Bug 1484196 - There is an invalid free in magick/memory.c of GraphicsMagick.
Summary: There is an invalid free in magick/memory.c of GraphicsMagick.
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: GraphicsMagick
Version: 28
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Andreas Thienemann
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-08-23 02:06 UTC by owl337
Modified: 2019-05-28 19:32 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-05-28 19:32:01 UTC
Type: Bug
Embargoed:


Attachments:
Triggered by " ./gm montage POC2 /dev/null " (400 bytes, application/x-rar), attached 2017-08-23 02:06 UTC by owl337

Description owl337 2017-08-23 02:06:53 UTC
Created attachment 1316928 [details]
Triggered by " ./gm  montage POC2 /dev/null "

Description of problem:

There is an invalid free in magick/memory.c of GraphicsMagick.

Version-Release number of selected component (if applicable):

<= latest version


How reproducible:

./gm  montage POC1 /dev/null  

Steps to Reproduce:

$ ./gm  montage POC1 /dev/null  
*** Error in `./gm': free(): invalid next size (fast): 0x0000000001677e10 ***
./gm montage: abort due to signal 6 (SIGABRT) "Abort"...
Aborted


The GDB debugging information is as follows:

$ ./gm  montage POC1 /dev/null  
(gdb) r
...
Breakpoint 1, MagickFree (memory=0xaecdd0) at magick/memory.c:509
509	    (FreeFunc)(memory);
(gdb) c 37
...

Breakpoint 1, MagickFree (memory=0xaece10) at magick/memory.c:509
509	    (FreeFunc)(memory);
(gdb) n
*** Error in `/home/icy/secreal/GraphicsMagick-1.3.26/install/bin/gm': free(): invalid next size (fast): 0x0000000000aece10 ***

Program received signal SIGABRT, Aborted.
0x00007ffff59d41c7 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
55	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt 
#0  0x00007ffff59d41c7 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007ffff59d5e2a in __GI_abort () at abort.c:89
#2  0x00007ffff5a17ba3 in __libc_message (do_abort=do_abort@entry=1, 
    fmt=fmt@entry=0x7ffff5b300f8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff5a1fbb9 in malloc_printerr (ptr=<optimized out>, str=0x7ffff5b30170 "free(): invalid next size (fast)", 
    action=1) at malloc.c:4965
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3834
#5  0x00007ffff5a237ec in __GI___libc_free (mem=<optimized out>) at malloc.c:2950
#6  0x00000000004c0b79 in MagickFree (memory=0x1d949) at magick/memory.c:509
#7  0x000000000073a758 in ReadTIFFImage (image_info=0xaf9470, exception=0x7fffffffcb98) at coders/tiff.c:2375
#8  0x0000000000478774 in ReadImage (image_info=<optimized out>, exception=0x7fffffffcb98) at magick/constitute.c:1607
#9  0x0000000000453114 in MontageImageCommand (image_info=0xaf4750, argc=<optimized out>, argv=<optimized out>, 
    metadata=0x0, exception=0x7fffffffcb98) at magick/command.c:14064
#10 0x0000000000443507 in MagickCommand (image_info=<optimized out>, argc=<optimized out>, argv=0x7fffffffe550, 
    metadata=<optimized out>, exception=0x7fffffffcb98) at magick/command.c:8869
#11 0x0000000000460435 in GMCommandSingle (argc=<optimized out>, argv=<optimized out>) at magick/command.c:17396
#12 0x000000000045f7c8 in GMCommand (argc=4, argv=0x7fffffffe548) at magick/command.c:17449
#13 0x00007ffff59bfac0 in __libc_start_main (main=0x40bcc0 <main>, argc=4, argv=0x7fffffffe548, init=<optimized out>, 
    fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe538) at libc-start.c:289
#14 0x000000000040bbe9 in _start ()

The vulnerability was triggered in function:
MagickFree (memory=0xaece10) at magick/memory.c:509
509	    (FreeFunc)(memory);


Actual results:


Expected results:


Additional info:

Comment 1 Bob Friesenhahn 2017-08-29 13:48:50 UTC
I believe that this bug is likely fixed by libtiff change:

2017-05-13 Even Rouault <even.rouault at spatialys.com>

        * libtiff/tif_pixarlog.c, tif_luv.c: avoid potential int32
        overflows in multiply_ms() and add_ms().
        Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1558
        Credit to OSS-Fuzz

While testing development GraphicsMagick with the latest libtiff sources, I see these error traces from libtiff:

08:41:48 0:01 0.000u 25164 tiff.c/unknown/2268/Coder:
  Allocating scanline buffer of 104 bytes
08:41:48 0:01 0.000u 25164 tiff.c/unknown/932/Coder:
  TIFF Warning: Discarding 89 bytes to avoid buffer overrun.
08:41:48 0:01 0.000u 25164 tiff.c/unknown/932/Coder:
  TIFF Warning: Discarding 16 bytes to avoid buffer overrun.
08:41:48 0:01 0.000u 25164 tiff.c/unknown/932/Coder:
  TIFF Warning: Discarding 1 bytes to avoid buffer overrun.
08:41:48 0:01 0.000u 25164 tiff.c/unknown/932/Coder:
  TIFF Warning: Terminating PackBitsDecode due to lack of data..
08:41:48 0:01 0.000u 25164 tiff.c/unknown/793/Coder:
  Not enough data for scanline 3. (PackBitsDecode)

If this is indeed the fix which solved the problem, then it was already included in libtiff 4.0.8.

Bob

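The libtiff change Bob cites replaces unchecked size arithmetic, and glibc's "free(): invalid next size" abort is what an undersized heap buffer overrun into the neighbouring chunk header looks like at free time; the following added example (not GraphicsMagick or libtiff code) shows the naive 32-bit product beside overflow-checked multiply/add helpers that return 0 so the caller refuses the allocation, plus a bounded copy that discards excess bytes the way the "Discarding N bytes to avoid buffer overrun" warnings describe. Function names and sample dimensions are constructed assumptions.

```c
/* Added example (not GraphicsMagick or libtiff code): overflow-checked
 * size arithmetic of the kind the cited libtiff change introduced, beside
 * the naive 32-bit product it replaces, and a bounded copy that discards
 * excess decoder output instead of overrunning the scanline buffer.
 * All function names and sample dimensions are constructed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pre-fix pattern: the product of header-controlled dimensions computed in
 * 32 bits. For width 0x40000001 and 4 samples/pixel the true size is
 * 0x100000004 bytes, but the 32-bit product wraps to 4, so a 4-byte buffer
 * would be allocated and then written with the full row of data.
 * The overrun clobbers the size field of the following heap chunk, which
 * is exactly what glibc reports as "free(): invalid next size" when the
 * buffer is later freed (MagickFree in the backtrace above). */
uint32_t naive_size32(uint32_t width, uint32_t spp, uint32_t bytes_per_sample)
{
    return width * spp * bytes_per_sample;   /* unsigned wrap, no check */
}

/* Checked multiply: 0 signals "does not fit"; callers treat 0 as failure. */
size_t checked_mul(size_t a, size_t b)
{
    if (a == 0 || b == 0)
        return 0;
    if (a > SIZE_MAX / b)
        return 0;
    return a * b;
}

/* Checked add with the same convention. */
size_t checked_add(size_t a, size_t b)
{
    if (a > SIZE_MAX - b)
        return 0;
    return a + b;
}

/* Size of a width x height image buffer plus a fixed extra (e.g. a header),
 * or 0 if any dimension is zero or the total cannot be represented. */
size_t checked_buffer_size(size_t width, size_t height, size_t spp,
                           size_t bytes_per_sample, size_t extra)
{
    size_t n = checked_mul(checked_mul(checked_mul(width, height), spp),
                           bytes_per_sample);
    if (n == 0)
        return 0;
    return checked_add(n, extra);
}

/* Allocate only when the size check passes; NULL otherwise. */
void *alloc_checked(size_t width, size_t height, size_t spp,
                    size_t bytes_per_sample, size_t extra, size_t *out_len)
{
    size_t n = checked_buffer_size(width, height, spp, bytes_per_sample, extra);
    *out_len = n;
    return n ? malloc(n) : NULL;
}

/* Copy n bytes of decoder output into dst at dst_off without passing
 * dst_len. Returns the number of bytes discarded, which a decoder would
 * log as "Discarding N bytes to avoid buffer overrun". */
size_t copy_bounded(uint8_t *dst, size_t dst_len, size_t dst_off,
                    const uint8_t *src, size_t n)
{
    size_t room = dst_off < dst_len ? dst_len - dst_off : 0;
    size_t keep = n < room ? n : room;
    if (keep)
        memcpy(dst + dst_off, src, keep);
    return n - keep;
}

/* Constructed scenario mirroring the trace above: a 104-byte scanline
 * buffer receives 193 bytes of decoded output, so 89 bytes are discarded
 * and the buffer's neighbour on the heap is left intact. */
size_t demo_discarded_bytes(void)
{
    uint8_t scanline[104];
    uint8_t decoded[193];
    memset(decoded, 0xAB, sizeof decoded);
    return copy_bounded(scanline, sizeof scanline, 0, decoded, sizeof decoded);
}

int main(void)
{
    size_t len;
    printf("naive 32-bit size for 0x40000001 x 4 x 1: %u bytes\n",
           naive_size32(0x40000001u, 4u, 1u));
    void *p = alloc_checked(SIZE_MAX, 2, 1, 1, 0, &len);
    printf("checked size for an impossible image: %zu (%s)\n", len,
           p ? "allocated" : "refused");
    free(p);
    printf("bytes discarded in the 104-byte scanline scenario: %zu\n",
           demo_discarded_bytes());
    return 0;
}
```
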
Comment 2 Salvatore Bonaccorso 2017-10-14 09:15:42 UTC
Hi Bob

I tried the following on a Debian unstable system with:

graphicsmagick 1.3.26-14
libtiff5 4.0.8-5

gdb --args gm montage ./POC1 /dev/null                                                                    
GNU gdb (Debian 7.12-6+b1) 7.12.0.20161007-git                                                                        
Copyright (C) 2016 Free Software Foundation, Inc.                                                                     
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>                                         
This is free software: you are free to change and redistribute it.                                                  
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"                                          
and "show warranty" for details.                                                                                        
This GDB was configured as "x86_64-linux-gnu".                                                                          
Type "show configuration" for configuration details.                                                                    
For bug reporting instructions, please see:                                                                               
<http://www.gnu.org/software/gdb/bugs/>.                                                                           
Find the GDB manual and other documentation resources online at:                                                   
<http://www.gnu.org/software/gdb/documentation/>.                                                                  
For help, type "help".                                                                                             
Type "apropos word" to search for commands related to "word"...                                                     
Reading symbols from gm...Reading symbols from /usr/lib/debug/.build-id/aa/32c79ad494cd49bec1714fd719b635a8701413.debug...done.
done.                                                                                                                
(gdb) r                                                                                                              
Starting program: /usr/bin/gm montage ./POC1 /dev/null                                                               
[Thread debugging using libthread_db enabled]                                                                        
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".                                           
*** Error in `/usr/bin/gm': free(): invalid next size (fast): 0x000055555576ce90 ***                               
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bfb)[0x7ffff7115bfb]                                                          
/lib/x86_64-linux-gnu/libc.so.6(+0x76fc6)[0x7ffff711bfc6]                                                          
/lib/x86_64-linux-gnu/libc.so.6(+0x7780e)[0x7ffff711c80e]                                                         
/usr/lib/libGraphicsMagick-Q16.so.3(+0x22915b)[0x7ffff7ab715b]                                                       
/usr/lib/libGraphicsMagick-Q16.so.3(ReadImage+0x1c8)[0x7ffff79475d8]                                                 
/usr/lib/libGraphicsMagick-Q16.so.3(MontageImageCommand+0xa44)[0x7ffff7933ad4]                                       
/usr/lib/libGraphicsMagick-Q16.so.3(MagickCommand+0x194)[0x7ffff7916a94]                                             
/usr/lib/libGraphicsMagick-Q16.so.3(+0x89ae6)[0x7ffff7917ae6]                                                     
/usr/lib/libGraphicsMagick-Q16.so.3(GMCommand+0x2e)[0x7ffff793a45e]                                                                                                        
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7ffff70c52e1]                                                                                                  
/usr/bin/gm(+0x66a)[0x55555555466a]
======= Memory map: ========

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff70d942a in __GI_abort () at abort.c:89
#2  0x00007ffff7115c00 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff720ad78 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff711bfc6 in malloc_printerr (action=3, str=0x7ffff720ae88 "free(): invalid next size (fast)", ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:5049
#4  0x00007ffff711c80e in _int_free (av=0x7ffff743cb00 <main_arena>, p=0x55555576ce80, have_lock=0) at malloc.c:3905
#5  0x00007ffff7ab715b in ReadTIFFImage (image_info=<optimized out>, exception=<optimized out>) at coders/tiff.c:2375
#6  0x00007ffff79475d8 in ReadImage (image_info=image_info@entry=0x555555774850, exception=exception@entry=0x7fffffffe2c0) at magick/constitute.c:1607
#7  0x00007ffff7933ad4 in MontageImageCommand (image_info=0x555555774850, argc=<optimized out>, argv=<optimized out>, metadata=0x0, exception=0x7fffffffe2c0) at magick/command.c:14064
#8  0x00007ffff7916a94 in MagickCommand (image_info=image_info@entry=0x555555774850, argc=argc@entry=3, argv=argv@entry=0x7fffffffec40, metadata=metadata@entry=0x7fffffffe2b8,
    exception=exception@entry=0x7fffffffe2c0) at magick/command.c:8869
#9  0x00007ffff7917ae6 in GMCommandSingle (argc=3, argc@entry=4, argv=0x7fffffffec40, argv@entry=0x7fffffffec38) at magick/command.c:17396
#10 0x00007ffff793a45e in GMCommand (argc=4, argv=0x7fffffffec38) at magick/command.c:17449
#11 0x00007ffff70c52e1 in __libc_start_main (main=0x555555554630 <main>, argc=4, argv=0x7fffffffec38, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
    stack_end=0x7fffffffec28) at ../csu/libc-start.c:291
#12 0x000055555555466a in _start ()
(gdb)

Regards,
Salvatore

Comment 3 Salvatore Bonaccorso 2017-10-14 18:30:11 UTC
Upstream fix: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/3db9449e3d6a/

Comment 4 Bob Friesenhahn 2017-10-23 13:26:39 UTC
It seems that information is still requested from me on this report.  What is still needed from me?

In my test setup, on Ubuntu 16 with development (CVS) libtiff and development GraphicsMagick, there are no more memory issues.

Bob

Comment 5 Rex Dieter 2017-10-23 14:17:55 UTC
I can clear needinfo

Comment 6 Fedora End Of Life 2018-02-20 15:27:27 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle.
Changing version to '28'.

Comment 7 Ben Cotton 2019-05-02 22:05:50 UTC
This message is a reminder that Fedora 28 is nearing its end of life.
On 2019-May-28 Fedora will stop maintaining and issuing updates for
Fedora 28. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 28 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 8 Ben Cotton 2019-05-28 19:32:01 UTC
Fedora 28 changed to end-of-life (EOL) status on 2019-05-28. Fedora 28 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

