
double-free #1025

Closed

@SmileBugs

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

Version: ImageMagick 7.0.7-25 Q16 i686 2018-03-08 http://www.imagemagick.org
Copyright: © 1999-2018 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI Modules OpenMP
Delegates (built-in): bzlib djvu fftw flif fontconfig fpx freetype jbig jng jp2 jpeg lcms ltdl openexr pangocairo png raw tiff webp x xml zlib

ASAN OUTPUT

root@v22017125319057172:/opt/lib_fuzz/test# convert not_kitty.jpg not_kitty.EPT2 
=================================================================
==13524==ERROR: AddressSanitizer: attempting double-free on 0xadd00800 in thread T0:
    #0 0xb72ab144 in __interceptor_realloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x97144)
    #1 0xb666c14e in ResizeMagickMemory MagickCore/memory.c:1260
    #2 0xb666c217 in ResizeQuantumMemory MagickCore/memory.c:1324
    #3 0xb6215460 in WriteBlob MagickCore/blob.c:5443
    #4 0xb2220123 in TerminateDestination coders/jpeg.c:1948
    #5 0xb20a3d3e in jpeg_finish_compress (/usr/lib/i386-linux-gnu/libjpeg.so.8+0x2d3e)
    #6 0xb223a6d4 in WriteJPEGImage coders/jpeg.c:2928
    #7 0xb630ce64 in WriteImage MagickCore/constitute.c:1118
    #8 0xb6216e5f in InjectImageBlob MagickCore/blob.c:2605
    #9 0xb209000c in WritePS2Image coders/ps2.c:865
    #10 0xb630ce64 in WriteImage MagickCore/constitute.c:1118
    #11 0xb621186c in ImageToBlob MagickCore/blob.c:1912
    #12 0xb220ea44 in WriteEPTImage coders/ept.c:424
    #13 0xb630ce64 in WriteImage MagickCore/constitute.c:1118
    #14 0xb630ed51 in WriteImages MagickCore/constitute.c:1337
    #15 0xb5b5708d in ConvertImageCommand MagickWand/convert.c:3280
    #16 0xb5d77825 in MagickCommandGenesis MagickWand/mogrify.c:183
    #17 0x80498ce in MagickMain utilities/magick.c:149
    #18 0x804907a in main utilities/magick.c:180
    #19 0xb588a636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #20 0x80490fb  (/usr/bin/magick+0x80490fb)

0xadd00800 is located 0 bytes inside of 65536-byte region [0xadd00800,0xadd10800)
freed by thread T0 here:
    #0 0xb72ab144 in __interceptor_realloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x97144)
    #1 0xb666c14e in ResizeMagickMemory MagickCore/memory.c:1260

previously allocated by thread T0 here:
    #0 0xb72aadee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0xb6669ab2 in AcquireMagickMemory MagickCore/memory.c:468

SUMMARY: AddressSanitizer: double-free ??:0 __interceptor_realloc
==13524==ABORTING

POC

poc.zip

System Configuration
ImageMagick version: 7.0.7-25
Environment (Operating system, version and so on): ubuntu-16.04.3-server-i386
Additional information:
Found by: Wang Yan
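As an added illustration (not code from ImageMagick or from this report), the following C program reproduces the general failure class that the trace above is consistent with: a growable output blob whose buffer moves under realloc() while a nested writer still holds the pre-move pointer and later hands that stale pointer to realloc() again, which AddressSanitizer reports as "attempting double-free" with the freeing frame also inside realloc(). Whether that is the actual root cause in coders/ept.c, ps2.c and jpeg.c is an assumption; the blob_t type, its functions, the header string and the 4 KiB / 64 KiB sizes are all made up for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable output blob (hypothetical; names are assumptions for this example). */
typedef struct {
    unsigned char *data;   /* heap buffer; may move when it grows */
    size_t length;         /* bytes written so far */
    size_t extent;         /* bytes allocated */
} blob_t;

static int blob_init(blob_t *b, size_t extent) {
    b->data = malloc(extent);
    if (b->data == NULL)
        return -1;
    b->length = 0;
    b->extent = extent;
    return 0;
}

/* Append n bytes, growing with realloc() when needed. After a successful
 * realloc() the old pointer value is dead; only b->data is valid. */
static int blob_write(blob_t *b, const void *src, size_t n) {
    if (b->length + n > b->extent) {
        size_t new_extent = b->extent ? b->extent : 1;
        while (b->length + n > new_extent)
            new_extent *= 2;
        unsigned char *p = realloc(b->data, new_extent);
        if (p == NULL)
            return -1;
        b->data = p;
        b->extent = new_extent;
    }
    memcpy(b->data + b->length, src, n);
    b->length += n;
    return 0;
}

static void blob_free(blob_t *b) {
    free(b->data);
    b->data = NULL;
    b->length = b->extent = 0;
}

/* BUGGY nested writer: caches the raw buffer pointer, writes through the
 * owner (which moves the buffer), then calls realloc() on the cached
 * pre-move pointer. Under ASAN that second realloc() is reported as
 * "attempting double-free" with the freeing frame in the first realloc().
 * Only reached via `main --unsafe`, never from normal use. */
static unsigned char *unsafe_inner_writer(blob_t *outer, size_t want) {
    unsigned char *cached = outer->data;   /* stale after any growth */
    unsigned char pad[4096];
    memset(pad, 'A', sizeof pad);
    blob_write(outer, pad, sizeof pad);    /* 64-byte blob grows: buffer moves */
    return realloc(cached, want);          /* stale pointer: double free */
}

/* Hardened nested writer: never keeps a copy of data; every byte goes
 * through blob_write() on the owner, so growth is always observed. */
static int safe_inner_writer(blob_t *outer, size_t want) {
    unsigned char pad[4096];
    memset(pad, 'A', sizeof pad);
    if (blob_write(outer, pad, sizeof pad) != 0)
        return -1;
    unsigned char *payload = calloc(want, 1);   /* constructed 64 KiB payload */
    if (payload == NULL)
        return -1;
    int rc = blob_write(outer, payload, want);
    free(payload);
    return rc;
}

/* Mirrors the nesting in the trace: an outer writer emits a header, then a
 * nested writer appends its payload. Returns the final blob length
 * (24 + 4096 + 65536 = 69656), or 0 on failure or on the unsafe path. */
static size_t run_nested_writers(int unsafe) {
    blob_t b;
    static const char header[] = "%!PS-Adobe-3.0 EPSF-3.0\n";  /* constructed */
    if (blob_init(&b, 64) != 0)
        return 0;
    if (blob_write(&b, header, sizeof header - 1) != 0) {
        blob_free(&b);
        return 0;
    }
    if (unsafe) {
        (void)unsafe_inner_writer(&b, 65536);   /* aborts under ASAN */
        blob_free(&b);
        return 0;
    }
    if (safe_inner_writer(&b, 65536) != 0) {
        blob_free(&b);
        return 0;
    }
    size_t len = b.length;
    blob_free(&b);
    return len;
}

int main(int argc, char **argv) {
    int unsafe = argc > 1 && strcmp(argv[1], "--unsafe") == 0;
    printf("blob length: %zu\n", run_nested_writers(unsafe));
    return 0;
}
```

Build with `cc -g -fsanitize=address double_free_demo.c` (file name assumed) and run `./a.out` for the hardened path; `./a.out --unsafe` produces a report of the same shape as the one above, with the "freed by" frame inside realloc(). The fix pattern is the one blob_write() follows: a single owner of the buffer pointer, and no caller ever holding a copy across a call that can grow it.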
