SEGV in MagickCore/memory.c:974

Bug #1542125 reported by Moshe Kaplan
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ImageMagick
Fix Released
Unknown
imagemagick (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

This bug was found while fuzzing ImageMagick with afl-fuzz

Tested on ImageMagick git commit %s

Command: magick id:000004,sig:06,src:000000,op:int32,pos:16,val:-1 /dev/null

ASAN:SIGSEGV
=================================================================
==18636==ERROR: AddressSanitizer: SEGV on unknown address 0x00ecfeef (pc 0x080839f2 sp 0xbfd20580 bp 0xbfd20610 T0)
    #0 0x80839f1 in __asan::Deallocate(void*, __sanitizer::StackTrace*, __asan::AllocType) (/usr/local/bin/magick+0x80839f1)
    #1 0x80839a3 in __asan::asan_free(void*, __sanitizer::StackTrace*, __asan::AllocType) (/usr/local/bin/magick+0x80839a3)
    #2 0x80c6a61 in __interceptor_free (/usr/local/bin/magick+0x80c6a61)
    #3 0x818d2e8 in RelinquishMagickMemory /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickCore/memory.c:974
    #4 0x82c0fc6 in DestroySplayTree /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickCore/splay-tree.c:695
    #5 0x819ce1f in DestroyImageOptions /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickCore/option.c:1954
    #6 0x8105132 in DestroyImageInfo /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickCore/image.c:1277
    #7 0x80ffe67 in DestroyImage /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickCore/image.c:1213
    #8 0x813321c in DeleteImageFromList /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickCore/list.c:298
    #9 0x813321c in DestroyImageList /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickCore/list.c:451
    #10 0x87f79b3 in ReadSUNImage /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/coders/sun.c:300
    #11 0x8a8ad6a in ReadImage /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickCore/constitute.c:494
    #12 0x8a92bdf in ReadImages /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickCore/constitute.c:844
    #13 0x9375c09 in CLINoImageOperator /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickWand/operation.c:4685
    #14 0x937e0f1 in CLIOption /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickWand/operation.c:5179
    #15 0x910ae9d in ProcessCommandOptions /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickWand/magick-cli.c:474
    #16 0x910e215 in MagickImageCommand /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickWand/magick-cli.c:786
    #17 0x91126f9 in MagickCommandGenesis /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/MagickWand/mogrify.c:172
    #18 0x80de16d in MagickMain /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/utilities/magick.c:74
    #19 0x80de16d in main /home/user/Desktop/imagemagick_fuzz_results/ImageMagick/utilities/magick.c:85
    #20 0xb7475a82 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #21 0x80ddf94 in _start (/usr/local/bin/magick+0x80ddf94)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 __asan::Deallocate(void*, __sanitizer::StackTrace*, __asan::AllocType)
==18636==ABORTING

Revision history for this message
Moshe Kaplan (moshekaplan) wrote :

input file to trigger crash

Revision history for this message
Moshe Kaplan (moshekaplan) wrote :
Changed in imagemagick (Ubuntu):
status: New → Confirmed
Changed in imagemagick (Ubuntu):
status: Confirmed → Fix Released
Changed in imagemagick:
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.