Double free in coders/tga.c:221

Bug #1490362 reported by Moshe Kaplan
This bug affects 1 person
Affects Status Importance Assigned to Milestone
imagemagick (Ubuntu)
Fix Released

Bug Description

On Ubuntu 14.04, x64 and Imagemagick version 7.0+ (commit 087a059e56eec2efedefdceb6b52a093e4589dde )

gdb$ r double_free.tga /dev/null
Starting program: /home/moshe/Downloads/ImageMagick-master/utilities/magick double_free.tga /dev/null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/".
Traceback (most recent call last):
  File "/usr/share/gdb/auto-load/usr/lib/x86_64-linux-gnu/", line 63, in <module>
    from libstdcxx.v6.printers import register_libstdcxx_printers
ImportError: No module named 'libstdcxx'
*** Error in `/home/moshe/Downloads/ImageMagick-master/utilities/magick': double free or corruption (!prev): 0x0000000001780ec0 ***

Program received signal SIGABRT, Aborted.
  RAX: 0x0000000000000000 RBX: 0x0000000000000084 RCX: 0xFFFFFFFFFFFFFFFF RDX: 0x0000000000000006 o d I t s z a P c
  RSI: 0x0000000000007524 RDI: 0x0000000000007524 RBP: 0x00007FFFFFFF6560 RSP: 0x00007FFFFFFF61C8 RIP: 0x00007FFFF375CCC9
  R8 : 0x3063653038373130 R9 : 0x6F6974707572726F R10: 0x0000000000000008 R11: 0x0000000000000206 R12: 0x00007FFFFFFF6370
  R13: 0x0000000000000007 R14: 0x0000000000000084 R15: 0x0000000000000007
  CS: 0033 DS: 0000 ES: 0000 FS: 0000 GS: 0000 SS: 002B
=> 0x7ffff375ccc9 <__GI_raise+57>: cmp rax,0xfffffffffffff000
   0x7ffff375cccf <__GI_raise+63>: ja 0x7ffff375ccea <__GI_raise+90>
   0x7ffff375ccd1 <__GI_raise+65>: repz ret
   0x7ffff375ccd3 <__GI_raise+67>: nop DWORD PTR [rax+rax*1+0x0]
   0x7ffff375ccd8 <__GI_raise+72>: test eax,eax
   0x7ffff375ccda <__GI_raise+74>: jg 0x7ffff375ccb9 <__GI_raise+41>
   0x7ffff375ccdc <__GI_raise+76>: mov ecx,eax
   0x7ffff375ccde <__GI_raise+78>: neg ecx
0x00007ffff375ccc9 in __GI_raise (sig=sig@entry=0x6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb$ bt
#0 0x00007ffff375ccc9 in __GI_raise (sig=sig@entry=0x6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff37600d8 in __GI_abort () at abort.c:89
#2 0x00007ffff3799394 in __libc_message (do_abort=do_abort@entry=0x1, fmt=fmt@entry=0x7ffff38a7b28 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff37a566e in malloc_printerr (ptr=<optimized out>, str=0x7ffff38a7c10 "double free or corruption (!prev)", action=0x1) at malloc.c:4996
#4 _int_free (av=<optimized out>, p=<optimized out>, have_lock=0x0) at malloc.c:3840
#5 0x000000000048db72 in RelinquishMagickMemory (memory=<optimized out>) at MagickCore/memory.c:967
#6 0x00000000004456c9 in DestroyImage (image=image@entry=0x1793ff0) at MagickCore/image.c:1200
#7 0x000000000045f6e4 in DeleteImageFromList (images=<synthetic pointer>) at MagickCore/list.c:298
#8 DestroyImageList (images=0x0, images@entry=0x1793ff0) at MagickCore/list.c:451
#9 0x0000000000991b20 in ReadTGAImage (image_info=<optimized out>, exception=0x1763f90) at coders/tga.c:221
#10 0x0000000000c20414 in ReadImage (image_info=image_info@entry=0x1768350, exception=exception@entry=0x1763f90) at MagickCore/constitute.c:547
#11 0x0000000000c23a6b in ReadImages (image_info=0x1764110, filename=0x175f1f0 "/home/moshe/Desktop/imagemagick_crashes/examine_more/sf_540cee04253030f363f7902b6edc732d-lpszam-0x00000000-minimized.tga", exception=0x1763f90) at MagickCore/constitute.c:846
#12 0x0000000001302829 in CLINoImageOperator (cli_wand=cli_wand@entry=0x1761320, option=option@entry=0x138d002 "-read", arg1n=arg1n@entry=0x7fffffffe12f "/home/moshe/Desktop/imagemagick_crashes/examine_more/sf_540cee04253030f363f7902b6edc732d-lpszam-0x00000000-minimized.tga", arg2n=arg2n@entry=0x0) at MagickWand/operation.c:4654
#13 0x0000000001305cb1 in CLIOption (cli_wand=cli_wand@entry=0x1761320, option=option@entry=0x138d002 "-read") at MagickWand/operation.c:5148
#14 0x000000000110d833 in ProcessCommandOptions (cli_wand=cli_wand@entry=0x1761320, argc=argc@entry=0x3, argv=argv@entry=0x7fffffffdd68, index=index@entry=0x1) at MagickWand/magick-cli.c:421
#15 0x000000000110f64f in MagickImageCommand (image_info=image_info@entry=0x1764110, argc=argc@entry=0x3, argv=argv@entry=0x7fffffffdd68, metadata=metadata@entry=0x0, exception=exception@entry=0x1763f90) at MagickWand/magick-cli.c:786
#16 0x0000000001164ade in MagickCommandGenesis (image_info=image_info@entry=0x1764110, command=0x110e300 <MagickImageCommand>, argc=argc@entry=0x3, argv=argv@entry=0x7fffffffdd68, metadata=metadata@entry=0x0, exception=exception@entry=0x1763f90) at MagickWand/mogrify.c:172
#17 0x000000000041238f in MagickMain (argv=0x7fffffffdd68, argc=0x3) at utilities/magick.c:74
#18 main (argc=0x3, argv=0x7fffffffdd68) at utilities/magick.c:85

Revision history for this message
Moshe Kaplan (moshekaplan) wrote :
information type: Private Security → Public Security
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Thanks; has this been reported upstream yet? has this been assigned a CVE yet?


Revision history for this message
Moshe Kaplan (moshekaplan) wrote :

This has been reported, but was not responded to.

AFAIK, this has not had a CVE assigned yet.

Revision history for this message
Moshe Kaplan (moshekaplan) wrote :
Changed in imagemagick (Ubuntu):
status: New → Confirmed
Revision history for this message
Raphaël Hertzog (hertzog) wrote :

FYI the problem can only be triggered with recent versions of ImageMagick. I reproduced it with (in Debian experimental right now) but not with (in Debian Unstable right now) and any older version.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package imagemagick - 8:

imagemagick (8: zesty; urgency=medium

  * debian/patches/0020-Revert-GradientImage-change.patch: Revert patch
    per Thanks
    to Cristy <email address hidden>. Closes LP: #1645406.

 -- Nishanth Aravamudan <email address hidden> Tue, 06 Dec 2016 17:26:36 +0100

Changed in imagemagick (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.