Package: imagemagick Version: 7:6.3.7.9.dfsg2-1~lenny1 Severity: normal Playing around with the "zzuf" fuzzer from http://caca.zoy.org/wiki/zzuf, I managed to create a corrupt .tiff file that causes 'convert' to crash with a segmentation fault (most of the time). I've also compiled imagemagick from debian source and have a gdb backtrace that reveals the crash occurs in the .bmp writer, as it tries to encode an image with a horizontal resolution of 153249056 rows (?).
The original tiff image is available at http://www.noloop.net/bugs/imagemagick/001/good.tiff The corrupted image is available at http://www.noloop.net/bugs/imagemagick/001/corrupt.tiff The corrupt image was generated with zzuf-0.12, using zzuf -c -d -s 181 -r 0.004 cat good.tiff > corrupt.tiff Strangely enough, the segfault isn't 100% reproducible; sometimes 'convert' exits with error messages about "incorrect count for field" (but with different "expecting" values for each run). Here's a log of a gdb run on the un-stripped convert binary. % gdb --args bin/convert corrupt.tiff z.bmp GNU gdb 6.8-debian Copyright (C) 2008 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "i486-linux-gnu"... (gdb) run Starting program: /home/user/temp/z/ziminst/bin/convert corrupt.tiff z.bmp [Thread debugging using libthread_db enabled] [New Thread 0xb79026b0 (LWP 1852)] convert: incorrect count for field "ImageLength" (5, expecting 1); tag trimmed. `corrupt.tiff'. convert: corrupt.tiff: wrong data type 21 for "XResolution"; tag ignored. `TIFFReadDirectory'. convert: incorrect count for field "ResolutionUnit" (131073, expecting 1); tag trimmed. `corrupt.tiff'. convert: incorrect count for field "StripOffsets" (1, expecting 212568); tag ignored. `corrupt.tiff'. convert: incorrect count for field "StripByteCounts" (1, expecting 212568); tag ignored. `corrupt.tiff'. convert: Error fetching data for field "ResolutionUnit". `corrupt.tiff'. convert: unable to extend cache `corrupt.tiff': Invalid argument. convert: missing an image filename `z.bmp'. Program exited with code 01. (gdb) run Starting program: /home/user/temp/z/ziminst/bin/convert corrupt.tiff z.bmp [Thread debugging using libthread_db enabled] [New Thread 0xb78bf6b0 (LWP 1856)] convert: incorrect count for field "ImageLength" (5, expecting 1); tag trimmed. `corrupt.tiff'. convert: corrupt.tiff: wrong data type 21 for "XResolution"; tag ignored. `TIFFReadDirectory'. convert: incorrect count for field "ResolutionUnit" (131073, expecting 1); tag trimmed. `corrupt.tiff'. convert: incorrect count for field "StripOffsets" (1, expecting 197072); tag ignored. `corrupt.tiff'. convert: incorrect count for field "StripByteCounts" (1, expecting 197072); tag ignored. `corrupt.tiff'. convert: Error fetching data for field "ResolutionUnit". `corrupt.tiff'. convert: unable to extend cache `corrupt.tiff': Invalid argument. convert: missing an image filename `z.bmp'. Program exited with code 01. (gdb) run Starting program: /home/user/temp/z/ziminst/bin/convert corrupt.tiff z.bmp [Thread debugging using libthread_db enabled] [New Thread 0xb78406b0 (LWP 1857)] convert: incorrect count for field "ImageLength" (5, expecting 1); tag trimmed. `corrupt.tiff'. convert: corrupt.tiff: wrong data type 21 for "XResolution"; tag ignored. `TIFFReadDirectory'. convert: incorrect count for field "ResolutionUnit" (131073, expecting 1); tag trimmed. `corrupt.tiff'. convert: incorrect count for field "StripOffsets" (1, expecting 195208); tag ignored. `corrupt.tiff'. convert: incorrect count for field "StripByteCounts" (1, expecting 195208); tag ignored. `corrupt.tiff'. convert: Error fetching data for field "ResolutionUnit". `corrupt.tiff'. convert: unable to extend cache `corrupt.tiff': Invalid argument. convert: missing an image filename `z.bmp'. Program exited with code 01. (gdb) run Starting program: /home/user/temp/z/ziminst/bin/convert corrupt.tiff z.bmp [Thread debugging using libthread_db enabled] [New Thread 0xb779d6b0 (LWP 1859)] convert: incorrect count for field "ImageLength" (5, expecting 1); tag trimmed. `corrupt.tiff'. convert: corrupt.tiff: wrong data type 21 for "XResolution"; tag ignored. `TIFFReadDirectory'. convert: incorrect count for field "ResolutionUnit" (131073, expecting 1); tag trimmed. `corrupt.tiff'. convert: incorrect count for field "StripOffsets" (1, expecting 207605); tag ignored. `corrupt.tiff'. convert: incorrect count for field "StripByteCounts" (1, expecting 207605); tag ignored. `corrupt.tiff'. convert: Error fetching data for field "ResolutionUnit". `corrupt.tiff'. convert: corrupt.tiff: Decoding error at scanline 0, invalid bit length repeat. `ZIPDecode'. convert: Memory allocation failed `z.bmp'. Program exited with code 01. (gdb) run Starting program: /home/user/temp/z/ziminst/bin/convert corrupt.tiff z.bmp [Thread debugging using libthread_db enabled] [New Thread 0xb79106b0 (LWP 1860)] convert: incorrect count for field "ImageLength" (5, expecting 1); tag trimmed. `corrupt.tiff'. convert: corrupt.tiff: wrong data type 21 for "XResolution"; tag ignored. `TIFFReadDirectory'. convert: incorrect count for field "ResolutionUnit" (131073, expecting 1); tag trimmed. `corrupt.tiff'. convert: incorrect count for field "StripOffsets" (1, expecting 186601); tag ignored. `corrupt.tiff'. convert: incorrect count for field "StripByteCounts" (1, expecting 186601); tag ignored. `corrupt.tiff'. convert: Error fetching data for field "ResolutionUnit". `corrupt.tiff'. convert: corrupt.tiff: Decoding error at scanline 0, invalid bit length repeat. `ZIPDecode'. convert: Memory allocation failed `z.bmp'. Program exited with code 01. (gdb) run Starting program: /home/user/temp/z/ziminst/bin/convert corrupt.tiff z.bmp [Thread debugging using libthread_db enabled] [New Thread 0xb77ad6b0 (LWP 1861)] Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0xb77ad6b0 (LWP 1861)] 0xb7c55add in WriteBMPImage (image_info=0x878d118, image=0x8791928) at coders/bmp.c:1784 1784 *q++=ScaleQuantumToChar(p->blue); (gdb) (gdb) bt #0 0xb7c55add in WriteBMPImage (image_info=0x878d118, image=0x8791928) at coders/bmp.c:1784 #1 0xb7d8255d in WriteImage (image_info=0x877c5d0, image=0x8791928) at magick/constitute.c:955 #2 0xb7d82eed in WriteImages (image_info=0x87783f0, images=0x8791928, filename=0x8778328 "z.bmp", exception=0x8778030) at magick/constitute.c:1112 #3 0xb7c92441 in ConvertImageCommand (image_info=0x87783f0, argc=3, argv=0x877c570, metadata=0x0, exception=0x8778030) at wand/convert.c:2630 #4 0x08048b77 in main (argc=3, argv=0xbfd3d4a4) at utilities/convert.c:122 (gdb) print image $1 = (Image *) 0x8791928 (gdb) print q $2 = (unsigned char *) 0x19749a80 <Address 0x19749a80 out of bounds> (gdb) print *image $3 = {storage_class = DirectClass, colorspace = RGBColorspace, compression = ZipCompression, quality = 0, orientation = LeftTopOrientation, taint = MagickFalse, matte = MagickFalse, columns = 610, rows = 142112024, depth = 16, colors = 0, colormap = 0x0, background_color = {blue = 65535, green = 65535, red = 65535, opacity = 0}, border_color = {blue = 57311, green = 57311, red = 57311, opacity = 0}, matte_color = {blue = 48573, green = 48573, red = 48573, opacity = 0}, gamma = 0, chromaticity = { red_primary = {x = 0, y = 0, z = 0}, green_primary = {x = 0, y = 0, z = 0}, blue_primary = {x = 0, y = 0, z = 0}, white_point = {x = 0, y = 0, z = 0}}, rendering_intent = UndefinedIntent, profiles = 0x0, units = PixelsPerInchResolution, montage = 0x0, directory = 0x0, geometry = 0x0, offset = 0, x_resolution = 0, y_resolution = 72, page = { width = 610, height = 142112024, x = -2147483648, y = 0}, extract_info = { width = 0, height = 0, x = 0, y = 0}, tile_info = {width = 0, height = 0, x = 0, y = 0}, bias = 0, blur = 1, fuzz = 0, filter = UndefinedFilter, interlace = NoInterlace, endian = UndefinedEndian, gravity = UndefinedGravity, compose = OverCompositeOp, dispose = UnrecognizedDispose, clip_mask = 0x0, scene = 0, delay = 0, ticks_per_second = 100, iterations = 0, total_colors = 0, start_loop = 0, error = {mean_error_per_pixel = 0, normalized_mean_error = 0, normalized_maximum_error = 0}, timer = {user = {start = 0, stop = 0, total = 0}, elapsed = {start = 4627699, stop = 0, total = 0}, state = RunningTimerState, signature = 2880220587}, progress_monitor = 0, ---Type <return> to continue, or q <return> to quit--- client_data = 0x0, cache = 0x87850f0, attributes = 0x0, ascii85 = 0x0, blob = 0x87832f8, filename = "z.bmp\000t.tiff", '\0' <repeats 4083 times>, magick_filename = "corrupt.tiff", '\0' <repeats 4083 times>, magick = "TIFF", '\0' <repeats 4091 times>, magick_columns = 610, magick_rows = 142112024, exception = {severity = UndefinedException, error_number = 0, reason = 0x0, description = 0x0, exceptions = 0x8778058, relinquish = MagickFalse, semaphore = 0x0, signature = 2880220587}, debug = MagickFalse, reference_count = 1, semaphore = 0x0, color_profile = { name = 0x0, length = 0, info = 0x0, signature = 0}, iptc_profile = { name = 0x0, length = 0, info = 0x0, signature = 0}, generic_profile = 0x0, generic_profiles = 0, signature = 2880220587, previous = 0x0, list = 0x0, next = 0x0, interpolate = UndefinedInterpolatePixel, black_point_compensation = MagickFalse, transparent_color = {blue = 0, green = 0, red = 0, opacity = 65535}, mask = 0x0, tile_offset = { width = 0, height = 0, x = 0, y = 0}, properties = 0x87874e8, artifacts = 0x0} (gdb) (gdb) print y $4 = 1447156 (gdb) print image->rows $5 = 142112024 (gdb) print image->columns $6 = 610 -- System Information: Debian Release: 5.0.1 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i686) Kernel: Linux 2.6.29.4 (SMP w/2 CPU cores) Locale: LANG=en_US, LC_CTYPE=nb_NO.iso88591 (charmap=ISO-8859-1) Shell: /bin/sh linked to /bin/bash Versions of packages imagemagick depends on: ii libbz2-1.0 1.0.5-1 high-quality block-sorting file co ii libc6 2.7-18 GNU C Library: Shared libraries ii libfontconfig1 2.6.0-3 generic font configuration library ii libfreetype6 2.3.7-2+lenny1 FreeType 2 font engine, shared lib ii libice6 2:1.0.4-1 X11 Inter-Client Exchange library ii libjpeg62 6b-14 The Independent JPEG Group's JPEG ii liblcms1 1.17.dfsg-1+lenny2 Color management library ii libmagick10 7:6.3.7.9.dfsg2-1~lenny1 image manipulation library ii libsm6 2:1.0.3-2 X11 Session Management library ii libtiff4 3.8.2-11 Tag Image File Format (TIFF) libra ii libx11-6 2:1.1.5-2 X11 client-side library ii libxext6 2:1.0.4-1 X11 miscellaneous extension librar ii libxt6 1:1.0.5-3 X11 toolkit intrinsics library ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime imagemagick recommends no packages. imagemagick suggests no packages. -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
