Several undefined behaviors in ImageMagick-6.9.1-8
Posted: 2015-07-18T11:28:47-07:00
I have found several undefined behaviors in 'convert' and 'display' of ImageMagick-6.9.1-8.
To reproduce them, you need to build the source code with flag '-fsanitize=undefined' (requires gcc-5.0 or clang-3.3).
For test inputs in folder input-convert.tar.gz https://www.dropbox.com/s/zjpi3i52q9n4w ... ar.gz?dl=0, execute command

Code:
convert $file png:/dev/null

You will see the following undefined behaviors:

Code:
tif_dirread.c:3783:24: runtime error: shift exponent 98 is too large for 64-bit type 'long'
./magick/quantum-private.h:97:33: runtime error: shift exponent 97 is too large for 64-bit type 'MagickSizeType' (aka 'unsigned long long')
tif_dir.c:326:20: runtime error: shift exponent 132 is too large for 64-bit type 'long'
tif_dirread.c:2896:24: runtime error: division by zero

For test inputs in folder input-display.tar.gz https://www.dropbox.com/s/9lqnxmjqx9rbq ... ar.gz?dl=0, execute command

Code:
display $file

You will see the following undefined behaviors:

Code:
quantum-private.h:275: runtime error: value 209712 is outside the range of representable values of type 'unsigned short'
quantum-import.c:192: runtime error: value -1.53699e+41 is outside the range of representable values of type 'float'
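A small triage harness for the reproduction steps above, added here as an example and not part of the original post: it runs the poster's convert/display commands over a corpus directory and collapses the UBSan diagnostics to one line per source site (file:line, with the concrete value masked), so whoever fixes the code sees the distinct bug sites instead of one line per input hit. It assumes a '-fsanitize=undefined' build whose convert/display are on PATH and GNU coreutils timeout; the sample report lines are constructed from the ones quoted above plus one repeat.

```shell
#!/bin/sh
# Added example for triaging UBSan output from a corpus run (not the post's own code).
# Assumes: UBSan build of ImageMagick with convert/display on PATH, GNU coreutils timeout.

# The two commands from the post, each bounded so one hanging input cannot stall the run.
convert_case() { timeout 30 convert "$1" png:/dev/null; }
display_case() { timeout 30 display "$1"; }

# Apply $2 (one of the *_case functions) to every regular file in directory $1.
# UBSan writes to stderr, so stderr goes to the pipe and ordinary stdout is dropped.
run_corpus() {
    dir=$1; case_fn=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        "$case_fn" "$f" 2>&1 >/dev/null
    done
}

# Reduce a stream of diagnostics to one line per distinct site:
# drop the directory prefix and column, mask standalone numbers in the message
# (the offending shift count or value differs per input, the bug does not),
# and keep the first occurrence of each resulting line.
unique_sites() {
    awk '
        /: runtime error: / {
            split($0, parts, ": runtime error: ")
            loc = parts[1]; msg = parts[2]
            sub(/^.*\//, "", loc)                       # ./magick/quantum-private.h -> quantum-private.h
            split(loc, f, ":")                          # file:line[:col]
            key = f[1] ":" f[2]
            gsub(/ -?[0-9]+(\.[0-9]+)?(e[+-]?[0-9]+)? /, " N ", msg)
            line = key ": " msg
            if (!(line in seen)) { seen[line] = 1; print line }
        }'
}

# Constructed sample: the reports quoted in the post plus one repeat hit on the
# tif_dirread.c:3783 site with a different exponent, and one non-sanitizer stderr line.
SAMPLE_REPORTS="tif_dirread.c:3783:24: runtime error: shift exponent 98 is too large for 64-bit type 'long'
tif_dirread.c:3783:24: runtime error: shift exponent 100 is too large for 64-bit type 'long'
tif_dir.c:326:20: runtime error: shift exponent 132 is too large for 64-bit type 'long'
tif_dirread.c:2896:24: runtime error: division by zero
quantum-import.c:192: runtime error: value -1.53699e+41 is outside the range of representable values of type 'float'
convert: ordinary diagnostic line that is not a sanitizer report"

# Demo on the constructed sample; the real run is: run_corpus input-convert convert_case | unique_sites
demo() { printf '%s\n' "$SAMPLE_REPORTS" | unique_sites; }
```

On the sample, demo prints four lines, one each for tif_dirread.c:3783, tif_dir.c:326, tif_dirread.c:2896 and quantum-import.c:192; the two hits on line 3783 collapse into one.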