Negative size parameter in RemoveResolutionFromResourceBlock()

Post any defects you find in the released or beta versions of the ImageMagick software here. Include the ImageMagick version, OS, and any command-line required to reproduce the problem. Got a patch for a bug? Post it here.
Post Reply
fumfel
Posts: 12
Joined: 2016-09-20T06:30:11-07:00
Authentication code: 1151

Negative size parameter in RemoveResolutionFromResourceBlock()

Post by fumfel » 2017-11-15T05:40:51-07:00

After some fuzz testing I found a crashing test case.

Git HEAD: a2d7a71ee37dca68f32bd2ed4e9c7299a6d78a77

OS & Compiler: Ubuntu 16.04 x64 + Clang 4.0

Faulting input: https://frankowicz.me/storage/crashes/i ... ourceBlock

Command:

Code: Select all

convert im_negative_size_RemoveResolutionFromResourceBlock /dev/null
ASAN log:

Code: Select all

==26368==ERROR: AddressSanitizer: negative-size-param: (size=-1316)
    #0 0x4aab17 in __asan_memcpy /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:453:3
    #1 0x7fa56aa214b3 in CopyMagickMemory XYZ/ImageMagick/MagickCore/memory.c:737:23
    #2 0x7fa56b06686c in RemoveResolutionFromResourceBlock XYZ/ImageMagick/coders/psd.c:3001:16
    #3 0x7fa56b06686c in WritePSDImage XYZ/ImageMagick/coders/psd.c:3471
    #4 0x7fa56a79bd66 in WriteImage XYZ/ImageMagick/MagickCore/constitute.c:1114:14
    #5 0x7fa56a79d2e9 in WriteImages XYZ/ImageMagick/MagickCore/constitute.c:1333:13
    #6 0x7fa569dad656 in ConvertImageCommand XYZ/ImageMagick/MagickWand/convert.c:3280:11
    #7 0x7fa569f5eda5 in MagickCommandGenesis XYZ/ImageMagick/MagickWand/mogrify.c:183:14
    #8 0x4ee3e9 in MagickMain XYZ/ImageMagick/utilities/magick.c:149:10
    #9 0x4ee3e9 in main XYZ/ImageMagick/utilities/magick.c:180
    #10 0x7fa5657bc82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x41a338 in _start (/usr/local/bin/magick+0x41a338)

0x62c0000174d2 is located 29394 bytes inside of 32174-byte region [0x62c000010200,0x62c000017fae)
allocated by thread T0 here:
    #0 0x4c103c in __interceptor_malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3
    #1 0x7fa56aa1fdc4 in AcquireMagickMemory XYZ/ImageMagick/MagickCore/memory.c:464:10
    #2 0x7fa56aa1fdc4 in AcquireQuantumMemory XYZ/ImageMagick/MagickCore/memory.c:537
    #3 0x7fa56a79bd66 in WriteImage XYZ/ImageMagick/MagickCore/constitute.c:1114:14
    #4 0x7fa56a79d2e9 in WriteImages XYZ/ImageMagick/MagickCore/constitute.c:1333:13
    #5 0x7fa569dad656 in ConvertImageCommand XYZ/ImageMagick/MagickWand/convert.c:3280:11
    #6 0x7fa569f5eda5 in MagickCommandGenesis XYZ/ImageMagick/MagickWand/mogrify.c:183:14
    #7 0x4ee3e9 in MagickMain XYZ/ImageMagick/utilities/magick.c:149:10
    #8 0x4ee3e9 in main XYZ/ImageMagick/utilities/magick.c:180
    #9 0x7fa5657bc82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: negative-size-param /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:453:3 in __asan_memcpy
==26368==ABORTING
Regards,
Kamil Frankowicz

Post Reply