coredump on invalid input to convert

[blackaura]

Hi,

I have been testing the convert command and found out that the following inputs crash 'convert'. I have compiled from source ImageMagick-6.8.5-9.

xxx@localhost:~$ convert --version
Version: ImageMagick 6.8.5-9 2013-06-05 Q16 http://www.imagemagick.org
Copyright: Copyright (C) 1999-2013 ImageMagick Studio LLC
Features: DPC OpenMP
Delegates: bzlib jpeg ps xml zlib

Commands:
convert img.jpg -frame +0x50! /tmp/img1.jpg
convert img.jpg -frame ++0x50! /tmp/img1.jpg
convert img.jpg -frame --0x50! /tmp/img1.jpg
convert img.jpg -splice +50x50< /tmp/img1.jpg
convert img.jpg -splice ++50x50< /tmp/img1.jpg
convert img.jpg -splice --50x50< /tmp/img1.jpg
convert img.jpg -splice +50 /tmp/img1.jpg
convert img.jpg -splice ++50 /tmp/img1.jpg
convert img.jpg -splice --50 /tmp/img1.jpg
convert img.jpg -frame +50x50! /tmp/img1.jpg
convert img.jpg -frame 50x+50! /tmp/img1.jpg
convert img.jpg -frame ++50x50! /tmp/img1.jpg
convert img.jpg -frame 50x++50! /tmp/img1.jpg
convert img.jpg -frame --50x50! /tmp/img1.jpg
convert img.jpg -frame 50x--50! /tmp/img1.jpg
convert img.jpg -splice +50 /tmp/img1.jpg
convert img.jpg -splice ++50 /tmp/img1.jpg
convert img.jpg -splice --50 /tmp/img1.jpg
convert img.jpg -splice +50@ /tmp/img1.jpg
convert img.jpg -splice ++50@ /tmp/img1.jpg
convert img.jpg -splice --50@ /tmp/img1.jpg
convert img.jpg -splice +0x50 /tmp/img1.jpg
convert img.jpg -splice ++0x50 /tmp/img1.jpg
convert img.jpg -splice --0x50 /tmp/img1.jpg
convert img.jpg -frame +0x50> /tmp/img1.jpg
convert img.jpg -frame +50% /tmp/img1.jpg
convert img.jpg -frame ++0x50> /tmp/img1.jpg
convert img.jpg -frame --0x50> /tmp/img1.jpg
convert img.jpg -frame ++50% /tmp/img1.jpg
convert img.jpg -frame --50% /tmp/img1.jpg
convert img.jpg -splice +50x50 /tmp/img1.jpg
convert img.jpg -splice ++50x50 /tmp/img1.jpg
convert img.jpg -splice --50x50 /tmp/img1.jpg
convert img.jpg -frame +50x50 /tmp/img1.jpg
convert img.jpg -frame 50x+50 /tmp/img1.jpg
convert img.jpg -frame +0%x50% /tmp/img1.jpg
convert img.jpg -frame +50x50> /tmp/img1.jpg
convert img.jpg -frame ++0%x50% /tmp/img1.jpg
convert img.jpg -frame 50x+50> /tmp/img1.jpg
convert img.jpg -frame --0%x50% /tmp/img1.jpg
convert img.jpg -frame ++50x50> /tmp/img1.jpg
convert img.jpg -frame 50x++50> /tmp/img1.jpg
convert img.jpg -frame --50x50> /tmp/img1.jpg
convert img.jpg -frame 50x--50> /tmp/img1.jpg
convert img.jpg -frame ++50x50 /tmp/img1.jpg
convert img.jpg -frame 50x++50 /tmp/img1.jpg
convert img.jpg -frame --50x50 /tmp/img1.jpg
convert img.jpg -frame 50x--50 /tmp/img1.jpg
convert img.jpg -splice +50% /tmp/img1.jpg
convert img.jpg -splice ++50% /tmp/img1.jpg
convert img.jpg -splice --50% /tmp/img1.jpg
convert img.jpg -splice +0x50^ /tmp/img1.jpg
convert img.jpg -splice ++0x50^ /tmp/img1.jpg
convert img.jpg -splice --0x50^ /tmp/img1.jpg
convert img.jpg -frame +50%x50% /tmp/img1.jpg
convert img.jpg -frame 50%x+50% /tmp/img1.jpg
convert img.jpg -frame ++50%x50% /tmp/img1.jpg
convert img.jpg -frame 50%x++50% /tmp/img1.jpg
convert img.jpg -frame --50%x50% /tmp/img1.jpg
convert img.jpg -frame 50%x--50% /tmp/img1.jpg
convert img.jpg -frame +0x50< /tmp/img1.jpg
convert img.jpg -frame ++0x50< /tmp/img1.jpg
convert img.jpg -frame --0x50< /tmp/img1.jpg
convert img.jpg -splice +50x50^ /tmp/img1.jpg
convert img.jpg -splice ++50x50^ /tmp/img1.jpg
convert img.jpg -splice --50x50^ /tmp/img1.jpg
convert img.jpg -splice +0x50> /tmp/img1.jpg
convert img.jpg -frame +50x50< /tmp/img1.jpg
convert img.jpg -frame 50x+50< /tmp/img1.jpg
convert img.jpg -frame ++50x50< /tmp/img1.jpg
convert img.jpg -frame 50x++50< /tmp/img1.jpg
convert img.jpg -frame --50x50< /tmp/img1.jpg
convert img.jpg -frame 50x--50< /tmp/img1.jpg
convert img.jpg -splice ++0x50> /tmp/img1.jpg
convert img.jpg -splice --0x50> /tmp/img1.jpg
convert img.jpg -frame +50 /tmp/img1.jpg
convert img.jpg -frame ++50 /tmp/img1.jpg
convert img.jpg -frame --50 /tmp/img1.jpg
convert img.jpg -splice +0x50! /tmp/img1.jpg
convert img.jpg -splice ++0x50! /tmp/img1.jpg
convert img.jpg -splice --0x50! /tmp/img1.jpg
convert img.jpg -frame +50 /tmp/img1.jpg
convert img.jpg -frame ++50 /tmp/img1.jpg
convert img.jpg -frame --50 /tmp/img1.jpg
convert img.jpg -frame +50@ /tmp/img1.jpg
convert img.jpg -splice +50x50! /tmp/img1.jpg
convert img.jpg -splice ++50x50! /tmp/img1.jpg
convert img.jpg -splice --50x50! /tmp/img1.jpg
convert img.jpg -frame +0x50 /tmp/img1.jpg
convert img.jpg -frame ++0x50 /tmp/img1.jpg
convert img.jpg -frame --0x50 /tmp/img1.jpg
convert img.jpg -splice +0%x50% /tmp/img1.jpg
convert img.jpg -splice ++0%x50% /tmp/img1.jpg
convert img.jpg -splice --0%x50% /tmp/img1.jpg
convert img.jpg -frame +0x50^ /tmp/img1.jpg
convert img.jpg -frame ++0x50^ /tmp/img1.jpg
convert img.jpg -frame --0x50^ /tmp/img1.jpg
convert img.jpg -splice +50x50> /tmp/img1.jpg
convert img.jpg -splice ++50x50> /tmp/img1.jpg
convert img.jpg -splice --50x50> /tmp/img1.jpg
convert img.jpg -frame +50x50^ /tmp/img1.jpg
convert img.jpg -frame 50x+50^ /tmp/img1.jpg
convert img.jpg -frame ++50x50^ /tmp/img1.jpg
convert img.jpg -frame 50x++50^ /tmp/img1.jpg
convert img.jpg -frame --50x50^ /tmp/img1.jpg
convert img.jpg -frame 50x--50^ /tmp/img1.jpg
convert img.jpg -splice +50%x50% /tmp/img1.jpg
convert img.jpg -splice 50%x+50% /tmp/img1.jpg
convert img.jpg -splice ++50%x50% /tmp/img1.jpg
convert img.jpg -splice 50%x++50% /tmp/img1.jpg
convert img.jpg -splice --50%x50% /tmp/img1.jpg
convert img.jpg -splice 50%x--50% /tmp/img1.jpg
convert img.jpg -splice +0x50< /tmp/img1.jpg
convert img.jpg -splice ++0x50< /tmp/img1.jpg
convert img.jpg -splice --0x50< /tmp/img1.jpg


backtrace of convert img.jpg -frame +0x50! /tmp/img1.jpg

Core was generated by `convert img.jpg -frame +0x50! /tmp/img1.jpg'.
Program terminated with signal 6, Aborted.
#0 0x00007f36c8e23425 in __GI_raise (sig=<optimized out>)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007f36c8e23425 in __GI_raise (sig=<optimized out>)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00007f36c8e26b8b in __GI_abort () at abort.c:91
#2 0x00007f36c97d8d7b in MagickSignalHandler (signal_number=6)
at magick/magick.c:1151
#3 <signal handler called>
#4 0x00007f36c8e23425 in __GI_raise (sig=<optimized out>)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#5 0x00007f36c8e26b8b in __GI_abort () at abort.c:91
#6 0x00007f36c97d8d7b in MagickSignalHandler (signal_number=11)
at magick/magick.c:1151
#7 <signal handler called>
#8 SyncAuthenticPixelCacheNexus (image=<optimized out>,
nexus_info=<optimized out>, exception=exception@entry=0x2452990)
at magick/cache.c:4943
#9 0x00007f36c9716661 in SyncCacheViewAuthenticPixels (
cache_view=cache_view@entry=0x2480100, exception=exception@entry=0x2452990)
at magick/cache-view.c:1006
#10 0x00007f36c975c9d4 in FrameImage (image=<optimized out>,
frame_info=frame_info@entry=0x7fffee672b40,
---Type <return> to continue, or q <return> to quit---
exception=exception@entry=0x2452990) at magick/decorate.c:406
#11 0x00007f36c94540c7 in MogrifyImage (image_info=image_info@entry=0x2457060,
argc=argc@entry=3, argv=argv@entry=0x2451858,
image=image@entry=0x7fffee673d58, exception=exception@entry=0x2452990)
at wand/mogrify.c:1641
#12 0x00007f36c9457c17 in MogrifyImages (image_info=0x2457060,
post=post@entry=MagickTrue, argc=3, argv=0x2451858,
images=images@entry=0x7fffee673d58, exception=exception@entry=0x2452990)
at wand/mogrify.c:8484
#13 0x00007f36c93fde10 in ConvertImageCommand (image_info=0x2457060, argc=5,
argv=0x2451850, metadata=0x0, exception=<optimized out>)
at wand/convert.c:3104
#14 0x00007f36c944de3c in MagickCommandGenesis (
image_info=image_info@entry=0x2452b10,
command=0x4007e0 <ConvertImageCommand@plt>, argc=argc@entry=5,
argv=argv@entry=0x7fffee6751e8, metadata=metadata@entry=0x0,
exception=exception@entry=0x2452990) at wand/mogrify.c:166
#15 0x0000000000400857 in ConvertMain (argv=0x7fffee6751e8, argc=5)
at utilities/convert.c:81
#16 main (argc=5, argv=0x7fffee6751e8) at utilities/convert.c:92


Regards,
Alfred Farrugia

[magick]

We cannot reproduce the problem with 6.8.5-10. Its possible you are running out of temporary disk space. Try your command on a partition with plenty of disk space. Set the MAGICK_TMPDIR environment variable to a path that has plenty of disk space.

[blackaura]

I have 16GB of free disk space and the original image is only 631bytes. There were instances where it tried to generate a temporary file of 2T (for example having scale % with a massive number) however in these cases it does not even try to create a temporary file.

In the case that there is no space for the temporary file, shouldn't it gracefully terminate?

[magick]

Add -debug cache to your command line to track resource requirements. Your errant option is most likely asking for huge amounts of resources. When it exceeds the memory limits, ImageMagick allocates the pixels on disk and attempts to memory map it on disk. When a memory map exceeds the available free disk space, the OS generates a SIGBUS which ImageMagick cannot intercept. Set -limit map 8GiB on your command line. This forces requests greater than 8GiB to disk without memory mapping. It will then fail gracefully with an I/O error. Alternatively, use MAGICK_TMPDIR to force temporary disk to a partition with free space that exceeds the memory map limits (type convert -list resource to see those limit). That will fix the problem as well.

[blackaura]

Cool, it works like that. Found this during a bug finding exercise using fuzzing

[magick]

We missed this one, see http://www.imagemagick.org/script/resources.php and look for MAGICK_SYNCHRONIZE:

Set to "true" to ensure all image data is fully flushed and synchronized to disk. There is a performance penalty, however, the benefits include ensuring a valid image file in the event of a system crash and early reporting if there is not enough disk space for the image pixel cache.