http://bugzilla.suse.com/show_bug.cgi?id=1159852
http://bugzilla.suse.com/show_bug.cgi?id=1159852#c4
--- Comment #4 from Petr Gajdos ---
BEFORE
With ASAN:
15,12/ImageMagick
$ convert heap-use-after-free_ThrowLoggedException out.ps2
convert: Corrupt JPEG data: 2 extraneous bytes before marker 0xc9
`heap-use-after-free_ThrowLoggedException' @
warning/jpeg.c/JPEGWarningHandler/365.
convert: Corrupt JPEG data: 2 extraneous bytes before marker 0xdb
`heap-use-after-free_ThrowLoggedException' @
warning/jpeg.c/JPEGWarningHandler/365.
convert: Corrupt JPEG data: 2 extraneous bytes before marker 0xda
`heap-use-after-free_ThrowLoggedException' @
warning/jpeg.c/JPEGWarningHandler/365.
convert: Invalid SOS parameters for sequential JPEG
`heap-use-after-free_ThrowLoggedException' @
warning/jpeg.c/JPEGWarningHandler/365.
convert: Sampling factors too large for interleaved scan
`/tmp/magick-11029VnIxnapIXYi8' @ error/jpeg.c/JPEGErrorHandler/332.
$
$ convert heap-buffer-overflow-READ-0x08417e7a.webp out.pct
$
15.1,15.0/GraphicsMagick
$ gm convert heap-use-after-free_ThrowLoggedException out.ps2
gm convert: Invalid SOS parameters for sequential JPEG
(heap-use-after-free_ThrowLoggedException).
$
$ gm convert heap-buffer-overflow-READ-0x08417e7a.webp out.pct
=================================================================
==11256==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6310000287ff at pc 0x7f7e515eefe5 bp 0x7ffd2d070660 sp 0x7ffd2d070658
READ of size 1 at 0x6310000287ff thread T0
#0 0x7f7e515eefe4
(/usr/lib64/GraphicsMagick-1.3.29/modules-Q16/coders/pict.so+0x8fe4)
#1 0x7f7e515effff
(/usr/lib64/GraphicsMagick-1.3.29/modules-Q16/coders/pict.so+0x9fff)
#2 0x7f7e56ed5f21 in WriteImage
(/usr/lib64/libGraphicsMagick-Q16.so.3+0x197f21)
#3 0x7f7e56ed6a49 in WriteImages
(/usr/lib64/libGraphicsMagick-Q16.so.3+0x198a49)
#4 0x7f7e56e92e12 in ConvertImageCommand
(/usr/lib64/libGraphicsMagick-Q16.so.3+0x154e12)
#5 0x7f7e56e6e8e7 in MagickCommand
(/usr/lib64/libGraphicsMagick-Q16.so.3+0x1308e7)
#6 0x7f7e56e709e4 (/usr/lib64/libGraphicsMagick-Q16.so.3+0x1329e4)
#7 0x7f7e56eaf421 in GMCommand
(/usr/lib64/libGraphicsMagick-Q16.so.3+0x171421)
#8 0x7f7e56786f89 in __libc_start_main (/lib64/libc.so.6+0x20f89)
#9 0x55a8445f5739 (/usr/bin/gm+0x739)
0x6310000287ff is located 1 bytes to the left of 65536-byte region
[0x631000028800,0x631000038800)
allocated by thread T0 here:
#0 0x7f7e57543500 in malloc (/usr/lib64/libasan.so.4+0xdc500)
#1 0x7f7e515ef83f
(/usr/lib64/GraphicsMagick-1.3.29/modules-Q16/coders/pict.so+0x983f)
#2 0x7f7e515f989f
(/usr/lib64/GraphicsMagick-1.3.29/modules-Q16/coders/pict.so+0x1389f)
SUMMARY: AddressSanitizer: heap-buffer-overflow
(/usr/lib64/GraphicsMagick-1.3.29/modules-Q16/coders/pict.so+0x8fe4)
==11256==ABORTING
$
Without ASAN:
15,12/ImageMagick
$ valgrind -q convert heap-use-after-free_ThrowLoggedException out.ps2
convert: Corrupt JPEG data: 2 extraneous bytes before marker 0xc9
`heap-use-after-free_ThrowLoggedException' @
warning/jpeg.c/JPEGWarningHandler/365.
convert: Corrupt JPEG data: 2 extraneous bytes before marker 0xdb
`heap-use-after-free_ThrowLoggedException' @
warning/jpeg.c/JPEGWarningHandler/365.
convert: Corrupt JPEG data: 2 extraneous bytes before marker 0xda
`heap-use-after-free_ThrowLoggedException' @
warning/jpeg.c/JPEGWarningHandler/365.
convert: Invalid SOS parameters for sequential JPEG
`heap-use-after-free_ThrowLoggedException' @
warning/jpeg.c/JPEGWarningHandler/365.
convert: Sampling factors too large for interleaved scan
`/tmp/magick-27264sXTGTwMfFbQg' @ error/jpeg.c/JPEGErrorHandler/332.
$
$ valgrind -q convert heap-buffer-overflow-READ-0x08417e7a.webp out.pct
$
11/ImageMagick
$ valgrind -q convert heap-use-after-free_ThrowLoggedException out.ps2
convert: Sorry, there are legal restrictions on arithmetic coding
`heap-use-after-free_ThrowLoggedException'.
convert: missing an image filename `out.ps2'.
$
$ valgrind -q convert heap-buffer-overflow-READ-0x08417e7a.webp out.pct
sh: mplayer: command not found
convert: Delegate failed `"mplayer" "%i" -really-quiet -ao null -vo png:z=3'.
convert: missing an image filename `out.pct'.
$
15.1,15.0/GraphicsMagick
$ valgrind -q gm convert heap-use-after-free_ThrowLoggedException out.ps2
gm convert: Invalid SOS parameters for sequential JPEG
(heap-use-after-free_ThrowLoggedException).
$
$ valgrind -q gm convert heap-buffer-overflow-READ-0x08417e7a.webp out.pct
==27639== Invalid read of size 1
==27639== at 0x7A5E285: EncodeImage (pict.c:731)
==27639== by 0x7A5EEA1: WritePICTImage (pict.c:2071)
==27639== by 0x4EC7B5A: WriteImage (constitute.c:2230)
==27639== by 0x4EC8208: WriteImages (constitute.c:2388)
==27639== by 0x4EA74FB: ConvertImageCommand (command.c:6087)
==27639== by 0x4E976BB: MagickCommand (command.c:8872)
==27639== by 0x4E987C5: GMCommandSingle (command.c:17393)
==27639== by 0x4EB93CD: GMCommand (command.c:17446)
==27639== by 0x5451F89: (below main) (in /lib64/libc-2.26.so)
==27639== Address 0x76a4b6f is 1 bytes before a block of size 65,536 alloc'd
==27639== at 0x4C2E2DF: malloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==27639== by 0x7A5E970: WritePICTImage (pict.c:1790)
==27639== by 0x4EC7B5A: WriteImage (constitute.c:2230)
==27639== by 0x4EC8208: WriteImages (constitute.c:2388)
==27639== by 0x4EA74FB: ConvertImageCommand (command.c:6087)
==27639== by 0x4E976BB: MagickCommand (command.c:8872)
==27639== by 0x4E987C5: GMCommandSingle (command.c:17393)
==27639== by 0x4EB93CD: GMCommand (command.c:17446)
==27639== by 0x5451F89: (below main) (in /lib64/libc-2.26.so)
==27639==
$
[see comment 1, corresponds to ASAN report]
PATCH
comment 0; do not consider ImageMagick affected
AFTER
15.1,15.2/GraphicsMagick
$ valgrind -q gm convert heap-use-after-free_ThrowLoggedException out.ps2
gm convert: Invalid SOS parameters for sequential JPEG
(heap-use-after-free_ThrowLoggedException).
$
$ valgrind -q gm convert heap-buffer-overflow-READ-0x08417e7a.webp out.pct
==21658== Invalid read of size 1
==21658== at 0x7A5E285: EncodeImage (pict.c:731)
==21658== by 0x7A5EEA1: WritePICTImage (pict.c:2071)
==21658== by 0x4EC7B5A: WriteImage (constitute.c:2230)
==21658== by 0x4EC8208: WriteImages (constitute.c:2388)
==21658== by 0x4EA74FB: ConvertImageCommand (command.c:6087)
==21658== by 0x4E976BB: MagickCommand (command.c:8872)
==21658== by 0x4E987C5: GMCommandSingle (command.c:17393)
==21658== by 0x4EB93CD: GMCommand (command.c:17446)
==21658== by 0x5451F89: (below main) (in /lib64/libc-2.26.so)
==21658== Address 0x76a4b6f is 1 bytes before a block of size 65,536 alloc'd
==21658== at 0x4C2E2DF: malloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==21658== by 0x7A5E970: WritePICTImage (pict.c:1790)
==21658== by 0x4EC7B5A: WriteImage (constitute.c:2230)
==21658== by 0x4EC8208: WriteImages (constitute.c:2388)
==21658== by 0x4EA74FB: ConvertImageCommand (command.c:6087)
==21658== by 0x4E976BB: MagickCommand (command.c:8872)
==21658== by 0x4E987C5: GMCommandSingle (command.c:17393)
==21658== by 0x4EB93CD: GMCommand (command.c:17446)
==21658== by 0x5451F89: (below main) (in /lib64/libc-2.26.so)
==21658==
$
[no changes]
It is likely that the testcase from comment 1 is exhibiting another bug.
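Added here as a triage aid, not part of the bug report or of GraphicsMagick: the before/after comparison done by hand above, as a script that strips PIDs and addresses from valgrind memcheck output and checks whether the patched build still reports the same defect. The sample reports are constructed from the one quoted in this comment.

```python
"""Triage signature for valgrind memcheck output: compare a BEFORE and an
AFTER run while ignoring PIDs and addresses, which differ between runs."""
import re

# Constructed from the report quoted in the comment above (wrapped lines joined).
BEFORE_REPORT = """\
==27639== Invalid read of size 1
==27639==    at 0x7A5E285: EncodeImage (pict.c:731)
==27639==    by 0x7A5EEA1: WritePICTImage (pict.c:2071)
==27639==    by 0x4EC7B5A: WriteImage (constitute.c:2230)
==27639==  Address 0x76a4b6f is 1 bytes before a block of size 65,536 alloc'd
==27639==    at 0x4C2E2DF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==27639==    by 0x7A5E970: WritePICTImage (pict.c:1790)
==27639==
"""
# Same defect on a later run: only the PID and the heap address change.
AFTER_REPORT = BEFORE_REPORT.replace("27639", "21658").replace("0x76a4b6f", "0x77b5c8f")

LINE_RE = re.compile(r"^==\d+==\s*(.*)$")
FRAME_RE = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.+)\)$")
ADDR_RE = re.compile(r"^Address 0x[0-9a-f]+ is (\d+) bytes? (before|after|inside) a block of size ([\d,]+)")

def parse_memcheck(text):
    """Return (error_kind, access_frames, alloc_frames, relation); frames are
    (function, location) tuples, so addresses and PIDs never enter the signature."""
    kind, relation, frames = None, None, [[], []]
    section = 0                     # 0 = access stack, 1 = allocation stack
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m or not m.group(1).strip():
            continue
        body = m.group(1).strip()
        f = FRAME_RE.match(body)
        if f:
            frames[section].append((f.group(1), f.group(2)))
        elif (a := ADDR_RE.match(body)):
            relation = f"{a.group(1)} bytes {a.group(2)} block of {a.group(3)}"
            section = 1             # frames after this line describe the allocation
        elif kind is None:
            kind = body             # first non-frame line names the error
    return kind, tuple(frames[0]), tuple(frames[1]), relation

def same_defect(before, after):
    """True when AFTER reports the same error kind, the same faulting source
    frame and the same allocation site as BEFORE: the patch under test did not
    change this testcase's behaviour, which is what "[no changes]" records."""
    b, a = parse_memcheck(before), parse_memcheck(after)
    return (b[0] == a[0] and b[1][:1] == a[1][:1]
            and b[2][1:2] == a[2][1:2] and b[3] == a[3])
```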