
Segfault in ReadRLEImage

Posted: 2016-05-17T10:18:45-07:00
by levigross
File: https://drive.google.com/open?id=0B1BY0 ... TFCekpBeDg

Stack Trace
(gdb) info stack
#0 0x000000000090e0b0 in ReadRLEImage (image_info=0x18d97b0, exception=0x18c77d0) at coders/rle.c:589
#1 0x0000000000bc68a0 in ReadImage (image_info=image_info@entry=0x18d4210, exception=exception@entry=0x18c77d0) at MagickCore/constitute.c:554
#2 0x0000000001005b68 in ReadStream (image_info=image_info@entry=0x18d0fe0, stream=stream@entry=0xbc46c0 <PingStream>, exception=exception@entry=0x18c77d0)
at MagickCore/stream.c:1012
#3 0x0000000000bc4f5d in PingImage (image_info=<optimized out>, exception=0x18c77d0) at MagickCore/constitute.c:226
#4 0x0000000000bc5a4b in PingImages (image_info=image_info@entry=0x18cddb0, filename=0x18c4ea0 "crash.png", exception=exception@entry=0x18c77d0)
at MagickCore/constitute.c:326
#5 0x0000000001240369 in IdentifyImageCommand (image_info=0x18cab80, image_info@entry=0x18c7950, argc=argc@entry=2, argv=0x18c4ba0, argv@entry=0x7fffffffe260,
metadata=metadata@entry=0x7fffffffbf00, exception=exception@entry=0x18c77d0) at MagickWand/identify.c:319
#6 0x00000000012cb1fa in MagickCommandGenesis (image_info=image_info@entry=0x18c7950, command=command@entry=0x123f150 <IdentifyImageCommand>, argc=argc@entry=2,
argv=argv@entry=0x7fffffffe260, metadata=0x7fffffffcfa8, exception=exception@entry=0x18c77d0) at MagickWand/mogrify.c:183
#7 0x00000000004244bd in MagickMain (argc=2, argv=0x7fffffffe260) at utilities/magick.c:145
#8 0x00007ffff4492830 in __libc_start_main (main=0x410860 <main>, argc=3, argv=0x7fffffffe258, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffe248) at ../csu/libc-start.c:291
#9 0x0000000000424039 in _start ()
Current Frame
(gdb) info frame
Stack level 0, frame at 0x7fffffff53f0:
rip = 0x90e0b0 in ReadRLEImage (coders/rle.c:589); saved rip = 0xbc68a0
called by frame at 0x7fffffffa4b0
source language c.
Arglist at 0x7fffffff5218, args: image_info=0x18d97b0, exception=0x18c77d0
Locals at 0x7fffffff5218, Previous frame's sp is 0x7fffffff53f0
Saved registers:
rbx at 0x7fffffff53b8, rbp at 0x7fffffff53c0, r12 at 0x7fffffff53c8, r13 at 0x7fffffff53d0, r14 at 0x7fffffff53d8, r15 at 0x7fffffff53e0, rip at 0x7fffffff53e8

Command to Crash
(gdb) r identify crash.png
Starting program: /home/fuzzer/work/ImageMagick/utilities/magick identify crash.png
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x000000000090e0b0 in ReadRLEImage (image_info=0x18d97b0, exception=0x18c77d0) at coders/rle.c:589
589 ValidateColormapValue(image,(ssize_t) *p++,&index,exception);
Found by AFL

Re: Segfault in ReadRLEImage

Posted: 2016-05-17T11:43:44-07:00
by dlemstra
Can you specify your IM version and operating system?

Re: Segfault in ReadRLEImage

Posted: 2016-05-17T12:03:33-07:00
by magick
Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.