IM 7.0.2-7 Q16 x86_64 2016-08-04 - Use after free when using identify or convert
Posted: 2016-08-05T03:52:07-07:00
Version:

mikko@mikko-Latitude-E6330:~$ identify --version
Version: ImageMagick 7.0.2-7 Q16 x86_64 2016-08-04 http://www.imagemagick.org
Copyright: Copyright (C) 1999-2016 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher HDRI
Delegates (built-in): x

Repro file:
https://www.dropbox.com/s/9ln4uutgcfhzg ... repro?dl=0

ASAN trace:
https://www.dropbox.com/s/d4537qainck4j ... d.txt?dl=0

Reproduce:

mikko@mikko-Latitude-E6330:~$ identify ImageMagick-heap-use-after-free-967-d5f-ded.repro
identify: MagickCore/blob.c:887: EOFBlob: Assertion `image->blob != (BlobInfo *) NULL' failed.
Aborted (core dumped)

BT:

(gdb) bt
#0 0x00007ffff6e4b418 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007ffff6e4d01a in __GI_abort () at abort.c:89
#2 0x00007ffff6e43bd7 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0x7ffff7a282f0 "image->signature == MagickCoreSignature", file=file@entry=0x7ffff7a28b68 "MagickCore/blob.c", line=line@entry=882, function=function@entry=0x7ffff7a29678 <__PRETTY_FUNCTION__.11395> "EOFBlob") at assert.c:92
#3 0x00007ffff6e43c82 in __GI___assert_fail (assertion=assertion@entry=0x7ffff7a282f0 "image->signature == MagickCoreSignature", file=file@entry=0x7ffff7a28b68 "MagickCore/blob.c", line=line@entry=882, function=function@entry=0x7ffff7a29678 <__PRETTY_FUNCTION__.11395> "EOFBlob") at assert.c:101
#4 0x00007ffff77a5a22 in EOFBlob (image=image@entry=0x665fd0) at MagickCore/blob.c:882
#5 0x00007ffff79bee88 in ReadPWPImage (image_info=0x639010, exception=0x626a50) at coders/pwp.c:252
#6 0x00007ffff77d05bd in ReadImage (image_info=image_info@entry=0x633890, exception=exception@entry=0x626a50) at MagickCore/constitute.c:554
#7 0x00007ffff78e5529 in ReadStream (image_info=image_info@entry=0x6305f0, stream=stream@entry=0x7ffff77cfe00 <PingStream>, exception=exception@entry=0x626a50) at MagickCore/stream.c:1012
#8 0x00007ffff77d00d3 in PingImage (image_info=image_info@entry=0x62d180, exception=exception@entry=0x626a50) at MagickCore/constitute.c:226
#9 0x00007ffff77d034b in PingImages (image_info=image_info@entry=0x62d180, filename=<optimized out>, exception=exception@entry=0x626a50) at MagickCore/constitute.c:326
#10 0x00007ffff74766aa in IdentifyImageCommand (image_info=0x629f20, argc=2, argv=0x6251e0, metadata=0x7fffffffbbb8, exception=0x626a50) at MagickWand/identify.c:319
#11 0x00007ffff74a36f0 in MagickCommandGenesis (image_info=image_info@entry=0x626bd0, command=command@entry=0x400dd0 <IdentifyImageCommand@plt>, argc=argc@entry=2, argv=argv@entry=0x7fffffffdec8, metadata=0x7fffffffcc18, exception=exception@entry=0x626a50) at MagickWand/mogrify.c:183
#12 0x00000000004011bc in MagickMain (argc=2, argv=0x7fffffffdec8) at utilities/magick.c:145
#13 0x00007ffff6e36830 in __libc_start_main (main=0x400f60 <main>, argc=2, argv=0x7fffffffdec8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdeb8) at ../csu/libc-start.c:291
#14 0x0000000000400f99 in _start ()

System:
AMD64
Ubuntu 16.04 LTS

Found with libFuzzer.
https://github.com/ouspg/libfuzzerfication