Code:
x@x:~/Desktop/clean-imagick/bin$ ./convert --version
Version: ImageMagick 7.0.4-2 Q16 i686 2017-01-04 http://www.imagemagick.org
Copyright: © 1999-2017 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP
Delegates (built-in): bzlib fontconfig freetype jbig jng jpeg lzma png tiff webp wmf x xml zlib
x@x:~/Desktop/clean-imagick/bin$ ./convert ./crash_0 /dev/null
Aborted
Code:
(gdb) r ./crash_0 /dev/null
Starting program: /home/x/Desktop/clean-imagick/bin/convert ./crash_0 /dev/null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0xb7c9af38 in PushQuantumPixel (quantum=0xbfff46b4,
pixels=0x814b0ac <error: Cannot access memory at address 0x814b0ac>, quantum_info=0x8076610)
at MagickCore/quantum-import.c:209
209 quantum_info->state.pixel=(*pixels++);
(gdb) bt
#0 0xb7c9af38 in PushQuantumPixel (quantum=0xbfff46b4,
pixels=0x814b0ac <error: Cannot access memory at address 0x814b0ac>, quantum_info=0x8076610)
at MagickCore/quantum-import.c:209
#1 ImportGrayQuantum (image=image@entry=0x806cf48, quantum_info=quantum_info@entry=0x8076610, number_pixels=1328,
p=<optimized out>, p@entry=0x812a770 '0' <repeats 200 times>..., q=<optimized out>, q@entry=0xb3131040)
at MagickCore/quantum-import.c:2314
#2 0xb7ca010b in ImportQuantumPixels (image=image@entry=0x806cf48, image_view=image_view@entry=0x0,
quantum_info=quantum_info@entry=0x8076610, quantum_type=quantum_type@entry=GrayQuantum,
pixels=pixels@entry=0x812a770 '0' <repeats 200 times>..., exception=exception@entry=0x804c508)
at MagickCore/quantum-import.c:4189
#3 0xb7e3dc13 in ReadTIFFImage (image_info=0x8057ce8, exception=0x804c508) at coders/tiff.c:1668
#4 0xb7b8fc0e in ReadImage (image_info=image_info@entry=0x8054a88, exception=exception@entry=0x804c508)
at MagickCore/constitute.c:555
#5 0xb7b91034 in ReadImages (image_info=image_info@entry=0x8051828, filename=filename@entry=0x804cb20 "./crash_0",
exception=exception@entry=0x804c508) at MagickCore/constitute.c:852
#6 0xb7a1f107 in ConvertImageCommand (image_info=0x8051828, argc=3, argv=0xbffff1f4, metadata=0xbfffcfd8,
exception=0x804c508) at MagickWand/convert.c:639
#7 0xb7a9177e in MagickCommandGenesis (image_info=image_info@entry=0x804e5c8,
command=command@entry=0x8048a70 <ConvertImageCommand@plt>, argc=argc@entry=3, argv=argv@entry=0xbffff1f4,
metadata=0x0, exception=exception@entry=0x804c508) at MagickWand/mogrify.c:183
#8 0x08048dc0 in MagickMain (argc=argc@entry=3, argv=argv@entry=0xbffff1f4) at utilities/magick.c:149
#9 0x08048bb1 in main (argc=3, argv=0xbffff1f4) at utilities/magick.c:180
(gdb) l
204 *quantum=(QuantumAny) 0;
205 for (i=(ssize_t) quantum_info->depth; i > 0L; )
206 {
207 if (quantum_info->state.bits == 0UL)
208 {
209 quantum_info->state.pixel=(*pixels++);
210 quantum_info->state.bits=8UL;
211 }
212 quantum_bits=(size_t) i;
213 if (quantum_bits > quantum_info->state.bits)
Code:
=================================================================
==7850==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xac5089a0 at pc 0xb6b3f60b bp 0xbfc861e8 sp 0xbfc861dc
READ of size 1 at 0xac5089a0 thread T0
[frame=0, function=PushQuantumPixel]
[frame=1, function=ImportGrayQuantum]
[frame=2, function=ImportQuantumPixels]
[frame=3, function=ReadTIFFImage]
[frame=4, function=ReadImage]
[frame=5, function=ReadImages]
[frame=6, function=ConvertImageCommand]
[frame=7, function=MagickCommandGenesis]
[frame=8, function=MagickMain]
[frame=9, function=main]
[frame=10, function=__libc_start_main]
[frame=11, function=_start]
0xac5089a0 is located 174 bytes to the right of 34034-byte region [0xac500400,0xac5088f2)
allocated by thread T0 here:
[frame=0, function=__interceptor_malloc]
[frame=1, function=AcquireMagickMemory]
[frame=2, function=ReadTIFFImage]
[frame=3, function=ReadImage]
[frame=4, function=ReadImages]
[frame=5, function=ConvertImageCommand]
[frame=6, function=MagickCommandGenesis]
[frame=7, function=MagickMain]
[frame=8, function=main]
[frame=9, function=__libc_start_main]
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/x/Desktop/clang-imagick/lib/libMagickCore-7.Q16HDRI.so.1+0x74c60a) in PushQuantumPixel
==7850==ABORTING