Double free in coders/pict.c:2000

Bug #1448803 reported by Moshe Kaplan on 2015-04-26
Affects: imagemagick (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Running: convert pict_double_free.pict /dev/null

Program received signal SIGABRT, Aborted.

Stack Trace:
--------------------------------------------------------------------------------
0xb7fdbbe0 in __kernel_vsyscall ()
gdb$ bt
#0 0xffffffff in __kernel_vsyscall ()
#1 0xffffffff in __GI_raise (sig=0x6) at ../sysdeps/unix/sysv/linux/raise.c:55
#2 0xffffffff in __GI_abort () at abort.c:89
#3 0xffffffff in __libc_message (do_abort=0x1, fmt=0xb78bc444 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#4 0xffffffff in malloc_printerr (action=<optimized out>, str=0xb78bc4fc "double free or corruption (out)", ptr=0x8092f20) at malloc.c:4965
#5 0xffffffff in _int_free (av=0xb790f840 <main_arena>, p=<optimized out>, have_lock=0x0) at malloc.c:3834
#6 0xffffffff in RelinquishMagickMemory (memory=0x8092f20) at magick/memory.c:956
#7 0xffffffff in WritePICTImage (image_info=0x807fc28, image=0x807fc28) at coders/pict.c:2000
#8 0xffffffff in WriteImage (image_info=0x1, image=0x807fc28) at magick/constitute.c:1184
#9 0xffffffff in WriteImages (image_info=0x0, images=0x807fc28, filename=0x0, exception=0x80538d8) at magick/constitute.c:1327
#10 0xffffffff in ConvertImageCommand (image_info=0x8082df0, argc=0x3, argv=0x8054ce8, metadata=0x0, exception=0x80538d8) at wand/convert.c:3215
#11 0xffffffff in MagickCommandGenesis (image_info=0x8056248, command=0x8048620 <ConvertImageCommand@plt>, argc=0x3, argv=0xbffff024, metadata=0x0, exception=0x80538d8) at wand/mogrify.c:168
#12 0x080486ec in main (argv=0xbffff024, argc=<optimized out>) at utilities/convert.c:81
#13 0x080486ec in main (argc=0x3, argv=0xbffff024) at utilities/convert.c:92
gdb$

Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this issue. Could you please report it to the ImageMagick project by filling out the form here?:

http://www.imagemagick.org/script/contact.php

Thanks.

Moshe Kaplan (moshekaplan) wrote :

I did, a copy of the message is included below. I also verified that the bug is present in the newest release of ImageMagick, ImageMagick-6.9.1-3.

Double free in coders/pict.c:2042
Command: convert pict_double_free.pict /dev/null

Version: ImageMagick-6.9.1-3

Sample file available here: http://moshekaplan.com/files/pict_double_free.pict

Launchpad bug report available here: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1448803

gdb output:
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
*** Error in `/home/user/Desktop/ImageMagick-6.9.1-3/utilities/.libs/lt-convert': double free or corruption (out): 0x08096dc0 ***
[New Thread 0xb42eeb40 (LWP 20831)]

Program received signal SIGABRT, Aborted.

Stack Trace:
--------------------------------------------------------------------------------
gdb$ bt
#0 0xffffffff in __kernel_vsyscall ()
#1 0xffffffff in __GI_raise (sig=0x6) at ../sysdeps/unix/sysv/linux/raise.c:55
#2 0xffffffff in __GI_abort () at abort.c:89
#3 0xffffffff in __libc_message (do_abort=0x1, fmt=0xb789d444 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#4 0xffffffff in malloc_printerr (action=<optimized out>, str=0xb789d4fc "double free or corruption (out)", ptr=0x8096dc0) at malloc.c:4965
#5 0xffffffff in _int_free (av=0xb78f0840 <main_arena>, p=<optimized out>, have_lock=0x0) at malloc.c:3834
#6 0xffffffff in RelinquishMagickMemory (memory=0x8096dc0) at magick/memory.c:956
#7 0xffffffff in WritePICTImage (image_info=0x8083f08, image=0x8083f08) at coders/pict.c:2042
#8 0xffffffff in WriteImage (image_info=0x1, image=0x8083f08) at magick/constitute.c:1184
#9 0xffffffff in WriteImages (image_info=0x0, images=0x8083f08, filename=0x0, exception=0x80535d8) at magick/constitute.c:1325
#10 0xffffffff in ConvertImageCommand (image_info=0x80870d0, argc=0x3, argv=0x8054d28, metadata=0x0, exception=0x80535d8) at wand/convert.c:3217
#11 0xffffffff in MagickCommandGenesis (image_info=0x8055488, command=0x8048620 <ConvertImageCommand@plt>, argc=0x3, argv=0xbffff054, metadata=0x0, exception=0x80535d8) at wand/mogrify.c:168
#12 0x080486ec in main (argv=0xbffff054, argc=<optimized out>) at utilities/convert.c:81
#13 0x080486ec in main (argc=0x3, argv=0xbffff054) at utilities/convert.c:92

Changed in imagemagick (Ubuntu):
status: New → Confirmed
Moshe Kaplan (moshekaplan) wrote :

Would it be possible to have a CVE number assigned for this vulnerability?

information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package imagemagick - 8:6.8.9.9-7

---------------
imagemagick (8:6.8.9.9-7) unstable; urgency=low

  * Fix various minor security issues
    - Fix an integer overflow that can lead to a buffer overrun
      in the icon parsing code (LP: #1459747, closes: #806441)
    - Fix an integer overflow that can lead to a double free in
      pict parsing (LP: #1448803, closes: #806441).
    - Memory leak while handling psd file (closes: #811308)
      http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=28791
    - IM 6.9.2 crash with some PNG (closes: #811308, LP: #1492881)
      http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=28466
    - Null pointer access in magick/constitute.c (closes: #811308)
      https://github.com/ImageMagick/ImageMagick/pull/34
    - PixelColor off by one on i386 (closes: #811308)
      https://github.com/ImageMagick/ImageMagick/issues/54
    - Fixed other memory leaks (closes: #811308)

 -- Vincent Fourmond <email address hidden> Sun, 17 Jan 2016 21:18:19 +0100

Changed in imagemagick (Ubuntu):
status: Confirmed → Fix Released
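The changelog above describes the root cause only as "an integer overflow that can lead to a double free in pict parsing", and the gdb output shows glibc aborting in RelinquishMagickMemory under WritePICTImage. The following is an added illustration of that general pattern, not ImageMagick's code and not a reconstruction of the actual coders/pict.c logic: a row buffer sized from untrusted header fields with an unchecked multiply wraps to a tiny allocation, the encoder then fails, the failure path frees the buffer, and the function's common epilogue frees it again. Beside it is the hardened form, which rejects the header with an overflow-checked size computation and nulls the pointer after the early free so the epilogue's free becomes a no-op. All names (pict_header, pict_row_bytes, write_image, the fault-injection field) are hypothetical, the header values are constructed, and tracked_free is a demonstration-only wrapper that counts a second free of the same address instead of passing it to the allocator (which would abort exactly as in the report).

```c
/*
 * Illustrative example (not ImageMagick's code): how an overflowing size
 * computation feeding a format writer can end in a double free, and the two
 * checks that close it off. Every name here is hypothetical and the header
 * values used in the usage note are constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical subset of a PICT-style header: pixel geometry plus a
   constructed fault-injection field so the error path can be exercised
   even when the size arithmetic is sound (SIZE_MAX means "never fail"). */
typedef struct {
    size_t columns;
    size_t rows;
    size_t bytes_per_pixel;
    size_t fail_at_row;
} pict_header;

/* Demonstration-only free wrapper: remembers what it has released so a
   second free of the same address is counted rather than handed to the
   allocator, which would abort with "double free or corruption". */
#define MAX_FREED 16
static void *freed[MAX_FREED];
static size_t nfreed;
static int double_frees;

static void tracked_free(void *p) {
    if (p == NULL) return;                       /* free(NULL) is a no-op */
    for (size_t i = 0; i < nfreed; i++) {
        if (freed[i] == p) { double_frees++; return; }
    }
    if (nfreed < MAX_FREED) freed[nfreed++] = p;
    free(p);
}

static void reset_tracker(void) { nfreed = 0; double_frees = 0; }

/* Overflow-checked multiply: returns 0 on wrap and leaves *out untouched. */
static int checked_mul_size(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return 0;
    *out = a * b;
    return 1;
}

/* Row buffer size on the hardened path: columns * bytes_per_pixel,
   rejected instead of silently wrapped when it does not fit in size_t. */
int pict_row_bytes(size_t columns, size_t bytes_per_pixel, size_t *out) {
    return checked_mul_size(columns, bytes_per_pixel, out);
}

/* Stand-in encoder: fails if the buffer cannot hold one byte per column
   (what a wrapped size looks like from here) or on the injected row. */
static int encode_row(unsigned char *buf, size_t rowbytes,
                      const pict_header *h, size_t row) {
    if (rowbytes < h->columns || row == h->fail_at_row) return 0;
    memset(buf, 0, rowbytes);
    return 1;
}

/* Returns the number of double frees the tracker observed while "writing"
   the image; -1 means the hardened path rejected the header up front. */
int write_image(const pict_header *h, int hardened) {
    size_t rowbytes;
    unsigned char *buffer;
    reset_tracker();

    if (hardened) {
        if (!pict_row_bytes(h->columns, h->bytes_per_pixel, &rowbytes)) return -1;
    } else {
        rowbytes = h->columns * h->bytes_per_pixel;   /* wraps silently */
    }
    buffer = malloc(rowbytes ? rowbytes : 1);
    if (buffer == NULL) return -1;

    for (size_t row = 0; row < h->rows; row++) {
        if (!encode_row(buffer, rowbytes, h, row)) {
            tracked_free(buffer);              /* early cleanup ... */
            if (hardened) buffer = NULL;       /* ... made safe for the epilogue */
            break;
        }
    }
    tracked_free(buffer);                      /* common epilogue */
    return double_frees;
}
```

With a constructed header whose columns value is SIZE_MAX / 2 + 3 and 4 bytes per pixel, the unchecked product wraps to 8, the encoder fails on the first row, and write_image(&h, 0) reports one double free; the hardened call returns -1 before allocating anything. A second constructed header with sane geometry but fail_at_row set to 2 shows the other half of the fix: the unhardened path still double frees because its epilogue runs after the early cleanup, while the hardened path, having nulled the pointer, returns 0.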