[Pkg-gmagick-im-team] Bug#779038: Use of uninitialised value of size 8

Mathieu Malaterre malat at debian.org
Mon Feb 23 15:40:00 UTC 2015


Package: libmagickcore5
Version: 8:6.7.7.10-5+deb7u3

Looks like there is an invalid read when dealing with some PNG files.
See attached sample for info.

Steps:

$ cd /tmp
$ wget [...]/readpng.c
$ wget [...]/018.png
$ gcc -o readpng -I /usr/include/ImageMagick readpng.c -lMagickCore
$ valgrind ./readpng
==14575== Memcheck, a memory error detector
==14575== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==14575== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==14575== Command: ./readpng
==14575==
==14575== Use of uninitialised value of size 8
==14575==    at 0x531DEBB: _itoa_word (_itoa.c:195)
==14575==    by 0x531FE96: vfprintf (vfprintf.c:1622)
==14575==    by 0x53CA52F: __vsnprintf_chk (vsnprintf_chk.c:65)
==14575==    by 0x4F5690A: FormatLocaleStringList (in
/usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
==14575==    by 0x4F569F1: FormatLocaleString (in
/usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
==14575==    by 0x98D3106: ??? (in
/usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so)
==14575==    by 0x98D4A37: ??? (in
/usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so)
==14575==    by 0x4EB970F: ReadImage (in
/usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
==14575==    by 0x40078E: main (in /home/mathieu/tmp/flou/bin4/readpng)
==14575==
==14575== Conditional jump or move depends on uninitialised value(s)
==14575==    at 0x531DEC5: _itoa_word (_itoa.c:195)
==14575==    by 0x531FE96: vfprintf (vfprintf.c:1622)
==14575==    by 0x53CA52F: __vsnprintf_chk (vsnprintf_chk.c:65)
==14575==    by 0x4F5690A: FormatLocaleStringList (in
/usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
==14575==    by 0x4F569F1: FormatLocaleString (in
/usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
==14575==    by 0x98D3106: ??? (in
/usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so)
==14575==    by 0x98D4A37: ??? (in
/usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so)
==14575==    by 0x4EB970F: ReadImage (in
/usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
==14575==    by 0x40078E: main (in /home/mathieu/tmp/flou/bin4/readpng)
==14575==
==14575== Conditional jump or move depends on uninitialised value(s)
==14575==    at 0x531FFAA: vfprintf (vfprintf.c:1622)
==14575==    by 0x53CA52F: __vsnprintf_chk (vsnprintf_chk.c:65)
==14575==    by 0x4F5690A: FormatLocaleStringList (in
/usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
==14575==    by 0x4F569F1: FormatLocaleString (in
/usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
==14575==    by 0x98D3106: ??? (in
/usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so)
==14575==    by 0x98D4A37: ??? (in
/usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so)
==14575==    by 0x4EB970F: ReadImage (in
/usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
==14575==    by 0x40078E: main (in /home/mathieu/tmp/flou/bin4/readpng)
==14575==
==14575== Conditional jump or move depends on uninitialised value(s)
==14575==    at 0x531FFC8: vfprintf (vfprintf.c:1622)
==14575==    by 0x53CA52F: __vsnprintf_chk (vsnprintf_chk.c:65)
==14575==    by 0x4F5690A: FormatLocaleStringList (in
/usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
==14575==    by 0x4F569F1: FormatLocaleString (in
/usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
==14575==    by 0x98D3106: ??? (in
/usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so)
==14575==    by 0x98D4A37: ??? (in
/usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so)
==14575==    by 0x4EB970F: ReadImage (in
/usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
==14575==    by 0x40078E: main (in /home/mathieu/tmp/flou/bin4/readpng)
==14575==
==14575==
==14575== HEAP SUMMARY:
==14575==     in use at exit: 1,364,861 bytes in 786 blocks
==14575==   total heap usage: 3,753 allocs, 2,967 frees, 5,529,461
bytes allocated
==14575==
==14575== LEAK SUMMARY:
==14575==    definitely lost: 30,200 bytes in 4 blocks
==14575==    indirectly lost: 22,804 bytes in 53 blocks
==14575==      possibly lost: 1,280,000 bytes in 1 blocks
==14575==    still reachable: 31,857 bytes in 728 blocks
==14575==         suppressed: 0 bytes in 0 blocks
==14575== Rerun with --leak-check=full to see details of leaked memory
==14575==
==14575== For counts of detected and suppressed errors, rerun with: -v
==14575== Use --track-origins=yes to see where uninitialised values come from
==14575== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 6 from 6)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 018.png
Type: image/png
Size: 91785 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gmagick-im-team/attachments/20150223/42a92cfe/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: readpng.c
Type: text/x-csrc
Size: 338 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gmagick-im-team/attachments/20150223/42a92cfe/attachment-0001.c>
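The reproduction steps above, turned into a repeatable Memcheck check that fails on its own when the uninitialised read reappears. This is an added example, not part of the report; it assumes gcc, valgrind and the libmagickcore development headers are installed and that the attached readpng.c and 018.png have already been downloaded into the current directory.

```shell
#!/bin/sh
# Regression check for Bug#779038 (added example, not from the report).
# Assumes readpng.c and 018.png from the report's attachments are in the
# current directory and that /usr/include/ImageMagick and libMagickCore exist.

# Extract the error count from Memcheck's "ERROR SUMMARY" line, e.g.
# "==14575== ERROR SUMMARY: 4 errors from 4 contexts (...)" yields "4".
# Usage: valgrind_error_count < valgrind.log
valgrind_error_count() {
    sed -n 's/^==[0-9]*== ERROR SUMMARY: \([0-9]*\) errors.*/\1/p' | tail -n 1
}

# Build the harness with the same flags as the report (plus debug info so
# the png.so frames shown as "???" get symbolised) and run it under Memcheck.
# --track-origins=yes, which the report's own output suggests, names the
# allocation the uninitialised value came from; --error-exitcode lets the
# step fail in CI without any log parsing.
reproduce() {
    gcc -g -O0 -o readpng -I /usr/include/ImageMagick readpng.c -lMagickCore || return 2
    valgrind --error-exitcode=99 --track-origins=yes --leak-check=full \
        ./readpng 2> valgrind.log
    status=$?
    errors=$(valgrind_error_count < valgrind.log)
    echo "valgrind exit status $status, ${errors:-unknown} errors reported"
    [ "$status" -ne 99 ]
}

# Only run the reproduction when explicitly asked, so the functions can be
# sourced by other scripts without side effects.
if [ "${1-}" = "run" ]; then
    reproduce
fi
```

Run it as `sh check.sh run`; a non-zero exit means Memcheck still reports errors for 018.png.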