[Pkg-gmagick-im-team] Bug#779038: Use of uninitialised value of size 8

Bastien ROUCARIES roucaries.bastien+imagemagick at gmail.com
Fri Mar 6 22:28:32 UTC 2015


On Mon, Feb 23, 2015 at 4:40 PM, Mathieu Malaterre <malat at debian.org> wrote:
> Package: libmagickcore5
> Version: 8:6.7.7.10-5+deb7u3
>
> Looks like there is an invalid read when dealing with some PNG files.
> See attached sample for info.

Could you test the queue that has been pending for security for four months?

Under git it is branch from upstream
debian-patches/6.7.7.10-5+deb7u4

Could you also test 8:6.8.9.9-5?

Bastien

Thanks

> Steps:
>
> $ cd /tmp
> $ wget [...]/readpng.c
> $ wget [...]/018.png
> $ gcc -o readpng -I /usr/include/ImageMagick readpng.c -lMagickCore
> $ valgrind ./readpng
> ==14575== Memcheck, a memory error detector
> ==14575== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
> ==14575== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
> ==14575== Command: ./readpng
> ==14575==
> ==14575== Use of uninitialised value of size 8
> ==14575==    at 0x531DEBB: _itoa_word (_itoa.c:195)
> ==14575==    by 0x531FE96: vfprintf (vfprintf.c:1622)
> ==14575==    by 0x53CA52F: __vsnprintf_chk (vsnprintf_chk.c:65)
> ==14575==    by 0x4F5690A: FormatLocaleStringList (in
> /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
> ==14575==    by 0x4F569F1: FormatLocaleString (in
> /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
> ==14575==    by 0x98D3106: ??? (in
> /usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so)
> ==14575==    by 0x98D4A37: ??? (in
> /usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so)
> ==14575==    by 0x4EB970F: ReadImage (in
> /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
> ==14575==    by 0x40078E: main (in /home/mathieu/tmp/flou/bin4/readpng)
> ==14575==
> ==14575== Conditional jump or move depends on uninitialised value(s)
> ==14575==    at 0x531DEC5: _itoa_word (_itoa.c:195)
> ==14575==    by 0x531FE96: vfprintf (vfprintf.c:1622)
> ==14575==    by 0x53CA52F: __vsnprintf_chk (vsnprintf_chk.c:65)
> ==14575==    by 0x4F5690A: FormatLocaleStringList (in
> /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
> ==14575==    by 0x4F569F1: FormatLocaleString (in
> /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
> ==14575==    by 0x98D3106: ??? (in
> /usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so)
> ==14575==    by 0x98D4A37: ??? (in
> /usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so)
> ==14575==    by 0x4EB970F: ReadImage (in
> /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
> ==14575==    by 0x40078E: main (in /home/mathieu/tmp/flou/bin4/readpng)
> ==14575==
> ==14575== Conditional jump or move depends on uninitialised value(s)
> ==14575==    at 0x531FFAA: vfprintf (vfprintf.c:1622)
> ==14575==    by 0x53CA52F: __vsnprintf_chk (vsnprintf_chk.c:65)
> ==14575==    by 0x4F5690A: FormatLocaleStringList (in
> /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
> ==14575==    by 0x4F569F1: FormatLocaleString (in
> /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
> ==14575==    by 0x98D3106: ??? (in
> /usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so)
> ==14575==    by 0x98D4A37: ??? (in
> /usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so)
> ==14575==    by 0x4EB970F: ReadImage (in
> /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
> ==14575==    by 0x40078E: main (in /home/mathieu/tmp/flou/bin4/readpng)
> ==14575==
> ==14575== Conditional jump or move depends on uninitialised value(s)
> ==14575==    at 0x531FFC8: vfprintf (vfprintf.c:1622)
> ==14575==    by 0x53CA52F: __vsnprintf_chk (vsnprintf_chk.c:65)
> ==14575==    by 0x4F5690A: FormatLocaleStringList (in
> /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
> ==14575==    by 0x4F569F1: FormatLocaleString (in
> /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
> ==14575==    by 0x98D3106: ??? (in
> /usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so)
> ==14575==    by 0x98D4A37: ??? (in
> /usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so)
> ==14575==    by 0x4EB970F: ReadImage (in
> /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
> ==14575==    by 0x40078E: main (in /home/mathieu/tmp/flou/bin4/readpng)
> ==14575==
> ==14575==
> ==14575== HEAP SUMMARY:
> ==14575==     in use at exit: 1,364,861 bytes in 786 blocks
> ==14575==   total heap usage: 3,753 allocs, 2,967 frees, 5,529,461
> bytes allocated
> ==14575==
> ==14575== LEAK SUMMARY:
> ==14575==    definitely lost: 30,200 bytes in 4 blocks
> ==14575==    indirectly lost: 22,804 bytes in 53 blocks
> ==14575==      possibly lost: 1,280,000 bytes in 1 blocks
> ==14575==    still reachable: 31,857 bytes in 728 blocks
> ==14575==         suppressed: 0 bytes in 0 blocks
> ==14575== Rerun with --leak-check=full to see details of leaked memory
> ==14575==
> ==14575== For counts of detected and suppressed errors, rerun with: -v
> ==14575== Use --track-origins=yes to see where uninitialised values come from
> ==14575== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 6 from 6)
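A small triage helper for the Memcheck output above, added here as an example and not part of the bug report or of ImageMagick: it groups each reported error by kind and picks out the first stack frame inside the suspect coder module, which is the information a maintainer wants before rerunning with `--track-origins=yes`. The sample log is constructed from a trimmed copy of the report, the function names and the `coders/png.so` module hint are my own choices.

```python
"""Memcheck triage: group errors by kind and locate the first frame in a suspect module."""
import re
from collections import Counter

# Constructed sample, trimmed from the report; the mail client's line wrapping is undone.
SAMPLE_LOG = """\
==14575== Use of uninitialised value of size 8
==14575==    at 0x531DEBB: _itoa_word (_itoa.c:195)
==14575==    by 0x4F5690A: FormatLocaleStringList (in /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
==14575==    by 0x98D3106: ??? (in /usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so)
==14575==    by 0x4EB970F: ReadImage (in /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
==14575==
==14575== Conditional jump or move depends on uninitialised value(s)
==14575==    at 0x531FFAA: vfprintf (vfprintf.c:1622)
==14575==    by 0x4F5690A: FormatLocaleStringList (in /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
==14575==    by 0x98D4A37: ??? (in /usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so)
==14575==
==14575== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 6 from 6)
"""

PREFIX_RE = re.compile(r"^==\d+==\s?(.*)$")  # strips the "==pid==" prefix
FRAME_RE = re.compile(r"^\s+(at|by)\s+(0x[0-9A-Fa-f]+):\s+(\S+)\s+\((?:in )?([^)]*)\)")
SUMMARY_RE = re.compile(r"^ERROR SUMMARY: (\d+) errors from (\d+) contexts")

def parse_memcheck(log):
    """Return ([(kind, [(addr, func, where), ...]), ...], (errors, contexts))."""
    bodies = [m.group(1) for m in map(PREFIX_RE.match, log.splitlines()) if m]
    errors, summary = [], None
    for i, body in enumerate(bodies):
        frame = FRAME_RE.match(body)
        nxt = FRAME_RE.match(bodies[i + 1]) if i + 1 < len(bodies) else None
        if frame and errors:                      # stack frame of the current error
            errors[-1][1].append(frame.groups()[1:])
        elif body and not body[0].isspace() and nxt and nxt.group(1) == "at":
            errors.append((body, []))             # an error header is followed by "at"
        elif (s := SUMMARY_RE.match(body)):
            summary = (int(s.group(1)), int(s.group(2)))
    return errors, summary

def first_frame_in(frames, module_hint):
    # First frame whose object path contains module_hint, or None if the module is absent.
    return next((f for f in frames if module_hint in f[2]), None)

def triage(log, module_hint="coders/png.so"):
    """Per-kind counts plus, for each error, the first frame inside the suspect module."""
    errors, summary = parse_memcheck(log)
    hits = [(kind, first_frame_in(frames, module_hint)) for kind, frames in errors]
    return {"by_kind": dict(Counter(k for k, _ in errors)),
            "module_frames": hits, "summary": summary}
```

The addresses it reports (0x98D3106 and 0x98D4A37 in png.so) are the ones to resolve with debug symbols, since the libc and FormatLocaleString frames above them only show where the uninitialised value was consumed, not where it came from.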


