[Pkg-gmagick-im-team] Bug#530363: imagemagick: convert .tif to .bmp crash (segmentation fault, SIGSEGV) on corrupt input file
reportbug
debbug.imagick.tiffbmp at sub.noloop.net
Sun May 24 12:17:31 UTC 2009
Package: imagemagick
Version: 7:6.3.7.9.dfsg2-1~lenny1
Severity: normal
Playing around with the "zzuf" fuzzer from http://caca.zoy.org/wiki/zzuf,
I managed to create a corrupt .tiff file that causes 'convert' to
crash with a segmentation fault (most of the time). I've also compiled
imagemagick from debian source and have a gdb backtrace that reveals
the crash occurs in the .bmp writer, as it tries to encode an image
with a horizontal resolution of 153249056 rows (?).
The original tiff image is available at
http://www.noloop.net/bugs/imagemagick/001/good.tiff
The corrupted image is available at
http://www.noloop.net/bugs/imagemagick/001/corrupt.tiff
The corrupt image was generated with zzuf-0.12, using
zzuf -c -d -s 181 -r 0.004 cat good.tiff > corrupt.tiff
Strangely enough, the segfault isn't 100% reproducible;
sometimes 'convert' exits with error messages about
"incorrect count for field" (but with different "expecting" values
for each run).
Here's a log of a gdb run on the un-stripped convert binary.
% gdb --args bin/convert corrupt.tiff z.bmp
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) run
Starting program: /home/user/temp/z/ziminst/bin/convert corrupt.tiff z.bmp
[Thread debugging using libthread_db enabled]
[New Thread 0xb79026b0 (LWP 1852)]
convert: incorrect count for field "ImageLength" (5, expecting 1); tag trimmed. `corrupt.tiff'.
convert: corrupt.tiff: wrong data type 21 for "XResolution"; tag ignored. `TIFFReadDirectory'.
convert: incorrect count for field "ResolutionUnit" (131073, expecting 1); tag trimmed. `corrupt.tiff'.
convert: incorrect count for field "StripOffsets" (1, expecting 212568); tag ignored. `corrupt.tiff'.
convert: incorrect count for field "StripByteCounts" (1, expecting 212568); tag ignored. `corrupt.tiff'.
convert: Error fetching data for field "ResolutionUnit". `corrupt.tiff'.
convert: unable to extend cache `corrupt.tiff': Invalid argument.
convert: missing an image filename `z.bmp'.
Program exited with code 01.
(gdb) run
Starting program: /home/user/temp/z/ziminst/bin/convert corrupt.tiff z.bmp
[Thread debugging using libthread_db enabled]
[New Thread 0xb78bf6b0 (LWP 1856)]
convert: incorrect count for field "ImageLength" (5, expecting 1); tag trimmed. `corrupt.tiff'.
convert: corrupt.tiff: wrong data type 21 for "XResolution"; tag ignored. `TIFFReadDirectory'.
convert: incorrect count for field "ResolutionUnit" (131073, expecting 1); tag trimmed. `corrupt.tiff'.
convert: incorrect count for field "StripOffsets" (1, expecting 197072); tag ignored. `corrupt.tiff'.
convert: incorrect count for field "StripByteCounts" (1, expecting 197072); tag ignored. `corrupt.tiff'.
convert: Error fetching data for field "ResolutionUnit". `corrupt.tiff'.
convert: unable to extend cache `corrupt.tiff': Invalid argument.
convert: missing an image filename `z.bmp'.
Program exited with code 01.
(gdb) run
Starting program: /home/user/temp/z/ziminst/bin/convert corrupt.tiff z.bmp
[Thread debugging using libthread_db enabled]
[New Thread 0xb78406b0 (LWP 1857)]
convert: incorrect count for field "ImageLength" (5, expecting 1); tag trimmed. `corrupt.tiff'.
convert: corrupt.tiff: wrong data type 21 for "XResolution"; tag ignored. `TIFFReadDirectory'.
convert: incorrect count for field "ResolutionUnit" (131073, expecting 1); tag trimmed. `corrupt.tiff'.
convert: incorrect count for field "StripOffsets" (1, expecting 195208); tag ignored. `corrupt.tiff'.
convert: incorrect count for field "StripByteCounts" (1, expecting 195208); tag ignored. `corrupt.tiff'.
convert: Error fetching data for field "ResolutionUnit". `corrupt.tiff'.
convert: unable to extend cache `corrupt.tiff': Invalid argument.
convert: missing an image filename `z.bmp'.
Program exited with code 01.
(gdb) run
Starting program: /home/user/temp/z/ziminst/bin/convert corrupt.tiff z.bmp
[Thread debugging using libthread_db enabled]
[New Thread 0xb779d6b0 (LWP 1859)]
convert: incorrect count for field "ImageLength" (5, expecting 1); tag trimmed. `corrupt.tiff'.
convert: corrupt.tiff: wrong data type 21 for "XResolution"; tag ignored. `TIFFReadDirectory'.
convert: incorrect count for field "ResolutionUnit" (131073, expecting 1); tag trimmed. `corrupt.tiff'.
convert: incorrect count for field "StripOffsets" (1, expecting 207605); tag ignored. `corrupt.tiff'.
convert: incorrect count for field "StripByteCounts" (1, expecting 207605); tag ignored. `corrupt.tiff'.
convert: Error fetching data for field "ResolutionUnit". `corrupt.tiff'.
convert: corrupt.tiff: Decoding error at scanline 0, invalid bit length repeat. `ZIPDecode'.
convert: Memory allocation failed `z.bmp'.
Program exited with code 01.
(gdb) run
Starting program: /home/user/temp/z/ziminst/bin/convert corrupt.tiff z.bmp
[Thread debugging using libthread_db enabled]
[New Thread 0xb79106b0 (LWP 1860)]
convert: incorrect count for field "ImageLength" (5, expecting 1); tag trimmed. `corrupt.tiff'.
convert: corrupt.tiff: wrong data type 21 for "XResolution"; tag ignored. `TIFFReadDirectory'.
convert: incorrect count for field "ResolutionUnit" (131073, expecting 1); tag trimmed. `corrupt.tiff'.
convert: incorrect count for field "StripOffsets" (1, expecting 186601); tag ignored. `corrupt.tiff'.
convert: incorrect count for field "StripByteCounts" (1, expecting 186601); tag ignored. `corrupt.tiff'.
convert: Error fetching data for field "ResolutionUnit". `corrupt.tiff'.
convert: corrupt.tiff: Decoding error at scanline 0, invalid bit length repeat. `ZIPDecode'.
convert: Memory allocation failed `z.bmp'.
Program exited with code 01.
(gdb) run
Starting program: /home/user/temp/z/ziminst/bin/convert corrupt.tiff z.bmp
[Thread debugging using libthread_db enabled]
[New Thread 0xb77ad6b0 (LWP 1861)]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb77ad6b0 (LWP 1861)]
0xb7c55add in WriteBMPImage (image_info=0x878d118, image=0x8791928)
at coders/bmp.c:1784
1784 *q++=ScaleQuantumToChar(p->blue);
(gdb)
(gdb) bt
#0 0xb7c55add in WriteBMPImage (image_info=0x878d118, image=0x8791928)
at coders/bmp.c:1784
#1 0xb7d8255d in WriteImage (image_info=0x877c5d0, image=0x8791928)
at magick/constitute.c:955
#2 0xb7d82eed in WriteImages (image_info=0x87783f0, images=0x8791928,
filename=0x8778328 "z.bmp", exception=0x8778030)
at magick/constitute.c:1112
#3 0xb7c92441 in ConvertImageCommand (image_info=0x87783f0, argc=3,
argv=0x877c570, metadata=0x0, exception=0x8778030) at wand/convert.c:2630
#4 0x08048b77 in main (argc=3, argv=0xbfd3d4a4) at utilities/convert.c:122
(gdb) print image
$1 = (Image *) 0x8791928
(gdb) print q
$2 = (unsigned char *) 0x19749a80 <Address 0x19749a80 out of bounds>
(gdb) print *image
$3 = {storage_class = DirectClass, colorspace = RGBColorspace,
compression = ZipCompression, quality = 0, orientation = LeftTopOrientation,
taint = MagickFalse, matte = MagickFalse, columns = 610, rows = 142112024,
depth = 16, colors = 0, colormap = 0x0, background_color = {blue = 65535,
green = 65535, red = 65535, opacity = 0}, border_color = {blue = 57311,
green = 57311, red = 57311, opacity = 0}, matte_color = {blue = 48573,
green = 48573, red = 48573, opacity = 0}, gamma = 0, chromaticity = {
red_primary = {x = 0, y = 0, z = 0}, green_primary = {x = 0, y = 0,
z = 0}, blue_primary = {x = 0, y = 0, z = 0}, white_point = {x = 0,
y = 0, z = 0}}, rendering_intent = UndefinedIntent, profiles = 0x0,
units = PixelsPerInchResolution, montage = 0x0, directory = 0x0,
geometry = 0x0, offset = 0, x_resolution = 0, y_resolution = 72, page = {
width = 610, height = 142112024, x = -2147483648, y = 0}, extract_info = {
width = 0, height = 0, x = 0, y = 0}, tile_info = {width = 0, height = 0,
x = 0, y = 0}, bias = 0, blur = 1, fuzz = 0, filter = UndefinedFilter,
interlace = NoInterlace, endian = UndefinedEndian,
gravity = UndefinedGravity, compose = OverCompositeOp,
dispose = UnrecognizedDispose, clip_mask = 0x0, scene = 0, delay = 0,
ticks_per_second = 100, iterations = 0, total_colors = 0, start_loop = 0,
error = {mean_error_per_pixel = 0, normalized_mean_error = 0,
normalized_maximum_error = 0}, timer = {user = {start = 0, stop = 0,
total = 0}, elapsed = {start = 4627699, stop = 0, total = 0},
state = RunningTimerState, signature = 2880220587}, progress_monitor = 0,
client_data = 0x0, cache = 0x87850f0, attributes = 0x0, ascii85 = 0x0,
blob = 0x87832f8, filename = "z.bmp\000t.tiff", '\0' <repeats 4083 times>,
magick_filename = "corrupt.tiff", '\0' <repeats 4083 times>,
magick = "TIFF", '\0' <repeats 4091 times>, magick_columns = 610,
magick_rows = 142112024, exception = {severity = UndefinedException,
error_number = 0, reason = 0x0, description = 0x0, exceptions = 0x8778058,
relinquish = MagickFalse, semaphore = 0x0, signature = 2880220587},
debug = MagickFalse, reference_count = 1, semaphore = 0x0, color_profile = {
name = 0x0, length = 0, info = 0x0, signature = 0}, iptc_profile = {
name = 0x0, length = 0, info = 0x0, signature = 0}, generic_profile = 0x0,
generic_profiles = 0, signature = 2880220587, previous = 0x0, list = 0x0,
next = 0x0, interpolate = UndefinedInterpolatePixel,
black_point_compensation = MagickFalse, transparent_color = {blue = 0,
green = 0, red = 0, opacity = 65535}, mask = 0x0, tile_offset = {
width = 0, height = 0, x = 0, y = 0}, properties = 0x87874e8,
artifacts = 0x0}
(gdb)
(gdb) print y
$4 = 1447156
(gdb) print image->rows
$5 = 142112024
(gdb) print image->columns
$6 = 610
-- System Information:
Debian Release: 5.0.1
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.29.4 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=nb_NO.iso88591 (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash
Versions of packages imagemagick depends on:
ii libbz2-1.0 1.0.5-1 high-quality block-sorting file co
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libfontconfig1 2.6.0-3 generic font configuration library
ii libfreetype6 2.3.7-2+lenny1 FreeType 2 font engine, shared lib
ii libice6 2:1.0.4-1 X11 Inter-Client Exchange library
ii libjpeg62 6b-14 The Independent JPEG Group's JPEG
ii liblcms1 1.17.dfsg-1+lenny2 Color management library
ii libmagick10 7:6.3.7.9.dfsg2-1~lenny1 image manipulation library
ii libsm6 2:1.0.3-2 X11 Session Management library
ii libtiff4 3.8.2-11 Tag Image File Format (TIFF) libra
ii libx11-6 2:1.1.5-2 X11 client-side library
ii libxext6 2:1.0.4-1 X11 miscellaneous extension librar
ii libxt6 1:1.0.5-3 X11 toolkit intrinsics library
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
imagemagick recommends no packages.
imagemagick suggests no packages.
-- no debconf information
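Added illustration for this report, not code from the bug report or from ImageMagick: a 24-bit BMP pixel-buffer sizing routine run on the dimensions in the gdb dump above (columns = 610, rows = 142112024; the prose figure of 153249056 is not used). The row pitch follows the BMP rule of padding each scanline to a multiple of 4 bytes. That the crashing writer actually sized its buffer with a wrapping 32-bit multiply is a hypothesis, not something the report establishes; the point of the example is that on an i386 build (32-bit size_t) the exact product, roughly 260 GB, cannot be represented at all, so any sizing path that does not check for that hands the scanline loop a buffer far smaller than the rows it will walk. The 1 GiB policy limit and the 610 x 142 "sane" input are assumed values.

```c
/* Overflow-safe sizing of a 24-bit BMP pixel buffer, with the unchecked
 * 32-bit product beside it.  Added illustration for this bug report;
 * it is not ImageMagick code.  The dimensions below are taken from the
 * gdb dump in the report (columns = 610, rows = 142112024). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* BMP scanlines are padded to a multiple of 4 bytes.  Computed in 64 bits,
 * so the product columns * bits_per_pixel cannot wrap. */
static bool bmp_row_pitch(uint32_t columns, uint32_t bits_per_pixel,
                          uint32_t *pitch_out)
{
    uint64_t bits  = (uint64_t)columns * bits_per_pixel;
    uint64_t pitch = ((bits + 31) / 32) * 4;
    if (pitch == 0 || pitch > UINT32_MAX)
        return false;
    *pitch_out = (uint32_t)pitch;
    return true;
}

/* What a writer gets when it multiplies pitch by rows in a 32-bit size_t
 * (i386, as in the report): the product silently wraps modulo 2^32 and the
 * buffer is allocated far too small for the scanline loop that follows. */
static uint32_t bmp_image_size_naive32(uint32_t columns, uint32_t rows,
                                       uint32_t bits_per_pixel)
{
    uint32_t pitch = 0;
    if (!bmp_row_pitch(columns, bits_per_pixel, &pitch))
        return 0;
    return pitch * rows;        /* uint32_t * uint32_t: modular, no diagnostic */
}

/* Checked version: the exact product is formed in 64 bits and refused when
 * it would not fit the target's size_t or exceeds a policy limit on decoded
 * image size.  The limit is the caller's decision (an assumed 1 GiB below). */
static bool bmp_image_size_checked(uint32_t columns, uint32_t rows,
                                   uint32_t bits_per_pixel,
                                   uint64_t size_t_max, uint64_t policy_limit,
                                   uint64_t *size_out)
{
    uint32_t pitch = 0;
    if (columns == 0 || rows == 0)
        return false;
    if (!bmp_row_pitch(columns, bits_per_pixel, &pitch))
        return false;
    uint64_t size = (uint64_t)pitch * rows;   /* exact: both factors < 2^32 */
    if (size > size_t_max || size > policy_limit)
        return false;
    *size_out = size;
    return true;
}

int main(void)
{
    const uint32_t bpp = 24;                       /* DirectClass, no matte */
    const uint64_t i386_size_max = UINT32_MAX;     /* 32-bit size_t */
    const uint64_t policy_limit  = 1ULL << 30;     /* assumed: 1 GiB of pixels */
    struct { const char *name; uint32_t columns, rows; } cases[] = {
        { "corrupt.tiff (from gdb dump)", 610, 142112024 },
        { "constructed sane image",       610, 142 },   /* made-up dimensions */
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t pitch = 0;
        uint64_t exact = 0;
        bmp_row_pitch(cases[i].columns, bpp, &pitch);
        printf("%s: %u x %u, pitch %u bytes\n", cases[i].name,
               cases[i].columns, cases[i].rows, pitch);
        printf("  naive 32-bit size: %u bytes\n",
               bmp_image_size_naive32(cases[i].columns, cases[i].rows, bpp));
        if (bmp_image_size_checked(cases[i].columns, cases[i].rows, bpp,
                                   i386_size_max, policy_limit, &exact))
            printf("  checked: accepted, %llu bytes\n", (unsigned long long)exact);
        else
            printf("  checked: rejected, needs %llu bytes\n",
                   (unsigned long long)pitch * cases[i].rows);
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall bmp_size_check.c`. For the report's dimensions the pitch is 1832 bytes, the naive 32-bit product comes out at 2651190208 bytes (about 2.5 GiB, the true value modulo 2^32) while the exact requirement is 260349227968 bytes, so the checked path rejects the image before any buffer is allocated; the constructed 610 x 142 case is accepted at 260144 bytes. The same pattern (64-bit product, compare against both the platform size_t and an explicit decode budget) is the check to look for in any image writer that derives a buffer size from attacker-controlled dimensions.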