There is a stack buffer overflow in function SVGStartElement of coders/svg.c which can be reproduced as below.
=================================================================
==79799==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff1d979a9f at pc 0x0000007ddbb7 bp 0x7fff1d977dd0 sp 0x7fff1d977dc0
WRITE of size 1 at 0x7fff1d979a9f thread T0
#0 0x7ddbb6 in SVGStartElement coders/svg.c:1752
#1 0x7ff43128b2e0 in xmlParseStartTag (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x472e0)
#2 0x7ff43129a578 (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x56578)
#3 0x7ff43129b77a in xmlParseChunk (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x5777a)
#4 0x7ea241 in ReadSVGImage coders/svg.c:3912
#5 0x47766b in ReadImage magick/constitute.c:1607
#6 0x4214e9 in ConvertImageCommand magick/command.c:4362
#7 0x436a5e in MagickCommand magick/command.c:8886
#8 0x45f205 in GMCommandSingle magick/command.c:17416
#9 0x45f451 in GMCommand magick/command.c:17469
#10 0x40cbc5 in main utilities/gm.c:61
#11 0x7ff43053882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#12 0x40cad8 in _start (/home/graphicsmagick-code/utilities/gm+0x40cad8)
Address 0x7fff1d979a9f is located in stack of thread T0 at offset 7039 in frame
#0 0x7da161 in SVGStartElement coders/svg.c:1062
This frame has 13 object(s):
[32, 40) 'color'
[96, 104) 'p'
[160, 168) 'units'
[224, 232) 'number_tokens'
[288, 296) 'stroke_miterlimit'
[352, 384) 'page'
[416, 464) 'affine'
[512, 560) 'current'
[608, 656) 'transform'
[704, 2757) 'id'
[2816, 4869) 'token'
[4928, 6981) 'svg_element_background_color'
[7040, 9093) 'nvalue' <== Memory access at offset 7039 underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow coders/svg.c:1752 SVGStartElement
Shadow bytes around the buggy address:
==79799==ABORTING
System Configuration:
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.2 LTS
Release:        16.04
Codename:       xenial
GraphicsMagick version:
GraphicsMagick 1.4 snapshot-20190322 Q8 http://www.GraphicsMagick.org/
Copyright (C) 2002-2019 GraphicsMagick Group.
Additional copyrights and licenses apply to this software.
See http://www.GraphicsMagick.org/www/Copyright.html for details.

Feature Support:
  Native Thread Safe       yes
  Large Files (> 32 bit)   yes
  Large Memory (> 32 bit)  yes
  BZIP                     yes
  DPS                      no
  FlashPix                 no
  FreeType                 yes
  Ghostscript (Library)    no
  JBIG                     yes
  JPEG-2000                yes
  JPEG                     yes
  Little CMS               yes
  Loadable Modules         no
  Solaris mtmalloc         no
  OpenMP                   yes (201307)
  PNG                      yes
  TIFF                     yes
  TRIO                     no
  Solaris umem             no
  WebP                     yes
  WMF                      yes
  X11                      yes
  XML                      yes
  ZLIB                     yes

Host type: x86_64-pc-linux-gnu

Configured using the command:
  ./configure 'CFLAGS=-g -fsanitize=address' '--enable-shared=no'

Final Build Parameters:
  CC       = gcc
  CFLAGS   = -fopenmp -g -fsanitize=address -Wall -pthread
  CPPFLAGS = -I/usr/include/freetype2 -I/usr/include/libxml2
  CXX      = g++
  CXXFLAGS = -pthread
  LDFLAGS  =
  LIBS     = -ljbig -lwebp -lwebpmux -llcms2 -ltiff -lfreetype -ljasper -ljpeg -lpng12 -lwmflite -lXext -lSM -lICE -lX11 -llzma -lbz2 -lxml2 -lz -lm -lpthread
(gdb) p value
$7 = 0x6020000009f0 "'"
(gdb) l
1746              this.
1747            */
1748            if ((value[0] == '\'') && (value[strlen(value)-1] == '\''))
1749              {
1750                char nvalue[MaxTextExtent];
1751                (void) strlcpy(nvalue,value+1,sizeof(nvalue));
1752                nvalue[strlen(nvalue)-1]='\0';
1753                MVGPrintf(svg_info->file,"font-family '%s'\n",nvalue);
1754              }
1755            else
(gdb)

strlen(nvalue) is zero
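The following is an added example (not GraphicsMagick code) that reproduces the predicate from the gdb listing above without the out-of-bounds write, and places a length-checked version of the quote stripping beside it. MaxTextExtent is assumed to be 2053 from the size of the nvalue frame object in the ASan report, and the input strings are constructed.

```c
/* Added example, not GraphicsMagick code: the quote-stripping step from the gdb
   listing, rewritten so a one-byte value "'" cannot underflow nvalue. */
#include <stdio.h>
#include <string.h>
#define MaxTextExtent 2053   /* assumed from the 2053-byte nvalue object in the ASan frame */

/* The original predicate. For the single byte "'" value[0] and value[strlen(value)-1]
   are the same byte, so it is true; strlcpy then copies an empty string and
   nvalue[strlen(nvalue)-1] indexes nvalue[(size_t)-1], one byte before the buffer. */
int original_looks_quoted(const char *value)
{
    return (value[0] == '\'') && (value[strlen(value)-1] == '\'');
}

/* Hardened version: require at least two bytes so the opening and closing quotes
   are distinct, and bound the copy explicitly instead of indexing with
   strlen(nvalue)-1. Returns 1 and fills nvalue when value is quoted, else 0. */
int strip_single_quotes(const char *value, char *nvalue, size_t nvalue_size)
{
    size_t len = strlen(value), inner;
    if (len < 2 || value[0] != '\'' || value[len-1] != '\'')
        return 0;
    inner = len - 2;                   /* bytes between the two quotes */
    if (inner >= nvalue_size)
        inner = nvalue_size - 1;       /* truncate like strlcpy would, never underflow */
    memcpy(nvalue, value + 1, inner);
    nvalue[inner] = '\0';
    return 1;
}

/* 1 if value is accepted as quoted and strips to exactly expected. */
int strips_to(const char *value, const char *expected)
{
    char nvalue[MaxTextExtent];
    return strip_single_quotes(value, nvalue, sizeof(nvalue)) &&
           strcmp(nvalue, expected) == 0;
}

int main(void)
{
    const char *inputs[] = { "'Arial'", "''", "'", "Arial" };  /* constructed */
    char nvalue[MaxTextExtent];
    for (size_t i = 0; i < 4; i++)
        if (strip_single_quotes(inputs[i], nvalue, sizeof(nvalue)))
            printf("%-8s -> font-family '%s'\n", inputs[i], nvalue);
        else
            printf("%-8s -> rejected; original predicate says %d\n",
                   inputs[i], original_looks_quoted(inputs[i]));
    return 0;
}
```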
This bug is fixed by Mercurial changeset 15952:b6fb77d7d54d. Thank you for the report.