Segfault on bad favicon #51

Open
bf4 opened this Issue Jul 24, 2014 · 0 comments

bf4 commented Jul 24, 2014

Issue by psanford
Wednesday Aug 07, 2013 at 18:16 GMT
Originally opened as #83


Using RMagick 2.13.2, I'm trying to read an untrusted favicon. The following test script results in a segfault:

require 'base64'
require 'RMagick'
require 'net/http'

# Fetch the malformed favicon as a raw string
broken = Net::HTTP.get('s3.amazonaws.com', '/public.petersdanceparty.com/broken-favicon.ico')

# Decode it from an in-memory (Base64) blob rather than from a file
images = Magick::Image.read_inline(Base64.encode64(broken)) {|i| i.format = 'ico' }
puts images.length

The segfault is:

*** glibc detected *** ruby: double free or corruption (!prev): 0x0000000003977140 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x7eb96)[0x7fe526b76b96]
/usr/lib/libMagickCore.so.4(RelinquishMagickMemory+0xf)[0x7fe5233e7b1f]
/home/psanford/.rvm/gems/ruby-2.0.0-p195@storenet/gems/rmagick-2.13.2/lib/RMagick2.so(magick_free+0x18)[0x7fe5237af706]
/home/psanford/.rvm/gems/ruby-2.0.0-p195@storenet/gems/rmagick-2.13.2/lib/RMagick2.so(Image_read_inline+0x10c)[0x7fe5237a8445]

However, if you read the file via Magick::Image.read() it does not segfault:

require 'base64'
require 'RMagick'
require 'net/http'

broken = Net::HTTP.get('s3.amazonaws.com', '/public.petersdanceparty.com/broken-favicon.ico')

# Write the same bytes to disk and read them back through the file-based path
File.open('/tmp/broken-favicon.ico', 'wb') {|f| f.print(broken)}

images = Magick::Image.read('/tmp/broken-favicon.ico')
puts images.length

I tracked the problem down to these two lines: https://github.com/rmagick/rmagick/blob/master/ext/RMagick/rmimage.c#L10775-10776

With the given favicon, BlobToImage is freeing the *blob memory and then magick_free() attempts to free the same memory location.

This happens on both Ubuntu 12.04 and OS X.
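The ownership mix-up the report describes (a decoder that frees the caller's blob when decoding fails, followed by the caller freeing it again) can be modelled in a few lines of C. The block below is an added illustration written for this page, not code from the issue, from RMagick or from ImageMagick: decode_blob, its two-byte "header check", the sample blobs and the tracking allocator are all constructed here. The tracking free records a second free of the same pointer instead of handing it to glibc, so the buggy and fixed callers can be compared without aborting the process; in real code the same defect is what AddressSanitizer reports as a double-free.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the double free described in the issue.
 * Nothing here is ImageMagick or RMagick code. */

#define MAX_TRACKED 16

static void *live[MAX_TRACKED];   /* pointers currently owned by someone */
static int double_free_count;     /* second frees of an already-freed pointer */

/* Constructed sample blobs: the model treats a leading 0x00 0x00 as valid. */
static const unsigned char kGoodBlob[] = { 0x00, 0x00, 0x01 };
static const unsigned char kBadBlob[]  = { 0xFF, 0xFE, 0x01 };

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p == NULL) return NULL;
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (live[i] == NULL) { live[i] = p; return p; }
    }
    free(p);
    return NULL;
}

/* Frees p once; a repeat free of the same pointer is only counted, which is
 * the case glibc's "double free or corruption" abort would otherwise catch. */
static void tracked_free(void *p) {
    if (p == NULL) return;
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    }
    double_free_count++;
}

/* Stand-in for a decoder that, as the reporter describes for BlobToImage,
 * frees the blob itself when decoding fails.
 * Returns 1 on success (caller still owns blob), 0 on failure (blob freed). */
static int decode_blob(unsigned char *blob, size_t len) {
    if (len < 2 || blob[0] != 0 || blob[1] != 0) {
        tracked_free(blob);
        return 0;
    }
    return 1;
}

/* Buggy caller: frees unconditionally, so a failed decode frees twice. */
static int read_inline_buggy(const unsigned char *data, size_t len) {
    unsigned char *blob = tracked_malloc(len);
    if (blob == NULL) return -1;
    memcpy(blob, data, len);
    int ok = decode_blob(blob, len);
    tracked_free(blob);            /* double free when ok == 0 */
    return ok;
}

/* Fixed caller: frees only on the path where it still owns the blob.
 * (Making the decoder never free would be an equally valid fix; the point
 * is that exactly one side owns the buffer on every path.) */
static int read_inline_fixed(const unsigned char *data, size_t len) {
    unsigned char *blob = tracked_malloc(len);
    if (blob == NULL) return -1;
    memcpy(blob, data, len);
    int ok = decode_blob(blob, len);
    if (ok) tracked_free(blob);    /* on failure decode_blob already freed it */
    return ok;
}

int reset_tracker(void) {
    memset(live, 0, sizeof live);
    double_free_count = 0;
    return 0;
}

int get_double_free_count(void) { return double_free_count; }

int main(void) {
    reset_tracker();
    read_inline_buggy(kBadBlob, sizeof kBadBlob);
    printf("buggy caller on malformed blob: %d double free(s)\n", get_double_free_count());
    reset_tracker();
    read_inline_fixed(kBadBlob, sizeof kBadBlob);
    read_inline_fixed(kGoodBlob, sizeof kGoodBlob);
    printf("fixed caller on both blobs:    %d double free(s)\n", get_double_free_count());
    return 0;
}
```

Run stand-alone it reports one double free for the buggy caller and none for the fixed one; the same two callers under ASan (-fsanitize=address, with tracked_free replaced by plain free) would abort on the first and pass on the second.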
