GraphicsMagick 1.4 snapshot-20170917 Q8
gm convert -negate -clip graphics_out/crashes/id\:000008\,sig\:06\,src\:000005\,op\:flip1\,pos\:12 /dev/null
=================================================================
==5467==ERROR: AddressSanitizer: heap-use-after-free on address 0xb3301af4 at pc 0x81d2191 bp 0xbf850728 sp 0xbf85071c
READ of size 4 at 0xb3301af4 thread T0
#0 0x81d2190 in DestroyImageList magick/list.c:232
#1 0x83df15e in ReadJNGImage coders/png.c:3842
#2 0x81083cb in ReadImage magick/constitute.c:1607
#3 0x80b55d6 in ConvertImageCommand magick/command.c:4348
#4 0x80703f8 in MagickCommand magick/command.c:8869
#5 0x80721d6 in GMCommandSingle magick/command.c:17396
#6 0x80d4f9c in GMCommand magick/command.c:17449
#7 0x80555ea in main utilities/gm.c:61
#8 0xb6e71af2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19af2)
#9 0x80589bf (/usr/local/bin/gm+0x80589bf)
0xb3301af4 is located 6644 bytes inside of 6648-byte region [0xb3300100,0xb3301af8)
freed by thread T0 here:
#0 0xb72e464e in __interceptor_free (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e64e)
#1 0x83df0b9 in ReadJNGImage coders/png.c:3837
#2 0x81083cb in ReadImage magick/constitute.c:1607
#3 0x80b55d6 in ConvertImageCommand magick/command.c:4348
#4 0x80703f8 in MagickCommand magick/command.c:8869
#5 0x80721d6 in GMCommandSingle magick/command.c:17396
#6 0x80d4f9c in GMCommand magick/command.c:17449
#7 0x80555ea in main utilities/gm.c:61
#8 0xb6e71af2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19af2)
previously allocated by thread T0 here:
#0 0xb72e488a in __interceptor_malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e88a)
#1 0x81b0a5f in AllocateImage magick/image.c:336
#2 0x83debb3 in ReadJNGImage coders/png.c:3766
#3 0x81083cb in ReadImage magick/constitute.c:1607
#4 0x80b55d6 in ConvertImageCommand magick/command.c:4348
#5 0x80703f8 in MagickCommand magick/command.c:8869
#6 0x80721d6 in GMCommandSingle magick/command.c:17396
#7 0x80d4f9c in GMCommand magick/command.c:17449
#8 0x80555ea in main utilities/gm.c:61
#9 0xb6e71af2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19af2)
SUMMARY: AddressSanitizer: heap-use-after-free magick/list.c:232 DestroyImageList
Shadow bytes around the buggy address:
0x36660300: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x36660310: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x36660320: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x36660330: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x36660340: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x36660350: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fa
0x36660360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36660370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36660380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36660390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x366603a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==5467==ABORTING
Tested on Ubuntu x86; discovered by zhihua.yao@dbappsecurity.com.cn.
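What the trace above records is a lifetime bug in the list walk: the Image allocated at coders/png.c:3766 (via AllocateImage) is freed at png.c:3837, and the DestroyImageList call at png.c:3842 then reads the freed node (magick/list.c:232), 6644 bytes into a 6648-byte region, i.e. one of the link pointers at the tail of the struct. The C program below is an added example that models that pattern in a self-contained doubly-linked image list; the type and function names (Image, allocate_image, destroy_image_list, delete_image_from_list, and the two wrapper functions) are hypothetical and are not GraphicsMagick's code, and it does not reproduce the JNG reader's logic. It shows the buggy order (free a node that is still linked, then destroy the list) next to the correct order (unlink, then free, then destroy the rest).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical model of an image list, not GraphicsMagick's Image struct.
 * The link pointers sit at the end of the struct, as a stand-in for the
 * "6644 bytes inside a 6648-byte region" read in the report.
 */
typedef struct Image {
    unsigned char *pixels;     /* stand-in for the real pixel storage */
    size_t nbytes;
    struct Image *previous;
    struct Image *next;
} Image;

static Image *allocate_image(size_t nbytes)
{
    Image *image = calloc(1, sizeof *image);
    if (image == NULL)
        return NULL;
    image->pixels = calloc(nbytes, 1);
    if (image->pixels == NULL) {
        free(image);
        return NULL;
    }
    image->nbytes = nbytes;
    return image;
}

/* Frees one image. It knows nothing about the list it may still be linked into. */
static void destroy_image(Image *image)
{
    free(image->pixels);
    free(image);
}

/* Walks the list from `first` and frees every node; returns how many it freed. */
static size_t destroy_image_list(Image *first)
{
    size_t freed = 0;
    while (first != NULL) {
        Image *next = first->next;   /* the read ASan flags if `first` was already freed */
        destroy_image(first);
        first = next;
        freed++;
    }
    return freed;
}

/* Builds a list of `count` images of `nbytes` each; returns the head (NULL on failure). */
static Image *build_image_list(size_t count, size_t nbytes)
{
    Image *head = NULL, *tail = NULL;
    for (size_t i = 0; i < count; i++) {
        Image *image = allocate_image(nbytes);
        if (image == NULL) {
            destroy_image_list(head);
            return NULL;
        }
        if (tail == NULL) {
            head = image;
        } else {
            tail->next = image;
            image->previous = tail;
        }
        tail = image;
    }
    return head;
}

static size_t image_list_length(const Image *first)
{
    size_t n = 0;
    for (; first != NULL; first = first->next)
        n++;
    return n;
}

/* Correct pattern: unlink the node from both neighbours before freeing it.
   Returns the (possibly new) head of the list. */
static Image *delete_image_from_list(Image *head, Image *victim)
{
    if (victim->previous != NULL)
        victim->previous->next = victim->next;
    else
        head = victim->next;
    if (victim->next != NULL)
        victim->next->previous = victim->previous;
    victim->previous = victim->next = NULL;
    destroy_image(victim);
    return head;
}

/* Bug pattern: free a node while the list still points at it, then destroy the
   list. Under -fsanitize=address this reports heap-use-after-free inside
   destroy_image_list. Only run when main() is given the argument "buggy". */
static void free_then_destroy_list_buggy(Image *head, Image *victim)
{
    destroy_image(victim);        /* neighbours still link to the freed node */
    destroy_image_list(head);     /* reads victim->next from freed memory */
}

/* Correct handling: the list no longer references the victim when it is destroyed.
   Returns the number of images the final list destroy freed. */
static size_t unlink_then_destroy_list_fixed(Image *head, Image *victim)
{
    head = delete_image_from_list(head, victim);
    return destroy_image_list(head);
}

int main(int argc, char **argv)
{
    Image *head = build_image_list(3, 6648);   /* 6648 bytes: the region size in the report */
    if (head == NULL)
        return 1;
    Image *victim = head->next;                /* the middle image */
    if (argc > 1 && strcmp(argv[1], "buggy") == 0) {
        free_then_destroy_list_buggy(head, victim);   /* ASan aborts here */
        return 0;
    }
    printf("freed %zu images after unlinking the victim\n",
           unlink_then_destroy_list_fixed(head, victim));
    return 0;
}
```

Build it with `cc -g -fsanitize=address example.c`; running `./a.out buggy` gives a heap-use-after-free report whose first frame is destroy_image_list, the same shape as the report above, while `./a.out` with no argument takes the unlink-then-free path and exits cleanly. The general rule the report illustrates: once an Image has been handed to a list, it must leave the list through the list API (or be unlinked by hand) before it is freed, so that no later list walk can reach it.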
Confirmed that this test segfaults for me.
This problem is fixed by Mercurial changesets 15218:93bdb9b30076 and 15223:df946910910d. Thanks for the report!