Double free in coders/pict.c:2000

Bug #1448803 reported by Moshe Kaplan
Affects: imagemagick (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

Running: convert pict_double_free.pict /dev/null

Program received signal SIGABRT, Aborted.

Stack Trace:
--------------------------------------------------------------------------------
0xb7fdbbe0 in __kernel_vsyscall ()
gdb$ bt
#0 0xffffffff in __kernel_vsyscall ()
#1 0xffffffff in __GI_raise (sig=0x6) at ../sysdeps/unix/sysv/linux/raise.c:55
#2 0xffffffff in __GI_abort () at abort.c:89
#3 0xffffffff in __libc_message (do_abort=0x1, fmt=0xb78bc444 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#4 0xffffffff in malloc_printerr (action=<optimized out>, str=0xb78bc4fc "double free or corruption (out)", ptr=0x8092f20) at malloc.c:4965
#5 0xffffffff in _int_free (av=0xb790f840 <main_arena>, p=<optimized out>, have_lock=0x0) at malloc.c:3834
#6 0xffffffff in RelinquishMagickMemory (memory=0x8092f20) at magick/memory.c:956
#7 0xffffffff in WritePICTImage (image_info=0x807fc28, image=0x807fc28) at coders/pict.c:2000
#8 0xffffffff in WriteImage (image_info=0x1, image=0x807fc28) at magick/constitute.c:1184
#9 0xffffffff in WriteImages (image_info=0x0, images=0x807fc28, filename=0x0, exception=0x80538d8) at magick/constitute.c:1327
#10 0xffffffff in ConvertImageCommand (image_info=0x8082df0, argc=0x3, argv=0x8054ce8, metadata=0x0, exception=0x80538d8) at wand/convert.c:3215
#11 0xffffffff in MagickCommandGenesis (image_info=0x8056248, command=0x8048620 <ConvertImageCommand@plt>, argc=0x3, argv=0xbffff024, metadata=0x0, exception=0x80538d8) at wand/mogrify.c:168
#12 0x080486ec in main (argv=0xbffff024, argc=<optimized out>) at utilities/convert.c:81
#13 0x080486ec in main (argc=0x3, argv=0xbffff024) at utilities/convert.c:92
gdb$

Moshe Kaplan (moshekaplan) wrote :
description: updated
Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this issue. Could you please report it to the ImageMagick project by filling out the form here?:

http://www.imagemagick.org/script/contact.php

Thanks.

Moshe Kaplan (moshekaplan) wrote :

I did; a copy of the message is included below. I also verified that the bug is present in the newest release of ImageMagick, ImageMagick-6.9.1-3.

Double free in coders/pict.c:2042
Command: convert pict_double_free.pict /dev/null

Version: ImageMagick-6.9.1-3

Sample file available here: http://moshekaplan.com/files/pict_double_free.pict

Launchpad bug report available here: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1448803

gdb output:
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
*** Error in `/home/user/Desktop/ImageMagick-6.9.1-3/utilities/.libs/lt-convert': double free or corruption (out): 0x08096dc0 ***
[New Thread 0xb42eeb40 (LWP 20831)]

Program received signal SIGABRT, Aborted.

Stack Trace:
--------------------------------------------------------------------------------
gdb$ bt
#0 0xffffffff in __kernel_vsyscall ()
#1 0xffffffff in __GI_raise (sig=0x6) at ../sysdeps/unix/sysv/linux/raise.c:55
#2 0xffffffff in __GI_abort () at abort.c:89
#3 0xffffffff in __libc_message (do_abort=0x1, fmt=0xb789d444 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#4 0xffffffff in malloc_printerr (action=<optimized out>, str=0xb789d4fc "double free or corruption (out)", ptr=0x8096dc0) at malloc.c:4965
#5 0xffffffff in _int_free (av=0xb78f0840 <main_arena>, p=<optimized out>, have_lock=0x0) at malloc.c:3834
#6 0xffffffff in RelinquishMagickMemory (memory=0x8096dc0) at magick/memory.c:956
#7 0xffffffff in WritePICTImage (image_info=0x8083f08, image=0x8083f08) at coders/pict.c:2042
#8 0xffffffff in WriteImage (image_info=0x1, image=0x8083f08) at magick/constitute.c:1184
#9 0xffffffff in WriteImages (image_info=0x0, images=0x8083f08, filename=0x0, exception=0x80535d8) at magick/constitute.c:1325
#10 0xffffffff in ConvertImageCommand (image_info=0x80870d0, argc=0x3, argv=0x8054d28, metadata=0x0, exception=0x80535d8) at wand/convert.c:3217
#11 0xffffffff in MagickCommandGenesis (image_info=0x8055488, command=0x8048620 <ConvertImageCommand@plt>, argc=0x3, argv=0xbffff054, metadata=0x0, exception=0x80535d8) at wand/mogrify.c:168
#12 0x080486ec in main (argv=0xbffff054, argc=<optimized out>) at utilities/convert.c:81
#13 0x080486ec in main (argc=0x3, argv=0xbffff054) at utilities/convert.c:92

Changed in imagemagick (Ubuntu):
status: New → Confirmed
Moshe Kaplan (moshekaplan) wrote :

Would it be possible to have a CVE number assigned for this vulnerability?

information type: Private Security → Public Security
Seth Arnold (seth-arnold) wrote :
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package imagemagick - 8:6.8.9.9-7

---------------
imagemagick (8:6.8.9.9-7) unstable; urgency=low

  * Fix various minor security issues
    - Fix an integer overflow that can lead to a buffer overrun
      in the icon parsing code (LP: #1459747, closes: #806441)
    - Fix an integer overflow that can lead to a double free in
      pict parsing (LP: #1448803, closes: #806441).
    - Memory Leak while handle psd file (closes: #811308)
      http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=28791
    - IM 6.9.2 crash with some PNG (closes: #811308, LP: #1492881)
      http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=28466
    - Null pointer access in magick/constitute.c (closes: #811308)
      https://github.com/ImageMagick/ImageMagick/pull/34
    - PixelColor off by one on i386 (closes: #811308)
      https://github.com/ImageMagick/ImageMagick/issues/54
    - Fixed other memory leaks (closes: #811308)

 -- Vincent Fourmond <email address hidden> Sun, 17 Jan 2016 21:18:19 +0100

Changed in imagemagick (Ubuntu):
status: Confirmed → Fix Released