Bug 705423

Summary: ImageMagick's StripString calls memcpy() on overlapping regions.
Product: Fedora
Reporter: Orion Poplawski <orion>
Component: ImageMagick
Assignee: Pavel Alexeev <pahan>
Status: CLOSED UPSTREAM
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 14
CC: nmurray, pahan
Hardware: i686
OS: Unspecified
Whiteboard: abrt_hash:bc10f1b6a0c7e7ce7ba7444dd5e7e6c2db833a6f
Doc Type: Bug Fix
Last Closed: 2011-06-02 19:53:05 UTC
Bug Blocks: 696096
Attachments: backtrace

Description Orion Poplawski 2011-05-17 16:02:03 UTC
abrt version: 1.1.18
architecture: i686
Attached file: backtrace, 15029 bytes
cmdline: display NovopashinMuriel2002_IsTheCriticalReynoldsNumberUniversal.ps
component: ImageMagick
Attached file: coredump, 4096000 bytes
crash_function: __libc_message
executable: /usr/bin/display
kernel: 2.6.35.13-91.fc14.i686.PAE
package: ImageMagick-6.6.4.1-15.fc14
rating: 3
reason: Process /usr/bin/display was killed by signal 6 (SIGABRT)
release: Fedora release 14 (Laughlin)
time: 1305647536
uid: 1744

How to reproduce
-----
I'm running with memcpy checking installed.  ImageMagick's StripString improperly uses memcpy() on overlapping regions of memory.  It should use memmove() instead.

--- ./ImageMagick-6.6.4-1/magick/string.c.memcpy        2010-09-03 10:02:04.000000000 -0600
+++ ./ImageMagick-6.6.4-1/magick/string.c       2011-05-17 09:59:28.440876901 -0600
@@ -2326,7 +2326,7 @@
   if (q > p)
     if ((*q == '\'') || (*q == '"'))
       q--;
-  (void) memcpy(message,p,(size_t) (q-p+1));
+  (void) memmove(message,p,(size_t) (q-p+1));
   message[q-p+1]='\0';
   for (p=message; *p != '\0'; p++)
     if (*p == '\n')
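Review bot: the memmove() substitution on the changed line is the correct fix, because p is a pointer into the same message buffer that is the copy's destination, so source and destination overlap whenever leading whitespace or an opening quote was skipped, and memcpy() has undefined behaviour on overlapping ranges (which is exactly what the memcpy-checking LD_PRELOAD library from bug 696096 flagged). Since the length is still computed as `(size_t) (q-p+1)` and nothing in the hunk documents why memmove() is required, consider adding a one-line comment above it stating that the ranges overlap, so a later cleanup does not "optimise" it back to memcpy(). Also note that the patch header names ImageMagick-6.6.4-1 while the crashing package is ImageMagick-6.6.4.1-15.fc14; worth confirming the hunk applies cleanly to the Fedora source tree as packaged.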

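The memcpy()/memmove() distinction at the heart of this report, shown as an added, self-contained example; this is not ImageMagick's code and not the reporter's patch. The strip routine below is a hypothetical simplification that only mirrors the shape of the patched hunk (skip leading whitespace and a quote, trim trailing whitespace and a quote, copy the kept range back to the start of the buffer), and the helper names `regions_overlap`, `strip_in_place` and `strip_matches` are assumptions of this example. The point it makes: because `p` points inside `message`, the copy's source and destination overlap as soon as anything was skipped, so only memmove() is defined for that call.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* True when the byte ranges [dst, dst+n) and [src, src+n) overlap.
   memcpy() has undefined behaviour for such ranges; memmove() is defined. */
bool regions_overlap(const void *dst, const void *src, size_t n)
{
    const char *d = (const char *)dst;
    const char *s = (const char *)src;
    return (d < s + n) && (s < d + n);
}

/* Hypothetical simplified strip routine (not ImageMagick's StripString):
   trims leading/trailing whitespace and one surrounding quote pair, in place.
   The kept range [p, q] lives inside the destination buffer `message`, so the
   final copy overlaps whenever p > message. */
void strip_in_place(char *message)
{
    char *p, *q;
    size_t n;

    if (message == NULL)
        return;
    for (p = message; isspace((unsigned char)*p); p++)
        ;
    if ((*p == '\'') || (*p == '"'))
        p++;
    if (*p == '\0') {                /* only whitespace / a lone quote: empty result */
        message[0] = '\0';
        return;
    }
    q = message + strlen(message) - 1;
    while ((q > p) && isspace((unsigned char)*q))
        q--;
    if ((q > p) && ((*q == '\'') || (*q == '"')))
        q--;
    n = (size_t)(q - p + 1);
    /* memmove(), not memcpy(): source [p, p+n) overlaps destination [message, message+n). */
    memmove(message, p, n);
    message[n] = '\0';
}

/* Copies a constructed input into scratch space, strips it and compares the
   result with the expected string. */
bool strip_matches(const char *input, const char *expected)
{
    char buf[256];
    if (strlen(input) >= sizeof buf)
        return false;
    strcpy(buf, input);
    strip_in_place(buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[] = "  'quoted value'  ";   /* constructed sample input */
    printf("overlapping copy: %d\n", regions_overlap(buf, buf + 3, 12));
    strip_in_place(buf);
    printf("stripped: [%s]\n", buf);
    return 0;
}
```

Running the strip under a memcpy-overlap checker (as the reporter did) is the practical detection for this class of bug: the copy silently works on many glibc builds and only fails once an optimised memcpy() copies in a different order, so a test that exercises inputs with leading whitespace or quotes is what makes the defect reproducible.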
Comment 1 Orion Poplawski 2011-05-17 16:02:06 UTC
Created attachment 499401 [details]
File: backtrace

Comment 2 Pavel Alexeev 2011-05-17 19:01:07 UTC
How can the initial bug be reproduced?

Comment 3 Orion Poplawski 2011-05-17 19:07:32 UTC
You need to be running the ld.preload library from bug 696096.  I triggered the crash by using display to display a postscript file.

Comment 4 Pavel Alexeev 2011-05-29 16:46:28 UTC
Can you say if version 6.7.0-2 is affected too?

Comment 5 Orion Poplawski 2011-05-31 20:05:04 UTC
Yes, it is affected too.

Comment 7 Pavel Alexeev 2011-06-02 19:53:33 UTC
Orion, thank you very much for the bug report and help.