Null dereference in coders/png.c:5134

Bug #1492881 reported by Moshe Kaplan
Affects: imagemagick (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Program received signal SIGSEGV, Segmentation fault.
--------------------------------------------------------------------------[regs]
  EAX: 0x0000B0D0 EBX: 0x00000000 ECX: 0x0881A578 EDX: 0x0881A578 o d I t s z a p c
  ESI: 0x00000000 EDI: 0x0885FEF4 EBP: 0x0883E394 ESP: 0xBFFF3AF0 EIP: 0x082E8E71
  CS: 0073 DS: 007B ES: 007B FS: 0000 GS: 0033 SS: 007B
--------------------------------------------------------------------------[code]
=> 0x82e8e71 <ReadMNGImage+2801>: movzx eax,BYTE PTR [ebx]
   0x82e8e74 <ReadMNGImage+2804>: shl eax,0x18
   0x82e8e77 <ReadMNGImage+2807>: movzx ecx,BYTE PTR [ebx+0x1]
   0x82e8e7b <ReadMNGImage+2811>: shl ecx,0x10
   0x82e8e7e <ReadMNGImage+2814>: or ecx,eax
   0x82e8e80 <ReadMNGImage+2816>: movzx edx,BYTE PTR [ebx+0x2]
   0x82e8e84 <ReadMNGImage+2820>: shl edx,0x8
   0x82e8e87 <ReadMNGImage+2823>: or edx,ecx
--------------------------------------------------------------------------------
0x082e8e71 in ReadMNGImage (image_info=<optimized out>, exception=0x8847650) at ../ImageMagick_git/coders/png.c:5134
5134 mng_info->mng_width=(size_t) ((p[0] << 24) | (p[1] << 16) |

The variable "p" can be NULL.

Stack trace:

#0 0x082e8e71 in ReadMNGImage (image_info=<optimized out>, exception=0x8847650) at ../ImageMagick_git/coders/png.c:5134
#1 0x083a678d in ReadImage (image_info=<optimized out>, exception=0x88331d8) at ../ImageMagick_git/MagickCore/constitute.c:493
#2 0x083a85ef in ReadImages (image_info=<optimized out>, filename=<optimized out>, exception=<optimized out>) at ../ImageMagick_git/MagickCore/constitute.c:846
#3 0x086535a4 in CLINoImageOperator (cli_wand=0x0, option=<optimized out>, arg1n=<optimized out>, arg2n=0x0) at ../ImageMagick_git/MagickWand/operation.c:4656
#4 0x08655664 in CLIOption (cli_wand=0x8838bf0, option=0x868c8a1 "-read") at ../ImageMagick_git/MagickWand/operation.c:5150
#5 0x085a00bc in ProcessCommandOptions (cli_wand=<optimized out>, argc=<optimized out>, argv=<optimized out>, index=<optimized out>) at ../ImageMagick_git/MagickWand/magick-cli.c:474
#6 0x085a0ee5 in MagickImageCommand (image_info=<optimized out>, argc=0x3, argv=0xbffff104, metadata=<optimized out>, exception=<optimized out>) at ../ImageMagick_git/MagickWand/magick-cli.c:786
#7 0x085d0983 in MagickCommandGenesis (image_info=<optimized out>, command=<optimized out>, argc=<optimized out>, argv=<optimized out>, metadata=0x0, exception=0x88331d8) at ../ImageMagick_git/MagickWand/mogrify.c:172
#8 0x08052897 in MagickMain (argc=<optimized out>, argv=0xbffff104) at ../ImageMagick_git/utilities/magick.c:76
#9 main (argc=<optimized out>, argv=0xbffff104) at ../ImageMagick_git/utilities/magick.c:89
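As an added example (not ImageMagick's code and not the reporter's test file), the C program below shows the chunk-reading pattern behind the crash: a chunk-header parser that leaves the payload pointer NULL for a zero-length chunk, the unchecked MHDR read that the register dump is consistent with (EBX, the pointer being dereferenced by the faulting movzx, is 0), and a length-checked version of the same read. The 28-byte MHDR layout is taken from the MNG specification; that the report's "p" became NULL through a zero-length chunk is an assumption, and every function name and sample buffer here is constructed for illustration.

```c
/* Added example, not from ImageMagick or the bug report. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MHDR_LENGTH 28u   /* MHDR payload per the MNG spec: seven 4-byte fields */

typedef struct {
    uint32_t length;           /* payload length from the chunk header */
    char type[5];              /* four-character chunk type, NUL-terminated */
    const unsigned char *data; /* payload pointer; NULL when length == 0 */
} mng_chunk;

static uint32_t read_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse one chunk header (4-byte big-endian length, 4-byte type). Mirrors the
   reader pattern "p = NULL; if (length != 0) { read payload; p = chunk; }":
   a zero-length chunk leaves data NULL. Returns 0 on success. */
static int read_chunk(const unsigned char *buf, size_t buf_len, mng_chunk *c) {
    if (buf_len < 8)
        return -1;                          /* no room for length + type */
    c->length = read_be32(buf);
    memcpy(c->type, buf + 4, 4);
    c->type[4] = '\0';
    if ((size_t)c->length > buf_len - 8)
        return -1;                          /* declared length exceeds the input */
    c->data = (c->length != 0) ? buf + 8 : NULL;
    return 0;
}

/* Unchecked form of the crash site: dereferences data even when it is NULL. */
static uint32_t mhdr_width_unchecked(const mng_chunk *c) {
    return read_be32(c->data);
}

/* Hardened form: refuse to read MHDR fields unless the whole payload is present.
   Returns 0 on success, a negative code otherwise. */
int parse_mhdr(const unsigned char *buf, size_t buf_len,
               uint32_t *width, uint32_t *height) {
    mng_chunk c;
    if (read_chunk(buf, buf_len, &c) != 0)
        return -1;
    if (memcmp(c.type, "MHDR", 4) != 0)
        return -2;
    if (c.data == NULL || c.length < MHDR_LENGTH)   /* the check the crash site lacked */
        return -3;
    *width  = read_be32(c.data);
    *height = read_be32(c.data + 4);
    return 0;
}

/* Constructed inputs: a zero-length MHDR chunk and a complete one. */
static const unsigned char empty_mhdr[] = { 0, 0, 0, 0, 'M', 'H', 'D', 'R' };
static const unsigned char valid_mhdr[] = {
    0, 0, 0, 28, 'M', 'H', 'D', 'R',
    0, 0, 0, 16,                            /* Frame_width  = 16 */
    0, 0, 0, 32,                            /* Frame_height = 32 */
    0, 0, 0, 1,                             /* Ticks_per_second */
    0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,   /* layer count, frame count, play time */
    0, 0, 0, 0                              /* Simplicity_profile */
};

int demo_empty_mhdr(void) {
    uint32_t w = 0, h = 0;
    return parse_mhdr(empty_mhdr, sizeof empty_mhdr, &w, &h);
}

uint32_t demo_valid_mhdr_width(void) {
    uint32_t w = 0, h = 0;
    return parse_mhdr(valid_mhdr, sizeof valid_mhdr, &w, &h) == 0 ? w : 0;
}

/* The unchecked read is safe only because this chunk has a payload; on
   empty_mhdr it would dereference NULL exactly as in the report. */
uint32_t demo_unchecked_valid_width(void) {
    mng_chunk c;
    if (read_chunk(valid_mhdr, sizeof valid_mhdr, &c) != 0)
        return 0;
    return mhdr_width_unchecked(&c);
}

int main(void) {
    printf("zero-length MHDR: parse_mhdr returned %d\n", demo_empty_mhdr());
    printf("valid MHDR: checked width %u, unchecked width %u\n",
           (unsigned)demo_valid_mhdr_width(), (unsigned)demo_unchecked_valid_width());
    return 0;
}
```

The point of the checked version is that the length test happens before any byte of the payload is touched; a reader that validates the chunk length (and the chunk type) up front also covers truncated chunks, which would otherwise read past the buffer rather than through NULL.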

Moshe Kaplan (moshekaplan) wrote:
summary: - Segfault in coders/png.c:5134
+ Null dereference in coders/png.c:5134
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package imagemagick - 8:6.8.9.9-7

---------------
imagemagick (8:6.8.9.9-7) unstable; urgency=low

  * Fix various minor security issues
    - Fix an integer overflow that can lead to a buffer overrun
      in the icon parsing code (LP: #1459747, closes: #806441)
    - Fix an integer overflow that can lead to a double free in
      pict parsing (LP: #1448803, closes: #806441).
    - Memory Leak while handle psd file (closes: #811308)
      http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=28791
    - IM 6.9.2 crash with some PNG (closes: #811308, LP: #1492881)
      http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=28466
    - Null pointer access in magick/constitute.c (closes: #811308)
      https://github.com/ImageMagick/ImageMagick/pull/34
    - PixelColor off by one on i386 (closes: #811308)
      https://github.com/ImageMagick/ImageMagick/issues/54
    - Fixed other memory leaks (closes: #811308)

 -- Vincent Fourmond <email address hidden> Sun, 17 Jan 2016 21:18:19 +0100

Changed in imagemagick (Ubuntu):
status: New → Fix Released