
#518 Null pointer in

v1.0_(example)
closed-fixed
None
5
2017-10-26
2017-10-19
hackyzh
No

GraphicsMagick 1.4 snapshot-20171014 Q8

hjy@ubuntu:~/Desktop$ gm convert -negate -clip null_pointer_ReadOneJNGImage /dev/null
ASAN:SIGSEGV
=================================================================
==24008==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0xb72f534c sp 0xbfa27524 bp 0xbfa27988 T0)
    #0 0xb72f534b (/usr/lib/i386-linux-gnu/libasan.so.1+0x5a34b)
    #1 0xb72c2a5e (/usr/lib/i386-linux-gnu/libasan.so.1+0x27a5e)
    #2 0x854633d in memcpy /usr/include/i386-linux-gnu/bits/string3.h:51
    #3 0x854633d in ReadOneJNGImage coders/png.c:3603
    #4 0x854bcb3 in ReadJNGImage coders/png.c:3845
    #5 0x8124299 in ReadImage magick/constitute.c:1607
    #6 0x80c8815 in ConvertImageCommand magick/command.c:4348
    #7 0x8072852 in MagickCommand magick/command.c:8872
    #8 0x80744c7 in GMCommandSingle magick/command.c:17393
    #9 0x80f0270 in GMCommand magick/command.c:17446
    #10 0x80579ea in main utilities/gm.c:61
    #11 0xb6d2faf2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19af2)
    #12 0x805ae1b (/usr/local/bin/gm+0x805ae1b)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==24008==ABORTING

discovered by zhihua.yao@dbappsecurity.com.cn

1 Attachments

Discussion

  • Bob Friesenhahn

    Bob Friesenhahn - 2017-10-20
    • assigned_to: Glenn Randers-Pehrson
    • private: No --> Yes
     
  • Bob Friesenhahn

    Bob Friesenhahn - 2017-10-24

    I don't get the NULL pointer problem, but I do see that the JNG dimensions are claimed to be 59395x24577 and an 11678007320 byte temporary file is created and passed to the JPEG reader. What is profoundly interesting is that no serious errors are reported in my testing, even under low memory conditions.

     
  • Bob Friesenhahn

    Bob Friesenhahn - 2017-10-25
    • status: open --> closed-fixed
    • assigned_to: Glenn Randers-Pehrson --> Bob Friesenhahn
     
  • Bob Friesenhahn

    Bob Friesenhahn - 2017-10-25

    This issue (use of null pointer) is addressed by Mercurial changeset 15239:6fc54b6d2be8. It is verified that pixel limits are enforced and reported properly. It seems that there should still be some rationalization of image dimensions based on file size.

     
  • hackyzh

    hackyzh - 2017-10-26

    Please change the private to No, I will assign a CVE for this bug.

     

    Last edit: hackyzh 2017-10-26
  • Bob Friesenhahn

    Bob Friesenhahn - 2017-10-26

    I changed private to Yes 5 days ago. Do you mean that you want it to remain private, or it should become public so it can be referenced?

     
  • hackyzh

    hackyzh - 2017-10-26

    I'm sorry, I have made a mistake. I mean it should become public, then it can be referenced.

     

    Last edit: hackyzh 2017-10-26
  • Bob Friesenhahn

    Bob Friesenhahn - 2017-10-26
    • private: Yes --> No
     
  • Bob Friesenhahn

    Bob Friesenhahn - 2017-10-26

    Issue is made public now so it can be referenced. There is a follow-on changeset 15240:da135eaedc3b which adds more checks for null pointer. Effort is under way to try to accurately detect and reject impossibly small files given the image dimensions.

     

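The kind of checks the discussion describes (an enforced pixel limit, the decoded buffer size derived from the declared JNG dimensions, and rejecting a file too small to plausibly hold that many pixels), as an added example in C that is not GraphicsMagick's own code. The pixel limit and the per-block bit floor are assumed values chosen for illustration, and the sample inputs mirror the 59395x24577 case from the comments above.

```c
#include <stdint.h>

/* Added example, not GraphicsMagick code: sanity checks to run on the
 * dimensions a JNG/JPEG header declares before any buffer is sized from them.
 * Both limits below are assumptions for illustration, not spec guarantees. */
#define MAX_PIXELS          ((uint64_t)1 << 30)  /* assumed resource limit */
#define MIN_BITS_PER_BLOCK  1ULL  /* assumed floor: >= 1 coded bit per 8x8 luma
                                     block; tune down for arithmetic-coded JPEG */

typedef enum {
    DIM_OK = 0,
    DIM_ZERO,            /* width or height is 0 */
    DIM_BYTES_OVERFLOW,  /* pixel buffer size would overflow uint64_t */
    DIM_PIXEL_LIMIT,     /* width*height exceeds the configured limit */
    DIM_FILE_TOO_SMALL   /* file cannot plausibly encode this many pixels */
} dim_status;

/* Smallest JPEG stream (bytes) that could plausibly hold w x h pixels:
 * one luma 8x8 block per cell, MIN_BITS_PER_BLOCK bits each, rounded up. */
uint64_t min_plausible_bytes(uint32_t w, uint32_t h)
{
    uint64_t blocks = (((uint64_t)w + 7) / 8) * (((uint64_t)h + 7) / 8);
    return (blocks * MIN_BITS_PER_BLOCK + 7) / 8;
}

/* Validate declared dimensions. bytes_per_pixel comes from the sample depth
 * and channel count; file_size is the size of the container on disk.
 * On return *buffer_bytes holds the decoded buffer size when it is computable. */
dim_status check_dimensions(uint32_t w, uint32_t h, uint32_t bytes_per_pixel,
                            uint64_t file_size, uint64_t *buffer_bytes)
{
    uint64_t pixels = (uint64_t)w * h;   /* 32x32 -> 64 bits: cannot overflow */
    if (w == 0 || h == 0)
        return DIM_ZERO;
    if (bytes_per_pixel == 0 || pixels > UINT64_MAX / bytes_per_pixel)
        return DIM_BYTES_OVERFLOW;        /* pixels * bpp would wrap */
    if (buffer_bytes)
        *buffer_bytes = pixels * bytes_per_pixel;
    if (pixels > MAX_PIXELS)
        return DIM_PIXEL_LIMIT;           /* reject before any allocation */
    if (file_size < min_plausible_bytes(w, h))
        return DIM_FILE_TOO_SMALL;        /* header claims more than file holds */
    return DIM_OK;
}
```

With 8 bytes per pixel the 59395x24577 header yields exactly the 11678007320-byte buffer quoted in the discussion, and the pixel limit rejects it before that buffer is ever created.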