Page 1 of 1

Crash - PushQuantumPixel - Heap-Buffer-Overflow

Posted: 2017-01-05T04:20:24-07:00
by Onur
Crash:

Code: Select all

x@x:~/Desktop/clean-imagick/bin$ ./convert --version
Version: ImageMagick 7.0.4-2 Q16 i686 2017-01-04 http://www.imagemagick.org
Copyright: © 1999-2017 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP 
Delegates (built-in): bzlib fontconfig freetype jbig jng jpeg lzma png tiff webp wmf x xml zlib
x@x:~/Desktop/clean-imagick/bin$ ./convert ./crash_0 /dev/null
Aborted
Debug:

Code: Select all

(gdb) r ./crash_0 /dev/null
Starting program: /home/x/Desktop/clean-imagick/bin/convert ./crash_0 /dev/null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0xb7c9af38 in PushQuantumPixel (quantum=0xbfff46b4, 
    pixels=0x814b0ac <error: Cannot access memory at address 0x814b0ac>, quantum_info=0x8076610)
    at MagickCore/quantum-import.c:209
209	        quantum_info->state.pixel=(*pixels++);
(gdb) bt
#0  0xb7c9af38 in PushQuantumPixel (quantum=0xbfff46b4, 
    pixels=0x814b0ac <error: Cannot access memory at address 0x814b0ac>, quantum_info=0x8076610)
    at MagickCore/quantum-import.c:209
#1  ImportGrayQuantum (image=image@entry=0x806cf48, quantum_info=quantum_info@entry=0x8076610, number_pixels=1328, 
    p=<optimized out>, p@entry=0x812a770 '0' <repeats 200 times>..., q=<optimized out>, q@entry=0xb3131040)
    at MagickCore/quantum-import.c:2314
#2  0xb7ca010b in ImportQuantumPixels (image=image@entry=0x806cf48, image_view=image_view@entry=0x0, 
    quantum_info=quantum_info@entry=0x8076610, quantum_type=quantum_type@entry=GrayQuantum, 
    pixels=pixels@entry=0x812a770 '0' <repeats 200 times>..., exception=exception@entry=0x804c508)
    at MagickCore/quantum-import.c:4189
#3  0xb7e3dc13 in ReadTIFFImage (image_info=0x8057ce8, exception=0x804c508) at coders/tiff.c:1668
#4  0xb7b8fc0e in ReadImage (image_info=image_info@entry=0x8054a88, exception=exception@entry=0x804c508)
    at MagickCore/constitute.c:555
#5  0xb7b91034 in ReadImages (image_info=image_info@entry=0x8051828, filename=filename@entry=0x804cb20 "./crash_0", 
    exception=exception@entry=0x804c508) at MagickCore/constitute.c:852
#6  0xb7a1f107 in ConvertImageCommand (image_info=0x8051828, argc=3, argv=0xbffff1f4, metadata=0xbfffcfd8, 
    exception=0x804c508) at MagickWand/convert.c:639
#7  0xb7a9177e in MagickCommandGenesis (image_info=image_info@entry=0x804e5c8, 
    command=command@entry=0x8048a70 <ConvertImageCommand@plt>, argc=argc@entry=3, argv=argv@entry=0xbffff1f4, 
    metadata=0x0, exception=exception@entry=0x804c508) at MagickWand/mogrify.c:183
#8  0x08048dc0 in MagickMain (argc=argc@entry=3, argv=argv@entry=0xbffff1f4) at utilities/magick.c:149
#9  0x08048bb1 in main (argc=3, argv=0xbffff1f4) at utilities/magick.c:180
(gdb) l
204	  *quantum=(QuantumAny) 0;
205	  for (i=(ssize_t) quantum_info->depth; i > 0L; )
206	  {
207	    if (quantum_info->state.bits == 0UL)
208	      {
209	        quantum_info->state.pixel=(*pixels++);
210	        quantum_info->state.bits=8UL;
211	      }
212	    quantum_bits=(size_t) i;
213	    if (quantum_bits > quantum_info->state.bits)
ASAN - Log:

Code: Select all

=================================================================
==7850==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xac5089a0 at pc 0xb6b3f60b bp 0xbfc861e8 sp 0xbfc861dc
READ of size 1 at 0xac5089a0 thread T0
[frame=0, function=PushQuantumPixel]
[frame=1, function=ImportGrayQuantum]
[frame=2, function=ImportQuantumPixels]
[frame=3, function=ReadTIFFImage]
[frame=4, function=ReadImage]
[frame=5, function=ReadImages]
[frame=6, function=ConvertImageCommand]
[frame=7, function=MagickCommandGenesis]
[frame=8, function=MagickMain]
[frame=9, function=main]
[frame=10, function=__libc_start_main]
[frame=11, function=_start]

0xac5089a0 is located 174 bytes to the right of 34034-byte region [0xac500400,0xac5088f2)
allocated by thread T0 here:
[frame=0, function=__interceptor_malloc]
[frame=1, function=AcquireMagickMemory]
[frame=2, function=ReadTIFFImage]
[frame=3, function=ReadImage]
[frame=4, function=ReadImages]
[frame=5, function=ConvertImageCommand]
[frame=6, function=MagickCommandGenesis]
[frame=7, function=MagickMain]
[frame=8, function=main]
[frame=9, function=__libc_start_main]

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/x/Desktop/clang-imagick/lib/libMagickCore-7.Q16HDRI.so.1+0x74c60a) in PushQuantumPixel
Shadow bytes around the buggy address:
  0x358a10e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x358a10f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x358a1100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x358a1110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 fa
  0x358a1120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x358a1130: fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa
  0x358a1140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x358a1150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x358a1160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x358a1170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x358a1180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7850==ABORTING

Re: Crash - PushQuantumPixel - Heap-Buffer-Overflow

Posted: 2017-01-05T05:36:49-07:00
by Bonzo
It looks like you are using Imagick which is not written or maintained by the developers of Imagemagick.

You might get a answer here but I would check out some Imagick forums as well.

Re: Crash - PushQuantumPixel - Heap-Buffer-Overflow

Posted: 2017-01-05T05:44:00-07:00
by magick
Post a URL where we can download crash_0. We need to reproduce the problem before we can post a patch.

Re: Crash - PushQuantumPixel - Heap-Buffer-Overflow

Posted: 2017-01-05T06:14:47-07:00
by Onur

Re: Crash - PushQuantumPixel - Heap-Buffer-Overflow

Posted: 2017-01-07T09:00:15-07:00
by dlemstra
Thanks for reporting this issue. It will be resolved in the next version of ImageMagick. We can no longer reproduce this issue with the latest beta.