[Pkg-gmagick-im-team] Bug#671002: convert segfaults on jpegs

Vincent Fourmond fourmond at debian.org
Tue May 1 21:36:35 UTC 2012


forcemerge  671002 670980
severity 671002 grave
tag 671002 security
thanks

  Hello,

On Tue, May 1, 2012 at 6:44 PM, Matthew Somerville
<matthew at mysociety.org> wrote:
> We are having this issue too, and it has caused our live site to go down once (due to segfaulting on perfectly respectable JPEGs, quite ironic given this patch was meant to prevent DoS due to malicious JPEGs :-) ).
>
> After some investigation, the issue appears to be in the code applied by patch 0002-Fix-security-holes-JPEG-EXIF-TIFF.patch - the following two lines in coders/jpeg.c:
>
> +  if (jpeg_info->err->num_warnings++ > 1000) /* 1000 = JPEGEcessiveWarnings */
> +        JPEGErrorHandler(jpeg_info);
>
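Review bot: the threshold check `if (jpeg_info->err->num_warnings++ > 1000)` sits before the `level < 0` test, so every call into the message handler, trace and advisory messages at level >= 0 included, increments num_warnings and can end up invoking JPEGErrorHandler on a well-formed file; move both lines inside the `level < 0` branch, as the upstream forum patch does, so that only genuine libjpeg warnings count toward the limit. Minor: the comment misspells the constant (`JPEGEcessiveWarnings`); if a JPEGExcessiveWarnings definition exists, use it in place of the literal 1000.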
> are not placed where the patch on http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=20629 implies they should be (i.e. directly above the if statement within the level<0 if statement). Moving these two lines down the few lines to that location and recompiling stops the segfaulting on the JPEGs previously causing the issue.
>
> I don't know enough about the ImageMagick source code to know if that is entirely the solution, but I hope is helpful in diagnosing this problem.

  Thanks a lot for the investigation. I regret having uploaded the fix
with not enough testing. Would it be possible for you to provide me
with examples of JPEGs giving segfaults (by private mail if you can't
have them publicly available on the bug tracker), in order to make
sure that the (new) fix is correct?

  Cheers,

      Vincent
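The placement problem described in this thread, as an added illustration that is not part of the bug report or of ImageMagick's code: a stand-alone model of the warning-counting check, once with the counter before the `level < 0` test (as the Debian patch applied it) and once inside that branch (as the upstream forum patch intends). The model uses only the libjpeg convention that emit_message gets a negative level for warnings and a level >= 0 for trace/advisory output; the struct, the handler and the message streams below are assumptions constructed for the example, not libjpeg or coders/jpeg.c.

```c
#include <stdio.h>
#include <stdbool.h>

/* Assumed, simplified model of libjpeg's error manager: only the fields this
 * example needs. In libjpeg, emit_message(cinfo, msg_level) is called with
 * msg_level < 0 for warnings (corrupt data) and msg_level >= 0 for trace and
 * advisory output. Real ImageMagick/libjpeg structures are not used here. */
#define JPEGExcessiveWarnings 1000

typedef struct {
    long num_warnings;   /* mirrors jpeg_error_mgr.num_warnings */
    bool error_raised;   /* set when the (model) JPEGErrorHandler would fire;
                            the real handler aborts decoding of the image */
} model_err_mgr;

static void model_error_handler(model_err_mgr *err)
{
    err->error_raised = true;
}

/* Placement as applied in the Debian patch: the counter runs before the
 * level check, so every message, trace output included, bumps num_warnings. */
static void emit_message_counter_outside(model_err_mgr *err, int level)
{
    if (err->num_warnings++ > JPEGExcessiveWarnings)
        model_error_handler(err);
    if (level < 0) {
        /* warning-specific handling would go here */
    }
}

/* Placement the upstream forum patch intends: only real warnings (level < 0)
 * are counted against the limit. */
static void emit_message_counter_inside(model_err_mgr *err, int level)
{
    if (level < 0) {
        if (err->num_warnings++ > JPEGExcessiveWarnings)
            model_error_handler(err);
    }
}

typedef void (*emit_fn)(model_err_mgr *, int);

/* Feed a constructed message stream: `traces` messages at level 1 (trace)
 * followed by `warnings` messages at level -1 (warning). Returns true if the
 * model error handler fired at any point. */
bool feed_messages(emit_fn emit, int traces, int warnings)
{
    model_err_mgr err = {0, false};
    for (int i = 0; i < traces && !err.error_raised; i++)
        emit(&err, 1);
    for (int i = 0; i < warnings && !err.error_raised; i++)
        emit(&err, -1);
    return err.error_raised;
}

bool outside_fires(int traces, int warnings)
{
    return feed_messages(emit_message_counter_outside, traces, warnings);
}

bool inside_fires(int traces, int warnings)
{
    return feed_messages(emit_message_counter_inside, traces, warnings);
}

int main(void)
{
    /* 1002 trace messages and no warnings: a file libjpeg decodes fine. */
    printf("counter outside level<0, 1002 traces: handler fired = %d\n",
           outside_fires(1002, 0));
    printf("counter inside  level<0, 1002 traces: handler fired = %d\n",
           inside_fires(1002, 0));
    /* 1002 genuine warnings: both placements stop decoding. */
    printf("counter inside  level<0, 1002 warnings: handler fired = %d\n",
           inside_fires(0, 1002));
    return 0;
}
```

Note the off-by-one in the threshold itself: with the post-increment, the handler fires on the 1002nd counted message (the check sees 1001 > 1000), not the 1001st; the assertions below pin that boundary for both placements.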
