memory allocation failure in AcquireMagickMemory (memory.c) different from #267 #271

Closed
asarubbo opened this issue Sep 14, 2016 · 27 comments

Comments

@asarubbo

A crafted image causes a memory allocation failure.
Reproduce with: identify $FILE
I'm attaching the testcase as a zip because of GitHub's limitation.
Tested on 7.0.3.0

==14275==ERROR: AddressSanitizer failed to allocate 0x99ad49000 (41252327424) bytes of LargeMmapAllocator (error code: 12)
==14275==Process memory map follows:
        0x000000400000-0x000000520000   /usr/bin/magick
        0x000000720000-0x000000721000   /usr/bin/magick
        0x000000721000-0x000000724000   /usr/bin/magick
        0x000000724000-0x000001397000
        0x00007fff7000-0x00008fff7000
        0x00008fff7000-0x02008fff7000
        0x02008fff7000-0x10007fff8000
        0x600000000000-0x602000000000
        0x602000000000-0x602000010000
        0x602000010000-0x603000000000
        0x603000000000-0x603000010000
        0x603000010000-0x604000000000
        0x604000000000-0x604000010000
        0x604000010000-0x606000000000
        0x606000000000-0x606000010000
        0x606000010000-0x607000000000
        0x607000000000-0x607000010000
        0x607000010000-0x608000000000
        0x608000000000-0x608000010000
        0x608000010000-0x60a000000000
        0x60a000000000-0x60a000020000
        0x60a000020000-0x60b000000000
        0x60b000000000-0x60b000010000
        0x60b000010000-0x60c000000000
        0x60c000000000-0x60c000010000
        0x60c000010000-0x60e000000000
        0x60e000000000-0x60e000010000
        0x60e000010000-0x60f000000000
        0x60f000000000-0x60f000010000
        0x60f000010000-0x610000000000
        0x610000000000-0x610000010000
        0x610000010000-0x611000000000
        0x611000000000-0x611000010000
        0x611000010000-0x612000000000
        0x612000000000-0x612000010000
        0x612000010000-0x614000000000
        0x614000000000-0x614000020000
        0x614000020000-0x615000000000
        0x615000000000-0x615000020000
        0x615000020000-0x616000000000
        0x616000000000-0x616000020000
        0x616000020000-0x618000000000
        0x618000000000-0x618000020000
        0x618000020000-0x619000000000
        0x619000000000-0x619000020000
        0x619000020000-0x61a000000000
        0x61a000000000-0x61a000020000
        0x61a000020000-0x61b000000000
        0x61b000000000-0x61b000020000
        0x61b000020000-0x61d000000000
        0x61d000000000-0x61d000020000
        0x61d000020000-0x621000000000
        0x621000000000-0x621000020000
        0x621000020000-0x622000000000
        0x622000000000-0x622000020000
        0x622000020000-0x623000000000
        0x623000000000-0x623000020000
        0x623000020000-0x624000000000
        0x624000000000-0x624000020000
        0x624000020000-0x625000000000
        0x625000000000-0x625000020000
        0x625000020000-0x627000000000
        0x627000000000-0x627000030000
        0x627000030000-0x629000000000
        0x629000000000-0x629000010000
        0x629000010000-0x640000000000
        0x640000000000-0x640000003000
        0x7fe564f76000-0x7fe564f8d000   /usr/lib64/ImageMagick-7.0.3/modules-Q64HDRI/coders/pcx.so
        0x7fe564f8d000-0x7fe56518c000   /usr/lib64/ImageMagick-7.0.3/modules-Q64HDRI/coders/pcx.so
        0x7fe56518c000-0x7fe56518d000   /usr/lib64/ImageMagick-7.0.3/modules-Q64HDRI/coders/pcx.so
        0x7fe56518d000-0x7fe56518e000   /usr/lib64/ImageMagick-7.0.3/modules-Q64HDRI/coders/pcx.so
        0x7fe56518e000-0x7fe56b800000   /usr/lib64/locale/locale-archive
        0x7fe56b800000-0x7fe56b900000
        0x7fe56ba00000-0x7fe56bb00000
        0x7fe56bbe6000-0x7fe56df38000
        0x7fe56df38000-0x7fe56df5f000   /usr/lib64/libexpat.so.1.6.0
        0x7fe56df5f000-0x7fe56e15e000   /usr/lib64/libexpat.so.1.6.0
        0x7fe56e15e000-0x7fe56e161000   /usr/lib64/libexpat.so.1.6.0
        0x7fe56e161000-0x7fe56e162000   /usr/lib64/libexpat.so.1.6.0
        0x7fe56e162000-0x7fe56e297000   /usr/lib64/libglib-2.0.so.0.4600.2
        0x7fe56e297000-0x7fe56e497000   /usr/lib64/libglib-2.0.so.0.4600.2
        0x7fe56e497000-0x7fe56e498000   /usr/lib64/libglib-2.0.so.0.4600.2
        0x7fe56e498000-0x7fe56e499000   /usr/lib64/libglib-2.0.so.0.4600.2
        0x7fe56e499000-0x7fe56e49a000
        0x7fe56e49a000-0x7fe56e4a3000   /usr/lib64/libltdl.so.7.3.1
        0x7fe56e4a3000-0x7fe56e6a2000   /usr/lib64/libltdl.so.7.3.1
        0x7fe56e6a2000-0x7fe56e6a3000   /usr/lib64/libltdl.so.7.3.1
        0x7fe56e6a3000-0x7fe56e6a4000   /usr/lib64/libltdl.so.7.3.1
        0x7fe56e6a4000-0x7fe56e6b9000   /lib64/libz.so.1.2.8
        0x7fe56e6b9000-0x7fe56e8b8000   /lib64/libz.so.1.2.8
        0x7fe56e8b8000-0x7fe56e8b9000   /lib64/libz.so.1.2.8
        0x7fe56e8b9000-0x7fe56e8ba000   /lib64/libz.so.1.2.8
        0x7fe56e8ba000-0x7fe56e8c9000   /lib64/libbz2.so.1.0.6
        0x7fe56e8c9000-0x7fe56eac8000   /lib64/libbz2.so.1.0.6
        0x7fe56eac8000-0x7fe56eac9000   /lib64/libbz2.so.1.0.6
        0x7fe56eac9000-0x7fe56eaca000   /lib64/libbz2.so.1.0.6
        0x7fe56eaca000-0x7fe56eb71000   /usr/lib64/libfreetype.so.6.12.3
        0x7fe56eb71000-0x7fe56ed71000   /usr/lib64/libfreetype.so.6.12.3
        0x7fe56ed71000-0x7fe56ed77000   /usr/lib64/libfreetype.so.6.12.3
        0x7fe56ed77000-0x7fe56ed78000   /usr/lib64/libfreetype.so.6.12.3
        0x7fe56ed78000-0x7fe56edb3000   /usr/lib64/libfontconfig.so.1.8.0
        0x7fe56edb3000-0x7fe56efb2000   /usr/lib64/libfontconfig.so.1.8.0
        0x7fe56efb2000-0x7fe56efb4000   /usr/lib64/libfontconfig.so.1.8.0
        0x7fe56efb4000-0x7fe56efb5000   /usr/lib64/libfontconfig.so.1.8.0
        0x7fe56efb5000-0x7fe56f1aa000   /usr/lib64/libfftw3.so.3.4.4
        0x7fe56f1aa000-0x7fe56f3a9000   /usr/lib64/libfftw3.so.3.4.4
        0x7fe56f3a9000-0x7fe56f3bd000   /usr/lib64/libfftw3.so.3.4.4
        0x7fe56f3bd000-0x7fe56f3be000   /usr/lib64/libfftw3.so.3.4.4
        0x7fe56f3be000-0x7fe56f3cc000   /usr/lib64/liblqr-1.so.0.3.2
        0x7fe56f3cc000-0x7fe56f5cb000   /usr/lib64/liblqr-1.so.0.3.2
        0x7fe56f5cb000-0x7fe56f5cc000   /usr/lib64/liblqr-1.so.0.3.2
        0x7fe56f5cc000-0x7fe56f5cd000   /usr/lib64/liblqr-1.so.0.3.2
        0x7fe56f5cd000-0x7fe56f620000   /usr/lib64/liblcms2.so.2.0.6
        0x7fe56f620000-0x7fe56f820000   /usr/lib64/liblcms2.so.2.0.6
        0x7fe56f820000-0x7fe56f821000   /usr/lib64/liblcms2.so.2.0.6
        0x7fe56f821000-0x7fe56f826000   /usr/lib64/liblcms2.so.2.0.6
        0x7fe56f826000-0x7fe56f9b9000   /lib64/libc-2.22.so
        0x7fe56f9b9000-0x7fe56fbb9000   /lib64/libc-2.22.so
        0x7fe56fbb9000-0x7fe56fbbd000   /lib64/libc-2.22.so
        0x7fe56fbbd000-0x7fe56fbbf000   /lib64/libc-2.22.so
        0x7fe56fbbf000-0x7fe56fbc3000
        0x7fe56fbc3000-0x7fe56fbd9000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7fe56fbd9000-0x7fe56fdd8000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7fe56fdd8000-0x7fe56fdd9000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7fe56fdd9000-0x7fe56fdda000   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1
        0x7fe56fdda000-0x7fe56fde0000   /lib64/librt-2.22.so
        0x7fe56fde0000-0x7fe56ffe0000   /lib64/librt-2.22.so
        0x7fe56ffe0000-0x7fe56ffe1000   /lib64/librt-2.22.so
        0x7fe56ffe1000-0x7fe56ffe2000   /lib64/librt-2.22.so
        0x7fe56ffe2000-0x7fe56fff9000   /lib64/libpthread-2.22.so
        0x7fe56fff9000-0x7fe5701f8000   /lib64/libpthread-2.22.so
        0x7fe5701f8000-0x7fe5701f9000   /lib64/libpthread-2.22.so
        0x7fe5701f9000-0x7fe5701fa000   /lib64/libpthread-2.22.so
        0x7fe5701fa000-0x7fe5701fe000
        0x7fe5701fe000-0x7fe5702fb000   /lib64/libm-2.22.so
        0x7fe5702fb000-0x7fe5704fa000   /lib64/libm-2.22.so
        0x7fe5704fa000-0x7fe5704fb000   /lib64/libm-2.22.so
        0x7fe5704fb000-0x7fe5704fc000   /lib64/libm-2.22.so
        0x7fe5704fc000-0x7fe5704fe000   /lib64/libdl-2.22.so
        0x7fe5704fe000-0x7fe5706fe000   /lib64/libdl-2.22.so
        0x7fe5706fe000-0x7fe5706ff000   /lib64/libdl-2.22.so
        0x7fe5706ff000-0x7fe570700000   /lib64/libdl-2.22.so
        0x7fe570700000-0x7fe570bc6000   /usr/lib64/libMagickWand-7.Q64HDRI.so.0.0.0
        0x7fe570bc6000-0x7fe570dc5000   /usr/lib64/libMagickWand-7.Q64HDRI.so.0.0.0
        0x7fe570dc5000-0x7fe570dda000   /usr/lib64/libMagickWand-7.Q64HDRI.so.0.0.0
        0x7fe570dda000-0x7fe570e1c000   /usr/lib64/libMagickWand-7.Q64HDRI.so.0.0.0
        0x7fe570e1c000-0x7fe5719af000   /usr/lib64/libMagickCore-7.Q64HDRI.so.0.0.0
        0x7fe5719af000-0x7fe571bae000   /usr/lib64/libMagickCore-7.Q64HDRI.so.0.0.0
        0x7fe571bae000-0x7fe571be7000   /usr/lib64/libMagickCore-7.Q64HDRI.so.0.0.0
        0x7fe571be7000-0x7fe571c59000   /usr/lib64/libMagickCore-7.Q64HDRI.so.0.0.0
        0x7fe571c59000-0x7fe571c5c000
        0x7fe571c5c000-0x7fe571c7e000   /lib64/ld-2.22.so
        0x7fe571cf9000-0x7fe571da4000
        0x7fe571da4000-0x7fe571dc7000   /usr/share/locale/it/LC_MESSAGES/libc.mo
        0x7fe571dc7000-0x7fe571e70000
        0x7fe571e70000-0x7fe571e7d000
        0x7fe571e7d000-0x7fe571e7e000   /lib64/ld-2.22.so
        0x7fe571e7e000-0x7fe571e7f000   /lib64/ld-2.22.so
        0x7fe571e7f000-0x7fe571e80000
        0x7ffddcca3000-0x7ffddccc4000   [stack]
        0x7ffddcd4d000-0x7ffddcd4f000   [vvar]
        0x7ffddcd4f000-0x7ffddcd51000   [vdso]
        0xffffffffff600000-0xffffffffff601000   [vsyscall]
==14275==End of process memory map.
==14275==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4c9f9d in AsanCheckFailed /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_rtl.cc:67
    #1 0x4d0ad3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159
    #2 0x4d0cc1 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183
    #3 0x4d9cfa in __sanitizer::MmapOrDie(unsigned long, char const*, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:122
    #4 0x42208f in __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback>::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1033
    #5 0x42208f in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap<17ul, 128ul, 16ul>, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap<17ul, 128ul, 16ul>, __asan::AsanMapUnmapCallback> >, __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback> >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap<17ul, 128ul, 16ul>, __asan::AsanMapUnmapCallback> >*, unsigned long, unsigned long, bool, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1302
    #6 0x42208f in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:368
    #7 0x42208f in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:718
    #8 0x4c0661 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:53
    #9 0x7fe5713b3b3b in AcquireMagickMemory /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/memory.c:460:10
    #10 0x7fe5713b3b3b in AcquireVirtualMemory /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/memory.c:642
    #11 0x7fe564f7af95 in ReadPCXImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/coders/pcx.c:400:16
    #12 0x7fe571087b12 in ReadImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/constitute.c:496:13
    #13 0x7fe57181f406 in ReadStream /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/stream.c:1012:9
    #14 0x7fe5710865ca in PingImage /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/constitute.c:226:9
    #15 0x7fe571086e25 in PingImages /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickCore/constitute.c:326:10
    #16 0x7fe57090c4c3 in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickWand/identify.c:319:18
    #17 0x7fe5709a226a in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/MagickWand/mogrify.c:183:14
    #18 0x4f1fb5 in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/utilities/magick.c:145:10
    #19 0x4f1fb5 in main /tmp/portage/media-gfx/imagemagick-7.0.3.0/work/ImageMagick-7.0.3-0/utilities/magick.c:176
    #20 0x7fe56f84661f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #21 0x419138 in _init (/usr/bin/magick+0x419138)

2.crashes.zip

@mikayla-grace

This is likely a problem with libASAN trying to allocate a huge array. With ASAN, we get expected results:

-> identify 2.crashes 
identify: memory allocation failed `2.crashes' @ error/pcx.c/ReadPCXImage/408.

To prevent DOS due to unreasonably large image dimensions, add image width / height limits in the ImageMagick security policy @ http://www.imagemagick.org/script/security-policy.php.

@asarubbo
Author

same as here:
#267 (comment)

@asarubbo
Author

I can't reproduce after enabling the security policy described here:
http://www.imagemagick.org/script/security-policy.php
Feel free to close.

@asarubbo
Author

I was unable to reproduce with the provided testcase, but after enabling the security policy another round of fuzzing turned up the issue. Before proceeding I'd like to confirm that the listed policy is what we want before filing these types of bugs:

# identify -list policy

Path: /etc/ImageMagick-7/policy.xml
  Policy: Resource
    name: time
    value: 120
  Policy: Resource
    name: throttle
    value: 0
  Policy: Resource
    name: thread
    value: 2
  Policy: Resource
    name: file
    value: 768
  Policy: Resource
    name: disk
    value: 1GiB
  Policy: Resource
    name: map
    value: 512MiB
  Policy: Resource
    name: memory
    value: 256MiB
  Policy: Resource
    name: area
    value: 128MB
  Policy: Resource
    name: height
    value: 8KP
  Policy: Resource
    name: width
    value: 8KP
  Policy: Resource
    name: temporary-path
    value: /tmp
  Policy: System
    name: precision
    value: 6
  Policy: Coder
    rights: None 
    pattern: MVG
  Policy: Delegate
    rights: None 
    pattern: HTTPS
  Policy: Path
    rights: None 
    pattern: @*

Path: [built-in]
  Policy: Undefined
    rights: None

@dlemstra dlemstra reopened this Sep 15, 2016
@asarubbo
Author

The stack trace is the same as in comment 0
3.crashes.zip

@mikayla-grace

Your policy is ok for fuzzing. We're using ImageMagick 7.0.3-1 and we get expected results with your test image:

-> identify 3.crashes 
identify: unexpected end-of-file `3.crashes' @ error/pcx.c/ReadPCXImage/439.

@asarubbo
Author

Your policy is ok for fuzzing. We're using ImageMagick 7.0.3-1 and we get expected results with your test image:

I really don't know what you mean by 7.0.3-1 since the latest available I can see here is 7.0.3-0

@mikayla-grace

See pending release @ http://www.imagemagick.org/download/beta. Or grab the latest source from git master.

@asarubbo
Author

asarubbo commented Oct 7, 2016

I'm re-checking.

@asarubbo
Author

asarubbo commented Oct 7, 2016

I can reproduce with the latest 7.0.3-2 (security policy enabled)

Interesting trace:

    #9 0x7f5eec3d6bf7 in AcquireMagickMemory /tmp/portage/media-gfx/imagemagick-7.0.3.2/work/ImageMagick-7.0.3-2/MagickCore/memory.c:460:10
    #10 0x7f5eec3d6bf7 in AcquireQuantumMemory /tmp/portage/media-gfx/imagemagick-7.0.3.2/work/ImageMagick-7.0.3-2/MagickCore/memory.c:533
    #11 0x7f5edf7f8018 in ReadRLEImage /tmp/portage/media-gfx/imagemagick-7.0.3.2/work/ImageMagick-7.0.3-2/coders/rle.c:267:36
    #12 0x7f5eec1b1a62 in ReadImage /tmp/portage/media-gfx/imagemagick-7.0.3.2/work/ImageMagick-7.0.3-2/MagickCore/constitute.c:496:13
    #13 0x7f5eec6b9d4f in ReadStream /tmp/portage/media-gfx/imagemagick-7.0.3.2/work/ImageMagick-7.0.3-2/MagickCore/stream.c:1012:9
    #14 0x7f5eec1b067d in PingImage /tmp/portage/media-gfx/imagemagick-7.0.3.2/work/ImageMagick-7.0.3-2/MagickCore/constitute.c:226:9
    #15 0x7f5eec1b0e8e in PingImages /tmp/portage/media-gfx/imagemagick-7.0.3.2/work/ImageMagick-7.0.3-2/MagickCore/constitute.c:326:10
    #16 0x7f5eebad451a in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.2/work/ImageMagick-7.0.3-2/MagickWand/identify.c:319:18
    #17 0x7f5eebb4f884 in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.2/work/ImageMagick-7.0.3-2/MagickWand/mogrify.c:183:14
    #18 0x4f1fae in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.2/work/ImageMagick-7.0.3-2/utilities/magick.c:145:10
    #19 0x4f1fae in main /tmp/portage/media-gfx/imagemagick-7.0.3.2/work/ImageMagick-7.0.3-2/utilities/magick.c:176
    #20 0x7f5eeaa2261f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #21 0x4192a8 in _init (/usr/bin/magick+0x4192a8)

Testcase:
testcase.zip

@mikayla-grace

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

@asarubbo
Author

This issue is still unfixed for me (re-tested on a version which includes the fix commit).

Interesting trace:

    #9 0x7f467fd11c67 in AcquireMagickMemory /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickCore/memory.c:460:10
    #10 0x7f467fd11c67 in AcquireQuantumMemory /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickCore/memory.c:533
    #11 0x7f4673379018 in ReadRLEImage /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/coders/rle.c:267:36
    #12 0x7f467faeca85 in ReadImage /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickCore/constitute.c:496:13
    #13 0x7f467fff4def in ReadStream /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickCore/stream.c:1012:9
    #14 0x7f467faeb69d in PingImage /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickCore/constitute.c:226:9
    #15 0x7f467faebeae in PingImages /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickCore/constitute.c:326:10
    #16 0x7f467f40f4da in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickWand/identify.c:319:18
    #17 0x7f467f48a844 in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickWand/mogrify.c:183:14
    #18 0x4f1fae in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/utilities/magick.c:145:10
    #19 0x4f1fae in main /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/utilities/magick.c:176
    #20 0x7f467e35d61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #21 0x4192a8 in _init (/usr/bin/magick+0x4192a8)

Reproducer:
178.crashes.zip

@dlemstra
Member

Can you give it another try @asarubbo?

@asarubbo
Author

I'll fuzz the next release as well...

@asarubbo
Author

The issue is still present on 7.0.4.9

    #8 0x7f2aeaea2812 in AcquireMagickMemory /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/MagickCore/memory.c:460:10
    #9 0x7f2aeaea2812 in AcquireVirtualMemory /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/MagickCore/memory.c:642
    #10 0x7f2ae32d941a in ReadPCXImage /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/coders/pcx.c:400:16
    #11 0x7f2aea9cdb26 in ReadImage /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/MagickCore/constitute.c:497:13
    #12 0x7f2aeb3a2df9 in ReadStream /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/MagickCore/stream.c:1013:9
    #13 0x7f2aea9cb3a6 in PingImage /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/MagickCore/constitute.c:226:9
    #14 0x7f2aea9cc2a6 in PingImages /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/MagickCore/constitute.c:327:10
    #15 0x7f2ae97a6118 in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/MagickWand/identify.c:319:18
    #16 0x7f2ae98f800a in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/MagickWand/mogrify.c:183:14
    #17 0x50a389 in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/utilities/magick.c:149:10
    #18 0x50a389 in main /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/utilities/magick.c:180
    #19 0x7f2ae7dda78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #20 0x419da8 in _init (/usr/bin/magick+0x419da8)

@asarubbo
Author

An updated testcase to see the issue:
1.crashes.zip

@mikayla-grace

We're using ImageMagick 7.0.5-4. It returns:

-> convert 1.pcx null:
convert: unexpected end-of-file `1.pcx' @ error/pcx.c/ReadPCXImage/429.

Does it fail for you with 7.0.5-4? The PCX source code in 7.0.4-9 and 7.0.5-4 is identical.

@asarubbo
Author

yes, it does.

@mikayla-grace

We're using afl-clang and valgrind on Fedora and CentOS; neither reports an error. We tried under Windows and the command completed without complaint.

@asarubbo
Author

Did you try to enable asan? I noticed that in the above comments you had the same issue:
#271 (comment)

@mikayla-grace

Yes, we use the -fsanitize=address flag. If you have other compiler flags we should enable, let us know.

@asarubbo
Author

I really don't know how to make you able to reproduce the issue. I was asked to give it another try... well, the past testcase does not work, but another round of fuzzing turned up the issue again.

@mikayla-grace

mikayla-grace commented Mar 28, 2017

Understood. We appreciate your efforts but as you realize, we cannot provide a patch if we cannot reproduce the problem.

@pgajdos

pgajdos commented May 19, 2017

Could it be rather an asan problem? I don't have it enabled:

(gdb) n
642 memory_info->blob=AcquireMagickMemory(extent);
(gdb) s
AcquireMagickMemory (size=16260665600) at MagickCore/memory.c:460
460 memory=memory_methods.acquire_memory_handler(size == 0 ? 1UL : size);
(gdb) whatis memory_methods.acquire_memory_handler
type = AcquireMemoryHandler
(gdb) p memory_methods.acquire_memory_handler
$2 = (AcquireMemoryHandler) 0x7ffff6f15370
(gdb) p size
$3 = 16260665600
(gdb) n
497 return(memory);
(gdb) p memory
$4 = (void *) 0x0
(gdb)

So memory_methods.acquire_memory_handler is just malloc for me, which correctly returns NULL as I don't have 16G of memory on this system. If I had enough memory, it would return a pointer to it. Not sure what could have gone wrong there.

@asarubbo, what is asan actually telling us? See also
google/sanitizers#697

@asarubbo
Author

asarubbo commented Aug 9, 2017

Can you retry with the attached testcase? It works for me with 7.0.6.5
130 crashes

@dlemstra
Member

dlemstra commented Sep 3, 2017

You are getting an allocation error because the size of the colormap is ridiculously high. On our systems we can allocate this but it then fails at a later moment. Can we close this issue @asarubbo?
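The width/height/area limits mikayla-grace recommends in the security policy, the gdb session where plain malloc returns NULL for a 16 GB request, and the oversized colormap dlemstra points to all come down to the same defensive step: bound every header-derived size before the allocation request is issued, so a crafted file is rejected by policy instead of by the allocator. The following is an added example in C, not ImageMagick's own code; `resource_limits`, `image_header`, `acquire_pixels`, `check_header` and `probe_bytes` are hypothetical names, and the limits and header values are constructed to mirror the kind of numbers seen in this thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical limits, modelled on the "width", "height" and "area"
   resources in ImageMagick's policy.xml; the numbers are constructed. */
typedef struct {
    size_t max_width;            /* pixels */
    size_t max_height;           /* pixels */
    size_t max_pixel_bytes;      /* bytes of pixel storage allowed */
    size_t max_colormap_entries; /* palette entries allowed */
} resource_limits;

/* Hypothetical header fields as a decoder reads them from the file.
   Everything in here is untrusted input. */
typedef struct {
    size_t columns;
    size_t rows;
    size_t bits_per_pixel;
    size_t planes;
    size_t colormap_entries;
} image_header;

typedef enum {
    ALLOC_OK,       /* buffer allocated, caller must free it */
    ALLOC_INVALID,  /* zero dimension or arithmetic overflow */
    ALLOC_POLICY,   /* rejected by a resource limit */
    ALLOC_NOMEM     /* sizes were acceptable but malloc returned NULL */
} alloc_status;

/* Bytes needed for the pixel buffer, computed with overflow checks.
   Returns 0 when any field is zero or a product overflows size_t, so a
   non-zero result is always a genuine, representable size. */
static size_t pixel_buffer_bytes(const image_header *h)
{
    size_t bits_per_row, bytes_per_row, total;

    if (__builtin_mul_overflow(h->columns, h->bits_per_pixel, &bits_per_row))
        return 0;
    if (__builtin_mul_overflow(bits_per_row, h->planes, &bits_per_row))
        return 0;
    /* round up to whole bytes without risking bits_per_row + 7 wrapping */
    bytes_per_row = bits_per_row / 8 + (bits_per_row % 8 != 0);
    if (__builtin_mul_overflow(bytes_per_row, h->rows, &total))
        return 0;
    return total;
}

/* Validate header-derived sizes against the limits before asking the
   allocator for anything. */
static alloc_status acquire_pixels(const image_header *h,
                                   const resource_limits *lim, void **out)
{
    size_t need;

    *out = NULL;
    if (h->columns > lim->max_width || h->rows > lim->max_height)
        return ALLOC_POLICY;
    if (h->colormap_entries > lim->max_colormap_entries)
        return ALLOC_POLICY;
    need = pixel_buffer_bytes(h);
    if (need == 0)
        return ALLOC_INVALID;
    if (need > lim->max_pixel_bytes)
        return ALLOC_POLICY;
    *out = malloc(need);
    return *out == NULL ? ALLOC_NOMEM : ALLOC_OK;
}

/* Constructed limits: 8192x8192 pixels, 128 MB of pixel data, 256 colours. */
static const resource_limits demo_limits = { 8192, 8192, 128000000UL, 256 };

/* Run the guard on constructed header values and release any buffer. */
static alloc_status check_header(size_t columns, size_t rows,
                                 size_t bits_per_pixel, size_t planes,
                                 size_t colormap_entries)
{
    image_header h = { columns, rows, bits_per_pixel, planes, colormap_entries };
    void *pixels = NULL;
    alloc_status st = acquire_pixels(&h, &demo_limits, &pixels);
    free(pixels);
    return st;
}

/* Expose the size computation alone, for checking the overflow path. */
static size_t probe_bytes(size_t columns, size_t rows,
                          size_t bits_per_pixel, size_t planes)
{
    image_header h = { columns, rows, bits_per_pixel, planes, 0 };
    return pixel_buffer_bytes(&h);
}

int main(void)
{
    static const char *names[] = { "ok", "invalid", "policy", "nomem" };
    /* constructed headers; the second would request several GB of pixels */
    printf("640x480x8:       %s\n", names[check_header(640, 480, 8, 1, 256)]);
    printf("65535x65535x8:   %s\n", names[check_header(65535, 65535, 8, 1, 256)]);
    printf("8192x8192x64x4:  %s\n", names[check_header(8192, 8192, 64, 4, 256)]);
    printf("colormap 65536:  %s\n", names[check_header(640, 480, 8, 1, 65536)]);
    return 0;
}
```

Without a guard like this the outcome depends on the allocator: glibc malloc hands back NULL (the `memory allocation failed` error in the earlier comments), while AddressSanitizer aborts inside its runtime for a request beyond its limits unless `ASAN_OPTIONS=allocator_may_return_null=1` is set, which is why the same input reads as a crash under the sanitizer and as a clean error without it.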

@asarubbo
Author

asarubbo commented Sep 6, 2017

If it is fine for you, it is fine for me too.

@asarubbo asarubbo closed this as completed Sep 6, 2017
4 participants