[Bug 1448803] Re: Double free in coders/pict.c:2000

Seth Arnold 1448803 at bugs.launchpad.net
Thu Oct 8 18:48:10 UTC 2015 

Stefan Cornelius suggests the pict.c changes in
https://github.com/ImageMagick/ImageMagick/commit/0f6fc2d5bf8f500820c3dbcf0d23ee14f2d9f734
address this issue: http://www.openwall.com/lists/oss-
security/2015/10/08/3

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to imagemagick in Ubuntu.
https://bugs.launchpad.net/bugs/1448803

Title:
  Double free in coders/pict.c:2000

Status in imagemagick package in Ubuntu:
  Confirmed

Bug description:
  Running: convert pict_double_free.pict /dev/null

  
  Program received signal SIGABRT, Aborted.

  Stack Trace:
  --------------------------------------------------------------------------------
  0xb7fdbbe0 in __kernel_vsyscall ()
  gdb$ bt
  #0  0xffffffff in __kernel_vsyscall ()
  #1  0xffffffff in __GI_raise (sig=0x6) at ../sysdeps/unix/sysv/linux/raise.c:55
  #2  0xffffffff in __GI_abort () at abort.c:89
  #3  0xffffffff in __libc_message (do_abort=0x1, fmt=0xb78bc444 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
  #4  0xffffffff in malloc_printerr (action=<optimized out>, str=0xb78bc4fc "double free or corruption (out)", ptr=0x8092f20) at malloc.c:4965
  #5  0xffffffff in _int_free (av=0xb790f840 <main_arena>, p=<optimized out>, have_lock=0x0) at malloc.c:3834
  #6  0xffffffff in RelinquishMagickMemory (memory=0x8092f20) at magick/memory.c:956
  #7  0xffffffff in WritePICTImage (image_info=0x807fc28, image=0x807fc28) at coders/pict.c:2000
  #8  0xffffffff in WriteImage (image_info=0x1, image=0x807fc28) at magick/constitute.c:1184
  #9  0xffffffff in WriteImages (image_info=0x0, images=0x807fc28, filename=0x0, exception=0x80538d8) at magick/constitute.c:1327
  #10 0xffffffff in ConvertImageCommand (image_info=0x8082df0, argc=0x3, argv=0x8054ce8, metadata=0x0, exception=0x80538d8) at wand/convert.c:3215
  #11 0xffffffff in MagickCommandGenesis (image_info=0x8056248, command=0x8048620 <ConvertImageCommand at plt>, argc=0x3, argv=0xbffff024, metadata=0x0, exception=0x80538d8) at wand/mogrify.c:168
  #12 0x080486ec in main (argv=0xbffff024, argc=<optimized out>) at utilities/convert.c:81
  #13 0x080486ec in main (argc=0x3, argv=0xbffff024) at utilities/convert.c:92
  gdb$

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1448803/+subscriptions

More information about the foundations-bugs mailing list