Bug 705423 - ImageMagick's StripString calls memcpy() on overlapping regions.
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: ImageMagick
Assigned To: Pavel Alexeev
Blocks: 696096
Reported: 2011-05-17 12:02 EDT by Orion Poplawski
Modified: 2011-06-02 15:53 EDT (History)

Last Closed: 2011-06-02 15:53:05 EDT

Attachments
File: backtrace (14.68 KB, text/plain)
2011-05-17 12:02 EDT, Orion Poplawski

Description Orion Poplawski 2011-05-17 12:02:03 EDT
abrt version: 1.1.18
architecture: i686
Attached file: backtrace, 15029 bytes
cmdline: display NovopashinMuriel2002_IsTheCriticalReynoldsNumberUniversal.ps
component: ImageMagick
Attached file: coredump, 4096000 bytes
crash_function: __libc_message
executable: /usr/bin/display
kernel: 2.6.35.13-91.fc14.i686.PAE
package: ImageMagick-6.6.4.1-15.fc14
rating: 3
reason: Process /usr/bin/display was killed by signal 6 (SIGABRT)
release: Fedora release 14 (Laughlin)
time: 1305647536
uid: 1744

How to reproduce
-----
I'm running with memcpy checking installed.  ImageMagick's StripString improperly uses memcpy() on overlapping regions of memory.  It should use memmove() instead.

--- ./ImageMagick-6.6.4-1/magick/string.c.memcpy        2010-09-03 10:02:04.000000000 -0600
+++ ./ImageMagick-6.6.4-1/magick/string.c       2011-05-17 09:59:28.440876901 -0600
@@ -2326,7 +2326,7 @@
   if (q > p)
     if ((*q == '\'') || (*q == '"'))
       q--;
-  (void) memcpy(message,p,(size_t) (q-p+1));
+  (void) memmove(message,p,(size_t) (q-p+1));
   message[q-p+1]='\0';
   for (p=message; *p != '\0'; p++)
     if (*p == '\n')
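Review bot: the switch to memmove() is the right fix here. `message` is the destination and `p` points into that same buffer at the first kept byte, so the `(size_t) (q-p+1)` bytes being copied overlap their destination (identically when nothing was trimmed from the front, shifted when something was), and memcpy() on overlapping regions is undefined. Since the preload checker only flags the code paths the PostScript input actually exercised, it is worth grepping the rest of magick/string.c for the same in-place memcpy() pattern before the patch goes upstream.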
Comment 1 Orion Poplawski 2011-05-17 12:02:06 EDT
Created attachment 499401
File: backtrace
Comment 2 Pavel Alexeev 2011-05-17 15:01:07 EDT
How may the initial bug be reproduced?
Comment 3 Orion Poplawski 2011-05-17 15:07:32 EDT
You need to be running the ld.preload library from bug 696096.  I triggered the crash by using display to display a postscript file.
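The overlap that the description and comment 3 describe, as an added example that is not ImageMagick's code: `strip_in_place` mirrors the hunk's logic (trim blanks and a surrounding quote, then move the kept span to the front of the same buffer) and `regions_overlap` is the kind of check a memcpy-checking preload applies before letting a copy through. Both function names are hypothetical and the input strings are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical check of the kind a memcpy-checking preload performs:
 * returns 1 when [dst, dst+n) and [src, src+n) share at least one byte,
 * the case in which memcpy() is undefined and memmove() is required.
 * Both pointers are assumed to lie within one object (true for the
 * in-place strip below), so comparing them is well defined. */
int regions_overlap(const void *dst, const void *src, size_t n)
{
    const char *d = dst, *s = src;
    if (n == 0)
        return 0;
    return (d < s + n) && (s < d + n);
}

/* In-place strip modelled on the hunk (not ImageMagick's code): skip
 * leading blanks and an opening quote, drop trailing blanks and a closing
 * quote, then move the kept span to the front of the same buffer.
 * 'message' (destination) and 'p' (source) address the same buffer, so
 * whenever n > 0 the two regions overlap: identical if nothing was
 * stripped from the front, shifted otherwise. memmove() handles that,
 * memcpy() does not. Returns the overlap verdict so a caller or test can
 * see why memmove() is needed. */
int strip_in_place(char *message)
{
    char *p = message, *q;
    size_t n;
    int overlapped;

    while (isspace((unsigned char)*p))
        p++;
    if (*p == '\'' || *p == '"')
        p++;
    q = p + strlen(p);                       /* one past the last byte */
    while (q > p && isspace((unsigned char)q[-1]))
        q--;
    if (q > p && (q[-1] == '\'' || q[-1] == '"'))
        q--;
    n = (size_t)(q - p);
    overlapped = regions_overlap(message, p, n);
    memmove(message, p, n);                  /* memcpy() here is the bug */
    message[n] = '\0';
    return overlapped;
}
```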
Comment 4 Pavel Alexeev 2011-05-29 12:46:28 EDT
Can you say if version 6.7.0-2 is affected too?
Comment 5 Orion Poplawski 2011-05-31 16:05:04 EDT
Yes, it is affected too.
Comment 7 Pavel Alexeev 2011-06-02 15:53:33 EDT
Orion, thank you very much for the bug report and help.
