*** This bug is a security vulnerability ***

Public security bug reported:

On Ubuntu 14.04, x64 and ImageMagick version 7.0+ (commit 087a059e56eec2efedefdceb6b52a093e4589dde)
https://github.com/ImageMagick/ImageMagick/commit/087a059e56eec2efedefdceb6b52a093e4589dde

gdb$ r double_free.tga /dev/null
Starting program: /home/moshe/Downloads/ImageMagick-master/utilities/magick double_free.tga /dev/null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Traceback (most recent call last):
  File "/usr/share/gdb/auto-load/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19-gdb.py", line 63, in <module>
    from libstdcxx.v6.printers import register_libstdcxx_printers
ImportError: No module named 'libstdcxx'
*** Error in `/home/moshe/Downloads/ImageMagick-master/utilities/magick': double free or corruption (!prev): 0x0000000001780ec0 ***

Program received signal SIGABRT, Aborted.
-----------------------------------------------------------------------------------------------------------------------[regs]
  RAX: 0x0000000000000000  RBX: 0x0000000000000084  RCX: 0xFFFFFFFFFFFFFFFF  RDX: 0x0000000000000006  o d I t s z a P c
  RSI: 0x0000000000007524  RDI: 0x0000000000007524  RBP: 0x00007FFFFFFF6560  RSP: 0x00007FFFFFFF61C8  RIP: 0x00007FFFF375CCC9
  R8 : 0x3063653038373130  R9 : 0x6F6974707572726F  R10: 0x0000000000000008  R11: 0x0000000000000206  R12: 0x00007FFFFFFF6370
  R13: 0x0000000000000007  R14: 0x0000000000000084  R15: 0x0000000000000007
  CS: 0033  DS: 0000  ES: 0000  FS: 0000  GS: 0000  SS: 002B
-----------------------------------------------------------------------------------------------------------------------[code]
=> 0x7ffff375ccc9 <__GI_raise+57>:	cmp    rax,0xfffffffffffff000
   0x7ffff375cccf <__GI_raise+63>:	ja     0x7ffff375ccea <__GI_raise+90>
   0x7ffff375ccd1 <__GI_raise+65>:	repz ret
   0x7ffff375ccd3 <__GI_raise+67>:	nop    DWORD PTR [rax+rax*1+0x0]
   0x7ffff375ccd8 <__GI_raise+72>:	test   eax,eax
   0x7ffff375ccda <__GI_raise+74>:	jg     0x7ffff375ccb9 <__GI_raise+41>
   0x7ffff375ccdc <__GI_raise+76>:	mov    ecx,eax
   0x7ffff375ccde <__GI_raise+78>:	neg    ecx
-----------------------------------------------------------------------------------------------------------------------------
0x00007ffff375ccc9 in __GI_raise (sig=sig@entry=0x6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56	../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.

gdb$ bt
#0  0x00007ffff375ccc9 in __GI_raise (sig=sig@entry=0x6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff37600d8 in __GI_abort () at abort.c:89
#2  0x00007ffff3799394 in __libc_message (do_abort=do_abort@entry=0x1, fmt=fmt@entry=0x7ffff38a7b28 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff37a566e in malloc_printerr (ptr=<optimized out>, str=0x7ffff38a7c10 "double free or corruption (!prev)", action=0x1) at malloc.c:4996
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0x0) at malloc.c:3840
#5  0x000000000048db72 in RelinquishMagickMemory (memory=<optimized out>) at MagickCore/memory.c:967
#6  0x00000000004456c9 in DestroyImage (image=image@entry=0x1793ff0) at MagickCore/image.c:1200
#7  0x000000000045f6e4 in DeleteImageFromList (images=<synthetic pointer>) at MagickCore/list.c:298
#8  DestroyImageList (images=0x0, images@entry=0x1793ff0) at MagickCore/list.c:451
#9  0x0000000000991b20 in ReadTGAImage (image_info=<optimized out>, exception=0x1763f90) at coders/tga.c:221
#10 0x0000000000c20414 in ReadImage (image_info=image_info@entry=0x1768350, exception=exception@entry=0x1763f90) at MagickCore/constitute.c:547
#11 0x0000000000c23a6b in ReadImages (image_info=0x1764110, filename=0x175f1f0 "/home/moshe/Desktop/imagemagick_crashes/examine_more/sf_540cee04253030f363f7902b6edc732d-lpszam-0x00000000-minimized.tga", exception=0x1763f90) at MagickCore/constitute.c:846
#12 0x0000000001302829 in CLINoImageOperator (cli_wand=cli_wand@entry=0x1761320, option=option@entry=0x138d002 "-read", arg1n=arg1n@entry=0x7fffffffe12f "/home/moshe/Desktop/imagemagick_crashes/examine_more/sf_540cee04253030f363f7902b6edc732d-lpszam-0x00000000-minimized.tga", arg2n=arg2n@entry=0x0) at MagickWand/operation.c:4654
#13 0x0000000001305cb1 in CLIOption (cli_wand=cli_wand@entry=0x1761320, option=option@entry=0x138d002 "-read") at MagickWand/operation.c:5148
#14 0x000000000110d833 in ProcessCommandOptions (cli_wand=cli_wand@entry=0x1761320, argc=argc@entry=0x3, argv=argv@entry=0x7fffffffdd68, index=index@entry=0x1) at MagickWand/magick-cli.c:421
#15 0x000000000110f64f in MagickImageCommand (image_info=image_info@entry=0x1764110, argc=argc@entry=0x3, argv=argv@entry=0x7fffffffdd68, metadata=metadata@entry=0x0, exception=exception@entry=0x1763f90) at MagickWand/magick-cli.c:786
#16 0x0000000001164ade in MagickCommandGenesis (image_info=image_info@entry=0x1764110, command=0x110e300 <MagickImageCommand>, argc=argc@entry=0x3, argv=argv@entry=0x7fffffffdd68, metadata=metadata@entry=0x0, exception=exception@entry=0x1763f90) at MagickWand/mogrify.c:172
#17 0x000000000041238f in MagickMain (argv=0x7fffffffdd68, argc=0x3) at utilities/magick.c:74
#18 main (argc=0x3, argv=0x7fffffffdd68) at utilities/magick.c:85

** Affects: imagemagick (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "trigger file"
   https://bugs.launchpad.net/bugs/1490362/+attachment/4454741/+files/double_free.tga

** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/1490362
Title: Double free in coders/tga.c:221
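The trace shows glibc's "double free or corruption (!prev)" check firing inside DestroyImageList on the reader's error path, but the report does not show what coders/tga.c:221 released twice, so the root cause is not on this page. As an added illustration (not ImageMagick's code, not the fix for bug 1490362), the C below models the bug class the trace implies: a reader that releases its image list on failure, and a caller that must then not release it again. All names (read_tga, destroy_image_list, relinquish, load_and_release) and the 18-byte TGA headers it parses are constructed for this example.

```c
/* Added example, not ImageMagick code. Models a reader whose error path
 * destroys an image list, and the caller discipline that keeps that from
 * becoming a double free. The real cause of bug 1490362 is not shown here. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TGA_HEADER_LEN 18   /* fixed TGA header: id len, cmap type, image type, ... */

typedef struct Image {
    uint16_t width, height;
    uint8_t  bpp;
    uint8_t *pixels;
    struct Image *next;
} Image;

/* Counters so a test can prove every allocation is released exactly once. */
static int g_allocs = 0, g_frees = 0;

/* Free-and-return-NULL idiom: the caller always overwrites its pointer. */
static void *relinquish(void *p) {
    if (p != NULL) { free(p); g_frees++; }
    return NULL;
}

/* Releases every image in the list once and returns NULL so the caller's
 * pointer can be reassigned. Calling it again on the returned NULL is a no-op. */
static Image *destroy_image_list(Image *head) {
    while (head != NULL) {
        Image *next = head->next;
        relinquish(head->pixels);
        relinquish(head);
        head = next;
    }
    return NULL;
}

/* Minimal TGA header check: uncompressed true-colour, sane size and depth. */
static int parse_tga_header(const uint8_t *buf, size_t len,
                            uint16_t *w, uint16_t *h, uint8_t *bpp) {
    if (len < TGA_HEADER_LEN) return -1;
    if (buf[2] != 2) return -1;                       /* image type 2 only */
    *w   = (uint16_t)(buf[12] | (buf[13] << 8));
    *h   = (uint16_t)(buf[14] | (buf[15] << 8));
    *bpp = buf[16];
    if (*w == 0 || *h == 0) return -1;
    if (*bpp != 16 && *bpp != 24 && *bpp != 32) return -1;
    return 0;
}

/* On failure everything this function allocated is already released and it
 * returns NULL; the caller must not destroy anything on that path. A reader
 * that destroyed the list AND returned a dangling pointer for the caller to
 * destroy again would reproduce the bug class seen in the trace. */
static Image *read_tga(const uint8_t *buf, size_t len) {
    uint16_t w, h; uint8_t bpp;
    if (parse_tga_header(buf, len, &w, &h, &bpp) != 0) return NULL;
    Image *img = calloc(1, sizeof *img);
    if (img == NULL) return NULL;
    g_allocs++;
    img->width = w; img->height = h; img->bpp = bpp;
    size_t offset = TGA_HEADER_LEN + buf[0];           /* skip the image id */
    size_t need   = (size_t)w * h * (bpp / 8);
    if (offset > len || len - offset < need)           /* truncated pixel data */
        return destroy_image_list(img);                /* single release, NULL out */
    img->pixels = malloc(need);
    if (img->pixels == NULL) return destroy_image_list(img);
    g_allocs++;
    memcpy(img->pixels, buf + offset, need);
    return img;
}

/* Caller discipline: act only on the returned pointer, and reassign it from
 * destroy_image_list so a stale copy never survives the free. */
static int load_and_release(const uint8_t *buf, size_t len) {
    Image *images = read_tga(buf, len);
    if (images == NULL) return -1;                     /* reader already cleaned up */
    images = destroy_image_list(images);
    return 0;
}

static void build_header(uint8_t *hdr, uint16_t w, uint16_t h, uint8_t bpp) {
    memset(hdr, 0, TGA_HEADER_LEN);
    hdr[2]  = 2;                                       /* uncompressed true-colour */
    hdr[12] = (uint8_t)(w & 0xff); hdr[13] = (uint8_t)(w >> 8);
    hdr[14] = (uint8_t)(h & 0xff); hdr[15] = (uint8_t)(h >> 8);
    hdr[16] = bpp;
    hdr[17] = 0x20;                                    /* top-left origin */
}

/* Constructed sample: well-formed 2x2 24-bit image. Returns 0. */
int example_well_formed(void) {
    uint8_t file[TGA_HEADER_LEN + 12];
    build_header(file, 2, 2, 24);
    memset(file + TGA_HEADER_LEN, 0xAB, 12);
    return load_and_release(file, sizeof file);
}

/* Constructed sample: header promises 2x2x24 but only 5 pixel bytes follow.
 * Returns -1 and leaves the alloc/free counters balanced. */
int example_truncated(void) {
    uint8_t file[TGA_HEADER_LEN + 5];
    build_header(file, 2, 2, 24);
    memset(file + TGA_HEADER_LEN, 0xAB, 5);
    return load_and_release(file, sizeof file);
}

int outstanding_allocations(void) { return g_allocs - g_frees; }

int main(void) {
    printf("well-formed: %d, truncated: %d, outstanding: %d\n",
           example_well_formed(), example_truncated(), outstanding_allocations());
    return 0;
}
```

Building a reproducer like this, or ImageMagick itself, with -fsanitize=address is the practical check: glibc's heap check only fires when chunk metadata happens to look wrong, whereas AddressSanitizer reports both the first and the second free site, which is what a triager needs to locate the line that released the image a second time.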
