Null pointer dereference in GetJPEGMethod()

Post any defects you find in the released or beta versions of the ImageMagick software here. Include the ImageMagick version, OS, and any command-line required to reproduce the problem. Got a patch for a bug? Post it here.
fumfel
Posts: 12
Joined: 2016-09-20T06:30:11-07:00
Authentication code: 1151

Null pointer dereference in GetJPEGMethod()

Post by fumfel »

After some fuzz testing I found a crashing test case.

Git HEAD: 4e46ad9dd95d68c1c8c630e6d27338ae3f57d5c7

OS & Compiler: Ubuntu 16.04 x64 + Clang 4.0

Command:

convert im_nullptr_GetJPEGMethod /dev/null

Faulting input: https://frankowicz.me/storage/crashes/i ... JPEGMethod

ASAN:

==5167==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9f8638c717 bp 0x7ffd5a285470 sp 0x7ffd5a2811a0 T0)
==5167==The signal is caused by a READ memory access.
==5167==Hint: address points to the zero page.
    #0 0x7f9f8638c716 in GetJPEGMethod XYZ/ImageMagick/coders/tiff.c:1044:30
    #1 0x7f9f8638c716 in ReadTIFFImage XYZ/ImageMagick/coders/tiff.c:1742
    #2 0x7f9f85929274 in ReadImage XYZ/ImageMagick/MagickCore/constitute.c:497:13
    #3 0x7f9f8592c931 in ReadImages XYZ/ImageMagick/MagickCore/constitute.c:866:9
    #4 0x7f9f84f38b67 in ConvertImageCommand XYZ/ImageMagick/MagickWand/convert.c:641:18
    #5 0x7f9f850f49a5 in MagickCommandGenesis XYZ/ImageMagick/MagickWand/mogrify.c:183:14
    #6 0x4ee3e9 in MagickMain XYZ/ImageMagick/utilities/magick.c:149:10
    #7 0x4ee3e9 in main XYZ/ImageMagick/utilities/magick.c:180
    #8 0x7f9f8095382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x41a338 in _start (/usr/local/bin/magick+0x41a338)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/ImageMagick/coders/tiff.c:1044:30 in GetJPEGMethod
==5167==ABORTING
Regards,
Kamil Frankowicz
magick
Site Admin
Posts: 11064
Joined: 2003-05-31T11:32:55-07:00

Re: Null pointer dereference in GetJPEGMethod()

Post by magick »

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.