Description
Prerequisites
- I have written a descriptive issue title
- I have verified that I am using the latest version of ImageMagick
- I have searched open and closed issues to ensure it has not already been reported
Description
There is a heap-use-after-free (sometimes heap-buffer-overflow) vulnerability in MagickCore/resize.c:2604:28 in .omp_outlined.debug_.69 and a double-free bug in RelinquishAlignedMemory MagickCore/memory.c:1037:3 with the same input.
Each run triggers a different bug, so please run the command several times.
Related: #1344
Steps to Reproduce
Run this command:
magick -seed 0 -black-point-compensation -units Undefined "(" magick:granite -opaque "rgb(224,28,104)" -gaussian-blur 2 -strip ")" "(" magick:rose -black-threshold 15 -preview Despeckle ")" -density 3x83 -stretch ExtraCondensed -copy "937x560ls" "-52-59" ""
This is about the heap-use-after-free in .omp_outlined.debug_.69 MagickCore/resize.c:2604:28
==26215==ERROR: AddressSanitizer: heap-use-after-free on address 0x62800000036c at pc 0x000000efe4dc bp 0x7f637b304e90 sp 0x7f637b304e88
READ of size 4 at 0x62800000036c thread T1
#0 0xefe4db in .omp_outlined._debug__.69 MagickCore/resize.c:2604:28
#1 0xeff106 in .omp_outlined..70 MagickCore/resize.c:2488:3
#2 0x7f6383e13452 in __kmp_invoke_microtask (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x7c452)
#3 0x7f6383dcd1b6 (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x361b6)
#4 0x7f6383dcbb20 (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x34b20)
#5 0x7f6383e0b417 (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x74417)
#6 0x7f63864476da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#7 0x7f63838af88e in clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)
0x62800000036c is located 620 bytes inside of 14400-byte region [0x628000000100,0x628000003940)
freed by thread T2 here:
#0 0x4ef768 in __interceptor_free (install/bin/magick+0x4ef768)
#1 0x583e5c in RelinquishAlignedMemory MagickCore/memory.c:1037:3
#2 0xafe7c6 in RelinquishCacheNexusPixels MagickCore/cache.c:1089:12
#3 0xb0d5db in SetPixelCacheNexusPixels MagickCore/cache.c:5080:9
#4 0xb04b7c in GetVirtualPixelCacheNexus MagickCore/cache.c:2751:10
#5 0xb28621 in GetCacheViewVirtualPixels MagickCore/cache-view.c:664:10
#6 0xefd9e9 in .omp_outlined._debug__.69 MagickCore/resize.c:2542:7
#7 0xeff106 in .omp_outlined..70 MagickCore/resize.c:2488:3
#8 0x7f6383e13452 in __kmp_invoke_microtask (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x7c452)
#9 0x7f6383dcd1b6 (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x361b6)
previously allocated by thread T1 here:
#0 0x4f09b0 in __interceptor_posix_memalign (install/bin/magick+0x4f09b0)
#1 0x5822fa in AcquireAlignedMemory MagickCore/memory.c:265:7
#2 0xb24539 in AcquireCacheNexusPixels MagickCore/cache.c:4968:37
#3 0xb0d587 in SetPixelCacheNexusPixels MagickCore/cache.c:5076:12
#4 0xb04b7c in GetVirtualPixelCacheNexus MagickCore/cache.c:2751:10
#5 0xb28621 in GetCacheViewVirtualPixels MagickCore/cache-view.c:664:10
#6 0xefd9e9 in .omp_outlined._debug__.69 MagickCore/resize.c:2542:7
#7 0xeff106 in .omp_outlined..70 MagickCore/resize.c:2488:3
#8 0x7f6383e13452 in __kmp_invoke_microtask (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x7c452)
#9 0x7f6383dcd1b6 (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x361b6)
Thread T1 created by T0 here:
#0 0x43fcd0 in pthread_create (install/bin/magick+0x43fcd0)
#1 0x7f6383e09110 (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x72110)
Thread T2 created by T0 here:
#0 0x43fcd0 in pthread_create (install/bin/magick+0x43fcd0)
#1 0x7f6383e09110 (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x72110)
SUMMARY: AddressSanitizer: heap-use-after-free MagickCore/resize.c:2604:28 in .omp_outlined._debug__.69
This is about the heap-buffer-overflow in .omp_outlined.debug_.69 MagickCore/resize.c:2604
==26841==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001d670 at pc 0x000000efe4dc bp 0x7f78c5104e90 sp 0x7f78c5104e88
READ of size 4 at 0x61d00001d670 thread T1
#0 0xefe4db in .omp_outlined._debug__.69 MagickCore/resize.c:2604:28
#1 0xeff106 in .omp_outlined..70 MagickCore/resize.c:2488:3
#2 0x7f78cdc28452 in __kmp_invoke_microtask (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x7c452)
#3 0x7f78cdbe21b6 (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x361b6)
#4 0x7f78cdbe0b20 (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x34b20)
#5 0x7f78cdc20417 (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x74417)
#6 0x7f78d025c6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#7 0x7f78cd6c488e in clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)
Address 0x61d00001d670 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/resize.c:2604:28 in .omp_outlined._debug__.69
This is about the double-free bug in RelinquishAlignedMemory of MagickCore/memory.c:1037:3
==26601==ERROR: AddressSanitizer: attempting double-free on 0x61d00001fe80 in thread T1:
#0 0x4ef768 in __interceptor_free (install/bin/magick+0x4ef768)
#1 0x583e5c in RelinquishAlignedMemory MagickCore/memory.c:1037:3
#2 0xafe7c6 in RelinquishCacheNexusPixels MagickCore/cache.c:1089:12
#3 0xb0d5db in SetPixelCacheNexusPixels MagickCore/cache.c:5080:9
#4 0xb04b7c in GetVirtualPixelCacheNexus MagickCore/cache.c:2751:10
#5 0xb28621 in GetCacheViewVirtualPixels MagickCore/cache-view.c:664:10
#6 0xefd9e9 in .omp_outlined._debug__.69 MagickCore/resize.c:2542:7
#7 0xeff106 in .omp_outlined..70 MagickCore/resize.c:2488:3
#8 0x7fed18cb6452 in __kmp_invoke_microtask (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x7c452)
#9 0x7fed18c701b6 (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x361b6)
#10 0x7fed18c6eb20 (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x34b20)
#11 0x7fed18cae417 (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x74417)
#12 0x7fed1b2ea6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#13 0x7fed1875288e in clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)
0x61d00001fe80 is located 0 bytes inside of 2240-byte region [0x61d00001fe80,0x61d000020740)
freed by thread T2 here:
#0 0x4ef768 in __interceptor_free (install/bin/magick+0x4ef768)
#1 0x583e5c in RelinquishAlignedMemory MagickCore/memory.c:1037:3
#2 0xafe7c6 in RelinquishCacheNexusPixels MagickCore/cache.c:1089:12
#3 0xb0d5db in SetPixelCacheNexusPixels MagickCore/cache.c:5080:9
#4 0xb04b7c in GetVirtualPixelCacheNexus MagickCore/cache.c:2751:10
#5 0xb28621 in GetCacheViewVirtualPixels MagickCore/cache-view.c:664:10
#6 0xefd9e9 in .omp_outlined._debug__.69 MagickCore/resize.c:2542:7
#7 0xeff106 in .omp_outlined..70 MagickCore/resize.c:2488:3
#8 0x7fed18cb6452 in __kmp_invoke_microtask (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x7c452)
#9 0x7fed18c701b6 (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x361b6)
previously allocated by thread T1 here:
#0 0x4f09b0 in __interceptor_posix_memalign (install/bin/magick+0x4f09b0)
#1 0x5822fa in AcquireAlignedMemory MagickCore/memory.c:265:7
#2 0xb24539 in AcquireCacheNexusPixels MagickCore/cache.c:4968:37
#3 0xb0d587 in SetPixelCacheNexusPixels MagickCore/cache.c:5076:12
#4 0xb04b7c in GetVirtualPixelCacheNexus MagickCore/cache.c:2751:10
#5 0xb28621 in GetCacheViewVirtualPixels MagickCore/cache-view.c:664:10
#6 0xefd9e9 in .omp_outlined._debug__.69 MagickCore/resize.c:2542:7
#7 0xeff106 in .omp_outlined..70 MagickCore/resize.c:2488:3
#8 0x7fed18cb6452 in __kmp_invoke_microtask (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x7c452)
#9 0x7fed18c701b6 (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x361b6)
Thread T1 created by T0 here:
#0 0x43fcd0 in pthread_create (install/bin/magick+0x43fcd0)
#1 0x7fed18cac110 (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x72110)
Thread T2 created by T0 here:
#0 0x43fcd0 in pthread_create (install/bin/magick+0x43fcd0)
#1 0x7fed18cac110 (/usr/lib/x86_64-linux-gnu/libomp.so.5+0x72110)
SUMMARY: AddressSanitizer: double-free (install/bin/magick+0x4ef768) in __interceptor_free
==26601==ABORTING
System Configuration
- ImageMagick version:
  Version: ImageMagick 7.0.8-50 Q16 x86_64 2019-06-10
- Environment (Operating system, version and so on):
  Description: Ubuntu 18.04.1 LTS
  Release: 18.04
  Codename: bionic
- Additional information: CC=clang-7 CXX=clang++-7
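The reporter notes that the same input yields a different sanitizer error on each run. The three reports above share one freeing stack (RelinquishAlignedMemory called from RelinquishCacheNexusPixels), with the memory freed by thread T2 and used by thread T1, which is the usual signature of one cache nexus being shared between OpenMP workers rather than three separate defects. The following Python script is an added triage aid, not part of the original report or of ImageMagick: it parses ASan output into the faulting, freeing and allocating stacks, flags cross-thread frees, and buckets crashes by the freeing code path instead of by error kind, so use-after-free and double-free runs collapse into one bucket. The sample inputs are trimmed excerpts of the three reports above; the `depth` of three frames used for the key is an assumption chosen for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Report header, e.g. "==26215==ERROR: AddressSanitizer: heap-use-after-free on address ..."
HEADER_RE = re.compile(
    r"^==(\d+)==ERROR: AddressSanitizer: (?:attempting )?([\w-]+)(?:.* in thread (T\d+))?")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size \d+ at 0x[0-9a-f]+ thread (T\d+)")
SECTION_RE = re.compile(r"^(freed by|previously allocated by|Thread) .*?(T\d+)")
# Stack frame, e.g. "#1 0x583e5c in Func path.c:12:3"; unsymbolised frames omit "in Func".
FRAME_RE = re.compile(r"^#\d+ 0x[0-9a-f]+ (?:in (\S+) )?(\S+)")
Frame = Tuple[str, str]  # (function, location)

@dataclass
class AsanReport:
    pid: int
    kind: str
    crash_thread: Optional[str] = None
    free_thread: Optional[str] = None
    alloc_thread: Optional[str] = None
    crash_stack: List[Frame] = field(default_factory=list)
    free_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)

def parse_asan_report(text: str) -> AsanReport:
    """Parse one ASan report into its kind, the threads involved and the stacks it prints."""
    report: Optional[AsanReport] = None
    current: Optional[List[Frame]] = None  # stack that subsequent frame lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            report = AsanReport(int(m.group(1)), m.group(2), crash_thread=m.group(3))
            current = report.crash_stack
            continue
        if report is None:
            continue
        m = ACCESS_RE.match(line)
        if m:
            report.crash_thread = m.group(2)
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group(1) == "freed by":
                report.free_thread, current = m.group(2), report.free_stack
            elif m.group(1) == "previously allocated by":
                report.alloc_thread, current = m.group(2), report.alloc_stack
            else:
                current = None  # thread-creation stacks add nothing to triage
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            current.append((m.group(1) or "?", m.group(2)))
    if report is None:
        raise ValueError("no AddressSanitizer header found")
    return report

def project_frames(stack: List[Frame]) -> List[Frame]:
    """Frames with a source location; drops interceptor, libomp and libc frames."""
    return [f for f in stack if re.search(r"\.c:\d+:\d+$", f[1])]

def root_cause_key(report: AsanReport, depth: int = 3) -> str:
    """Key on the freeing code path when ASan recorded one, else on the faulting path."""
    stack = project_frames(report.free_stack) or project_frames(report.crash_stack)
    return " <- ".join(loc for _, loc in stack[:depth])

def crosses_threads(report: AsanReport) -> bool:
    """True when a thread other than the faulting one freed the memory."""
    return report.free_thread is not None and report.free_thread != report.crash_thread

def triage(reports: List[str]) -> Dict[str, List[str]]:
    """Bucket raw report texts by root-cause key; values are the error kinds observed."""
    buckets: Dict[str, List[str]] = {}
    for text in reports:
        r = parse_asan_report(text)
        buckets.setdefault(root_cause_key(r), []).append(r.kind)
    return buckets

# Excerpts of the three reports above, trimmed to the frames this triage needs.
UAF = """==26215==ERROR: AddressSanitizer: heap-use-after-free on address 0x62800000036c at pc 0x000000efe4dc
READ of size 4 at 0x62800000036c thread T1
#0 0xefe4db in .omp_outlined._debug__.69 MagickCore/resize.c:2604:28
#1 0xeff106 in .omp_outlined..70 MagickCore/resize.c:2488:3
freed by thread T2 here:
#0 0x4ef768 in __interceptor_free (install/bin/magick+0x4ef768)
#1 0x583e5c in RelinquishAlignedMemory MagickCore/memory.c:1037:3
#2 0xafe7c6 in RelinquishCacheNexusPixels MagickCore/cache.c:1089:12
#3 0xb0d5db in SetPixelCacheNexusPixels MagickCore/cache.c:5080:9
previously allocated by thread T1 here:
#1 0x5822fa in AcquireAlignedMemory MagickCore/memory.c:265:7"""
OVERFLOW = """==26841==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001d670 at pc 0x000000efe4dc
READ of size 4 at 0x61d00001d670 thread T1
#0 0xefe4db in .omp_outlined._debug__.69 MagickCore/resize.c:2604:28
#1 0xeff106 in .omp_outlined..70 MagickCore/resize.c:2488:3
Address 0x61d00001d670 is a wild pointer."""
DOUBLE_FREE = """==26601==ERROR: AddressSanitizer: attempting double-free on 0x61d00001fe80 in thread T1:
#0 0x4ef768 in __interceptor_free (install/bin/magick+0x4ef768)
#1 0x583e5c in RelinquishAlignedMemory MagickCore/memory.c:1037:3
freed by thread T2 here:
#0 0x4ef768 in __interceptor_free (install/bin/magick+0x4ef768)
#1 0x583e5c in RelinquishAlignedMemory MagickCore/memory.c:1037:3
#2 0xafe7c6 in RelinquishCacheNexusPixels MagickCore/cache.c:1089:12
#3 0xb0d5db in SetPixelCacheNexusPixels MagickCore/cache.c:5080:9"""
```

Running `triage([UAF, OVERFLOW, DOUBLE_FREE])` yields two buckets: the use-after-free and double-free runs share the key built from memory.c:1037:3, cache.c:1089:12 and cache.c:5080:9, while the wild-pointer overflow, for which ASan records no freeing stack, is keyed on the faulting frames in resize.c. `crosses_threads` is true for the first two, which is the detail worth quoting when reporting this class of bug: the allocation belongs to T1, the free happens on T2, and the faulting read is back on T1.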