
#652 SEGV in gm at coders/msl.c:883

v1.0_(example)
closed-fixed
None
5
2021-11-03
2021-10-04
Irfan Ariq
No

Hello,

We are currently working on a fuzz testing feature, and we found a SEGV in gm.

The stack trace is as follows:

==17182==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x556feabaef00 bp 0x7ffd93d9e120 sp 0x7ffd93d9bfe0 T0)
==17182==The signal is caused by a READ memory access.
==17182==Hint: address points to the zero page.
    #0 0x556feabaeeff in MSLStartElement coders/msl.c:883
    #1 0x7f471fbc6f3a in xmlParseStartTag (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x46f3a)
    #2 0x7f471fbd66cd  (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x566cd)
    #3 0x7f471fbd755d in xmlParseChunk (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x5755d)
    #4 0x556feabc8a05 in ProcessMSLScript coders/msl.c:4652
    #5 0x556feabc94fb in ReadMSLImage coders/msl.c:4716
    #6 0x556fea84a35a in ReadImage magick/constitute.c:1630
    #7 0x556fea7f0ad4 in ConjureImageCommand magick/command.c:6533
    #8 0x556fea7fc48a in MagickCommand magick/command.c:8907
    #9 0x556fea82aacd in GMCommandSingle magick/command.c:17445
    #10 0x556fea82add0 in GMCommand magick/command.c:17498
    #11 0x556fea7cf309 in main utilities/gm.c:61

The full stack trace is attached.

Steps to reproduce

We configured gm using CFLAGS="-g -O0 -fsanitize=address" CXXFLAGS="-g -O0 -fsanitize=address" ./configure --prefix=$(pwd)/, built it using make -j10, and ran it with:

./gm conjure +dither -scale <attached file> -snaps -box tiff:tile-width=.gz -strokewidth -format -metric tiff:bits-per-sample=Dialog -interlace -sample tiff:bits-per-sample=Pixels -convolve -opaque +gamma -authenticate Blend geometry an textFont crop -fuzz MAGICK_TMPDIR tiff:group-three-options=threshold print Noise-Random -stegano as -transparent tiff:tile-width=Wide medianfilter Image -silent -density tiff:max-sample-value=+shade value -texture tiff:max-sample-value=pen9 Lanczos command error tiff:bits-per-sample=ALT -mode dpx:colorspace=rgb threshold Photo tiff:tile-geometry=%0No, -version factor -background shave reducenoise tiff:max-sample-value=amount xor -units jpeg:dct-method=/image group get browseCommand -limit tiff:tile-height=channeltype Displace MAGICK_DEBUG mogrify 2.3 -noop tiff:bits-per-sample=Perceptual, Effects tiff:tile-geometry=channeltype -contrast -map Miscellany tiff:max-sample-value=ps:imagemask blur y -charcoal -recolor dpx:bits-per-sample=+contrast Rotate borderWidth or -solarize tiff:tile-height=value -random-threshold ps:imagemask -define equalize -operator jpeg:dct-method=composite -deconstruct jpeg:dct-method=+page -frame pixmap -colors tiff:bits-per-sample=name ColorSeparationMatte all -create-directories Map tiff:tile-height=reducenoise -delay -motion-blur -stroke -set dpx:bits-per-sample=print Saturation -write sigma CopyBlack %o, -white-threshold -resample Ctl-q STABLE tiff:rows-per-strip=QuantumDepth Foreground Module dpx:bits-per-sample=Gray base-image gamma -watermark Display -tile debug Noise-Uniform tiff:alpha=associated Plus F4 import blend Draw shear bumpmap -quality tiff:tile-height=filltoborder colormapped tiff:tile-height=+endian tiff:max-sample-value=shared magnify -flatten Grayscale Description MAGICK_CODER_MODULE_PATH swirl Tint Quit -mask transparent tiff:tile-height=View top-to-bottom tiff:min-sample-value=Multiply tiff:rows-per-strip=1.2 Dialog -size Plane, MatteColor -magnify Noise-Multiplicative 
tiff:bits-per-sample=enhance font- tiff:group-three-options=F4 tiff:tile-geometry=no Composite None -despeckle Line dpx:bits-per-sample=shared -chop jpeg:dct-method=Grab Operators -text-font -output-directory ColorSeparation -descend -iconGeometry UNSTABLE -geometry Yellow background tiff:tile-geometry=% -repage /image -average tiff:samples-per-pixel=MAGICK_FILTER_MODULE_PATH -lat tiff:rows-per-strip=Transform -mattecolor SharedMemory trim writeFilename IDENTITY subtract jpeg:preserve-settings -virtual-pixel -filter Constant profile -unsharp tiff:tile-width=OMP_NUM_THREADS -enhance -verbose image resize -roll font1 -segment Edit +repage threshold tiff:min-sample-value=120,90 module -antialias exit Rec709YCbCr -append -title tiff:samples-per-pixel=Green +debug tiff:tile-geometry=Intensity jpeg:dct-method=y CopyOpacity -highlight-color tiff:max-sample-value=Command tiff:min-sample-value=x textFont diffusion PixelsPerInch flip Over -displace -process Options tiff:group-three-options=? flatten tiff:samples-per-pixel=Yellow Or Name Command tiff:min-sample-value=oilpaint HOME BorderWidth tiff:bits-per-sample=import Assign verbose -minify 1 -negate -matte tiff:samples-per-pixel=scale -morph Ctl+O -shear tiff:tile-width=Composite polygon Perceptual, -intent tiff:tile-height=Threshold -profile -rotate ALT -level tiff:rows-per-strip=CMYK tiff:tile -sampling-factor filltoborder backdrop +page Import -blue-primary F1 Convert -update printCommand tiff:group-three-options=concatenate despeckle -flop TIFF -extent FontList confirmExit Identify tiff:tile-width=compressed normalize Matte -wave -crop -log Noise-Laplacian Optimize Depth 120,90 Undo Cyan tiff:min-sample-value=Montage -median Blue GIF +render Mogrify MAGICK_LIMIT_PIXELS -label -screen float tiff:group-three-options=COLUMNS -swirl tiff:bits-per-sample=Ctl+O a Floyd/Steinberg tiff:max-sample-value=key Noise-Impulse LShift Log -shade -spread tiff:rows-per-strip=Relative, -debug Plane F/X tiff:rows-per-strip=color -region 
gunzip Noise-Poisson -comment matteColor jpeg:dct-method=Draw -set -green-primary

The input file is attached.

Environment
- OS: Ubuntu 18.04.5 LTS
- GCC version: gcc 7.5.0
- GraphicsMagick version: GraphicsMagick 1.3.36

Thank you.

1 Attachments

Discussion

    Irfan Ariq - 2021-10-05

    Hi,

    I have tried to reproduce the bug in the latest version of gm in mercurial (16551:3d657485eadf) and the crash still exists.

    This is the output when I check the gm version that I use (checked using ./gm -version):

    GraphicsMagick 1.4 snapshot-20210918 Q8 http://www.GraphicsMagick.org/
    Copyright (C) 2002-2020 GraphicsMagick Group.
    Additional copyrights and licenses apply to this software.
    See http://www.GraphicsMagick.org/www/Copyright.html for details.
    
    Feature Support:
      Native Thread Safe         yes
      Large Files (> 32 bit)     yes
      Large Memory (> 32 bit)    yes
      BZIP                       yes
      DPS                        no
      FlashPix                   no
      FreeType                   yes
      Ghostscript (Library)      no
      JBIG                       yes
      JPEG-2000                  no
      JPEG                       yes
      Little CMS                 no
      Loadable Modules           no
      Solaris mtmalloc           no
      Google perftools tcmalloc  no
      OpenMP                     yes (201511 "4.5")
      PNG                        yes
      TIFF                       no
      TRIO                       no
      Solaris umem               no
      WebP                       no
      WMF                        no
      X11                        yes
      XML                        yes
      ZLIB                       yes
    
    Host type: x86_64-pc-linux-gnu
    
    Configured using the command:
      ./configure  '--prefix=$(pwd)/' 'CFLAGS=-g -O0 -fsanitize=address' 'CXXFLAGS=-g -O0 -fsanitize=address'
    
    Final Build Parameters:
      CC       = gcc
      CFLAGS   = -fopenmp -g -O0 -fsanitize=address -Wall -pthread
      CPPFLAGS = -I/usr/include/freetype2 -I/usr/include/libxml2
      CXX      = g++
      CXXFLAGS = -g -O0 -fsanitize=address -pthread
      LDFLAGS  = 
      LIBS     = -ljbig -lfreetype -ljpeg -lpng16 -lXext -lX11 -llzma -lbz2 -lxml2 -lz -lm -lpthread
    

    Thank you.

    Irfan Ariq - 2021-10-05

    This is the new stack trace from the latest version of gm.

    ASAN:DEADLYSIGNAL
    =================================================================
    ==20969==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x55b32b8e2e6b bp 0x7ffd3e1a0a60 sp 0x7ffd3e19e920 T0)
    ==20969==The signal is caused by a READ memory access.
    ==20969==Hint: address points to the zero page.
        #0 0x55b32b8e2e6a in MSLStartElement coders/msl.c:922
        #1 0x7fc537c38f3a in xmlParseStartTag (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x46f3a)
        #2 0x7fc537c486cd  (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x566cd)
        #3 0x7fc537c4955d in xmlParseChunk (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x5755d)
        #4 0x55b32b903c7a in ProcessMSLScript coders/msl.c:4601
        #5 0x55b32b904e63 in ReadMSLImage coders/msl.c:4738
        #6 0x55b32b57c2e0 in ReadImage magick/constitute.c:1630
        #7 0x55b32b522b07 in ConjureImageCommand magick/command.c:6542
        #8 0x55b32b52e454 in MagickCommand magick/command.c:8916
        #9 0x55b32b55ca53 in GMCommandSingle magick/command.c:17454
        #10 0x55b32b55cd56 in GMCommand magick/command.c:17507
        #11 0x55b32b501319 in main utilities/gm.c:61
        #12 0x7fc536e19bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
        #13 0x55b32b501219 in _start (/extra/irfanariq/reportbugs/subject-report/graphicsmagick-git/install_asan/bin/gm+0xd6219)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV coders/msl.c:922 in MSLStartElement
    ==20969==ABORTING
    
    Bob Friesenhahn - 2021-11-03
    • status: open --> closed-fixed
    • assigned_to: Bob Friesenhahn
    Bob Friesenhahn - 2021-11-03

    This problem is fixed by Mercurial changeset 16557:2067faf19869. When GraphicsMagick started, the MSL/conjure implementation was "experimental". Fuzz testing (starting with oss-fuzz) has exposed how fragile/broken the implementation was. This changeset should improve the robustness quite a lot since it addresses a fundamental error reporting issue.

    The MSL script itself should be considered "trusted" since it is able to request arbitrary commands. Non-trusted users should never be allowed to compose arbitrary MSL scripts. Regardless, this changeset should help the script quit with an error as soon as a problem is detected.

    Thank you very much for submitting this test case.
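    The crash signature above (a READ of address 0x18, which ASAN flags as the zero page) is what a C program produces when it dereferences a struct field at offset 0x18 through a NULL pointer, and the fix comment describes the cure: report the error and stop processing the script at the first bad element. The following is an added example, not code from this ticket or from GraphicsMagick; it models the shape of a SAX start-element callback like MSLStartElement with hypothetical names (MslState, Element, msl_*), a constructed image layout, and a plain loop standing in for the libxml2 push parser so it runs stand-alone.

```c
/* Added example (not GraphicsMagick code): a minimal SAX-style start-element
 * dispatcher shaped like MSLStartElement. It shows (1) why a NULL image
 * pointer yields "SEGV on unknown address 0x18 ... points to the zero page"
 * and (2) the fail-fast pattern from the fix: record the error and stop at
 * the first bad element. All names here are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed image record. The char[24] prefix puts 'columns' at offset
 * 0x18, so reading image->columns through a NULL 'image' touches address
 * 0x18, the zero page, exactly the address in the ASAN report. Which field
 * msl.c actually reads is not shown by the report; this layout is illustrative. */
typedef struct Image {
    char          filename[24];
    unsigned long columns;
    unsigned long rows;
} Image;

/* Per-script state handed to every callback. 'image' stays NULL until an
 * <image> element has been seen. */
typedef struct MslState {
    Image *image;
    Image  storage;       /* backing store for the single image in this toy */
    int    status;        /* 0 = ok, 1 = error recorded */
    char   message[96];
} MslState;

/* One parsed start tag: element name plus a single attribute value. */
typedef struct Element {
    const char *name;
    const char *value;
} Element;

size_t msl_columns_offset(void) { return offsetof(Image, columns); }

/* Record the first error only; later callbacks must not overwrite it. */
static int msl_fail(MslState *st, const char *what, const char *detail)
{
    if (st->status == 0) {
        st->status = 1;
        snprintf(st->message, sizeof st->message, "%s: %s", what, detail);
    }
    return -1;
}

/* SAX start-element callback. Every handler that needs an image checks for
 * one first; the reported crash is what happens when such a check is missing
 * and st->image->columns is read with st->image == NULL. */
int msl_start_element(MslState *st, const char *name, const char *value)
{
    if (st->status != 0)
        return -1;                 /* already failed: ignore further input */

    if (strcmp(name, "image") == 0) {
        memset(&st->storage, 0, sizeof st->storage);
        snprintf(st->storage.filename, sizeof st->storage.filename, "%s",
                 value ? value : "");
        st->storage.columns = st->storage.rows = 1;
        st->image = &st->storage;
        return 0;
    }
    if (strcmp(name, "resize") == 0) {
        if (st->image == NULL)
            return msl_fail(st, "resize", "no image loaded");
        char *end = NULL;
        unsigned long w = strtoul(value ? value : "", &end, 10);
        if (value == NULL || *value == '\0' || *end != '\0' || w == 0)
            return msl_fail(st, "resize", "bad geometry");
        st->image->columns = w;
        return 0;
    }
    if (strcmp(name, "write") == 0) {
        if (st->image == NULL)
            return msl_fail(st, "write", "no image loaded");
        return 0;
    }
    return msl_fail(st, "unknown element", name);
}

/* Driver standing in for the push-parser loop: feed each start tag to the
 * callback and stop at the first recorded error instead of parsing on. */
int msl_run(MslState *st, const Element *script, size_t n)
{
    memset(st, 0, sizeof *st);
    for (size_t i = 0; i < n; i++) {
        if (msl_start_element(st, script[i].name, script[i].value) != 0)
            return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed scripts: a fuzzer-style one that resizes before any
       <image> exists, and a well-formed one. */
    const Element bad[]  = { {"resize", "64"}, {"write", "out.png"} };
    const Element good[] = { {"image", "in.png"}, {"resize", "64"}, {"write", "out.png"} };
    MslState st;
    int rc;

    printf("image->columns would be read at offset 0x%zx\n", msl_columns_offset());
    rc = msl_run(&st, bad, 2);
    printf("bad script: rc=%d (%s)\n", rc, st.message);
    rc = msl_run(&st, good, 3);
    printf("good script: rc=%d columns=%lu\n", rc, st.image->columns);
    return 0;
}
```

    With a real libxml2 SAX handler the same idea applies, except that the callback returns void, so the handler records the error in its user-data struct and the parser is told to stop (libxml2 provides xmlStopParser for this); the driver loop above is only a stand-in for that mechanism.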


