Segfault on bad favicon #51

bf4 opened this Issue Jul 24, 2014 · 0 comments



bf4 commented Jul 24, 2014

Issue by psanford
Wednesday Aug 07, 2013 at 18:16 GMT
Originally opened as #83

Using RMagick 2.13.2, I'm trying to read an untrusted favicon. The following test script results in a segfault:

require 'base64'
require 'RMagick'
require 'net/http'

# fetch the untrusted favicon over HTTP (the host argument is blank in the report as extracted)
broken = Net::HTTP.get('', '/')

# hand the raw bytes to RMagick as a base64 blob, forcing the ICO decoder
images = Magick::Image.read_inline(Base64.encode64(broken)) {|i| i.format = 'ico' }
puts images.length

The segfault is:

*** glibc detected *** ruby: double free or corruption (!prev): 0x0000000003977140 ***
======= Backtrace: =========

However, if you read the file via it does not segfault:

require 'base64'
require 'RMagick'
require 'net/http'

# same fetch as above (the host argument is blank in the report as extracted)
broken = Net::HTTP.get('', '/')

# write the bytes to disk instead of decoding them in memory
File.open('/tmp/broken-favicon.ico', 'wb') {|f| f.print(broken)}

# reading the file from disk takes a different code path and does not crash
images = Magick::Image.read('/tmp/broken-favicon.ico')
puts images.length

I tracked the problem down to these two lines:

With the given favicon, BlobToImage is freeing the *blob memory and then magick_free() attempts to free the same memory location.

This happens on both Ubuntu 12.04 and OS X.
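A minimal C model of the ownership bug the report describes, added here as an illustration; it is not code from RMagick or ImageMagick. The tracked-free helper, the two decoder functions and the "junkjunk" blob are assumptions constructed for the example: the buggy decoder frees a buffer it does not own on the error path, so the caller's own release becomes a second free, while the fixed decoder leaves the caller's memory alone.

```c
#include <stdlib.h>
#include <string.h>

/* Tracking allocator (assumed helper): remembers every pointer released so a
 * second release of the same block is counted instead of corrupting the heap. */
#define MAX_FREED 16
static void *freed[MAX_FREED];
static int nfreed, double_frees;

static void tracked_free(void *p) {
    for (int i = 0; i < nfreed; i++)
        if (freed[i] == p) { double_frees++; return; }  /* second free: counted, not performed */
    if (nfreed < MAX_FREED) freed[nfreed++] = p;
    free(p);
}

static void reset_tracker(void) { nfreed = 0; double_frees = 0; }

/* Buggy pattern modelled on the report: on a malformed ICO header the decoder
 * frees the blob it was handed, although the caller still owns that memory. */
static int decode_buggy(char *blob, size_t len) {
    if (len < 4 || memcmp(blob, "\0\0\1\0", 4) != 0) {  /* ICO files start with 00 00 01 00 */
        tracked_free(blob);
        return -1;
    }
    return 0;
}

/* Fixed pattern: the decoder reports failure and never frees memory it does not own. */
static int decode_fixed(const char *blob, size_t len) {
    if (len < 4 || memcmp(blob, "\0\0\1\0", 4) != 0) return -1;
    return 0;
}

/* Caller side: allocate the blob, decode it, release it exactly once.
 * Each function returns the number of double frees the tracker observed. */
static int run_buggy(void) {
    reset_tracker();
    char *blob = malloc(8);
    memcpy(blob, "junkjunk", 8);   /* constructed input: not a valid ICO header */
    decode_buggy(blob, 8);         /* frees blob on the failure path */
    tracked_free(blob);            /* caller's release: the same block a second time */
    return double_frees;           /* 1 */
}

static int run_fixed(void) {
    reset_tracker();
    char *blob = malloc(8);
    memcpy(blob, "junkjunk", 8);
    decode_fixed(blob, 8);         /* reports failure, leaves ownership with the caller */
    tracked_free(blob);            /* the only free of this block */
    return double_frees;           /* 0 */
}
```

Under a real allocator the buggy path is what glibc reports as "double free or corruption"; the fix is a single, documented owner for the blob.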
