convert SIGSEGV on malformed jng file format

Posted: 2016-11-09T15:49:34-07:00
by blackaura
Segmentation fault in convert when a malformed JNG file is loaded.

convert version:

~# convert -version
Version: ImageMagick 7.0.3-6 Q16 x86_64 2016-11-09 http://www.imagemagick.org
Copyright: Copyright (C) 1999-2016 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP
Delegates (built-in): bzlib djvu fftw fontconfig freetype gvc jbig jng jpeg lcms lqr lzma openexr png tiff webp wmf x xml zlib

environment:

dist: Ubuntu 16.04 xenial
linux_distribution: Ubuntu 16.04 xenial
system: Linux
machine: x86_64
platform: Linux-4.4.0-45-generic-x86_64-with-Ubuntu-16.04-xenial
uname: Linux ubuntu-xenial 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016 x86_64 x86_64
version: #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016

crash reproduction:

echo "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" | base64 -d | convert - bmp:-

gdb output:

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
ReadOneJNGImage (mng_info=mng_info@entry=0x1936c10, image_info=image_info@entry=0x18ffc90, exception=exception@entry=0x18f6410) at coders/png.c:4671
4671	      SetPixelRed(image,GetPixelRed(jng_image,s),q);

backtrace:
#0  ReadOneJNGImage (mng_info=mng_info@entry=0x1936c10, image_info=image_info@entry=0x18ffc90, exception=exception@entry=0x18f6410) at coders/png.c:4671
        alpha_image = 0x0
        color_image = <optimized out>
        image = 0x192d250
        jng_image = 0x194fbd0
        alpha_image_info = 0x0
        color_image_info = <optimized out>
        logging = MagickFalse
        y = 0
        status = <optimized out>
        jng_height = 10
        jng_width = 67108874
        jng_color_type = 10 '\n'
        jng_image_sample_depth = <optimized out>
        jng_image_compression_method = <optimized out>
        jng_image_interlace_method = <optimized out>
        jng_alpha_sample_depth = <optimized out>
        jng_alpha_compression_method = 0 '\000'
        jng_alpha_filter_method = <optimized out>
        jng_alpha_interlace_method = <optimized out>
        s = <optimized out>
        i = <optimized out>
        x = 67108874
        q = <optimized out>
        p = <optimized out>
        read_JSEP = <optimized out>
        reading_idat = 67108874
        length = <optimized out>
        __func__ = "ReadOneJNGImage"
        __PRETTY_FUNCTION__ = "ReadOneJNGImage"
#1  0x0000000000a8ad50 in ReadJNGImage (image_info=0x18ffc90, exception=0x18f6410) at coders/png.c:4875
        image = 0x192d250
        have_mng_structure = MagickTrue
        logging = MagickFalse
        status = <optimized out>
        mng_info = 0x1936c10
        magic_number = "\213JNG\r\n\032\n3\022U\000\000\000\000\000\226\nU\000\000\000\000\000@o\220\001", '\000' <repeats 12 times>, "@o\220\001\000\000\000\000P`\217\001\000\000\000\000\340i\220\001\000\000\000\000a\000\000\000\000\000\000\000\240\232\220\001\000\000\000\000\240]\217\001\000\000\000\000\063\022U\000\000\000\000\000\226\nU\000\000\000\000\000@o\220\001", '\000' <repeats 12 times>, "@o\220\001\000\000\000\000P`\217\001\000\000\000\000\020d\220\001\000\000\000\000_\000\000\000\000\000\000\000\240\232\220\001\000\000\000\000\220\302\220\001\000\000\000\000\063\022U\000\000\000\000\000\226\nU\000\000\000\000\000@o\220\001", '\000' <repeats 12 times>, "@"...
        count = <optimized out>
        __PRETTY_FUNCTION__ = "ReadJNGImage"
        __func__ = "ReadJNGImage"
#2  0x0000000000bd7430 in ReadImage (image_info=image_info@entry=0x18fc9f0, exception=exception@entry=0x18f6410) at MagickCore/constitute.c:554
        status = <optimized out>
        filename = "/opt/imagemagick/findings.convert/crashes/id:000015,sig:06,src:000051,op:flip1,pos:16", '\000' <repeats 4010 times>
        magick = "JNG", '\000' <repeats 109 times>, "-\000p\000-\000\060\061\065,sig:06,src:000051,op:flip1,pos:16\000:000015,sig:06,src:000051,op:flip1,pos:16", '\000' <repeats 3898 times>
        magick_filename = "/opt/imagemagick/findings.convert/crashes/id:000015,sig:06,src:000051,op:flip1,pos:16", '\000' <repeats 27 times>, "bmp\000-\000magemagick/findings.convert/crashes/id:000015,sig:06,src:000051,op:flip1,pos:16", '\000' <repeats 1379 times>...
        value = <optimized out>
        delegate_info = <optimized out>
        magick_info = 0x1914fd0
        sans_exception = <optimized out>
        geometry_info = {rho = 0, sigma = 0, xi = 0, psi = 0, chi = 0}
        image = <optimized out>
        next = 0x7fffffff6950
        read_info = 0x18ffc90
        flags = <optimized out>
        domain = CoderPolicyDomain
        rights = ReadPolicyRights
        __PRETTY_FUNCTION__ = "ReadImage"
        __func__ = "ReadImage"
#3  0x0000000000bda25b in ReadImages (image_info=image_info@entry=0x18f97c0, filename=filename@entry=0x18f3a10 "/opt/imagemagick/findings.convert/crashes/id:000015,sig:06,src:000051,op:flip1,pos:16", exception=exception@entry=0x18f6410) at MagickCore/constitute.c:851
        read_filename = "/opt/imagemagick/findings.convert/crashes/id:000015,sig:06,src:000051,op:flip1,pos:16\000\000\000\000\000\000\000\002\000\000\000P\232\377\377\377\177\000\000\000\000\000\000\000\000\000\000\377\377\377\377\377\377\377\377\000\000\000\000\002", '\000' <repeats 11 times>, "t\026O\001", '\000' <repeats 60 times>...
        image = <optimized out>
        images = 0x0
        read_info = 0x18fc9f0
        __PRETTY_FUNCTION__ = "ReadImages"
        __func__ = "ReadImages"
#4  0x00000000011341e3 in ConvertImageCommand (image_info=0x18f97c0, image_info@entry=0x18f6590, argc=argc@entry=3, argv=0x18f5910, argv@entry=0x7fffffffe628, metadata=metadata@entry=0x7fffffffc2d0, exception=exception@entry=0x18f6410) at MagickWand/convert.c:639
        images = <optimized out>
        filename = 0x18f3a10 "/opt/imagemagick/findings.convert/crashes/id:000015,sig:06,src:000051,op:flip1,pos:16"
        option = <optimized out>
        format = <optimized out>
        image = 0x0
        image_stack = {{image_info = 0x18f97c0, image = 0x0}, {image_info = 0x0, image = 0x0} <repeats 39 times>, {image_info = 0x0, image = 0x7ffff7de0c44 <check_match+324>}, {image_info = 0x0, image = 0x80c}, {image_info = 0x7ffff7fdf000, image = 0x7ffff3e1bd80}, {image_info = 0x7ffff3e28ff8, image = 0x7ffff7de147b <do_lookup_x+2011>}, {image_info = 0x80c, image = 0x7ffff3e28ff8}, {image_info = 0x7ffff7fdf000, image = 0x7fffffffad78}, {image_info = 0x7fffffffad74, image = 0x7ffff7de0c44 <check_match+324>}, {image_info = 0x0, image = 0xe9}, {image_info = 0x7ffff7fe0000, image = 0x7ffff47010d8}, {image_info = 0x7ffff4703298, image = 0x7ffff7de147b <do_lookup_x+2011>}, {image_info = 0xe9, image = 0x7ffff4703298}, {image_info = 0x7ffff7fe0000, image = 0x7fffffffadd8}, {image_info = 0x7fffffffadd4, image = 0x7ffff7de0e11 <do_lookup_x+369>}, {image_info = 0x7ffff7fd9190, image = 0x40695a}, {image_info = 0x4013f0, image = 0x7fffffffadd8}, {image_info = 0xafb1a55f, image = 0x2bec695}, {image_info = 0x1f, image = 0x7fffffffaeb0}, {image_info = 0x7ffff4703298, image = 0x7ffff47010d8}, {image_info = 0x7fffffffadd4, image = 0x7fffffffaea0}, {image_info = 0x7ffff7fd9190, image = 0x0}, {image_info = 0x27, image = 0x7fffffffae38}, {image_info = 0xf375846, image = 0x0}, {image_info = 0x6, image = 0x7ffff7ffe4c0}, {image_info = 0x7fff0000000c, image = 0xb0}, {image_info = 0x7fffffffae70, image = 0x7ffff7ffe168}, {image_info = 0x7fff0000000c, image = 0xb0}, {image_info = 0x7fffffffae90, image = 0x7fffffffae6f}, {image_info = 0x10000000c, image = 0xb0}, {image_info = 0x7fffffffaeb0, image = 0x7fffffffae8f}, {image_info = 0xc, image = 0xb0}, {image_info = 0x7fffffffaed0, image = 0x7fffffffaeaf}, {image_info = 0x100000003, image = 0x330000000c}, {image_info = 0xffff800000005131, image = 0x7fffffffaecf}, {image_info = 0x3, image = 0x330000000c}, {image_info = 0x0, image = 0x0}, {image_info = 0x6e0000005b, image = 0x0}, {image_info = 0x0, image = 0x7c00000077}, {image_info = 0x54cac2 
<UnlockSemaphoreInfo+178>, image = 0x18f3840}, {image_info = 0x54c746 <RelinquishSemaphoreInfo+374>, image = 0xabacadab}, {image_info = 0x1, image = 0x18edbb8}, {image_info = 0x15076cd, image = 0x18edb90}, {image_info = 0x54c746 <RelinquishSemaphoreInfo+374>, image = 0x7ffff3e51786 <__GI_getenv+22>}, {image_info = 0x1, image = 0x0}, {image_info = 0x483780 <MagickSignalHandler>, image = 0x7fffffffaf70}, {image_info = 0x7fffffffe620, image = 0x0}, {image_info = 0x7fffffffd388, image = 0x5419bb <__afl_setup_first+218>}, {image_info = 0x7fffffffafd0, image = 0x1610fa9}, {image_info = 0x1, image = 0x600}, {image_info = 0xc3f1, image = 0x18f6300}, {image_info = 0x100000003, image = 0x0}, {image_info = 0x18f6350, image = 0x1}, {image_info = 0x7ffff41dbc28 <main_arena+264>, image = 0xf}, {image_info = 0x0, image = 0x0}, {image_info = 0x6e0000005b, image = 0x0}, {image_info = 0x0, image = 0x0}, {image_info = 0x54c186 <AcquireSemaphoreInfo+502>, image = 0x4d49545f4b434947}, {image_info = 0xc, image = 0xb0}, {image_info = 0x7fffffffb080, image = 0x0}, {image_info = 0x7fffffffb090, image = 0x5a5a5a5a5a5a5a5a}, {image_info = 0xffff800000004f81, image = 0x7fffffffb07f}, {image_info = 0x100000003, image = 0x330000000c}, {image_info = 0x0, image = 0x0}, {image_info = 0x6e0000005b, image = 0x0}, {image_info = 0x0, image = 0x7c00000077}, {image_info = 0x0, image = 0xffff0000000000ff}, {image_info = 0x0, image = 0x48d472 <ResetMagickMemory+98>}, {image_info = 0x54c186 <AcquireSemaphoreInfo+502>, image = 0x40}, {image_info = 0x0, image = 0x18f63c0}, {image_info = 0x18f63c0, image = 0x90}, {image_info = 0x7fffffffd388, image = 0x7ffff3e9a302 <_int_memalign+386>}, {image_info = 0x485dc2 <MagickCoreGenesis+2354>, image = 0x40}, {image_info = 0x0, image = 0x0}, {image_info = 0x0, image = 0x7ffff3e9eb6d <__posix_memalign+285>}, {image_info = 0x0, image = 0x0}, {image_info = 0x483780 <MagickSignalHandler>, image = 0x1}, {image_info = 0x7fffffffe620, image = 0x54c13c 
<AcquireSemaphoreInfo+428>}, {image_info = 0x18f63c0, image = 0xcbe6ab439501c500}, {image_info = 0x18f5e80, image = 0x0}, {image_info = 0x483780 <MagickSignalHandler>, image = 0x540bd1 <RegistryComponentGenesis+145>}, {image_info = 0x483780 <MagickSignalHandler>, image = 0x485d86 <MagickCoreGenesis+2294>}, {image_info = 0x1000000 <StreamImagePixels+9696>, image = 0x0}, {image_info = 0x0, image = 0x0}, {image_info = 0x0, image = 0x0}, {image_info = 0x0, image = 0x0}, {image_info = 0x0, image = 0x0}, {image_info = 0x0, image = 0x0}, {image_info = 0x0, image = 0x0}, {image_info = 0x0, image = 0x0}, {image_info = 0x18f6590, image = 0x1000000 <StreamImagePixels+9696>}}
        fire = <optimized out>
        pend = MagickFalse
        respect_parenthesis = MagickFalse
        status = 1
        i = <optimized out>
        j = 1
        k = <optimized out>
        __PRETTY_FUNCTION__ = "ConvertImageCommand"
        __func__ = "ConvertImageCommand"
#5  0x00000000012d9f9a in MagickCommandGenesis (image_info=image_info@entry=0x18f6590, command=command@entry=0x11323c0 <ConvertImageCommand>, argc=argc@entry=3, argv=argv@entry=0x7fffffffe628, metadata=0x0, exception=exception@entry=0x18f6410) at MagickWand/mogrify.c:183
        text = 0x0
        client_name = "convert\000al/bin/convert\000\000\000\000\000\000\000\000\000\000convert\000al/bin/convert", '\000' <repeats 3026 times>...
        option = <optimized out>
        duration = <optimized out>
        serial = <optimized out>
        concurrent = <optimized out>
        regard_warnings = <optimized out>
        status = <optimized out>
        i = <optimized out>
        iterations = <optimized out>
        number_threads = <optimized out>
        n = <optimized out>
#6  0x0000000000424ec1 in MagickMain (argc=3, argv=0x7fffffffe628) at utilities/magick.c:145
        MagickCommands = {{client_name = 0x14f1457 "magick", extent = 6, use_metadata = MagickFalse, command = 0x1290310 <MagickImageCommand>}, {client_name = 0x14f145e "convert", extent = 7, use_metadata = MagickFalse, command = 0x11323c0 <ConvertImageCommand>}, {client_name = 0x14f862e "composite", extent = 9, use_metadata = MagickFalse, command = 0x10e4210 <CompositeImageCommand>}, {client_name = 0x14f8b23 "identify", extent = 8, use_metadata = MagickTrue, command = 0x124de70 <IdentifyImageCommand>}, {client_name = 0x14f1466 "animate", extent = 7, use_metadata = MagickFalse, command = 0x108a8a0 <AnimateImageCommand>}, {client_name = 0x14f85f8 "compare", extent = 7, use_metadata = MagickTrue, command = 0x10b2d10 <CompareImagesCommand>}, {client_name = 0x14f146e "conjure", extent = 7, use_metadata = MagickFalse, command = 0x112f480 <ConjureImageCommand>}, {client_name = 0x14f87e1 "display", extent = 7, use_metadata = MagickFalse, command = 0x11e98c0 <DisplayImageCommand>}, {client_name = 0x14f1476 "import", extent = 6, use_metadata = MagickFalse, command = 0x1266a10 <ImportImageCommand>}, {client_name = 0x14f147d "mogrify", extent = 7, use_metadata = MagickFalse, command = 0x12fec70 <MogrifyImageCommand>}, {client_name = 0x15e4764 "montage", extent = 7, use_metadata = MagickFalse, command = 0x13ca620 <MontageImageCommand>}, {client_name = 0x15df505 "stream", extent = 6, use_metadata = MagickFalse, command = 0x1464b40 <StreamImageCommand>}}
        client_name = "convert\000al/bin/convert\000\000R\345td\004\000\000\000\360M\000\000\000\000\000\000\360M \000\000\000\000\000\360M \000\000\000\000\000\020\002\000\000\000\000\000\000\020\002\000\000\000\000\000\000\001\000\000\000\000\000\000\000\004\000\000\000\024\000\000\000\003\000\000\000GNU\000\357\360\342\270#\t\002}\322\372we\211\276\004eQ\000\230\006\000\000\000\000%\000\000\000\025\000\000\000\004\000\000\000\b\000\000\000\t@\245\024,@\024 \250\001\001\000\b@\200\b\210aP\330\032\342\251M\212\241\034e\301\214\002\000\025\000\000\000\026\000\000\000\030\000\000\000\032\000\000\000\033\000\000\000\036\000\000\000\000\000\000\000 \000\000\000"...
        metadata = 0x0
        exception = 0x18f6410
        image_info = 0x18f6590
        exit_code = <optimized out>
        offset = <optimized out>
        status = <optimized out>
        i = <optimized out>
#7  0x00007ffff3e38830 in __libc_start_main (main=0x411280 <main>, argc=3, argv=0x7fffffffe628, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe618) at ../csu/libc-start.c:291
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, 8540447583371178305, 4344368, 140737488348704, 0, 0, -8540444809120272063, -8540471365885578943}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x14f1430 <__libc_csu_fini>, 0x7ffff7de78e0 <_dl_fini>}, data = {prev = 0x0, cleanup = 0x0, canceltype = 21959728}}}
        not_first_call = <optimized out>
#8  0x0000000000424a59 in _start ()

Re: convert SIGSEGV on malformed jng file format

Posted: 2016-11-09T17:01:30-07:00
by magick
ImageMagick best practices strongly encourage you to configure a security policy that suits your local environment. See https://www.imagemagick.org/script/security-policy.php. With the example security policy we provide, your image exits gracefully:
  • convert: width or height exceeds limit `/tmp/magick-25669wahcy36ncbRu' @ error/cache.c/OpenPixelCache/3439.
    convert: no images defined `bmp:-' @ error/convert.c/ConvertImageCommand/3253.
Without setting the width and height limits in policy.xml, our CentOS 7 host returns:
  • convert: DistributedPixelCache '127.0.0.1' @ error/distribute-cache.c/ConnectPixelCacheServer/242.
    convert: cache resources exhausted `/tmp/magick-21719ECMkFs2G7E15' @ error/cache.c/OpenPixelCache/3588.
    convert: no images defined `null:' @ error/convert.c/ConvertImageCommand/3253.
Post the output of `identify -list configure`. We'll try to replicate your build environment and attempt to reproduce the fault.
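
The kind of check that width and height limits perform, as an added C example that is not ImageMagick's code and not part of the original post: it reads the dimensions from a JNG JHDR chunk and rejects them before any buffer is sized from them. The limit values, the function and enum names, and the sample header (built from the jng_width, jng_height and jng_color_type values in the backtrace above) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical limits, standing in for width/height values set in policy.xml. */
#define MAX_WIDTH  8000u
#define MAX_HEIGHT 8000u

enum jhdr_status { JHDR_OK, JHDR_TRUNCATED, JHDR_BAD_SIGNATURE,
                   JHDR_BAD_CHUNK, JHDR_ZERO_DIMENSION, JHDR_OVER_LIMIT };

/* Constructed sample, not the reporter's file: signature plus a JHDR chunk
   carrying the values from the backtrace (jng_width = 67108874,
   jng_height = 10, jng_color_type = 10). The chunk CRC is left out. */
static const unsigned char sample_bad[32] = {
  0x8b, 'J', 'N', 'G', '\r', '\n', 0x1a, '\n',   /* JNG signature */
  0, 0, 0, 16, 'J', 'H', 'D', 'R',               /* chunk length, chunk type */
  0x04, 0, 0, 0x0a,                              /* width  = 67108874 */
  0, 0, 0, 0x0a,                                 /* height = 10 */
  10, 8, 8, 0, 0, 0, 0, 0                        /* colour type 10, other fields */
};

/* Big-endian 32-bit read, as used by PNG/MNG/JNG chunk fields. */
static uint32_t be32(const unsigned char *p)
{
  return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
         ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Read width/height from the JHDR chunk and reject values above the limits
   before anything is allocated or looped over using them. */
enum jhdr_status check_jng_header(const unsigned char *buf, size_t len,
                                  uint32_t *width, uint32_t *height)
{
  static const unsigned char sig[8] = {0x8b, 'J', 'N', 'G', '\r', '\n', 0x1a, '\n'};

  if (len < 32)                      /* 8 signature + 4 length + 4 type + 16 data */
    return JHDR_TRUNCATED;
  if (memcmp(buf, sig, sizeof sig) != 0)
    return JHDR_BAD_SIGNATURE;
  if (be32(buf + 8) != 16 || memcmp(buf + 12, "JHDR", 4) != 0)
    return JHDR_BAD_CHUNK;
  *width = be32(buf + 16);
  *height = be32(buf + 20);
  if (*width == 0 || *height == 0)
    return JHDR_ZERO_DIMENSION;
  if (*width > MAX_WIDTH || *height > MAX_HEIGHT)
    return JHDR_OVER_LIMIT;
  return JHDR_OK;
}

int main(void)
{
  uint32_t w = 0, h = 0;
  enum jhdr_status st = check_jng_header(sample_bad, sizeof sample_bad, &w, &h);
  printf("status=%d width=%u height=%u pixels=%llu\n", (int)st,
         (unsigned)w, (unsigned)h, (unsigned long long)w * h);
  return st == JHDR_OVER_LIMIT ? 0 : 1;
}
```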

Re: convert SIGSEGV on malformed jng file format

Posted: 2016-11-10T02:03:28-07:00
by blackaura
This is a dedicated virtual machine for fuzz testing using afl. The output of `identify -list configure` is:

Path: /usr/local/lib/ImageMagick-7.0.3//config-Q16HDRI/configure.xml

Name           Value
-------------------------------------------------------------------------------
CC             afl-gcc
CFLAGS         -I/usr/include/libxml2 -I/usr/include/libpng12 -I/usr/include/OpenEXR  -I/usr/include/lqr-1 -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include  -I/usr/include/graphviz -I/usr/include/freetype2 -I/usr/include/freetype2 -pthread    -fopenmp -g -O2 -Wall -mtune=sandybridge -fexceptions -pthread -DMAGICKCORE_HDRI_ENABLE=1 -DMAGICKCORE_QUANTUM_DEPTH=16
CODER_PATH     /usr/local/lib/ImageMagick-7.0.3/modules-Q16HDRI/coders
CONFIGURE      ./configure  '--disable-shared' '--enable-delegate-build' 'CC=afl-gcc'
CONFIGURE_PATH /usr/local/etc/ImageMagick-7/
COPYRIGHT      Copyright (C) 1999-2016 ImageMagick Studio LLC
CPPFLAGS       -I/usr/local/include/ImageMagick-7
CXX            g++
CXXFLAGS       -g -O2 -pthread
DEFS           -DHAVE_CONFIG_H
DELEGATES      bzlib djvu mpeg fftw fontconfig freetype jbig jng jpeg lcms lqr lzma openexr png ps tiff webp wmf x xml zlib
DISTCHECK_CONFIG_FLAGS 'CC=afl-gcc'  --disable-deprecated  --with-quantum-depth=16  --with-jemalloc=no  --with-umem=no  --with-autotrace=no  --with-gslib=no  --with-fontpath=  --with-rsvg=no  --with-perl=no 
DOCUMENTATION_PATH /usr/local/share/doc/ImageMagick-7
EXEC-PREFIX    /usr/local
EXECUTABLE_PATH /usr/local/bin
FEATURES       DPC HDRI Cipher OpenMP
FILTER_PATH    /usr/local/lib/ImageMagick-7.0.3/modules-Q16HDRI/filters
GIT_REVISION   11313
HOST           x86_64-unknown-linux-gnu
INCLUDE_PATH   /usr/local/include/ImageMagick-7
LDFLAGS        -L/usr/local/lib  
LIB_VERSION    0x703
LIB_VERSION_NUMBER 7,0,3,6
LIBRARY_PATH   /usr/local/lib/ImageMagick-7.0.3
LIBS            -ljbig -llcms2 -ltiff -lfreetype  -ljpeg  -llqr-1 -lglib-2.0 -lpng12  -ldjvulibre -lfftw3   -lfontconfig -lfreetype -lwebp -lwmflite  -lXext -lXt   -lSM -lICE -lX11  -llzma -lbz2 -lIlmImf -lImath -lHalf -lIex -lIexMath -lIlmThread -lpthread    -lxml2 -lgvc -lcgraph -lcdt -lz  -lm -lgomp    
NAME           ImageMagick
PCFLAGS        -fopenmp -DMAGICKCORE_HDRI_ENABLE=1 -DMAGICKCORE_QUANTUM_DEPTH=16
PREFIX         /usr/local
QuantumDepth   16
RELEASE_DATE   2016-11-10
SHARE_PATH     /usr/local/share/ImageMagick-7
SHAREARCH_PATH /usr/local/lib/ImageMagick-7.0.3/config-Q16HDRI
TARGET_CPU     x86_64
TARGET_OS      linux-gnu
TARGET_VENDOR  unknown
VERSION        7.0.3
WEBSITE        http://www.imagemagick.org

Path: [built-in]

Name           Value
-------------------------------------------------------------------------------
FEATURES       OpenMP 
NAME           ImageMagick
QuantumDepth   16

Re: convert SIGSEGV on malformed jng file format

Posted: 2016-11-10T05:11:58-07:00
by magick
We replicated your build and your command completed without complaint on our Fedora virtual machine. Add -limit map 0 to your convert command line. Does it still fault? Next, set the TMPDIR environment variable to point to somewhere other than /tmp. Does it still fault? Next, add -debug cache to your convert command line. Do you see anything interesting in the debugging output? Otherwise set width and height limits in policy.xml as recommended and that prevents the fault.

Re: convert SIGSEGV on malformed jng file format

Posted: 2016-11-10T06:45:25-07:00
by blackaura
What I noticed is that the temp file created will be huge (>7 GB), which is roughly the free empty space in the virtual machine. With the security policy in place this problem was fixed. I'll add it to my fuzz testing environments to remove these "false positives".

Re: convert SIGSEGV on malformed jng file format

Posted: 2016-11-10T14:15:48-07:00
by glennrp
I think I took care of this or a similar bug last week in a fork of IM but neglected to port back. I'll have a look.