IM 7.0.2-7 Q16 x86_64 2016-08-04 - Use after free when using identify or convert

[myliniem]

Version

Code: Select all

mikko@mikko-Latitude-E6330:~$ identify --version
Version: ImageMagick 7.0.2-7 Q16 x86_64 2016-08-04 http://www.imagemagick.org
Copyright: Copyright (C) 1999-2016 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher HDRI 
Delegates (built-in): x 

Repro file:
https://www.dropbox.com/s/9ln4uutgcfhzg ... repro?dl=0

ASAN trace
https://www.dropbox.com/s/d4537qainck4j ... d.txt?dl=0

Reproduce:

Code: Select all

mikko@mikko-Latitude-E6330:~$ identify ImageMagick-heap-use-after-free-967-d5f-ded.repro
identify: MagickCore/blob.c:887: EOFBlob: Assertion `image->blob != (BlobInfo *) NULL' failed.
Aborted (core dumped)

BT

Code: Select all

(gdb) bt
#0  0x00007ffff6e4b418 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff6e4d01a in __GI_abort () at abort.c:89
#2  0x00007ffff6e43bd7 in __assert_fail_base (fmt=<optimized out>, 
    assertion=assertion@entry=0x7ffff7a282f0 "image->signature == MagickCoreSignature", file=file@entry=0x7ffff7a28b68 "MagickCore/blob.c", 
    line=line@entry=882, function=function@entry=0x7ffff7a29678 <__PRETTY_FUNCTION__.11395> "EOFBlob") at assert.c:92
#3  0x00007ffff6e43c82 in __GI___assert_fail (assertion=assertion@entry=0x7ffff7a282f0 "image->signature == MagickCoreSignature", 
    file=file@entry=0x7ffff7a28b68 "MagickCore/blob.c", line=line@entry=882, 
    function=function@entry=0x7ffff7a29678 <__PRETTY_FUNCTION__.11395> "EOFBlob") at assert.c:101
#4  0x00007ffff77a5a22 in EOFBlob (image=image@entry=0x665fd0) at MagickCore/blob.c:882
#5  0x00007ffff79bee88 in ReadPWPImage (image_info=0x639010, exception=0x626a50) at coders/pwp.c:252
#6  0x00007ffff77d05bd in ReadImage (image_info=image_info@entry=0x633890, exception=exception@entry=0x626a50) at MagickCore/constitute.c:554
#7  0x00007ffff78e5529 in ReadStream (image_info=image_info@entry=0x6305f0, stream=stream@entry=0x7ffff77cfe00 <PingStream>, 
    exception=exception@entry=0x626a50) at MagickCore/stream.c:1012
#8  0x00007ffff77d00d3 in PingImage (image_info=image_info@entry=0x62d180, exception=exception@entry=0x626a50) at MagickCore/constitute.c:226
#9  0x00007ffff77d034b in PingImages (image_info=image_info@entry=0x62d180, filename=<optimized out>, exception=exception@entry=0x626a50)
    at MagickCore/constitute.c:326
#10 0x00007ffff74766aa in IdentifyImageCommand (image_info=0x629f20, argc=2, argv=0x6251e0, metadata=0x7fffffffbbb8, exception=0x626a50)
    at MagickWand/identify.c:319
#11 0x00007ffff74a36f0 in MagickCommandGenesis (image_info=image_info@entry=0x626bd0, command=command@entry=0x400dd0 <IdentifyImageCommand@plt>, 
    argc=argc@entry=2, argv=argv@entry=0x7fffffffdec8, metadata=0x7fffffffcc18, exception=exception@entry=0x626a50) at MagickWand/mogrify.c:183
#12 0x00000000004011bc in MagickMain (argc=2, argv=0x7fffffffdec8) at utilities/magick.c:145
#13 0x00007ffff6e36830 in __libc_start_main (main=0x400f60 <main>, argc=2, argv=0x7fffffffdec8, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffdeb8) at ../csu/libc-start.c:291
#14 0x0000000000400f99 in _start ()
Add Comment Collapse

System:
AMD64
Ubuntu 16.04 LTS

Found with libFuzzer.
https://github.com/ouspg/libfuzzerfication

[magick]

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.