SEGV in 8BIM profile in ImageMagick-6.8.9-8

Posted: 2014-10-04T06:25:31-07:00
by JodieC
Hi,

I've been fuzzing ImageMagick and came across the following segfault. I am fuzzing conversion of jpg to png.

cmdline:

lt-convert ./id:000001,src:000002,op:flip1,pos:4473 png:/dev/null
works: original jpg file: https://www.dropbox.com/s/uhamfas94fpfg ... 4.jpg?dl=0
SEGV example 1: fuzzed file 1, error in offset 4473: https://www.dropbox.com/s/6gu8gnkstsbuy ... A4473?dl=0
SEGV example 2: fuzzed file 2, error in offset 4503: https://www.dropbox.com/s/uonooyi5ys6w1 ... A4503?dl=0

bt:

#0  0xb62e23a7 in raise () from /lib/i386-linux-gnu/libc.so.6
#1  0xb62e5792 in abort () from /lib/i386-linux-gnu/libc.so.6
#2  0xb71dd0eb in MagickSignalHandler (signal_number=0x6) at magick/magick.c:1171
#3  <signal handler called>
#4  0xb62e23a7 in raise () from /lib/i386-linux-gnu/libc.so.6
#5  0xb62e5792 in abort () from /lib/i386-linux-gnu/libc.so.6
#6  0xb71dd0eb in MagickSignalHandler (signal_number=0xb) at magick/magick.c:1171
#7  <signal handler called>
#8  0xb63327db in strncasecmp () from /lib/i386-linux-gnu/libc.so.6
#9  0xb734b8ca in LocaleNCompare (p=p@entry=0x8f2c28a <Address 0x8f2c28a out of bounds>, q=q@entry=0xb7630472 "8BIM", length=length@entry=0x4) at magick/string.c:1642
#10 0xb72495ef in GetProfilesFromResourceBlock (resource_block=0x9126458, image=0x9117788) at magick/profile.c:1564
#11 SetImageProfileInternal (image=0x9117788, name=0xb7635efb "8bim", profile=0x9126458, recursive=MagickFalse) at magick/profile.c:1732
#12 0xb724a447 in SetImageProfile (image=0x9126458, image@entry=0x9117788, name=0x0, name@entry=0xb7635efb "8bim", profile=profile@entry=0x9126458) at magick/profile.c:1747
#13 0xb75c82da in ReadIPTCProfile (jpeg_info=0xbfb7fb9c) at coders/jpeg.c:597
#14 0xb6c0968b in ?? () from /usr/lib/i386-linux-gnu/libjpeg.so.8
#15 0xb6c06d2e in ?? () from /usr/lib/i386-linux-gnu/libjpeg.so.8
#16 0xb6bff927 in jpeg_consume_input () from /usr/lib/i386-linux-gnu/libjpeg.so.8
#17 0xb6bffba3 in jpeg_read_header () from /usr/lib/i386-linux-gnu/libjpeg.so.8
#18 0xb75ca6fe in ReadJPEGImage (image_info=0x90f5798, exception=0x90ea318) at coders/jpeg.c:1071
#19 0xb705b6de in ReadImage (image_info=image_info@entry=0x90f1690, exception=exception@entry=0x90ea318) at magick/constitute.c:492
#20 0xb705e1f1 in ReadImages (image_info=image_info@entry=0x90f1690, exception=exception@entry=0x90ea318) at magick/constitute.c:853
#21 0xb6dd4a4d in ConvertImageCommand (image_info=0x90f1690, argc=0x3, argv=0x90eb3e8, metadata=0x0, exception=0x90ea318) at wand/convert.c:619
#22 0xb6eaf546 in MagickCommandGenesis (image_info=0x90ed588, command=0x80488f0 <ConvertImageCommand@plt>, argc=0x3, argv=0xbfb895c4, metadata=0x0, exception=0x90ea318) at wand/mogrify.c:168
#23 0x08048aa5 in ConvertMain (argv=0xbfb895c4, argc=0x3) at utilities/convert.c:81
#24 main (argc=0x3, argv=0xbfb895c4) at utilities/convert.c:92
context:

_______________________________________________________________________________
     eax:00000000 ebx:00003685  ecx:00003685  edx:00000006     eflags:00000202
     esi:00000006 edi:B6401FF4  esp:BFB7BC98  ebp:BFB7BCA0     eip:B62E23A7
     cs:0073  ds:007B  es:007B  fs:0000  gs:0033  ss:007B    o d I t s z a p c 
[007B:BFB7BC98]---------------------------------------------------------[stack]
BFB7BCC8 : 00 00 00 00  00 00 00 00 - 00 00 00 00  00 00 00 00 ................
BFB7BCB8 : 00 00 00 00  00 00 00 00 - 00 00 00 00  00 00 00 00 ................
BFB7BCA8 : 06 00 00 00  40 BD B7 BF - 00 00 00 00  00 00 00 00 ....@...........
BFB7BC98 : F4 1F 40 B6  C0 BD B7 BF - C8 BD B7 BF  92 57 2E B6 ..@..........W..
[007B:B6401FF4]---------------------------------------------------------[ data]
B6401FF4 : 7C 9D 14 00  C0 F2 41 B6 - B0 19 7D B7  06 EC 2C B6 |.....A...}...,.
B6402004 : 16 EC 2C B6  20 D2 32 B6 - 36 EC 2C B6  46 EC 2C B6 ..,. .2.6.,.F.,.
[0073:B62E23A7]---------------------------------------------------------[ code]
=> 0xb62e23a7 <raise+71>:	xchg   %edi,%ebx
   0xb62e23a9 <raise+73>:	cmp    $0xfffff000,%eax
   0xb62e23ae <raise+78>:	ja     0xb62e23d2 <raise+114>
   0xb62e23b0 <raise+80>:	mov    (%esp),%ebx
   0xb62e23b3 <raise+83>:	mov    0x4(%esp),%edi
   0xb62e23b7 <raise+87>:	mov    %ebp,%esp
------------------------------------------------------------------------------
I don't know much about C programming, so I'll leave the fix up to you. I hope it's something simple like p wrapping around in GetProfilesFromResourceBlock.

Re: SEGV in 8BIM profile in ImageMagick-6.8.9-8

Posted: 2014-10-04T14:55:48-07:00
by magick
We're using ImageMagick 6.8.9-8, the latest release, and each of your images returns a warning and exits properly (no corruption):
  • -> convert 1cbb1bb37d62c44f67374cd451643dc4.jpg png:/dev/null
    convert: Corrupt JPEG data: premature end of data segment `1cbb1bb37d62c44f67374cd451643dc4.jpg' @ warning/jpeg.c/JPEGWarningHandler/352.

Re: SEGV in 8BIM profile in ImageMagick-6.8.9-8

Posted: 2014-10-04T17:12:59-07:00
by JodieC
I'm using TKL Debian Wheezy i386, 6.8.9-8 built from source here, and libjpeg8 is 8d-1+deb7u1
http://sourceforge.net/projects/turnkey ... o/download

I was unable to reproduce it on Ubuntu 14.04 x86_64 with 6.8.9-8 built from source here; libjpeg8 was 8c-2ubuntu8. I was unable to reproduce it on the natively installed 8:6.7.7.10-6ubuntu3 as well.

I can try more distributions and 32/64 arch iterations, VMs only take a few minutes to spin up. Let me know what you think will provide the best test coverage and I will be happy to test it out.

Re: SEGV in 8BIM profile in ImageMagick-6.8.9-8

Posted: 2014-10-05T07:21:53-07:00
by magick
Try your testing against ImageMagick-6.8.9-9 Beta. Let us know if it passes your "fuzz" tests.

Re: SEGV in 8BIM profile in ImageMagick-6.8.9-8

Posted: 2014-10-05T18:57:32-07:00
by JodieC
I tried against ImageMagick-6.8.9-9 (compiled from ImageMagick-6.8.9-9~beta20141005.tar.gz) on the TKL Debian Wheezy 32-bit host.

Same as before.

Core was generated by `/root/ImageMagick-6.8.9-9/utilities/.libs/lt-convert /root/id:000001,src:000002'.
Program terminated with signal 6, Aborted.
#0  0xb66913a7 in raise () from /lib/i386-linux-gnu/libc.so.6
gdb> bt
#0  0xb66913a7 in raise () from /lib/i386-linux-gnu/libc.so.6
#1  0xb6694792 in abort () from /lib/i386-linux-gnu/libc.so.6
#2  0xb73f0856 in MagickSignalHandler (signal_number=0x6) at magick/magick.c:1175
#3  <signal handler called>
#4  0xb66913a7 in raise () from /lib/i386-linux-gnu/libc.so.6
#5  0xb6694792 in abort () from /lib/i386-linux-gnu/libc.so.6
#6  0xb73f0882 in MagickSignalHandler (signal_number=0xb) at magick/magick.c:1191
#7  <signal handler called>
#8  0xb66e17db in strncasecmp () from /lib/i386-linux-gnu/libc.so.6
#9  0xb746df85 in LocaleNCompare (p=0x7e9012a <Address 0x7e9012a out of bounds>, q=0xb761133c "8BIM", length=0x4) at magick/string.c:1642
#10 0xb7420349 in GetProfilesFromResourceBlock (image=0x807b628, resource_block=0x808a2f8) at magick/profile.c:1564
#11 0xb7420910 in SetImageProfileInternal (image=0x807b628, name=0xb766c780 "8bim", profile=0x808a2f8, recursive=MagickFalse) at magick/profile.c:1732
#12 0xb74209ab in SetImageProfile (image=0x807b628, name=0xb766c780 "8bim", profile=0x808a2f8) at magick/profile.c:1747
#13 0xb75b253b in ReadIPTCProfile (jpeg_info=0xbfe5f8d4) at coders/jpeg.c:597
#14 0xb6fb868b in ?? () from /usr/lib/i386-linux-gnu/libjpeg.so.8
#15 0xb6fb5d2e in ?? () from /usr/lib/i386-linux-gnu/libjpeg.so.8
#16 0xb6fae927 in jpeg_consume_input () from /usr/lib/i386-linux-gnu/libjpeg.so.8
#17 0xb6faeba3 in jpeg_read_header () from /usr/lib/i386-linux-gnu/libjpeg.so.8
#18 0xb75b384e in ReadJPEGImage (image_info=0x805b798, exception=0x8050318) at coders/jpeg.c:1071
#19 0xb7333c4a in ReadImage (image_info=0x8057690, exception=0x8050318) at magick/constitute.c:492
#20 0xb7334fc0 in ReadImages (image_info=0x8057690, exception=0x8050318) at magick/constitute.c:853
#21 0xb7175c89 in ConvertImageCommand (image_info=0x8057690, argc=0x3, argv=0x80513e8, metadata=0x0, exception=0x8050318) at wand/convert.c:620
#22 0xb720b1bb in MagickCommandGenesis (image_info=0x8053588, command=0x80487e0 <ConvertImageCommand@plt>, argc=0x3, argv=0xbfe68494, metadata=0x0, exception=0x8050318) at wand/mogrify.c:168
#23 0x080489a7 in ConvertMain (argc=0x3, argv=0xbfe68494) at utilities/convert.c:81
#24 0x080489f2 in main (argc=0x3, argv=0xbfe68494) at utilities/convert.c:92
context:

__________________________________________________________________________
     eax:00000000 ebx:00001E75  ecx:00001E75  edx:00000006     eflags:00000202
     esi:07E9012A edi:B67B0FF4  esp:BFE5BA78  ebp:BFE5BA80     eip:B66913A7
     cs:0073  ds:007B  es:007B  fs:0000  gs:0033  ss:007B    o d I t s z a p c 
[007B:BFE5BA78]---------------------------------------------------------[stack]
BFE5BAA8 : 00 00 00 00  00 00 00 00 - 00 00 00 00  00 00 00 00 ................
BFE5BA98 : 00 00 00 00  00 00 00 00 - 00 00 00 00  00 00 00 00 ................
BFE5BA88 : 06 00 00 00  20 BB E5 BF - 00 00 00 00  00 00 00 00 .... ...........
BFE5BA78 : F4 0F 7B B6  A0 BB E5 BF - A8 BB E5 BF  92 47 69 B6 ..{..........Gi.
[007B:07E9012A]---------------------------------------------------------[ data]
07E9012A : Cannot access memory at address 0x7e9012a


So to the debugging side of this, I finally got GDB to hook into the lt-convert binary and I was manually futzing with the file.
The crash occurs based in

In the 8BIM block on this file you have
\x38\x42\x49\x4d (8BIM) and then the unique id (\x04\x11) and then \x40.
I tried changing the \x40 to:
\x10 -- no crash
\x20 -- no crash
\x30 -- no crash
\x35 -- no crash
\x39 -- no crash
\x41 -- crash, SEGV
\x42 -- no crash
\x43 -- no crash
\x50 -- no crash

I have no idea what that is for, I'm still going back and forth from the hex editor to the Adobe docs.

Re: SEGV in 8BIM profile in ImageMagick-6.8.9-8

Posted: 2014-10-22T09:47:09-07:00
by JodieC
The \x40 is being evaluated as a length of 64, which skips ahead in the file about 68-69 bytes when it shouldn't. The next bytes read are from the wrong portion of the file and the resulting evaluation of those bytes provides another length value almost equal to the 32-bit unsigned integer limit.

I have a fuzzer running 24/7 on IM and it's found a couple more places where things like this occur.

So far this only affects some 32-bit systems.
I have six distinct crashes. Only two of them also crashed on Solaris/SPARC 32-bit, none have crashed on AMD64 systems.

When the fuzzer has run for about 30 days I can give a full write up of any discovered bugs or hangs, and their corresponding walkthrough in GDB with variable displays. Let me know how/if you'd want to see that.

So far the crashes I have found are just reading from an unallocated vma region. If I catch any writes or executes, I will discuss them with you via PM of course.

The fuzzer in use is AFL (http://lcamtuf.coredump.cx/afl/)
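The two observations above (the \x40 byte after the resource id in the earlier post, and the "length of 64 that skips ahead about 68-69 bytes" explanation in the last one) line up with the layout of a Photoshop image resource block in Adobe's file format documentation: after the "8BIM" signature and the 2-byte id comes a Pascal-string name (one length byte plus that many bytes, padded to an even total), then a 4-byte big-endian data length, then the data, padded to even. A name length of 0x40 therefore moves the read pointer past 64 name bytes, a pad byte and the 4-byte length field before the next signature check, and whatever happens to sit there is then interpreted as the next data length. The walker below is an added example written for this thread, not ImageMagick's GetProfilesFromResourceBlock or any of its code; the function and array names are mine and the three sample blocks are constructed, not taken from the fuzzed files. It shows the check a parser of this format needs: every advance of the pointer is compared against the end of the buffer before the bytes are read, and the raw data length is compared before it is padded, because padding 0xFFFFFFFF first would wrap to 0 on a 32-bit size_t and pass the check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounds-checked walker for a Photoshop "8BIM" image resource
 * block (added example; not ImageMagick's own implementation).
 * Per-resource layout, per Adobe's Photoshop file format documentation:
 *   "8BIM" | uint16 id | Pascal-string name (1 length byte + bytes, padded
 *   to an even total) | uint32 big-endian data length | data (padded to even)
 * Returns the number of resources parsed, or -1 if the block is malformed
 * (truncated, bad signature, or a length that runs past the buffer). */
int parse_8bim_block(const unsigned char *block, size_t length)
{
    const unsigned char *p = block;
    const unsigned char *end = block + length;
    int count = 0;

    while (p < end) {
        size_t remaining = (size_t)(end - p);

        /* Smallest possible resource: signature, id, padded empty name, length field. */
        if (remaining < 4 + 2 + 2 + 4)
            return -1;
        if (memcmp(p, "8BIM", 4) != 0)
            return -1;
        p += 4;
        p += 2;                                   /* resource id; not interpreted here */

        /* Pascal-string name: the length byte itself counts toward the even padding. */
        size_t name_field = 1 + (size_t)p[0];
        if (name_field & 1)
            name_field++;
        if (name_field > (size_t)(end - p))       /* e.g. a 0x40 length byte with few bytes left */
            return -1;
        p += name_field;

        if ((size_t)(end - p) < 4)
            return -1;
        uint32_t data_len = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
                          | ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
        p += 4;

        /* Check the raw length BEFORE padding: 0xFFFFFFFF + 1 wraps to 0 in a
         * 32-bit size_t, which would let the check pass on a 32-bit build. */
        if (data_len > (size_t)(end - p))
            return -1;
        p += data_len;
        if ((data_len & 1) && p < end)            /* consume the pad byte when present */
            p++;
        count++;
    }
    return count;
}

/* Constructed sample blocks (not from the thread's files). */
static const unsigned char VALID_BLOCK[] = {
    '8','B','I','M', 0x04,0x11, 0x00,0x00,         /* id 0x0411, empty name padded to 2 bytes */
    0x00,0x00,0x00,0x04, 'A','B','C','D',          /* 4 data bytes */
    '8','B','I','M', 0x04,0x04, 0x03,'a','b','c',  /* id 0x0404, name "abc" (4 bytes, even) */
    0x00,0x00,0x00,0x03, 'x','y','z', 0x00         /* 3 data bytes + 1 pad byte */
};

/* Name length byte 0x40 (64) as in the thread, but only a few bytes follow. */
static const unsigned char OVERLONG_NAME_BLOCK[] = {
    '8','B','I','M', 0x04,0x11, 0x40, 'n','a','m','e',
    0x00,0x00,0x00,0x04, 'A','B','C','D'
};

/* Data length 0xFFFFFFFF: a length near the 32-bit unsigned limit. */
static const unsigned char HUGE_LENGTH_BLOCK[] = {
    '8','B','I','M', 0x04,0x11, 0x00,0x00,
    0xFF,0xFF,0xFF,0xFF, 'A','B'
};

int demo_valid_block(void)      { return parse_8bim_block(VALID_BLOCK, sizeof VALID_BLOCK); }
int demo_overlong_name(void)    { return parse_8bim_block(OVERLONG_NAME_BLOCK, sizeof OVERLONG_NAME_BLOCK); }
int demo_huge_data_length(void) { return parse_8bim_block(HUGE_LENGTH_BLOCK, sizeof HUGE_LENGTH_BLOCK); }

int main(void)
{
    printf("valid block: %d resources\n", demo_valid_block());   /* 2 */
    printf("overlong name: %d\n", demo_overlong_name());         /* -1 */
    printf("huge data length: %d\n", demo_huge_data_length());   /* -1 */
    return 0;
}
```

Feeding the walker the bytes described in the thread is the quickest way to see why only some lengths crash: a name length of 0x40 or 0x41 is rejected here at the name-field check, rather than being followed blindly into whatever bytes lie 68-69 positions further on. A harness built this way also gives a fuzzer a clean oracle, since any read past the end is turned into a -1 return instead of a signal.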