convert - IM 6.9.0-1 - SIGABRT - c94a5528 - coders/rle.c:450

[JodieC]

Source file - https://www.dropbox.com/s/vc59xtvij9tx41q/c94a5528?dl=0

To reproduce:

Code: Select all

convert c94a5528 png:/dev/null

BT:

Code: Select all

"New LWP 18198]
[Thread debugging using libthread_db enabled]
Using host libthread_db library ""/lib/x86_64-linux-gnu/libthread_db.so.1"".
Core was generated by `/home/jodicun/opt/ImageMagick-6.9.0-1/utilities/.libs/lt-convert ./fuzzer141870'.
Program terminated with signal SIGABRT, Aborted.
#0  0x00007ffff6f8dbb9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff6f8dbb9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff6f90fc8 in __GI_abort () at abort.c:89
#2  0x00007ffff79614f1 in MagickSignalHandler (signal_number=6) at magick/magick.c:1171
#3  <signal handler called>
#4  0x00007ffff6f8dbb9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#5  0x00007ffff6f90fc8 in __GI_abort () at abort.c:89
#6  0x00007ffff79614f1 in MagickSignalHandler (signal_number=11) at magick/magick.c:1171
#7  <signal handler called>
#8  0x00007ffff7a7bc39 in ReadRLEImage (image_info=0x60e050, exception=0x604990) at coders/rle.c:450
#9  0x00007ffff78d3cd8 in ReadImage (image_info=image_info@entry=0x608ea0, exception=exception@entry=0x604990) at magick/constitute.c:547
#10 0x00007ffff78d4d73 in ReadImages (image_info=image_info@entry=0x608ea0, exception=exception@entry=0x604990) at magick/constitute.c:853
#11 0x00007ffff7571168 in ConvertImageCommand (image_info=0x608ea0, argc=3, argv=0x604010, metadata=0x0, exception=0x604990) at wand/convert.c:622
#12 0x00007ffff75c2fd8 in MagickCommandGenesis (image_info=image_info@entry=0x604b10, command=0x400830 <ConvertImageCommand@plt>, argc=argc@entry=3, 
    argv=argv@entry=0x7fffffffe098, metadata=metadata@entry=0x0, exception=exception@entry=0x604990) at wand/mogrify.c:168
#13 0x0000000000400907 in ConvertMain (argv=0x7fffffffe098, argc=3) at utilities/convert.c:81
#14 main (argc=3, argv=0x7fffffffe098) at utilities/convert.c:92
"

System Details:
AMD64
Distributor ID: Ubuntu
Description: Ubuntu 14.04.1 LTS
Release: 14.04
Codename: trusty

Software: ImageMagick 6.9.0-1 Beta compiled from source 20141217

Found with American Fuzzy Lop ( http://lcamtuf.coredump.cx/afl/ )

[magick]

We can reproduce the problem you posted and have a patch in ImageMagick 6.9.0-1 Beta, available by sometime tomorrow. Thanks.

[JodieC]

I tested against an SVN checkout of IM6

lt-convert hangs forever. BT:

Code: Select all

(gdb) bt
#0  0x00007ffff6fa5c49 in ___printf_fp (fp=fp@entry=0x7fffffff3150, info=info@entry=0x7fffffff2cc0, args=args@entry=0x7fffffff2c90) at printf_fp.c:580
#1  0x00007ffff6fa4683 in _IO_vfprintf_internal (s=s@entry=0x7fffffff3150, format=<optimized out>, format@entry=0x7ffff7ab3a76 "%s @ %s/%s/%s/%.20g", 
    ap=ap@entry=0x7fffffff32f8) at vfprintf.c:1660
#2  0x00007ffff705fcb5 in ___vsnprintf_chk (
    s=s@entry=0x7fffffff33f0 "invalid colormap index `c94a5528' @ error/colormap-private.h/ConstrainColormapIndex/34", maxlen=<optimized out>, 
    maxlen@entry=4096, flags=flags@entry=1, slen=slen@entry=18446744073709551615, format=format@entry=0x7ffff7ab3a76 "%s @ %s/%s/%s/%.20g", 
    args=args@entry=0x7fffffff32f8) at vsnprintf_chk.c:63
#3  0x00007ffff795bdc6 in vsnprintf (__ap=0x7fffffff32f8, __fmt=0x7ffff7ab3a76 "%s @ %s/%s/%s/%.20g", __n=4096, 
    __s=0x7fffffff33f0 "invalid colormap index `c94a5528' @ error/colormap-private.h/ConstrainColormapIndex/34")
    at /usr/include/x86_64-linux-gnu/bits/stdio2.h:77
#4  FormatLocaleStringList (string=0x7fffffff33f0 "invalid colormap index `c94a5528' @ error/colormap-private.h/ConstrainColormapIndex/34", 
    length=4096, format=0x7ffff7ab3a76 "%s @ %s/%s/%s/%.20g", operands=operands@entry=0x7fffffff32f8) at magick/locale.c:460
#5  0x00007ffff795bea2 in FormatLocaleString (
    string=string@entry=0x7fffffff33f0 "invalid colormap index `c94a5528' @ error/colormap-private.h/ConstrainColormapIndex/34", 
    length=length@entry=4096, format=format@entry=0x7ffff7ab3a76 "%s @ %s/%s/%s/%.20g") at magick/locale.c:485
#6  0x00007ffff792525d in ThrowMagickExceptionList (exception=0x644478, module=0x7ffff7aaf6fb "./magick/colormap-private.h", 
    function=0x7ffff7b08030 <__func__.10809> "ConstrainColormapIndex", line=<optimized out>, severity=CorruptImageError, tag=<optimized out>, 
    format=format@entry=0x7ffff7ab0916 "`%s'", operands=operands@entry=0x7fffffff6458) at magick/exception.c:1041
#7  0x00007ffff7924ca7 in ThrowMagickException (exception=exception@entry=0x644478, module=module@entry=0x7ffff7aaf6fb "./magick/colormap-private.h", 
    function=function@entry=0x7ffff7b08030 <__func__.10809> "ConstrainColormapIndex", line=line@entry=34, severity=severity@entry=CorruptImageError, 
---Type <return> to continue, or q <return> to quit---
    tag=tag@entry=0x7ffff7aaf6e6 "InvalidColormapIndex", format=format@entry=0x7ffff7ab0916 "`%s'") at magick/exception.c:1058
#8  0x00007ffff7a7adac in ConstrainColormapIndex (index=<optimized out>, image=0x641200) at ./magick/colormap-private.h:34
#9  ReadRLEImage (image_info=0x60e050, exception=0x604990) at coders/rle.c:454
#10 0x00007ffff78d2cd8 in ReadImage (image_info=image_info@entry=0x608ea0, exception=exception@entry=0x604990) at magick/constitute.c:547
#11 0x00007ffff78d3d73 in ReadImages (image_info=image_info@entry=0x608ea0, exception=exception@entry=0x604990) at magick/constitute.c:853
#12 0x00007ffff7570168 in ConvertImageCommand (image_info=0x608ea0, argc=3, argv=0x603490, metadata=0x0, exception=0x604990) at wand/convert.c:622
#13 0x00007ffff75c1fd8 in MagickCommandGenesis (image_info=image_info@entry=0x604b10, command=0x400830 <ConvertImageCommand@plt>, argc=argc@entry=3, 
    argv=argv@entry=0x7fffffffe3a8, metadata=metadata@entry=0x0, exception=exception@entry=0x604990) at wand/mogrify.c:168
#14 0x0000000000400907 in ConvertMain (argv=0x7fffffffe3a8, argc=3) at utilities/convert.c:81
#15 main (argc=3, argv=0x7fffffffe3a8) at utilities/convert.c:92

convert crashes with a SEGV, BT:

Code: Select all

(gdb) bt
#0  0x00007ffff79bcf1c in ReadRLEImage (image_info=0x60e050, exception=0x604990) at coders/rle.c:450
#1  0x00007ffff6eba0ea in ReadImage (image_info=image_info@entry=0x608ea0, exception=exception@entry=0x604990) at magick/constitute.c:547
#2  0x00007ffff6ebda7b in ReadImages (image_info=0x608ea0, exception=0x604990) at magick/constitute.c:853
#3  0x00007ffff66d78d2 in ConvertImageCommand (image_info=0x608ea0, argc=3, argv=0x603490, metadata=0x0, exception=0x604990) at wand/convert.c:622
#4  0x00007ffff68cebbe in MagickCommandGenesis (image_info=0x604b10, command=0x4007c0 <ConvertImageCommand@plt>, argc=3, argv=0x7fffffffe3a8, 
    metadata=<optimized out>, exception=0x604990) at wand/mogrify.c:168
#5  0x0000000000400887 in ConvertMain (argv=0x7fffffffe3a8, argc=3) at utilities/convert.c:81
#6  main (argc=3, argv=0x7fffffffe3a8) at utilities/convert.c:92

[dlemstra]

I am getting the following output with the latest patches:

Code: Select all

D:\Images\Fuzz>convert c94a5528 null:
convert.exe: Unexpected end-of-file `c94a5528': No such file or directory @ error/rle.c/ReadRLEImage/610.
convert.exe: Invalid colormap index `c94a5528' @ error/colormap-private.h/ConstrainColormapIndex/34.

[magick]

Unfortunately, we cannot reproduce the problem. Under Fedora, we get

• convert c94a5528 png:/dev/null
  convert: unexpected end-of-file `c94a5528': No such file or directory @ error/rle.c/ReadRLEImage/610.
  convert: invalid colormap index `c94a5528' @ error/colormap-private.h/ConstrainColormapIndex/34.

[JodieC]

Updated from SVN and I still get the issue

.libs/convert BT:

Code: Select all

Starting program: /home/jodicun/opt/ImageMagick-2014-12-19/utilities/.libs/convert /home/jodicun/opt/bugs/imagemagick/c94a5528 png:/dev/null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
^C
Program received signal SIGINT, Interrupt.
0x00007ffff6fd31c9 in __GI__IO_default_xsputn (f=0x7fffffff32d0, data=<optimized out>, n=68) at genops.c:463
463	genops.c: No such file or directory.
(gdb) bt
#0  0x00007ffff6fd31c9 in __GI__IO_default_xsputn (f=0x7fffffff32d0, data=<optimized out>, n=68) at genops.c:463
#1  0x00007ffff6fa28b5 in _IO_vfprintf_internal (s=s@entry=0x7fffffff32d0, format=<optimized out>, format@entry=0x7ffff7ab4676 "%s @ %s/%s/%s/%.20g", 
    ap=ap@entry=0x7fffffff3478) at vfprintf.c:1661
#2  0x00007ffff7060cb5 in ___vsnprintf_chk (
    s=s@entry=0x7fffffff3570 "invalid colormap index `/home/jodicun/opt/bugs/imagemagick/c94a5528' @ error/colormap-private.h/ConstrainColormapIndex/34", maxlen=<optimized out>, maxlen@entry=4096, flags=flags@entry=1, slen=slen@entry=18446744073709551615, 
    format=format@entry=0x7ffff7ab4676 "%s @ %s/%s/%s/%.20g", args=args@entry=0x7fffffff3478) at vsnprintf_chk.c:63
#3  0x00007ffff795cdc6 in vsnprintf (__ap=0x7fffffff3478, __fmt=0x7ffff7ab4676 "%s @ %s/%s/%s/%.20g", __n=4096, 
    __s=0x7fffffff3570 "invalid colormap index `/home/jodicun/opt/bugs/imagemagick/c94a5528' @ error/colormap-private.h/ConstrainColormapIndex/34")
    at /usr/include/x86_64-linux-gnu/bits/stdio2.h:77
#4  FormatLocaleStringList (
    string=0x7fffffff3570 "invalid colormap index `/home/jodicun/opt/bugs/imagemagick/c94a5528' @ error/colormap-private.h/ConstrainColormapIndex/34", length=4096, format=0x7ffff7ab4676 "%s @ %s/%s/%s/%.20g", operands=operands@entry=0x7fffffff3478) at magick/locale.c:460
#5  0x00007ffff795cea2 in FormatLocaleString (
    string=string@entry=0x7fffffff3570 "invalid colormap index `/home/jodicun/opt/bugs/imagemagick/c94a5528' @ error/colormap-private.h/ConstrainColormapIndex/34", length=length@entry=4096, format=format@entry=0x7ffff7ab4676 "%s @ %s/%s/%s/%.20g") at magick/locale.c:485
#6  0x00007ffff792625d in ThrowMagickExceptionList (exception=0x644048, module=0x7ffff7ab02fb "./magick/colormap-private.h", 
    function=0x7ffff7b08c30 <__func__.10809> "ConstrainColormapIndex", line=<optimized out>, severity=CorruptImageError, tag=<optimized out>, 
    format=format@entry=0x7ffff7ab1516 "`%s'", operands=operands@entry=0x7fffffff65d8) at magick/exception.c:1041
#7  0x00007ffff7925ca7 in ThrowMagickException (exception=exception@entry=0x644048, module=module@entry=0x7ffff7ab02fb "./magick/colormap-private.h", 
    function=function@entry=0x7ffff7b08c30 <__func__.10809> "ConstrainColormapIndex", line=line@entry=34, severity=severity@entry=CorruptImageError, 
    tag=tag@entry=0x7ffff7ab02e6 "InvalidColormapIndex", format=format@entry=0x7ffff7ab1516 "`%s'") at magick/exception.c:1058
#8  0x00007ffff7a7bdcc in ConstrainColormapIndex (index=<optimized out>, image=0x640dd0) at ./magick/colormap-private.h:34
#9  ReadRLEImage (image_info=0x60e050, exception=0x604990) at coders/rle.c:472
#10 0x00007ffff78d3cd8 in ReadImage (image_info=image_info@entry=0x608ea0, exception=exception@entry=0x604990) at magick/constitute.c:547
#11 0x00007ffff78d4d73 in ReadImages (image_info=image_info@entry=0x608ea0, exception=exception@entry=0x604990) at magick/constitute.c:853
#12 0x00007ffff7571168 in ConvertImageCommand (image_info=0x608ea0, argc=3, argv=0x603490, metadata=0x0, exception=0x604990) at wand/convert.c:622
#13 0x00007ffff75c2fd8 in MagickCommandGenesis (image_info=image_info@entry=0x604b10, command=0x4007c0 <ConvertImageCommand@plt>, argc=argc@entry=3, 
    argv=argv@entry=0x7fffffffe528, metadata=metadata@entry=0x0, exception=exception@entry=0x604990) at wand/mogrify.c:168
#14 0x0000000000400887 in ConvertMain (argv=0x7fffffffe528, argc=3) at utilities/convert.c:81
#15 main (argc=3, argv=0x7fffffffe528) at utilities/convert.c:92

lt-convert BT:

Code: Select all

Starting program: /home/jodicun/opt/ImageMagick-2014-12-19/utilities/.libs/lt-convert /home/jodicun/opt/bugs/imagemagick/c94a5528 png:/dev/null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
^C
Program received signal SIGINT, Interrupt.
_IO_vfprintf_internal (s=s@entry=0x7fffffff22a0, format=<optimized out>, format@entry=0x7ffff7ab4639 "Exception/%s%s", ap=ap@entry=0x7fffffff2448)
    at vfprintf.c:1580
1580	vfprintf.c: No such file or directory.
(gdb) bt
#0  _IO_vfprintf_internal (s=s@entry=0x7fffffff22a0, format=<optimized out>, format@entry=0x7ffff7ab4639 "Exception/%s%s", ap=ap@entry=0x7fffffff2448)
    at vfprintf.c:1580
#1  0x00007ffff7060cb5 in ___vsnprintf_chk (s=s@entry=0x7fffffff2520 "Exception/Corrupt/Image/Error/InvalidColormapIndex", maxlen=<optimized out>, 
    maxlen@entry=4096, flags=flags@entry=1, slen=slen@entry=18446744073709551615, format=format@entry=0x7ffff7ab4639 "Exception/%s%s", 
    args=args@entry=0x7fffffff2448) at vsnprintf_chk.c:63
#2  0x00007ffff795cdc6 in vsnprintf (__ap=0x7fffffff2448, __fmt=0x7ffff7ab4639 "Exception/%s%s", __n=4096, 
    __s=0x7fffffff2520 "Exception/Corrupt/Image/Error/InvalidColormapIndex") at /usr/include/x86_64-linux-gnu/bits/stdio2.h:77
#3  FormatLocaleStringList (string=0x7fffffff2520 "Exception/Corrupt/Image/Error/InvalidColormapIndex", length=4096, 
    format=0x7ffff7ab4639 "Exception/%s%s", operands=operands@entry=0x7fffffff2448) at magick/locale.c:460
#4  0x00007ffff795cea2 in FormatLocaleString (string=string@entry=0x7fffffff2520 "Exception/Corrupt/Image/Error/InvalidColormapIndex", 
    length=length@entry=4096, format=format@entry=0x7ffff7ab4639 "Exception/%s%s") at magick/locale.c:485
#5  0x00007ffff7925679 in GetLocaleExceptionMessage (severity=severity@entry=CorruptImageError, tag=0x7ffff7ab02e6 "InvalidColormapIndex")
    at magick/exception.c:589
#6  0x00007ffff7926117 in ThrowMagickExceptionList (exception=0x644048, module=0x7ffff7ab02fb "./magick/colormap-private.h", 
    function=0x7ffff7b08c30 <__func__.10809> "ConstrainColormapIndex", line=34, severity=CorruptImageError, tag=<optimized out>, 
    format=format@entry=0x7ffff7ab1516 "`%s'", operands=operands@entry=0x7fffffff65d8) at magick/exception.c:1021
#7  0x00007ffff7925ca7 in ThrowMagickException (exception=exception@entry=0x644048, module=module@entry=0x7ffff7ab02fb "./magick/colormap-private.h", 
    function=function@entry=0x7ffff7b08c30 <__func__.10809> "ConstrainColormapIndex", line=line@entry=34, severity=severity@entry=CorruptImageError, 
    tag=tag@entry=0x7ffff7ab02e6 "InvalidColormapIndex", format=format@entry=0x7ffff7ab1516 "`%s'") at magick/exception.c:1058
#8  0x00007ffff7a7bdcc in ConstrainColormapIndex (index=<optimized out>, image=0x640dd0) at ./magick/colormap-private.h:34
#9  ReadRLEImage (image_info=0x60e050, exception=0x604990) at coders/rle.c:472
#10 0x00007ffff78d3cd8 in ReadImage (image_info=image_info@entry=0x608ea0, exception=exception@entry=0x604990) at magick/constitute.c:547
#11 0x00007ffff78d4d73 in ReadImages (image_info=image_info@entry=0x608ea0, exception=exception@entry=0x604990) at magick/constitute.c:853
#12 0x00007ffff7571168 in ConvertImageCommand (image_info=0x608ea0, argc=3, argv=0x603490, metadata=0x0, exception=0x604990) at wand/convert.c:622
#13 0x00007ffff75c2fd8 in MagickCommandGenesis (image_info=image_info@entry=0x604b10, command=0x400830 <ConvertImageCommand@plt>, argc=argc@entry=3, 
    argv=argv@entry=0x7fffffffe528, metadata=metadata@entry=0x0, exception=exception@entry=0x604990) at wand/mogrify.c:168
#14 0x0000000000400907 in ConvertMain (argv=0x7fffffffe528, argc=3) at utilities/convert.c:81
#15 main (argc=3, argv=0x7fffffffe528) at utilities/convert.c:92

[magick]

Notice the signal is thrown in a system call, not ImageMagick. ImageMagick is throwing an exception. Perhaps all the memory was consumed on your system and there was not enough for the system call to complete.

[JodieC]

They were both hanging over 15 seconds so I pressed Ctrl-C to stop them.

[dlemstra]

Can you update and try again?

[JodieC]

Looks good on the latest update.