Re: JPEG related crash

Post by mkoppanen »

ImageMagick 6, trunk version. This seems to be reproducible with other versions as well; tested with 6.8.7 Q16 too.
Mikko Koppanen
My blog: http://valokuva.org

magick
Site Admin
Posts: 11254
Joined: 2003-05-31T11:32:55-07:00

Re: JPEG related crash

Post by magick »

We can reproduce the problem you posted and have a patch in ImageMagick 6.8.7-5 Beta available by sometime tomorrow. In the meantime, do not set jpeg:extent.

mkoppanen
Posts: 309
Joined: 2007-06-09T07:06:32-07:00

Re: JPEG related crash

Post by mkoppanen »

Thanks!
Mikko Koppanen
My blog: http://valokuva.org

broucaries
Posts: 467
Joined: 2008-12-21T11:51:10-07:00

Re: JPEG related crash

Post by broucaries »

Seems security related, maybe? How easy is it to trigger from the command line?

magick
Site Admin
Posts: 11254
Joined: 2003-05-31T11:32:55-07:00

Re: JPEG related crash

Post by magick »

The bug only occurs when creating a blob with a call to ImageToBlob() when jpeg:extent is defined and the output format is JPEG. These conditions are never met from the command-line.
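As an added example (not code from ImageMagick or from anyone in this thread), a small C pre-flight check that encodes the three conditions magick lists above together with the 6.8.7-5 fix version, so an application can refuse the unsafe combination on older builds. The "major.minor.patch-release" version-string layout and the function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not part of ImageMagick. The fixed release 6.8.7-5
 * comes from this thread; the version string is assumed to look like
 * "6.8.7-4" (e.g. the prefix of what MagickGetVersion() reports). */
typedef struct { int major, minor, patch, release; } im_version;

/* Parse "6.8.7-4" or "6.8.7" (release defaults to 0). Returns 1 on success. */
int parse_im_version(const char *s, im_version *v) {
    v->release = 0;
    int n = sscanf(s, "%d.%d.%d-%d", &v->major, &v->minor, &v->patch, &v->release);
    return n >= 3;
}

/* Negative if a < b, 0 if equal, positive if a > b. */
int compare_im_version(const im_version *a, const im_version *b) {
    if (a->major != b->major) return a->major - b->major;
    if (a->minor != b->minor) return a->minor - b->minor;
    if (a->patch != b->patch) return a->patch - b->patch;
    return a->release - b->release;
}

/* Case-insensitive match on the two spellings ImageMagick accepts for JPEG. */
int is_jpeg_format(const char *fmt) {
    char buf[8]; size_t i;
    if (!fmt) return 0;
    for (i = 0; fmt[i] && i < sizeof buf - 1; i++) buf[i] = (char)tolower((unsigned char)fmt[i]);
    buf[i] = '\0';
    return strcmp(buf, "jpg") == 0 || strcmp(buf, "jpeg") == 0;
}

/* Returns 1 when the request matches the crash conditions from the thread:
 * JPEG output, jpeg:extent set, output produced as a blob, on a build older
 * than 6.8.7-5. The caller should then write to a file or drop the option.
 * An unparsable version string is treated as affected. */
int jpeg_extent_blob_is_unsafe(const char *version, const char *format,
                               const char *jpeg_extent, int to_blob) {
    im_version have, fixed = {6, 8, 7, 5};
    if (!parse_im_version(version, &have)) return 1;
    if (compare_im_version(&have, &fixed) >= 0) return 0;
    return to_blob && jpeg_extent != NULL && is_jpeg_format(format);
}

int main(void) {
    /* Constructed input mirroring the reproducer: jpg + jpeg:extent + blob. */
    printf("6.8.7-4 unsafe=%d\n", jpeg_extent_blob_is_unsafe("6.8.7-4", "jpg", "30kb", 1));
    printf("6.8.7-5 unsafe=%d\n", jpeg_extent_blob_is_unsafe("6.8.7-5", "jpg", "30kb", 1));
    return 0;
}
```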
