Several undefined behaviors in ImageMagick-6.9.1-8

xiedingbao
Posts: 2
Joined: 2015-06-11T15:49:40-07:00


Post by xiedingbao »

I have found several undefined behaviors in 'convert' and 'display' of ImageMagick-6.9.1-8.
To reproduce them, you need to build the source code with the flag '-fsanitize=undefined' (requires gcc 5.0 or clang 3.3).
For the test inputs in the folder input-convert.tar.gz (https://www.dropbox.com/s/zjpi3i52q9n4w ... ar.gz?dl=0), execute the command

    convert $file png:/dev/null

You will see the following undefined behaviors:

    tif_dirread.c:3783:24: runtime error: shift exponent 98 is too large for 64-bit type 'long'
    ./magick/quantum-private.h:97:33: runtime error: shift exponent 97 is too large for 64-bit type 'MagickSizeType' (aka 'unsigned long long')
    tif_dir.c:326:20: runtime error: shift exponent 132 is too large for 64-bit type 'long'
    tif_dirread.c:2896:24: runtime error: division by zero

For the test inputs in the folder input-display.tar.gz (https://www.dropbox.com/s/9lqnxmjqx9rbq ... ar.gz?dl=0), execute the command

    display $file

You will see the following undefined behaviors:

    uantum-private.h:275: runtime error: value 209712 is outside the range of representable values of type 'unsigned short'
    ntum-import.c:192: runtime error: value -1.53699e+41 is outside the range of representable values of type 'float'

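As an added illustration (not code from the post above, from ImageMagick, or from libtiff), the following C program reproduces the three classes of undefined behavior that the sanitizer output reports: an oversized shift exponent, an integer division by zero, and an out-of-range float-to-integer conversion. Each appears as an unchecked decoder-style routine next to a version that validates the untrusted header field before using it. The struct, its field names and all sample values are constructed for this example and are assumptions, not libtiff's or ImageMagick's data structures.

```c
/*
 * Added example, not code from ImageMagick or libtiff.  Each of the three
 * kinds of undefined behaviour in the sanitizer output above appears as an
 * unchecked decoder-style routine next to a checked one.  The struct, its
 * field names and every sample value are constructed for this example.
 */
#include <stdint.h>
#include <stdio.h>
#include <math.h>

/* Untrusted header fields as a decoder reads them straight from the file. */
struct sample_desc {
    unsigned bits_per_sample;    /* a malformed file can say 98 */
    unsigned samples_per_pixel;  /* a malformed file can say 0  */
};

/* 1. Shift exponent: UB when bits_per_sample >= 64 ("shift exponent 98 is
 * too large for 64-bit type").  On x86-64 the hardware masks the count, so
 * without the sanitizer this silently yields a wrong mask, not a crash. */
uint64_t sample_mask_unchecked(const struct sample_desc *d)
{
    return (1ULL << d->bits_per_sample) - 1;
}

/* Reject depths the format cannot carry; 64 is handled without shifting
 * because 1ULL << 64 is itself undefined. */
int sample_mask_checked(const struct sample_desc *d, uint64_t *mask)
{
    if (d->bits_per_sample == 0 || d->bits_per_sample > 64)
        return -1;
    *mask = (d->bits_per_sample == 64) ? UINT64_MAX
                                        : (1ULL << d->bits_per_sample) - 1;
    return 0;
}

/* 2. Division by zero: UB when samples_per_pixel is 0 ("division by zero"). */
unsigned pixels_per_strip_unchecked(const struct sample_desc *d, unsigned samples)
{
    return samples / d->samples_per_pixel;
}

int pixels_per_strip_checked(const struct sample_desc *d, unsigned samples,
                             unsigned *pixels)
{
    if (d->samples_per_pixel == 0)
        return -1;
    *pixels = samples / d->samples_per_pixel;
    return 0;
}

/* 3. Float to integer: UB when the scaled value does not fit the target
 * ("value 209712 is outside the range of representable values of type
 * 'unsigned short'").  Wrap-around is not guaranteed for this conversion. */
unsigned short to_quantum_unchecked(float v)
{
    return (unsigned short)(v * 65535.0f);
}

/* Clamp while still in floating point; !(x >= 0) is also true for NaN. */
unsigned short to_quantum_checked(float v)
{
    float scaled = v * 65535.0f;
    if (!(scaled >= 0.0f))
        return 0;
    if (scaled > 65535.0f)
        return 65535;
    return (unsigned short)scaled;
}

int main(void)
{
    /* Constructed malformed header next to a sane one. */
    struct sample_desc bad  = { .bits_per_sample = 98, .samples_per_pixel = 0 };
    struct sample_desc good = { .bits_per_sample = 16, .samples_per_pixel = 3 };
    uint64_t mask = 0;
    unsigned pixels = 0;

    printf("good: mask %s 0x%llx, pixels %s %u, quantum(0.5) %u\n",
           sample_mask_checked(&good, &mask) ? "rejected" : "ok",
           (unsigned long long)mask,
           pixels_per_strip_checked(&good, 300, &pixels) ? "rejected" : "ok",
           pixels, to_quantum_checked(0.5f));
    printf("bad:  mask %s, pixels %s, quantum(3.2) %u\n",
           sample_mask_checked(&bad, &mask) ? "rejected" : "ok",
           pixels_per_strip_checked(&bad, 300, &pixels) ? "rejected" : "ok",
           to_quantum_checked(3.2f));

#ifdef DEMO_UB
    /* Build with -DDEMO_UB -fsanitize=undefined to see the three reports.
     * The division comes last: the sanitizer reports it, but the instruction
     * still executes and raises SIGFPE on x86-64. */
    printf("unchecked mask 0x%llx\n",
           (unsigned long long)sample_mask_unchecked(&bad));
    printf("unchecked quantum %u\n", to_quantum_unchecked(3.2f));
    printf("unchecked pixels %u\n", pixels_per_strip_unchecked(&bad, 300));
#endif
    return 0;
}
```

Compiled plainly, only the checked routines run and the malformed header is rejected without any report; compiled with -DDEMO_UB -fsanitize=undefined, the unchecked routines produce reports of the same shape as those in the post. The practical point is that none of these three is a crash on its own: the shift quietly returns a mask for 98 mod 64 bits and the float conversion returns whatever the hardware produces, so a fuzzing build without the sanitizer would miss them even though the decoder then works with wrong sizes and masks.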

magick
Site Admin
Posts: 11254
Joined: 2003-05-31T11:32:55-07:00

Re: Several undefined behaviors in ImageMagick-6.9.1-8

Post by magick »

We can reproduce the problem you posted and have a patch in ImageMagick 6.9.1-10 Beta available within a few days. Thanks.
