Double free in coders/tga.c:221
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
imagemagick (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
On Ubuntu 14.04, x64 and Imagemagick version 7.0+ (commit 087a059e56eec2e
```
gdb$ r double_free.tga /dev/null
Starting program: /home/moshe/
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_
Traceback (most recent call last):
File "/usr/share/
from libstdcxx.
ImportError: No module named 'libstdcxx'
*** Error in `/home/
Program received signal SIGABRT, Aborted.
-------
RAX: 0x0000000000000000 RBX: 0x0000000000000084 RCX: 0xFFFFFFFFFFFFFFFF RDX: 0x0000000000000006 o d I t s z a P c
RSI: 0x0000000000007524 RDI: 0x0000000000007524 RBP: 0x00007FFFFFFF6560 RSP: 0x00007FFFFFFF61C8 RIP: 0x00007FFFF375CCC9
R8 : 0x3063653038373130 R9 : 0x6F6974707572726F R10: 0x0000000000000008 R11: 0x0000000000000206 R12: 0x00007FFFFFFF6370
R13: 0x0000000000000007 R14: 0x0000000000000084 R15: 0x0000000000000007
CS: 0033 DS: 0000 ES: 0000 FS: 0000 GS: 0000 SS: 002B
-------
=> 0x7ffff375ccc9 <__GI_raise+57>: cmp rax,0xfffffffff
0x7ffff375cccf <__GI_raise+63>: ja 0x7ffff375ccea <__GI_raise+90>
0x7ffff375ccd1 <__GI_raise+65>: repz ret
0x7ffff375ccd3 <__GI_raise+67>: nop DWORD PTR [rax+rax*1+0x0]
0x7ffff375ccd8 <__GI_raise+72>: test eax,eax
0x7ffff375ccda <__GI_raise+74>: jg 0x7ffff375ccb9 <__GI_raise+41>
0x7ffff375ccdc <__GI_raise+76>: mov ecx,eax
0x7ffff375ccde <__GI_raise+78>: neg ecx
-------
0x00007ffff375ccc9 in __GI_raise (sig=sig@entry=0x6) at ../nptl/
56 ../nptl/
gdb$ bt
#0 0x00007ffff375ccc9 in __GI_raise (sig=sig@entry=0x6) at ../nptl/
#1 0x00007ffff37600d8 in __GI_abort () at abort.c:89
#2 0x00007ffff3799394 in __libc_message (do_abort=
#3 0x00007ffff37a566e in malloc_printerr (ptr=<optimized out>, str=0x7ffff38a7c10 "double free or corruption (!prev)", action=0x1) at malloc.c:4996
#4 _int_free (av=<optimized out>, p=<optimized out>, have_lock=0x0) at malloc.c:3840
#5 0x000000000048db72 in RelinquishMagic
#6 0x00000000004456c9 in DestroyImage (image=
#7 0x000000000045f6e4 in DeleteImageFromList (images=<synthetic pointer>) at MagickCore/
#8 DestroyImageList (images=0x0, images@
#9 0x0000000000991b20 in ReadTGAImage (image_
#10 0x0000000000c20414 in ReadImage (image_
#11 0x0000000000c23a6b in ReadImages (image_
#12 0x0000000001302829 in CLINoImageOperator (cli_wand=
#13 0x0000000001305cb1 in CLIOption (cli_wand=
#14 0x000000000110d833 in ProcessCommandO
#15 0x000000000110f64f in MagickImageCommand (image_
#16 0x0000000001164ade in MagickCommandGe
#17 0x000000000041238f in MagickMain (argv=0x7ffffff
#18 main (argc=0x3, argv=0x7fffffff
```
Changed in imagemagick (Ubuntu):
status: New → Confirmed
Thanks; has this been reported upstream yet? Has this been assigned a CVE yet?
Thanks