Description of problem:
ImageMagick crashes with evidence of memory corruption of heap memory after an attempt to open a fuzzed PCX picture.

Version-Release number of selected component (if applicable):
ImageMagick-6.2.8.0-4.fc6

How reproducible:
Always.

Steps to Reproduce:
$ gdb display
(gdb) run broken.pcx

Actual Results:
[Thread debugging using libthread_db enabled]
[New Thread 46912507440048 (LWP 29371)]
[Switching to Thread 46912507440048 (LWP 29371)]
*** glibc detected *** /usr/bin/display: malloc(): memory corruption: 0x0000000000625b10 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3a95c6f0e4]
/lib64/libc.so.6(__libc_malloc+0x7d)[0x3a95c7086d]
/usr/lib64/libMagick.so.10(AcquireMagickMemory+0x2e)[0x2aaaaabc5c16]
/usr/lib64/libMagick.so.10(NewLinkedList+0x16)[0x2aaaaabac12e]
/usr/lib64/libMagick.so.10(GetExceptionInfo+0x59)[0x2aaaaab99932]
/usr/lib64/libMagick.so.10(GetLocaleMessage+0x46)[0x2aaaaabbee00]
/usr/lib64/libMagick.so.10(GetLocaleExceptionMessage+0x82)[0x2aaaaab99dba]
/usr/lib64/libMagick.so.10(ThrowMagickExceptionList+0xa4)[0x2aaaaab9a2f4]
/usr/lib64/libMagick.so.10(ThrowMagickException+0x120)[0x2aaaaab9a506]
/usr/lib64/libMagick.so.10[0x2aaaaabb920c]
/usr/lib64/libMagick.so.10(SyncImage+0x124)[0x2aaaaabb90e3]
/usr/lib64/ImageMagick-6.2.8/modules-Q16/coders/pcx.so[0x2aaaab57ab76]
/usr/lib64/libMagick.so.10(ReadImage+0x370)[0x2aaaaab3bfa1]
/usr/lib64/libWand.so.10(DisplayImageCommand+0x13d5)[0x2aaaaaf4f0a3]
/usr/bin/display[0x400c2a]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x3a95c1da44]
/usr/bin/display[0x400a19]
======= Memory map: ========
Program received signal SIGABRT, Aborted.
0x0000003a95c301b5 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
        in ../nptl/sysdeps/unix/sysv/linux/raise.c
(gdb) bt
#0  0x0000003a95c301b5 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x0000003a95c31b20 in *__GI_abort () at abort.c:88
#2  0x0000003a95c6766b in __libc_message (do_abort=2, fmt=0x3a95d19be8 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#3  0x0000003a95c6f0e4 in _int_malloc (av=0x3a95f49980, bytes=64) at malloc.c:5758
#4  0x0000003a95c7086d in *__GI___libc_malloc (bytes=64) at malloc.c:3468
#5  0x00002aaaaabc5c16 in AcquireMagickMemory (size=64) at magick/memory.c:321
#6  0x00002aaaaabac12e in NewLinkedList (capacity=0) at magick/hashmap.c:1408
#7  0x00002aaaaab99932 in GetExceptionInfo (exception=0x7fff0b0010e0) at magick/exception.c:428
#8  0x00002aaaaabbee00 in GetLocaleMessage (tag=0x7fff0b002160 "Exception/Corrupt/Image/Error/InvalidColormapIndex") at magick/locale.c:433
#9  0x00002aaaaab99dba in GetLocaleExceptionMessage (severity=CorruptImageError, tag=0x2aaaaac7dbc7 "InvalidColormapIndex") at magick/exception.c:565
#10 0x00002aaaaab9a2f4 in ThrowMagickExceptionList (exception=0x630e68, module=0x2aaaaac7dbdc "./magick/color-private.h", function=0x2aaaaac7dbb0 "ConstrainColormapIndex", line=46, severity=CorruptImageError, tag=0x2aaaaac7dbc7 "InvalidColormapIndex", format=0x2aaaaac7d140 "`%s'", operands=0x7fff0b004240) at magick/exception.c:962
#11 0x00002aaaaab9a506 in ThrowMagickException (exception=0x630e68, module=0x2aaaaac7dbdc "./magick/color-private.h", function=0x2aaaaac7dbb0 "ConstrainColormapIndex", line=46, severity=CorruptImageError, tag=0x2aaaaac7dbc7 "InvalidColormapIndex", format=0x2aaaaac7d140 "`%s'") at magick/exception.c:989
#12 0x00002aaaaabb920c in ConstrainColormapIndex (image=0x62dbf0, index=4) at magick/color-private.h:46
#13 0x00002aaaaabb90e3 in SyncImage (image=0x62dbf0) at magick/image.c:3420
#14 0x00002aaaab57ab76 in ReadPCXImage (image_info=0x61f350, exception=0x7fff0b009b90) at coders/pcx.c:595
#15 0x00002aaaaab3bfa1 in ReadImage (image_info=0x61a1b0, exception=0x7fff0b009b90) at magick/constitute.c:389
#16 0x00002aaaaaf4f0a3 in DisplayImageCommand (image_info=0x61a1b0, argc=2, argv=0x6068b0, wand_unused_metadata=0x0, exception=0x7fff0b009b90) at wand/display.c:498
#17 0x0000000000400c2a in main (argc=2, argv=0x7fff0b009cc8) at utilities/display.c:132
#18 0x0000003a95c1da44 in __libc_start_main (main=0x400aa8 <main>, argc=2, ubp_av=0x7fff0b009cc8, init=<value optimized out>, fini=<value optimized out>, rtld_fini=<value optimized out>, stack_end=0x7fff0b009cb8) at libc-start.c:231
#19 0x0000000000400a19 in _start ()
(gdb)

Additional info:
I assume that arbitrary code execution is possible, unless proven otherwise. See the Debian bug report referred to in URL for more information.
Created attachment 157538
Reproducer for ImageMagick PCX coder heap corruption
Created attachment 157539
Fix for the ImageMagick PCX coder heap overflow

This one was taken from Debian.
Reporter changed to security-response-team by request of Jay Turner.
I'm closing this due to its age.