Heap Allocation errors, uninitialized integers used to allocate memory as well as conditional jumps depending on uninitialized values, while feeding a malformed WPG File
#851 · Closed · kirit1193 opened this issue on Nov 4, 2017 · 2 comments
There seem to be a number of heap allocation errors, uninitialized integers used to allocate memory, as well as conditional jumps depending on uninitialized values, while running a verbose identify on a malformed image file. All of these conditions can be triggered by using a single WPG file.
Steps to Reproduce
This occurs while running ./magick identify -verbose %file% on a malformed WPG file.
The Memcheck output is huge; I'm sharing it as a txt file (memcheck.txt) attached to the report.
However some of the relevant parts are:
==21704== Conditional jump or move depends on uninitialised value(s)
==21704== at 0x62D18D: IsPixelMonochrome (pixel-accessor.h:553)
==21704== by 0x62D18D: IdentifyImageMonochrome (attribute.c:759)
==21704== by 0x62D4C5: IdentifyImageType (attribute.c:820)
==21704== by 0x731F3A: IdentifyImage (identify.c:688)
==21704== by 0x8D8926: IdentifyImageCommand (identify.c:336)
==21704== by 0x8EABC9: MagickCommandGenesis (mogrify.c:183)
==21704== by 0x4044AB: MagickMain (magick.c:149)
==21704== by 0x4044AB: main (magick.c:180)
==21704== Uninitialised value was created by a heap allocation
==21704== at 0x4C31E76: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21704== by 0x4C31F91: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21704== by 0x42AAB7: AcquireAlignedMemory (memory.c:262)
==21704== by 0x647C71: OpenPixelCache (cache.c:3535)
==21704== by 0x64ADDF: GetImagePixelCache (cache.c:1660)
==21704== by 0x64DA00: SyncImagePixelCache (cache.c:5243)
==21704== by 0x40AA99: SetImageStorageClass (image.c:2520)
==21704== by 0x65C619: AcquireImageColormap (colormap.c:144)
==21704== by 0x600315: ReadWPGImage (wpg.c:1056)
==21704== by 0x67B6E8: ReadImage (constitute.c:497)
==21704== by 0x67D341: ReadImages (constitute.c:866)
==21704== by 0x8D8553: IdentifyImageCommand (identify.c:321)
==21704== Use of uninitialised value of size 8
==21704== at 0x4921F9: StringInfoToHexString (string.c:1987)
==21704== by 0x47CD3D: SignatureImage (signature.c:553)
==21704== by 0x731F82: IdentifyImage (identify.c:694)
==21704== by 0x8D8926: IdentifyImageCommand (identify.c:336)
==21704== by 0x8EABC9: MagickCommandGenesis (mogrify.c:183)
==21704== by 0x4044AB: MagickMain (magick.c:149)
==21704== by 0x4044AB: main (magick.c:180)
==21704== Uninitialised value was created by a heap allocation
==21704== at 0x4C31E76: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21704== by 0x4C31F91: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21704== by 0x42AAB7: AcquireAlignedMemory (memory.c:262)
==21704== by 0x647C71: OpenPixelCache (cache.c:3535)
==21704== by 0x64ADDF: GetImagePixelCache (cache.c:1660)
==21704== by 0x64DA00: SyncImagePixelCache (cache.c:5243)
==21704== by 0x40E746: SetImageExtent (image.c:2561)
==21704== by 0x60074F: ReadWPGImage (wpg.c:1108)
==21704== by 0x67B6E8: ReadImage (constitute.c:497)
==21704== by 0x67D341: ReadImages (constitute.c:866)
==21704== by 0x8D8553: IdentifyImageCommand (identify.c:321)
==21704== by 0x8EABC9: MagickCommandGenesis (mogrify.c:183)
==21704== Conditional jump or move depends on uninitialised value(s)
==21704== at 0x486090: ScaleAnyToQuantum (quantum-private.h:274)
==21704== by 0x486090: GetImageStatistics (statistic.c:2033)
==21704== by 0x732DDF: IdentifyImage (identify.c:759)
==21704== by 0x8D8926: IdentifyImageCommand (identify.c:336)
==21704== by 0x8EABC9: MagickCommandGenesis (mogrify.c:183)
==21704== by 0x4044AB: MagickMain (magick.c:149)
==21704== by 0x4044AB: main (magick.c:180)
==21704== Uninitialised value was created by a heap allocation
==21704== at 0x4C31E76: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21704== by 0x4C31F91: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21704== by 0x42AAB7: AcquireAlignedMemory (memory.c:262)
==21704== by 0x647C71: OpenPixelCache (cache.c:3535)
==21704== by 0x64ADDF: GetImagePixelCache (cache.c:1660)
==21704== by 0x64DA00: SyncImagePixelCache (cache.c:5243)
==21704== by 0x40AA99: SetImageStorageClass (image.c:2520)
==21704== by 0x65C619: AcquireImageColormap (colormap.c:144)
==21704== by 0x600315: ReadWPGImage (wpg.c:1056)
==21704== by 0x67B6E8: ReadImage (constitute.c:497)
==21704== by 0x67D341: ReadImages (constitute.c:866)
==21704== by 0x8D8553: IdentifyImageCommand (identify.c:321)
test-wpg.zip
The hexdump of the input file is:
System Configuration
Version: ImageMagick 7.0.7-9 Q16 x86_64 2017-10-30 http://www.imagemagick.org
Copyright: © 1999-2017 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC
Delegates (built-in):
OS: Ubuntu 17.10
Compiler: clang version 4.0.1-6 (tags/RELEASE_401/final) / gcc version 7.2.0 (Ubuntu 7.2.0-8ubuntu3)
Target: x86_64-pc-linux-gnu
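As an added illustration, not ImageMagick's code and not part of the report above: the Memcheck traces show the pixel cache being acquired with posix_memalign (AcquireAlignedMemory, reached from AcquireImageColormap and SetImageExtent inside ReadWPGImage) and then IdentifyImage reading pixels through IsPixelMonochrome, SignatureImage and GetImageStatistics that the decoder never wrote. The C program below models that pattern with a hypothetical toy raster format (constructed here, not WPG): the header declares width and height, the pixel buffer is acquired uninitialised, and a truncated payload leaves part of it unwritten, so a hex signature computed over the buffer would carry leftover heap bytes into the output. The hardened decoder rejects a payload shorter than width*height before allocating. All names and the format are assumptions for this example.

```c
#define _POSIX_C_SOURCE 200112L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical toy raster format (constructed for this example, not WPG):
   4-byte header = width, height as little-endian uint16, then width*height 8-bit pixels. */
typedef struct {
    size_t width, height;
    uint8_t *pixels;          /* width*height bytes, acquired aligned like a pixel cache */
    size_t pixels_written;    /* bytes the decoder actually filled from the file */
} Image;

static int parse_header(const uint8_t *buf, size_t len, size_t *w, size_t *h) {
    if (buf == NULL || len < 4) return -1;
    *w = (size_t)buf[0] | ((size_t)buf[1] << 8);
    *h = (size_t)buf[2] | ((size_t)buf[3] << 8);
    if (*w == 0 || *h == 0 || *w > 4096 || *h > 4096) return -1;   /* bounded, so w*h cannot overflow */
    return 0;
}

static Image *acquire_image(size_t w, size_t h) {
    Image *img = calloc(1, sizeof *img);
    if (img == NULL) return NULL;
    void *p = NULL;
    /* posix_memalign, like the AcquireAlignedMemory frame in the trace, does not zero the block */
    if (posix_memalign(&p, 64, w * h) != 0) { free(img); return NULL; }
    img->width = w; img->height = h; img->pixels = p;
    return img;
}

void free_image(Image *img) {
    if (img) { free(img->pixels); free(img); }
}

/* Vulnerable pattern: size the pixel buffer from the header, copy whatever payload exists,
   and report success even if the file ended early. Bytes [pixels_written, w*h) stay uninitialised. */
Image *decode_unsafe(const uint8_t *buf, size_t len) {
    size_t w, h;
    if (parse_header(buf, len, &w, &h) != 0) return NULL;
    Image *img = acquire_image(w, h);
    if (img == NULL) return NULL;
    size_t avail = len - 4, need = w * h;
    size_t n = avail < need ? avail : need;
    memcpy(img->pixels, buf + 4, n);
    img->pixels_written = n;
    return img;
}

/* Hardened: reject a truncated payload before allocating, so every pixel a caller can read was written.
   (Zero-filling the buffer instead would also silence Memcheck, but would hide the malformed input.) */
Image *decode_safe(const uint8_t *buf, size_t len) {
    size_t w, h;
    if (parse_header(buf, len, &w, &h) != 0) return NULL;
    if (len - 4 < w * h) return NULL;        /* payload shorter than width*height: malformed */
    Image *img = acquire_image(w, h);
    if (img == NULL) return NULL;
    memcpy(img->pixels, buf + 4, w * h);
    img->pixels_written = w * h;
    return img;
}

/* Models SignatureImage -> StringInfoToHexString: hex-encode the whole pixel buffer.
   On an image from decode_unsafe with a short payload this reads uninitialised heap,
   which is the kind of "Use of uninitialised value" Memcheck reports, and the hex
   string then carries leftover heap bytes into the identify -verbose output. */
int hex_signature(const Image *img, char *out, size_t outlen) {
    size_t n = img->width * img->height;
    if (outlen < 2 * n + 1) return -1;
    static const char digits[] = "0123456789abcdef";
    for (size_t i = 0; i < n; i++) {
        out[2 * i]     = digits[img->pixels[i] >> 4];
        out[2 * i + 1] = digits[img->pixels[i] & 0x0f];
    }
    out[2 * n] = '\0';
    return 0;
}

int main(void) {
    /* constructed sample: header says 4x2 = 8 pixels, but only 5 payload bytes follow */
    static const uint8_t truncated[] = {0x04, 0x00, 0x02, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05};
    char sig[64];

    Image *bad = decode_unsafe(truncated, sizeof truncated);
    if (bad == NULL) return 1;
    printf("unsafe: decoded %zu of %zu pixels\n", bad->pixels_written, bad->width * bad->height);
    hex_signature(bad, sig, sizeof sig);      /* run under valgrind --track-origins=yes to see the report */
    printf("unsafe signature: %s\n", sig);
    free_image(bad);

    Image *good = decode_safe(truncated, sizeof truncated);
    printf("safe: %s\n", good ? "accepted" : "rejected truncated file");
    free_image(good);
    return 0;
}
```

Built with gcc and run under valgrind --track-origins=yes, the unsafe path produces the same shape of report as the traces above: the use of uninitialised bytes inside hex_signature, with origin in the posix_memalign call of acquire_image. The safe path never reaches the signature because the truncated file is refused at decode time.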