GraphicsMagick 1.4 snapshot-20171014 Q8
hjy@ubuntu:~/Desktop$ gm convert -negate -clip null_pointer_ReadOneJNGImage /dev/null
ASAN:SIGSEGV
=================================================================
==24008==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0xb72f534c sp 0xbfa27524 bp 0xbfa27988 T0)
#0 0xb72f534b (/usr/lib/i386-linux-gnu/libasan.so.1+0x5a34b)
#1 0xb72c2a5e (/usr/lib/i386-linux-gnu/libasan.so.1+0x27a5e)
#2 0x854633d in memcpy /usr/include/i386-linux-gnu/bits/string3.h:51
#3 0x854633d in ReadOneJNGImage coders/png.c:3603
#4 0x854bcb3 in ReadJNGImage coders/png.c:3845
#5 0x8124299 in ReadImage magick/constitute.c:1607
#6 0x80c8815 in ConvertImageCommand magick/command.c:4348
#7 0x8072852 in MagickCommand magick/command.c:8872
#8 0x80744c7 in GMCommandSingle magick/command.c:17393
#9 0x80f0270 in GMCommand magick/command.c:17446
#10 0x80579ea in main utilities/gm.c:61
#11 0xb6d2faf2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19af2)
#12 0x805ae1b (/usr/local/bin/gm+0x805ae1b)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==24008==ABORTING
discovered by zhihua.yao@dbappsecurity.com.cn
I don't get the NULL pointer problem, but I do see that the JNG dimensions are claimed to be 59395x24577 and a 11678007320 byte temporary file is created and passed to the JPEG reader. What is profoundly interesting is that no serious errors are reported in my testing, even under low memory conditions.
This issue (use of null pointer) is addressed by Mercurial changeset 15239:6fc54b6d2be8. It is verified that pixel limits are enforced and reported properly. It seems that there should still be some rationalization of image dimensions based on file size.
Please change the private to No, I will assign a CVE for this bug.
Last edit: hackyzh 2017-10-26
I changed private to Yes 5 days ago. Do you mean that you want it to remain private, or it should become public so it can be referenced?
I'm sorry, I have made a mistake. I mean it should become public, then it can be referenced.
Last edit: hackyzh 2017-10-26
Issue is made public now so it can be referenced. There is a follow-on changeset 15240:da135eaedc3b which adds more checks for null pointer. Effort is under way to try to accurately detect and reject impossibly small files given the image dimensions.
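The pre-allocation sanity check the last comment describes (enforce a pixel limit, then reject a file that is impossibly small for its claimed dimensions), as an added C example that is not GraphicsMagick's own code. The pixel limit, the compression bound and the 8 bytes per pixel are assumptions for this example; 8 bytes/pixel is chosen because the 11678007320-byte temporary file reported above equals 59395 x 24577 x 8.

```c
#include <stdint.h>

/* Assumed policy values for this example only, not GraphicsMagick's limits.
 * 8 bytes/pixel matches the report: 59395 * 24577 * 8 = 11678007320. */
#define BYTES_PER_PIXEL      8ULL
#define MAX_PIXELS           (256ULL * 1024 * 1024)   /* 256 Mpixel cap */
#define MIN_PIXELS_PER_BYTE  4096ULL   /* placeholder: best plausible ratio */

typedef enum {
    DIM_OK = 0,
    DIM_ZERO,            /* a zero width or height */
    DIM_OVERFLOW,        /* width*height or the byte count would wrap */
    DIM_EXCEEDS_LIMIT,   /* more pixels than the configured limit */
    DIM_FILE_TOO_SMALL   /* file cannot plausibly encode that many pixels */
} dim_verdict;

/* Overflow-checked w*h*bpp. Returns 0 if any factor is 0 or the product
 * would wrap, so callers never get a silently truncated buffer size. */
uint64_t pixel_bytes(uint64_t w, uint64_t h, uint64_t bpp)
{
    if (w == 0 || h == 0 || bpp == 0 || h > UINT64_MAX / w)
        return 0;
    uint64_t px = w * h;
    return (bpp > UINT64_MAX / px) ? 0 : px * bpp;
}

/* Decide, before any pixel buffer or temporary file is created, whether a
 * header's claimed dimensions are worth honouring given the file size. */
dim_verdict check_dimensions(uint64_t w, uint64_t h, uint64_t file_size)
{
    if (w == 0 || h == 0)
        return DIM_ZERO;
    if (h > UINT64_MAX / w)
        return DIM_OVERFLOW;
    uint64_t px = w * h;
    if (px > MAX_PIXELS)
        return DIM_EXCEEDS_LIMIT;          /* pixel limit is checked first */
    if (pixel_bytes(w, h, BYTES_PER_PIXEL) == 0)
        return DIM_OVERFLOW;
    /* Even a maximally compressed stream needs some bytes per pixel; a
     * 59395x24577 header inside a tiny file is rejected here, not later. */
    if (file_size < px / MIN_PIXELS_PER_BYTE)
        return DIM_FILE_TOO_SMALL;
    return DIM_OK;
}
```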