
heap use after free in RenderFreetype #781

Closed
@noirfate


Version : ImageMagick 7.0.7-4 Q16 x86_64 2017-09-22 http://www.imagemagick.org

In order to reproduce this bug, you need to build ImageMagick and Freetype2 with ASAN.

Add a crafted font entry to ~/.config/ImageMagick/type.xml:

```xml
<type
     format="ttf"
     name="test"
     fullname="Z003 Medium Italic"
     family="Z003"
     glyphs="/root/out/crashes/test.ttf"
     />
```

The crafted font file : https://github.com/noirfate/test/blob/master/test1.ttf

After adding the crafted font, run:

```
magick -background lightblue -fill blue -font test -size 480x360 caption:hello world 1.gif
```

ASAN reports:

```
==3531==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000092a0 at pc 0x7f31ab1cc934 bp 0x7ffd03c83330 sp 0x7ffd03c83328
READ of size 8 at 0x6080000092a0 thread T0
    #0 0x7f31ab1cc933 in FT_Done_Glyph /root/dep_src/freetype2/src/base/ftglyph.c:637:46
    #1 0x7f31ac530d4c in RenderFreetype /root/dep_src/ImageMagick-master/MagickCore/annotate.c:1797:7
    #2 0x7f31ac529114 in RenderType /root/dep_src/ImageMagick-master/MagickCore/annotate.c:1027:10
    #3 0x7f31ac527944 in GetTypeMetrics /root/dep_src/ImageMagick-master/MagickCore/annotate.c:906:10
    #4 0x7f31ac52aa77 in FormatMagickCaption /root/dep_src/ImageMagick-master/MagickCore/annotate.c:627:12
    #5 0x7f31ac99ea52 in ReadCAPTIONImage /root/dep_src/ImageMagick-master/coders/caption.c:221:11
    #6 0x7f31ac5c8688 in ReadImage /root/dep_src/ImageMagick-master/MagickCore/constitute.c:497:13
    #7 0x7f31ac5cad54 in ReadImages /root/dep_src/ImageMagick-master/MagickCore/constitute.c:866:9
    #8 0x7f31abf87ad9 in CLINoImageOperator /root/dep_src/ImageMagick-master/MagickWand/operation.c:4760:22
    #9 0x7f31abf8a1fc in CLIOption /root/dep_src/ImageMagick-master/MagickWand/operation.c:5255:7
    #10 0x7f31abe84577 in ProcessCommandOptions /root/dep_src/ImageMagick-master/MagickWand/magick-cli.c:424:13
    #11 0x7f31abe853e0 in MagickImageCommand /root/dep_src/ImageMagick-master/MagickWand/magick-cli.c:794:5
    #12 0x7f31abeb7ad7 in MagickCommandGenesis /root/dep_src/ImageMagick-master/MagickWand/mogrify.c:183:14
    #13 0x4ee16d in MagickMain /root/dep_src/ImageMagick-master/utilities/magick.c:149:10
    #14 0x4ee16d in main /root/dep_src/ImageMagick-master/utilities/magick.c:180
    #15 0x7f31a30f482f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #16 0x41a2d8 in _start (/root/deps/bin/magick+0x41a2d8)

0x6080000092a0 is located 0 bytes inside of 88-byte region [0x6080000092a0,0x6080000092f8)
freed by thread T0 here:
    #0 0x4c0c8b in __interceptor_free /home/snd-local/releases/4.0.1/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7f31ac530ad0 in RenderFreetype /root/dep_src/ImageMagick-master/MagickCore/annotate.c:1772:5
    #2 0x7f31ac529114 in RenderType /root/dep_src/ImageMagick-master/MagickCore/annotate.c:1027:10
    #3 0x7f31ac527944 in GetTypeMetrics /root/dep_src/ImageMagick-master/MagickCore/annotate.c:906:10
    #4 0x7f31ac52aa77 in FormatMagickCaption /root/dep_src/ImageMagick-master/MagickCore/annotate.c:627:12
    #5 0x7f31ac99ea52 in ReadCAPTIONImage /root/dep_src/ImageMagick-master/coders/caption.c:221:11
    #6 0x7f31ac5c8688 in ReadImage /root/dep_src/ImageMagick-master/MagickCore/constitute.c:497:13
    #7 0x7f31ac5cad54 in ReadImages /root/dep_src/ImageMagick-master/MagickCore/constitute.c:866:9
    #8 0x7f31abf87ad9 in CLINoImageOperator /root/dep_src/ImageMagick-master/MagickWand/operation.c:4760:22
    #9 0x7f31abf8a1fc in CLIOption /root/dep_src/ImageMagick-master/MagickWand/operation.c:5255:7
    #10 0x7f31abe84577 in ProcessCommandOptions /root/dep_src/ImageMagick-master/MagickWand/magick-cli.c:424:13

previously allocated by thread T0 here:
    #0 0x4c0fdc in __interceptor_malloc /home/snd-local/releases/4.0.1/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3
    #1 0x7f31ab1952e2 in ft_mem_qalloc /root/dep_src/freetype2/src/base/ftutil.c:76:15
    #2 0x7f31ab1952e2 in ft_mem_alloc /root/dep_src/freetype2/src/base/ftutil.c:55
    #3 0x7f31ac52f508 in RenderFreetype /root/dep_src/ImageMagick-master/MagickCore/annotate.c:1613:15
    #4 0x7f31ac529114 in RenderType /root/dep_src/ImageMagick-master/MagickCore/annotate.c:1027:10
    #5 0x7f31ac527944 in GetTypeMetrics /root/dep_src/ImageMagick-master/MagickCore/annotate.c:906:10
    #6 0x7f31ac52aa77 in FormatMagickCaption /root/dep_src/ImageMagick-master/MagickCore/annotate.c:627:12
    #7 0x7f31ac99ea52 in ReadCAPTIONImage /root/dep_src/ImageMagick-master/coders/caption.c:221:11
    #8 0x7f31ac5c8688 in ReadImage /root/dep_src/ImageMagick-master/MagickCore/constitute.c:497:13
    #9 0x7f31ac5cad54 in ReadImages /root/dep_src/ImageMagick-master/MagickCore/constitute.c:866:9
    #10 0x7f31abf87ad9 in CLINoImageOperator /root/dep_src/ImageMagick-master/MagickWand/operation.c:4760:22
    #11 0x7f31abf8a1fc in CLIOption /root/dep_src/ImageMagick-master/MagickWand/operation.c:5255:7
    #12 0x7f31abe84577 in ProcessCommandOptions /root/dep_src/ImageMagick-master/MagickWand/magick-cli.c:424:13
```

After taking a look at the code, I think it may be caused by calling FT_Done_Glyph multiple times.

First, when last_glyph.id != 0, it enters the if condition (annotate.c:1762):

```c
    if (last_glyph.id != 0)
      FT_Done_Glyph(last_glyph.image);
      last_glyph=glyph;
      code=GetUTFCode(p+grapheme[i].cluster);
  }
```

Thus last_glyph is equal to glyph.

And then, in some cases, it will call FT_Done_Glyph(last_glyph.image) and FT_Done_Glyph(glyph.image) both. Since last_glyph = glyph, the last call will trigger this bug.

```c
  if (last_glyph.id != 0)
    FT_Done_Glyph(last_glyph.image);
  /*
    Determine font metrics.
  */
  glyph.id=FT_Get_Char_Index(face,'_');
  glyph.origin=origin;
  ft_status=FT_Load_Glyph(face,glyph.id,flags);
  if (ft_status == 0)
  {
     ... 
      FT_Done_Glyph(glyph.image);
    }
```
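The ownership problem described in the report, as an added example that is not part of the issue and not ImageMagick's or FreeType's own code: two handles (`last_glyph` and `glyph`) end up pointing at one glyph image, and the function's tail releases each handle separately. The model below replaces `FT_Done_Glyph` with a counting stand-in (`done_glyph`) so the double release shows up as a number rather than a crash, then shows the same sequence with ownership moved instead of shared, so a handle that has given its image away can no longer release it. The struct names, the glyph index 42 and the `release_glyph` helper are constructed for the illustration.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model of the glyph bookkeeping in the report (example code,
 * not ImageMagick's or FreeType's own). GlyphImage stands in for an FT_Glyph;
 * done_glyph() counts releases instead of freeing, so a double release is
 * observable as a count of 2 rather than a heap-use-after-free.
 */
typedef struct {
  int released;            /* number of times done_glyph() saw this image */
} GlyphImage;

typedef struct {
  unsigned long id;        /* glyph index; 0 means "no glyph", as in annotate.c */
  GlyphImage *image;       /* stands in for the FT_Glyph image handle */
} GlyphInfo;

/* Stand-in for FT_Done_Glyph. */
static void done_glyph(GlyphImage *image)
{
  if (image != NULL)
    image->released++;
}

/*
 * The sequence from the report: the loop assigns last_glyph=glyph, so both
 * structs point at one image, and the tail of the function then releases
 * last_glyph.image and glyph.image separately. Returns the release count.
 */
int unsafe_release_sequence(void)
{
  GlyphImage img = { 0 };
  GlyphInfo glyph = { 42, &img };          /* constructed glyph index */
  GlyphInfo last_glyph = { 0, NULL };

  /* end of loop body: release the previous glyph, current becomes last */
  if (last_glyph.id != 0)
    done_glyph(last_glyph.image);
  last_glyph = glyph;                      /* both handles now alias one image */

  /* after the loop */
  if (last_glyph.id != 0)
    done_glyph(last_glyph.image);          /* first release */
  /* metrics path, in the case where glyph.image was not replaced */
  done_glyph(glyph.image);                 /* same image released again */

  return img.released;                     /* 2: double release */
}

/*
 * Hardened variant (hypothetical fix pattern, not the project's fix): ownership
 * is moved, never shared. The handle that gives its image away is cleared, and
 * release_glyph() clears whatever it releases, so an image is released at most
 * once no matter which path reaches the tail of the function.
 */
static void release_glyph(GlyphInfo *g)
{
  if (g->id != 0 && g->image != NULL)
    done_glyph(g->image);
  g->image = NULL;
  g->id = 0;
}

int safe_release_sequence(void)
{
  GlyphImage img = { 0 };
  GlyphInfo glyph = { 42, &img };
  GlyphInfo last_glyph = { 0, NULL };

  release_glyph(&last_glyph);              /* nothing owned yet: no-op */
  last_glyph = glyph;
  glyph.image = NULL;                      /* ownership moved to last_glyph */
  glyph.id = 0;

  release_glyph(&last_glyph);              /* the one real release */
  release_glyph(&glyph);                   /* no-op: this handle was cleared */

  return img.released;                     /* 1 */
}

int main(void)
{
  printf("aliased handles: %d release(s) of one image\n", unsafe_release_sequence());
  printf("moved ownership: %d release(s) of one image\n", safe_release_sequence());
  return 0;
}
```

The counting stand-in is the reason the model can be run without a sanitizer; in the real code path the second `FT_Done_Glyph` reads the freed `FT_Glyph`, which is exactly the READ that ASAN attributes to ftglyph.c in the trace above. Clearing a handle after every release (or after every hand-off) is the check a reviewer would ask for wherever two variables may point at the same FreeType object.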
