Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

memory allocation failure in AcquireMagickMemory (memory.c) different from #267 #271

Closed
asarubbo opened this issue Sep 14, 2016 · 27 comments

Comments

Projects
None yet
4 participants
@asarubbo
Copy link

commented Sep 14, 2016

A crafted image causes a memory allocation failure.
Reproduce with: identify $FILE
I'm attaching the testcase as a zip because of the github's limitation.
Tested on 7.0.3.0

==14275==ERROR: AddressSanitizer failed to allocate 0x99ad49000 (41252327424) bytes of LargeMmapAllocator (error code: 12)
==14275==Process memory map follows:
        0x000000400000-0x000000520000   /usr/bin/magick
        0x000000720000-0x000000721000   /usr/bin/magick
        0x000000721000-0x000000724000   /usr/bin/magick
        0x000000724000-0x000001397000
        0x00007fff7000-0x00008fff7000
        0x00008fff7000-0x02008fff7000
        0x02008fff7000-0x10007fff8000
        0x600000000000-0x602000000000
        0x602000000000-0x602000010000
        0x602000010000-0x603000000000
        0x603000000000-0x603000010000
        0x603000010000-0x604000000000
        0x604000000000-0x604000010000
        0x604000010000-0x606000000000
        0x606000000000-0x606000010000
        0x606000010000-0x607000000000
        0x607000000000-0x607000010000
        0x607000010000-0x608000000000
        0x608000000000-0x608000010000
        0x608000010000-0x60a000000000
        0x60a000000000-0x60a000020000
        0x60a000020000-0x60b000000000
        0x60b000000000-0x60b000010000
        0x60b000010000-0x60c000000000
        0x60c000000000-0x60c000010000
        0x60c000010000-0x60e000000000
        0x60e000000000-0x60e000010000
        0x60e000010000-0x60f000000000
        0x60f000000000-0x60f000010000
        0x60f000010000-0x610000000000
        0x610000000000-0x610000010000
        0x610000010000-0x611000000000
        0x611000000000-0x611000010000
        0x611000010000-0x612000000000
        0x612000000000-0x612000010000
        0x612000010000-0x614000000000
        0x614000000000-0x614000020000
        0x614000020000-0x615000000000
        0x615000000000-0x615000020000
        0x615000020000-0x616000000000
        0x616000000000-0x616000020000
        0x616000020000-0x618000000000
        0x618000000000-0x618000020000
        0x618000020000-0x619000000000
        0x619000000000-0x619000020000
        0x619000020000-0x61a000000000
        0x61a000000000-0x61a000020000
        0x61a000020000-0x61b000000000
        0x61b000000000-0x61b000020000
        0x61b000020000-0x61d000000000
        0x61d000000000-0x61d000020000
        0x61d000020000-0x621000000000
        0x621000000000-0x621000020000
        0x621000020000-0x622000000000
        0x622000000000-0x622000020000
        0x622000020000-0x623000000000
        0x623000000000-0x623000020000
        0x623000020000-0x624000000000
        0x624000000000-0x624000020000
        0x624000020000-0x625000000000
        0x625000000000-0x625000020000
        0x625000020000-0x627000000000
        0x627000000000-0x627000030000
        0x627000030000-0x629000000000
        0x629000000000-0x629000010000
        0x629000010000-0x640000000000
        0x640000000000-0x640000003000
        0x7fe564f76000-0x7fe564f8d000   /usr/lib64/ImageMagick-7.0.3/modules-Q64HDRI/coders/pcx.so
        0x7fe564f8d000-0x7fe56518c000   /usr/lib64/ImageMagick-7.0.3/modules-Q64HDRI/coders/pcx.so
        0x7fe56518c000-0x7fe56518d000   /usr/lib64/ImageMagick-7.0.3/modules-Q64HDRI/coders/pcx.so
        0x7fe56518d000-0x7fe56518e000   /usr/lib64/ImageMagick-7.0.3/modules-Q64HDRI/coders/pcx.so
        0x7fe56518e000-0x7fe56b800000   /usr/lib64/locale/locale-archive
        0x7fe56b800000-0x7fe56b900000
        0x7fe56ba00000-0x7fe56bb00000
        0x7fe56bbe6000-0x7fe56df38000
        0x7fe56df38000-0x7fe56df5f000   /usr/lib64/libexpat.so.1.6.0
        0x7fe56df5f000-0x7fe56e15e000   /usr/lib64/libexpat.so.1.6.0
        0x7fe56e15e000-0x7fe56e161000   /usr/lib64/libexpat.so.1.6.0
        0x7fe56e161000-0x7fe56e162000   /usr/lib64/libexpat.so.1.6.0
        0x7fe56e162000-0x7fe56e297000   /usr/lib64/libglib-2.0.so.0.4600.2
        0x7fe56e297000-0x7fe56e497000   /usr/lib64/libglib-2.0.so.0.4600.2
        0x7fe56e497000-0x7fe56e498000   /usr/lib64/libglib-2.0.so.0.4600.2
        0x7fe56e498000-0x7fe56e499000   /usr/lib64/libglib-2.0.so.0.4600.2
        0x7fe56e499000-0x7fe56e49a000
        0x7fe56e49a000-0x7fe56e4a3000   /usr/lib64/libltdl.so.7.3.1
        0x7fe56e4a3000-0x7fe56e6a2000   /usr/lib64/libltdl.so.7.3.1
        0x7fe56e6a2000-0x7fe56e6a3000   /usr/lib64/libltdl.so.7.3.1
        0x7fe56e6a3000-0x7fe56e6a4000   /usr/lib64/libltdl.so.7.3.1
        0x7fe56e6a4000-0x7fe56e6b9000   /lib64/libz.so.1.2.8
        0x7fe56e6b9000-0x7fe56e8b8000   /lib64/libz.so.1.2.8
        0x7fe56e8b8000-0x7fe56e8b9000   /lib64/libz.so.1.2.8
        0x7fe56e8b9000-0x7fe56e8ba000   /lib64/libz.so.1.2.8
        0x7fe56e8ba000-0x7fe56e8c9000   /lib64/libbz2.so.1.0.6
        0x7fe56e8c9000-0x7fe56eac8000   /lib64/libbz2.so.1.0.6
        0x7fe56eac8000-0x7fe56eac9000   /lib64/libbz2.so.1.0.6
        0x7fe56eac9000-0x7fe56eaca000   /lib64/libbz2.so.1.0.6
        0x7fe56eaca000-0x7fe56eb71000   /usr/lib64/libfreetype.so.6.12.3
        0x7fe56eb71000-0x7fe56ed71000   /usr/lib64/libfreetype.so.6.12.3
        0x7fe56ed71000-0x7fe56ed77000   /usr/lib64/libfreetype.so.6.12.3
        0x7fe56ed77000-0x7fe56ed78000   /usr/lib64/libfreetype.so.6.12.3
        0x7fe56ed78000-0x7fe56edb3000   /usr/lib64/libfontconfig.so.1.8.0
        0x7fe56edb3000-0x7fe56efb2000   /usr/lib64/libfontconfig.so.1.8.0
        0x7fe56efb2000-0x7fe56efb4000   /usr/lib64/libfontconfig.so.1.8.0
        0x7fe56efb4000-0x7fe56efb5000   /usr/lib64/libfontconfig.so.1.8.0
        0x7fe56efb5000-0x7fe56f1aa000   /usr/lib64/libfftw3.so.3.4.4
        0x7fe56f1aa000-0x7fe56f3a9000   /usr/lib64/libfftw3.so.3.4.4
        0x7fe56f3a9000-0x7fe56f3bd000   /usr/lib64/libfftw3.so.3.4.4
        0x7fe56f3bd000-0x7fe56f3be000   /usr/lib64/libfftw3.so.3.4.4
        0x7fe56f3be000-0x7fe56f3cc000   /usr/lib64/liblqr-1.so.0.3.2
        0x7fe56f3cc000-0x7fe56f5cb000   /usr/lib64/liblqr-1.so.0.3.2
        0x7fe56f5cb000-0x7fe56f5cc000   /usr/lib64/liblqr-1.so.0.3.2
        0x7fe56f5cc000-0x7fe56f5cd000   /usr/lib64/liblqr-1.so.0.3.2
        0x7fe56f5cd000-0x7fe56f620000   /usr/lib64/liblcms2.so.2.0.6
        0x7fe56f620000-0x7fe56f820000   /usr/lib64/liblcms2.so.2.0.6
        0x7fe56f820000-0x7fe56f821000   /usr/lib64/liblcms2.so.2.0.6
        0x7fe56f821000-0x7fe56f826000   /usr/lib64/liblcms2.so.2.0.6
        0x7fe56f826000-0x7fe56f9b9000   /lib64/libc-2.22.so
        0x7fe56f9b9000-0x7fe56fbb9000   /lib64/libc-2.22.so
        0x7fe56fbb9000-0x7fe56fbbd000   /lib64/libc-2.22.so
        0x7fe56fbbd000-0x7fe56fbbf000   /lib64/libc-2.22.so
        0x7fe56fbbf000-0x7fe56fbc3000
        0x7fe56fbc3000-0x7fe56fbd9000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7fe56fbd9000-0x7fe56fdd8000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7fe56fdd8000-0x7fe56fdd9000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7fe56fdd9000-0x7fe56fdda000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7fe56fdda000-0x7fe56fde0000   /lib64/librt-2.22.so
        0x7fe56fde0000-0x7fe56ffe0000   /lib64/librt-2.22.so
        0x7fe56ffe0000-0x7fe56ffe1000   /lib64/librt-2.22.so
        0x7fe56ffe1000-0x7fe56ffe2000   /lib64/librt-2.22.so
        0x7fe56ffe2000-0x7fe56fff9000   /lib64/libpthread-2.22.so
        0x7fe56fff9000-0x7fe5701f8000   /lib64/libpthread-2.22.so
        0x7fe5701f8000-0x7fe5701f9000   /lib64/libpthread-2.22.so
        0x7fe5701f9000-0x7fe5701fa000   /lib64/libpthread-2.22.so
        0x7fe5701fa000-0x7fe5701fe000
        0x7fe5701fe000-0x7fe5702fb000   /lib64/libm-2.22.so
        0x7fe5702fb000-0x7fe5704fa000   /lib64/libm-2.22.so
        0x7fe5704fa000-0x7fe5704fb000   /lib64/libm-2.22.so
        0x7fe5704fb000-0x7fe5704fc000   /lib64/libm-2.22.so
        0x7fe5704fc000-0x7fe5704fe000   /lib64/libdl-2.22.so
        0x7fe5704fe000-0x7fe5706fe000   /lib64/libdl-2.22.so
        0x7fe5706fe000-0x7fe5706ff000   /lib64/libdl-2.22.so
        0x7fe5706ff000-0x7fe570700000   /lib64/libdl-2.22.so
        0x7fe570700000-0x7fe570bc6000   /usr/lib64/libMagickWand-7.Q64HDRI.so.0.0.0
        0x7fe570bc6000-0x7fe570dc5000   /usr/lib64/libMagickWand-7.Q64HDRI.so.0.0.0
        0x7fe570dc5000-0x7fe570dda000   /usr/lib64/libMagickWand-7.Q64HDRI.so.0.0.0
        0x7fe570dda000-0x7fe570e1c000   /usr/lib64/libMagickWand-7.Q64HDRI.so.0.0.0
        0x7fe570e1c000-0x7fe5719af000   /usr/lib64/libMagickCore-7.Q64HDRI.so.0.0.0
        0x7fe5719af000-0x7fe571bae000   /usr/lib64/libMagickCore-7.Q64HDRI.so.0.0.0
        0x7fe571bae000-0x7fe571be7000   /usr/lib64/libMagickCore-7.Q64HDRI.so.0.0.0
        0x7fe571be7000-0x7fe571c59000   /usr/lib64/libMagickCore-7.Q64HDRI.so.0.0.0
        0x7fe571c59000-0x7fe571c5c000
        0x7fe571c5c000-0x7fe571c7e000   /lib64/ld-2.22.so
        0x7fe571cf9000-0x7fe571da4000
        0x7fe571da4000-0x7fe571dc7000   /usr/share/locale/it/LC_MESSAGES/libc.mo
        0x7fe571dc7000-0x7fe571e70000
        0x7fe571e70000-0x7fe571e7d000
        0x7fe571e7d000-0x7fe571e7e000   /lib64/ld-2.22.so
        0x7fe571e7e000-0x7fe571e7f000   /lib64/ld-2.22.so
        0x7fe571e7f000-0x7fe571e80000
        0x7ffddcca3000-0x7ffddccc4000   [stack]
        0x7ffddcd4d000-0x7ffddcd4f000   [vvar]
        0x7ffddcd4f000-0x7ffddcd51000   [vdso]
        0xffffffffff600000-0xffffffffff601000   [vsyscall]
==14275==End of process memory map.
==14275==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4c9f9d in AsanCheckFailed /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_rtl.cc:67
    #1 0x4d0ad3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159
    #2 0x4d0cc1 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183
    #3 0x4d9cfa in __sanitizer::MmapOrDie(unsigned long, char const*, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:122
    #4 0x42208f in __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback>::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1033
    #5 0x42208f in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap<17ul, 128ul, 16ul>, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap<17ul, 128ul, 16ul>, __asan::AsanMapUnmapCallback> >, __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback> >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap<17ul, 128ul, 16ul>, __asan::AsanMapUnmapCallback> >*, unsigned long, unsigned long, bool, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1302
    #6 0x42208f in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:368
    #7 0x42208f in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:718
    #8 0x4c0661 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:53
    #9 0x7fe5713b3b3b in AcquireMagickMemory /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/memory.c:460:10
    #10 0x7fe5713b3b3b in AcquireVirtualMemory /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/memory.c:642
    #11 0x7fe564f7af95 in ReadPCXImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/coders/pcx.c:400:16
    #12 0x7fe571087b12 in ReadImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/constitute.c:496:13
    #13 0x7fe57181f406 in ReadStream /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/stream.c:1012:9
    #14 0x7fe5710865ca in PingImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/constitute.c:226:9
    #15 0x7fe571086e25 in PingImages /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/constitute.c:326:10
    #16 0x7fe57090c4c3 in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickWand/identify.c:319:18
    #17 0x7fe5709a226a in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickWand/mogrify.c:183:14
    #18 0x4f1fb5 in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/utilities/magick.c:145:10
    #19 0x4f1fb5 in main /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/utilities/magick.c:176
    #20 0x7fe56f84661f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #21 0x419138 in _init (/usr/bin/magick+0x419138)

2.crashes.zip

@mikayla-grace

This comment has been minimized.

Copy link

commented Sep 14, 2016

This is likely a problem with libASAN trying to allocate a huge array. With ASAN, we get expected results:

-> identify 2.crashes 
identify: memory allocation failed `2.crashes' @ error/pcx.c/ReadPCXImage/408.

To prevent DOS due to unreasonably large image dimensions, add image width / height limits in the ImageMagick security policy @ http://www.imagemagick.org/script/security-policy.php.

@asarubbo

This comment has been minimized.

Copy link
Author

commented Sep 15, 2016

same as here:
#267 (comment)

@asarubbo

This comment has been minimized.

Copy link
Author

commented Sep 15, 2016

I can't reproduce after enabling the security policy described here:
http://www.imagemagick.org/script/security-policy.php
Feel free to close.

@dlemstra dlemstra closed this Sep 15, 2016

@asarubbo

This comment has been minimized.

Copy link
Author

commented Sep 15, 2016

I was unable to reproduce with the provided testcase, but after enabling the security policy another round of fuzzing turned on the issue. Before to proceed I'd like to a confirm that the list policy is what we want before filiing these types of bug:

# identify -list policy

Path: /etc/ImageMagick-7/policy.xml
  Policy: Resource
    name: time
    value: 120
  Policy: Resource
    name: throttle
    value: 0
  Policy: Resource
    name: thread
    value: 2
  Policy: Resource
    name: file
    value: 768
  Policy: Resource
    name: disk
    value: 1GiB
  Policy: Resource
    name: map
    value: 512MiB
  Policy: Resource
    name: memory
    value: 256MiB
  Policy: Resource
    name: area
    value: 128MB
  Policy: Resource
    name: height
    value: 8KP
  Policy: Resource
    name: width
    value: 8KP
  Policy: Resource
    name: temporary-path
    value: /tmp
  Policy: System
    name: precision
    value: 6
  Policy: Coder
    rights: None 
    pattern: MVG
  Policy: Delegate
    rights: None 
    pattern: HTTPS
  Policy: Path
    rights: None 
    pattern: @*

Path: [built-in]
  Policy: Undefined
    rights: None

@dlemstra dlemstra reopened this Sep 15, 2016

@asarubbo

This comment has been minimized.

Copy link
Author

commented Sep 15, 2016

The stacktrace is the same at comment 0
3.crashes.zip

@mikayla-grace

This comment has been minimized.

Copy link

commented Sep 16, 2016

Your policy is ok for fuzzing. We're using ImageMagick 7.0.3-1 and we get expected results with your test image:

-> identify 3.crashes 
identify: unexpected end-of-file `3.crashes' @ error/pcx.c/ReadPCXImage/439.
@asarubbo

This comment has been minimized.

Copy link
Author

commented Sep 16, 2016

Your policy is ok for fuzzing. We're using ImageMagick 7.0.3-1 and we get expected results with your test image:

I really don't know what you mean by 7.0.3-1 since the latest available I can see here is 7.0.3-0

@mikayla-grace

This comment has been minimized.

Copy link

commented Sep 16, 2016

See pending release @ http://www.imagemagick.org/download/beta. Or grab the latest source from git master.

@asarubbo

This comment has been minimized.

Copy link
Author

commented Oct 7, 2016

I'm re-checking.

@asarubbo

This comment has been minimized.

Copy link
Author

commented Oct 7, 2016

I can reproduce with the latest 7.0.3-2 (security policy enabled)

Interesting trace:

    #9 0x7f5eec3d6bf7 in AcquireMagickMemory /tmp/portage/media-gfx/imagemagick-7.0.3.2/work/ImageMagick-7.0.3-2/MagickCore/memory.c:460:10
    #10 0x7f5eec3d6bf7 in AcquireQuantumMemory /tmp/portage/media-gfx/imagemagick-7.0.3.2/work/ImageMagick-7.0.3-2/MagickCore/memory.c:533
    #11 0x7f5edf7f8018 in ReadRLEImage /tmp/portage/media-gfx/imagemagick-7.0.3.2/work/ImageMagick-7.0.3-2/coders/rle.c:267:36
    #12 0x7f5eec1b1a62 in ReadImage /tmp/portage/media-gfx/imagemagick-7.0.3.2/work/ImageMagick-7.0.3-2/MagickCore/constitute.c:496:13
    #13 0x7f5eec6b9d4f in ReadStream /tmp/portage/media-gfx/imagemagick-7.0.3.2/work/ImageMagick-7.0.3-2/MagickCore/stream.c:1012:9
    #14 0x7f5eec1b067d in PingImage /tmp/portage/media-gfx/imagemagick-7.0.3.2/work/ImageMagick-7.0.3-2/MagickCore/constitute.c:226:9
    #15 0x7f5eec1b0e8e in PingImages /tmp/portage/media-gfx/imagemagick-7.0.3.2/work/ImageMagick-7.0.3-2/MagickCore/constitute.c:326:10
    #16 0x7f5eebad451a in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.2/work/ImageMagick-7.0.3-2/MagickWand/identify.c:319:18
    #17 0x7f5eebb4f884 in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.2/work/ImageMagick-7.0.3-2/MagickWand/mogrify.c:183:14
    #18 0x4f1fae in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.2/work/ImageMagick-7.0.3-2/utilities/magick.c:145:10
    #19 0x4f1fae in main /tmp/portage/media-gfx/imagemagick-7.0.3.2/work/ImageMagick-7.0.3-2/utilities/magick.c:176
    #20 0x7f5eeaa2261f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #21 0x4192a8 in _init (/usr/bin/magick+0x4192a8)

Testcase:
testcase.zip

@mikayla-grace

This comment has been minimized.

Copy link

commented Oct 7, 2016

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

dlemstra pushed a commit that referenced this issue Oct 7, 2016

Cristy
@asarubbo

This comment has been minimized.

Copy link
Author

commented Oct 13, 2016

This issue is still unfixed to me (re-tested on a version which includes the commit fix).

Interesting trace:

    #9 0x7f467fd11c67 in AcquireMagickMemory /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickCore/memory.c:460:10
    #10 0x7f467fd11c67 in AcquireQuantumMemory /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickCore/memory.c:533
    #11 0x7f4673379018 in ReadRLEImage /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/coders/rle.c:267:36
    #12 0x7f467faeca85 in ReadImage /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickCore/constitute.c:496:13
    #13 0x7f467fff4def in ReadStream /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickCore/stream.c:1012:9
    #14 0x7f467faeb69d in PingImage /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickCore/constitute.c:226:9
    #15 0x7f467faebeae in PingImages /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickCore/constitute.c:326:10
    #16 0x7f467f40f4da in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickWand/identify.c:319:18
    #17 0x7f467f48a844 in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickWand/mogrify.c:183:14
    #18 0x4f1fae in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/utilities/magick.c:145:10
    #19 0x4f1fae in main /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/utilities/magick.c:176
    #20 0x7f467e35d61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #21 0x4192a8 in _init (/usr/bin/magick+0x4192a8)

Reproducer:
178.crashes.zip

dlemstra added a commit that referenced this issue Nov 21, 2016

dlemstra added a commit that referenced this issue Nov 21, 2016

@dlemstra

This comment has been minimized.

Copy link
Member

commented Nov 21, 2016

Can you give it another try @asarubbo?

@asarubbo

This comment has been minimized.

Copy link
Author

commented Nov 21, 2016

I'll fuzz the next release as well...

@asarubbo

This comment has been minimized.

Copy link
Author

commented Feb 19, 2017

the issue is still present on 7.0.4.9

    #8 0x7f2aeaea2812 in AcquireMagickMemory /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/MagickCore/memory.c:460:10
    #9 0x7f2aeaea2812 in AcquireVirtualMemory /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/MagickCore/memory.c:642
    #10 0x7f2ae32d941a in ReadPCXImage /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/coders/pcx.c:400:16
    #11 0x7f2aea9cdb26 in ReadImage /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/MagickCore/constitute.c:497:13
    #12 0x7f2aeb3a2df9 in ReadStream /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/MagickCore/stream.c:1013:9
    #13 0x7f2aea9cb3a6 in PingImage /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/MagickCore/constitute.c:226:9
    #14 0x7f2aea9cc2a6 in PingImages /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/MagickCore/constitute.c:327:10
    #15 0x7f2ae97a6118 in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/MagickWand/identify.c:319:18
    #16 0x7f2ae98f800a in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/MagickWand/mogrify.c:183:14
    #17 0x50a389 in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/utilities/magick.c:149:10
    #18 0x50a389 in main /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/utilities/magick.c:180
    #19 0x7f2ae7dda78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #20 0x419da8 in _init (/usr/bin/magick+0x419da8)
@asarubbo

This comment has been minimized.

Copy link
Author

commented Mar 27, 2017

An updated testcase to see the issue:
1.crashes.zip

@mikayla-grace

This comment has been minimized.

Copy link

commented Mar 27, 2017

We.re using ImageMagick 7.0.5-4. It returns:

-> convert 1.pcx null:
convert: unexpected end-of-file `1.pcx' @ error/pcx.c/ReadPCXImage/429.

Does it fail for you with 7.0.5-4? The PCX source code in 7.0.4-9 and 7.0.5-4 are identical.

@asarubbo

This comment has been minimized.

Copy link
Author

commented Mar 27, 2017

yes, it does.

@mikayla-grace

This comment has been minimized.

Copy link

commented Mar 27, 2017

We're using afl-clang and valgrind on Fedora and CentOS, neither report an error. We tried under Windows and the command completed without complaint.

@asarubbo

This comment has been minimized.

Copy link
Author

commented Mar 27, 2017

Did you try to enable asan? I noticed that in the above comments you had the same issue:
#271 (comment)

@mikayla-grace

This comment has been minimized.

Copy link

commented Mar 27, 2017

Yes, we use the -fsanitize=address flag. If you have other compiler flags we should enable, let us know.

@asarubbo

This comment has been minimized.

Copy link
Author

commented Mar 28, 2017

I really don't know how make you able to reproduce the issue. I was asked to give another try...well the past testcase does not work but another round of fuzzing turned up the issue again.

@mikayla-grace

This comment has been minimized.

Copy link

commented Mar 28, 2017

Understood. We appreciate your efforts but as you realize, we cannot provide a patch if we cannot reproduce the problem.

@pgajdos

This comment has been minimized.

Copy link

commented May 19, 2017

Could it be rather an asan problem? I have not it enabled:

(gdb) n
642 memory_info->blob=AcquireMagickMemory(extent);
(gdb) s
AcquireMagickMemory (size=16260665600) at MagickCore/memory.c:460
460 memory=memory_methods.acquire_memory_handler(size == 0 ? 1UL : size);
(gdb) whatis memory_methods.acquire_memory_handler
type = AcquireMemoryHandler
(gdb) p memory_methods.acquire_memory_handler
$2 = (AcquireMemoryHandler) 0x7ffff6f15370
(gdb) p size
$3 = 16260665600
(gdb) n
497 return(memory);
(gdb) p memory
$4 = (void *) 0x0
(gdb)

So this is just memory_methods.acquire_memory_handler is just malloc for me which correctly returns NULL as I have not 16G memory on this system. If I would have enough memory, then it would return pointer to it. Not sure what could went wrong there.

@asarubbo, what is asan actually telling us? See also
google/sanitizers#697

@asarubbo

This comment has been minimized.

Copy link
Author

commented Aug 9, 2017

can you retry with the attached testcase? it works for me with 7.0.6.5
130 crashes

@dlemstra

This comment has been minimized.

Copy link
Member

commented Sep 3, 2017

You are getting an allocation error because the size of the colormap is ridiculous high. On our systems we can allocate this but it then fails at a later moment. Can we close this issue @asarubbo?

@asarubbo

This comment has been minimized.

Copy link
Author

commented Sep 6, 2017

if it is fine for you, it is fine for me too.

@asarubbo asarubbo closed this Sep 6, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.