JPEG related crash

Posted: 2013-10-31T10:57:17-07:00
by mkoppanen
Hello,

the following code crashes with double-free / corruption. My GDB refuses to produce a proper backtrace:

#include <wand/MagickWand.h>
#include <assert.h>

int main ()
{
    MagickBooleanType ret;

    /* Initialise the MagickWand environment before creating any wand. */
    MagickWandGenesis ();

    MagickWand *wand = NewMagickWand ();
    assert (wand);

    /* Built-in test image, so no input file is required. */
    ret = MagickReadImage (wand, "magick:rose");
    assert (ret == MagickTrue);

    ret = MagickSetImageFormat (wand, "jpg");
    assert (ret == MagickTrue);

    /* Ask the JPEG encoder to pick a quality that fits the output in 30 KB. */
    ret = MagickSetOption (wand, "jpeg:extent", "30kb");
    assert (ret == MagickTrue);

    /* Encoding to an in-memory blob is the step that crashes. */
    size_t siz;
    unsigned char *rc = MagickGetImageBlob (wand, &siz);
    assert (rc);

    /* Release the blob and the wand, then shut the environment down. */
    MagickRelinquishMemory (rc);
    DestroyMagickWand (wand);
    MagickWandTerminus ();

    return 0;
}

Re: JPEG related crash

Posted: 2013-10-31T11:17:29-07:00
by mkoppanen
lldb seems to work; it's the jpeg_finish_compress line:

(lldb) bt
* thread #1: tid = 0x2e1be, 0x00007fff906c9866 libsystem_kernel.dylib`__pthread_kill + 10, queue = 'com.apple.main-thread, stop reason = signal SIGABRT
    frame #0: 0x00007fff906c9866 libsystem_kernel.dylib`__pthread_kill + 10
    frame #1: 0x00007fff9559635c libsystem_pthread.dylib`pthread_kill + 92
    frame #2: 0x00007fff939c0bba libsystem_c.dylib`abort + 125
    frame #3: 0x00007fff973cd093 libsystem_malloc.dylib`free + 411
    frame #4: 0x000000010077dfd7 libjpeg.8.dylib`free_pool + 282
    frame #5: 0x000000010075c640 libjpeg.8.dylib`jpeg_abort + 29
    frame #6: 0x0000000100496d4f libMagickCore-6.Q16.1.dylib`WriteJPEGImage(image_info=0x000000010102de00, image=0x0000000101032000) + 11167 at jpeg.c:2776
    frame #7: 0x0000000100494e1f libMagickCore-6.Q16.1.dylib`WriteJPEGImage(image_info=0x0000000101017400, image=0x0000000101026a00) + 3183 at jpeg.c:2252
    frame #8: 0x0000000100201220 libMagickCore-6.Q16.1.dylib`WriteImage(image_info=0x0000000101013200, image=0x0000000101026a00) + 2384 at constitute.c:1164
    frame #9: 0x00000001001b8657 libMagickCore-6.Q16.1.dylib`ImageToBlob(image_info=0x000000010100f000, image=0x0000000101026a00, length=0x00007fff5fbffb98, exception=0x0000000100b0f950) + 1063 at blob.c:1548
    frame #10: 0x00000001000b71ea libMagickWand-6.Q16.1.dylib`MagickGetImageBlob(wand=0x000000010100d800, length=0x00007fff5fbffb98) + 410 at magick-image.c:4113
    frame #11: 0x0000000100000e91 wand`main + 385 at crash.c:21
    frame #12: 0x00007fff938775fd libdyld.dylib`start + 1
    frame #13: 0x00007fff938775fd libdyld.dylib`start + 1

Re: JPEG related crash

Posted: 2013-11-01T00:16:40-07:00
by dlemstra
Which version of ImageMagick are you using?

Re: JPEG related crash

Posted: 2013-11-03T03:27:16-07:00
by mkoppanen
ImageMagick 6, trunk version. This seems to be reproducible with other versions as well; tested with 6.8.7 Q16 too.

Re: JPEG related crash

Posted: 2013-11-03T07:15:15-07:00
by magick
We can reproduce the problem you posted and have a patch in ImageMagick 6.8.7-5 Beta available by sometime tomorrow. In the meantime, do not set jpeg:extent.

Re: JPEG related crash

Posted: 2013-11-03T21:00:13-07:00
by mkoppanen
Thanks!

Re: JPEG related crash

Posted: 2013-11-30T07:35:04-07:00
by broucaries
Seems security related, maybe? How easy is it to trigger from the command line?

Re: JPEG related crash

Posted: 2013-11-30T09:13:05-07:00
by magick
The bug only occurs when creating a blob with a call to ImageToBlob() when jpeg:extent is defined and the output format is JPEG. These conditions are never met from the command-line.
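The reply above pins down both the triggering conditions and the release that carries the fix (6.8.7-5 Beta). As an added example, not code from this thread or from ImageMagick, the Python below parses the banner printed by `convert -version` and reports whether an installed build is at or past 6.8.7-5. It assumes the banner's first line has the form `Version: ImageMagick X.Y.Z-N ...`; the sample banner strings are constructed, not captured output.

```python
import re
import subprocess
from typing import Optional, Tuple

# Release the thread names as carrying the jpeg:extent fix (6.8.7-5 Beta).
FIXED_VERSION = (6, 8, 7, 5)

# Assumed banner shape: "Version: ImageMagick 6.8.7-4 2013-10-29 Q16 ...".
# The "-N" patch level is optional in the regex because some builds omit it.
_VERSION_RE = re.compile(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")


def parse_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, micro, patch) from a version banner, or None.

    A missing "-N" patch level is treated as patch 0, which is the
    conservative choice: "6.8.7" sorts before "6.8.7-5".
    """
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    major, minor, micro, patch = match.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def has_jpeg_extent_fix(banner: str) -> Optional[bool]:
    """True if the banner's version is >= 6.8.7-5, False if older, None if unparseable."""
    version = parse_version(banner)
    if version is None:
        return None
    return version >= FIXED_VERSION


def check_installed() -> Optional[bool]:
    """Run `convert -version` on this host and classify it; None if not installed."""
    try:
        out = subprocess.run(["convert", "-version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return None
    return has_jpeg_extent_fix(out)


# Constructed sample banners covering the cases mentioned in the thread.
SAMPLE_BANNERS = {
    "Version: ImageMagick 6.8.7-4 2013-10-29 Q16 http://www.imagemagick.org": False,
    "Version: ImageMagick 6.8.7-5 2013-11-04 Q16 http://www.imagemagick.org": True,
    "Version: ImageMagick 6.8.7 Q16 http://www.imagemagick.org": False,
    "Version: ImageMagick 6.8.8-0 2013-11-20 Q16 http://www.imagemagick.org": True,
}


def classify_samples() -> dict:
    """Map each constructed banner to the verdict of has_jpeg_extent_fix()."""
    return {banner: has_jpeg_extent_fix(banner) for banner in SAMPLE_BANNERS}


if __name__ == "__main__":
    for banner, verdict in classify_samples().items():
        print(f"{verdict!s:5}  {banner}")
    print("installed build fixed:", check_installed())
```

Only code that encodes to a blob with jpeg:extent set is exposed, so the version verdict is the first filter; the second is whether any in-house MagickWand or MagickCore caller actually combines ImageToBlob()/MagickGetImageBlob() with that option.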