SIGABRT - lt-convert IM6 SVN - c2d64390 - ./magick/quantum-private.h:366

Post by JodieC »

Source file: https://www.dropbox.com/s/ix5zvn2tcnpulk0/c2d64390?dl=0

To reproduce:

Code:

convert c2d64390 png:/dev/null

Output:

Code:

Aborted (core dumped)

NOTE: The core dump took up 6GB of disk space on my machine. It may take a bit to write that out :)
It will also take you around 6GB of free RAM to run this.

Output from /usr/bin/time -v:

Code:

        Command terminated by signal 6
        Command being timed: "/home/jodicun/opt/ImageMagick-2014-12-19/utilities/convert /home/jodicun/Dropbox/im/c2d64390 png:/dev/null"
        User time (seconds): 24.58
        System time (seconds): 6.05
        Percent of CPU this job got: 98%
        Elapsed (wall clock) time (h:mm:ss or m:ss): 0:31.08
        Average shared text size (kbytes): 0
        Average unshared data size (kbytes): 0
        Average stack size (kbytes): 0
        Average total size (kbytes): 0
        Maximum resident set size (kbytes): 6365868
        Average resident set size (kbytes): 0
        Major (requiring I/O) page faults: 0
        Minor (reclaiming a frame) page faults: 1706813
        Voluntary context switches: 53
        Involuntary context switches: 605
        Swaps: 0
        File system inputs: 0
        File system outputs: 0
        Socket messages sent: 0
        Socket messages received: 0
        Signals delivered: 0
        Page size (bytes): 4096
        Exit status: 0

BT:

Code:

#0  0x00007ffff6e87bb9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0  0x00007ffff6e87bb9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff6e8afc8 in __GI_abort () at abort.c:89
#2  0x00007ffff78b4171 in MagickSignalHandler (signal_number=6) at magick/magick.c:1171
#3  <signal handler called>
#4  0x00007ffff6e87bb9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#5  0x00007ffff6e8afc8 in __GI_abort () at abort.c:89
#6  0x00007ffff78b4171 in MagickSignalHandler (signal_number=24) at magick/magick.c:1171
#7  <signal handler called>
#8  0x00007ffff7990b95 in ScaleCharToQuantum (value=0 '\000') at ./magick/quantum-private.h:366
#9  ReadDXT1 (image=0xd79b850, dds_info=0x7fffffff6350, exception=0x604990) at coders/dds.c:1984
#10 0x00007ffff798fdd8 in ReadDDSImage (image_info=0x60e050, exception=0x604990) at coders/dds.c:1865
#11 0x00007ffff780d8b8 in ReadImage (image_info=image_info@entry=0x608ea0, exception=exception@entry=0x604990) at magick/constitute.c:547
#12 0x00007ffff780e953 in ReadImages (image_info=image_info@entry=0x608ea0, exception=exception@entry=0x604990) at magick/constitute.c:853
#13 0x00007ffff7477948 in ConvertImageCommand (image_info=0x608ea0, argc=3, argv=0x604010, metadata=0x0, exception=0x604990) at wand/convert.c:622
#14 0x00007ffff74e5a98 in MagickCommandGenesis (image_info=image_info@entry=0x604b10, command=0x400880 <ConvertImageCommand@plt>, argc=argc@entry=3, argv=argv@entry=0x7fffffffe098, metadata=metadata@entry=0x0, exception=exception@entry=0x604990) at wand/mogrify.c:168
#15 0x0000000000400907 in ConvertMain (argv=0x7fffffffe098, argc=3) at utilities/convert.c:81
#16 main (argc=3, argv=0x7fffffffe098) at utilities/convert.c:92
exe = '/home/jodicun/opt/ImageMagick-2014-12-19/utilities/.libs/lt-convert ./fuzzer141'

System Details:
AMD64
Distributor ID: Ubuntu
Description: Ubuntu 14.04.1 LTS
Release: 14.04
Codename: trusty

ImageMagick 6 compiled from SVN checkout 20141227.

Found with American Fuzzy Lop ( http://lcamtuf.coredump.cx/afl/ )

Re: SIGABRT - lt-convert IM6 SVN - c2d64390 - ./magick/quantum-private.h:366

Post by magick »

ImageMagick is behaving correctly. The image requires nearly 4 billion copies of a 2048x32 pixel surface. ImageMagick asks the system for memory and disk resources until the system denies the request or sends a signal to kill the process. ImageMagick allows for resource limits from the command line, environment variables, or the system policy.xml configuration file. We can't set these limits because they vary wildly depending on whether you are working on a desktop, server, or iPhone. We, for example, have access to a 1TB memory machine so our limits will differ from your desktop requirements. Instead, the user must set these limits. For example, from the command-line we get an orderly exit for your image:
  • convert -limit memory 2GiB -limit map 4GiB -limit disk 1GB c2d64390 null:
    convert: cache resources exhausted `c2d64390' @ error/cache.c/OpenPixelCache/3642.
    convert: no images defined `null:' @ error/convert.c/ConvertImageCommand/3210.

Re: SIGABRT - lt-convert IM6 SVN - c2d64390 - ./magick/quantum-private.h:366

Post by JodieC »

The SIGABRT is expected behavior here?


Is there a common guidance text for resource control that you send to project owners?
If not addressed by the owners this would fall under CWE-399 and CWE-400.

Re: SIGABRT - lt-convert IM6 SVN - c2d64390 - ./magick/quantum-private.h:366

Post by magick »

  • The SIGABRT is expected behavior here?
A SIGABRT is thrown by the OS and it's a signal that some OSes won't let a user application catch. However, try setting the MAGICK_SYNCHRONIZE environment variable. Set it to "true" to ensure all image data is fully flushed and synchronized to disk. There is a performance penalty; however, the benefits include ensuring a valid image file in the event of a system crash and early reporting if there is not enough disk space for the image pixel cache. That may resolve the issue (see http://www.imagemagick.org/script/resources.php).
  • Is there a common guidance text for resource control that you send to project owners?
See http://www.imagemagick.org/script/resources.php and http://www.imagemagick.org/script/architecture.php. On the architecture page, scroll down to "Cache Storage and Resource Requirements". It illustrates how to set resource limits in the policy configuration file. For example,

Code:

<policymap>
  <policy domain="resource" name="temporary-path" value="/tmp"/>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="map" value="512MiB"/>
  <policy domain="resource" name="width" value="64KP"/>
  <policy domain="resource" name="height" value="64KP"/>
  <policy domain="resource" name="area" value="128MB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
  <policy domain="resource" name="file" value="768"/>
  <policy domain="resource" name="thread" value="2"/>
  <policy domain="resource" name="throttle" value="0"/>
  <policy domain="resource" name="time" value="120"/>
  <policy domain="system" name="precision" value="6"/>
  <policy domain="cache" name="shared-secret" value="********"/>
</policymap>

Re: SIGABRT - lt-convert IM6 SVN - c2d64390 - ./magick/quantum-private.h:366

Post by dlemstra »

I have added an extra check in the dds reader. It now decides to stop processing this image a bit earlier:

Code:

D:\Images\Fuzz>convert c2d64390 null:
convert.exe: Unexpected end-of-file `c2d64390' @ error/dds.c/ReadDDSImage/1838.
convert.exe: no images defined `null:' @ error/convert.c/ConvertImageCommand/3210.

.NET + ImageMagick = Magick.NET https://github.com/dlemstra/Magick.NET, @MagickNET, Donate
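
The idea behind an early reader check like the one described in the post above, as an added example (this is not dlemstra's patch and not ImageMagick code): before allocating anything, compare what a DXT1 DDS header declares against the bytes actually present in the file. The function name and return codes are hypothetical, the sample header is constructed, and the example assumes the surface count is taken from the header's depth field; mipmaps and cube-map faces are ignored.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DDS_HEADER_LEN 128u        /* 4-byte magic + 124-byte DDS_HEADER */
#define DDSD_DEPTH     0x00800000u /* dwFlags bit: dwDepth is valid */
enum { DDS_OK = 0, DDS_BAD_HEADER = -1, DDS_TRUNCATED = -2 };

/* DDS header fields are little-endian 32-bit words. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Can a DXT1 file of len bytes hold the surfaces its header declares? */
int dds_dxt1_preflight(const uint8_t *buf, size_t len)
{
    if (len < DDS_HEADER_LEN || memcmp(buf, "DDS ", 4) != 0 ||
        rd32(buf + 4) != 124 || memcmp(buf + 84, "DXT1", 4) != 0)
        return DDS_BAD_HEADER;
    uint32_t height = rd32(buf + 12), width = rd32(buf + 16);
    /* Assumption: the number of surfaces is dwDepth when DDSD_DEPTH is set. */
    uint32_t depth = (rd32(buf + 8) & DDSD_DEPTH) ? rd32(buf + 24) : 1;
    if (width == 0 || height == 0 || depth == 0)
        return DDS_BAD_HEADER;
    /* DXT1 packs each 4x4 pixel block into 8 bytes. */
    uint64_t blocks = (((uint64_t)width + 3) / 4) * (((uint64_t)height + 3) / 4);
    uint64_t avail  = (len - DDS_HEADER_LEN) / 8; /* whole blocks in file */
    /* Divide rather than multiply so a huge depth cannot overflow. */
    if (blocks > avail || depth > avail / blocks)
        return DDS_TRUNCATED;
    return DDS_OK;
}

int main(void)
{
    /* Constructed sample: 2048x32 DXT1 header plus one surface of data. */
    static uint8_t f[128 + 512 * 8 * 8];
    memcpy(f, "DDS ", 4); f[4] = 124; f[12] = 32; f[17] = 0x08;
    memcpy(f + 84, "DXT1", 4);
    int ok = dds_dxt1_preflight(f, sizeof f);          /* DDS_OK */
    f[10] = 0x80; memset(f + 24, 0xff, 4);             /* depth = 2^32-1 */
    int bad = dds_dxt1_preflight(f, sizeof f);         /* DDS_TRUNCATED */
    return (ok == DDS_OK && bad == DDS_TRUNCATED) ? 0 : 1;
}
```

A check like this complements the resource limits discussed earlier in the thread rather than replacing them: a file can be internally consistent and still be larger than the host should process.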

Re: SIGABRT - lt-convert IM6 SVN - c2d64390 - ./magick/quantum-private.h:366

Post by snibgo »

Off-topic: I love the thought of 4 billion images in a single command. I have only tested up to 100,000 images. (With that many xc: operands, followed by "+append".) IM gave the correct result.
snibgo's IM pages: im.snibgo.com

Re: SIGABRT - lt-convert IM6 SVN - c2d64390 - ./magick/quantum-private.h:366

Post by JodieC »

Dies better after the patch, thanks!