705423 – ImageMagick's StripString calls memcpy() on overlapping regions.

Bug 705423 - ImageMagick's StripString calls memcpy() on overlapping regions.

Summary: ImageMagick's StripString calls memcpy() on overlapping regions.

Keywords:
Status:	CLOSED UPSTREAM
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	ImageMagick
Sub Component:
Version:	14
Hardware:	i686
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Pavel Alexeev
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:bc10f1b6a0c7e7ce7ba7444dd5e...
Depends On:
Blocks:	696096
TreeView+	depends on / blocked

Reported:	2011-05-17 16:02 UTC by Orion Poplawski
Modified:	2011-06-02 19:53 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2011-06-02 19:53:05 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
File: backtrace (14.68 KB, text/plain) 2011-05-17 16:02 UTC, Orion Poplawski	no flags	Details
View All

Description Orion Poplawski 2011-05-17 16:02:03 UTC

abrt version: 1.1.18
architecture: i686
Attached file: backtrace, 15029 bytes
cmdline: display NovopashinMuriel2002_IsTheCriticalReynoldsNumberUniversal.ps
component: ImageMagick
Attached file: coredump, 4096000 bytes
crash_function: __libc_message
executable: /usr/bin/display
kernel: 2.6.35.13-91.fc14.i686.PAE
package: ImageMagick-6.6.4.1-15.fc14
rating: 3
reason: Process /usr/bin/display was killed by signal 6 (SIGABRT)
release: Fedora release 14 (Laughlin)
time: 1305647536
uid: 1744

How to reproduce
-----
I'm running with memcpy checking installed.  ImageMagick's StripString improperly uses memcpy() on overlapping regions of memory.  It should use memmove() instead.

--- ./ImageMagick-6.6.4-1/magick/string.c.memcpy        2010-09-03 10:02:04.000000000 -0600
+++ ./ImageMagick-6.6.4-1/magick/string.c       2011-05-17 09:59:28.440876901 -0600
@@ -2326,7 +2326,7 @@
   if (q > p)
     if ((*q == '\'') || (*q == '"'))
       q--;
-  (void) memcpy(message,p,(size_t) (q-p+1));
+  (void) memmove(message,p,(size_t) (q-p+1));
   message[q-p+1]='\0';
   for (p=message; *p != '\0'; p++)
     if (*p == '\n')

Comment 1 Orion Poplawski 2011-05-17 16:02:06 UTC

Created attachment 499401 [details]
File: backtrace

Comment 2 Pavel Alexeev 2011-05-17 19:01:07 UTC

How initial bug may be reproduced?

Comment 3 Orion Poplawski 2011-05-17 19:07:32 UTC

You need to be running the ld.preload library from bug 696096.  I triggered the crash by using display to display a postscript file.

Comment 4 Pavel Alexeev 2011-05-29 16:46:28 UTC

Can you say if version 6.7.0-2 affected too?

Comment 5 Orion Poplawski 2011-05-31 20:05:04 UTC

Yes, it is affected too.

Comment 6 Pavel Alexeev 2011-06-02 19:53:05 UTC

http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=18867

Comment 7 Pavel Alexeev 2011-06-02 19:53:33 UTC

Orion, thank you very much for bugreport and help.

Note You need to log in before you can comment on or make changes to this bug.