heap use after free in RenderFreetype #781
Comments
Unfortunately, we cannot reproduce the problem you reported. We're using ImageMagick 7.0.7-4 (ASAN-enabled) and Freetype 2.7.1. When we run your command, we get: and if we remove that font, ASAN does not return any memory leaks:
What version of Freetype are you using? Regarding your conjecture about freeing the same glyph image: possible of course, but debugging does not reveal a problem. Notice we call FT_Get_Glyph() before we call FT_Done_Glyph(glyph.image). That should produce a different image instance, and debugging suggests it does.
I tried freetype 2.7.1; this bug occurs as well. You need to compile freetype with ASAN, otherwise ASAN can't discover the bug. You said that it calls FT_Get_Glyph() before calling FT_Done_Glyph(), and I agree with you. But the case is that when FT_Get_Glyph() fails, it still calls FT_Done_Glyph(). Below is my debug info: The reason is that when ft_status != 0, it still calls FT_Done_Glyph().
Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.
This was assigned CVE-2017-14989
@noirfate did you use afl to find this issue? |
Original report by @noirfate:
Version: ImageMagick 7.0.7-4 Q16 x86_64 2017-09-22 http://www.imagemagick.org
In order to reproduce this bug, you need to build ImageMagick and Freetype2 with ASAN.
Add a crafted font in ~/.config/ImageMagick/type.xml
The crafted font file : https://github.com/noirfate/test/blob/master/test1.ttf
After adding the crafted font, run:
magick -background lightblue -fill blue -font test -size 480x360 caption:hello world 1.gif
ASAN would report:
After I took a look at the code, I think it may be caused by calling FT_Done_Glyph multiple times.
First when last_glyph.id != 0, it will enter the if condition
Thus last_glyph is equal to glyph.
And then, in some cases, it will call FT_Done_Glyph(last_glyph.image) and FT_Done_Glyph(glyph.image) both. Since last_glyph = glyph, the last call will trigger this bug.
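The ownership mistake described in this thread, as an added illustration that is not ImageMagick's or FreeType's code: a minimal model of the RenderFreetype loop shape, where a glyph handle is fetched per character, the previous glyph is released once the next one is ready, and the last glyph is released after the loop. FreeType is replaced by two fakes (fake_get_glyph, fake_done_glyph, both assumed names) that count releases per handle instead of touching the heap, so the second release is observable rather than a crash. The vulnerable mode reproduces the reporter's path (FT_Get_Glyph fails, glyph.image keeps the previous handle, last_glyph = glyph aliases it, and it is released twice); the hardened mode drops the stale handle on failure and releases every image exactly once.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for FreeType's glyph handle (FT_Glyph in the real API). A handle is
 * an index into a release-count table, so a second release is recorded rather
 * than corrupting the heap as a real double FT_Done_Glyph does. */
#define MAX_IMAGES 16

typedef struct {
    int   id;    /* glyph index; 0 means "no glyph", as in the report */
    void *image; /* handle filled in by fake_get_glyph */
} GlyphInfo;

static int g_release_count[MAX_IMAGES + 1]; /* slot 0 unused: handles start at 1 */
static int g_next_image;

static void reset_tracker(void)
{
    memset(g_release_count, 0, sizeof g_release_count);
    g_next_image = 0;
}

/* Fake FT_Get_Glyph: fails on request, otherwise hands out a fresh handle.
 * Like the real call, it leaves *out untouched when it fails. */
static int fake_get_glyph(int should_fail, void **out)
{
    if (should_fail || g_next_image >= MAX_IMAGES)
        return 1;
    *out = (void *)(size_t)(++g_next_image);
    return 0;
}

/* Fake FT_Done_Glyph: counts releases per handle; NULL is a no-op. */
static void fake_done_glyph(void *image)
{
    if (image != NULL)
        g_release_count[(size_t)image]++;
}

/* Sketch of the loop shape described in the report (assumed structure, not
 * ImageMagick's code): fetch each glyph, release the previous one once the next
 * is ready, release the last one after the loop. fail_at[i] != 0 makes fetch i
 * fail. With hardened == 0 a failed fetch falls through with the stale
 * glyph.image (the reported bug); with hardened != 0 the stale handle is dropped. */
static void render_glyphs(const int *fail_at, int count, int hardened)
{
    GlyphInfo glyph = { 0, NULL }, last_glyph = { 0, NULL };

    for (int i = 0; i < count; i++) {
        glyph.id = i + 1;
        if (fake_get_glyph(fail_at[i], &glyph.image) != 0) {
            if (hardened) {
                /* glyph.image still holds the previous handle, which
                 * last_glyph owns; forget it and skip this glyph. */
                glyph.id = 0;
                glyph.image = NULL;
                continue;
            }
            /* vulnerable: carry on with glyph.image == last_glyph.image */
        }
        /* ... kerning and bitmap compositing would go here ... */
        if (last_glyph.id != 0)
            fake_done_glyph(last_glyph.image);
        last_glyph = glyph; /* after a failed fetch: aliases the released image */
    }
    if (last_glyph.id != 0)
        fake_done_glyph(last_glyph.image); /* vulnerable mode: second release of the alias */
}

/* Run one scenario and return the highest release count seen for any handle:
 * 1 is correct, 2 is the double FT_Done_Glyph from the report. */
static int max_releases(const int *fail_at, int count, int hardened)
{
    reset_tracker();
    render_glyphs(fail_at, count, hardened);
    int worst = 0;
    for (int h = 1; h <= g_next_image; h++)
        if (g_release_count[h] > worst)
            worst = g_release_count[h];
    return worst;
}

/* Handles that were handed out but never released (checks the fix leaks nothing). */
static int leaked_images(const int *fail_at, int count, int hardened)
{
    reset_tracker();
    render_glyphs(fail_at, count, hardened);
    int leaks = 0;
    for (int h = 1; h <= g_next_image; h++)
        if (g_release_count[h] == 0)
            leaks++;
    return leaks;
}

int main(void)
{
    /* constructed scenario: the second of three glyph fetches fails */
    const int fail_at[] = { 0, 1, 0 };
    printf("vulnerable: max releases of one image = %d\n", max_releases(fail_at, 3, 0));
    printf("hardened:   max releases of one image = %d, leaked = %d\n",
           max_releases(fail_at, 3, 1), leaked_images(fail_at, 3, 1));
    return 0;
}
```

The point of the model is the failure path: FT_Get_Glyph leaves its output untouched when it fails, so any code that keeps going afterwards is holding a handle that someone else already owns. Clearing the handle (or skipping the glyph) at the failure site is what makes the later releases safe; under ASAN the real version of this shows up as a heap-use-after-free inside FT_Done_Glyph, exactly as the report describes.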