[Bug 1490362] Re: Double free in coders/tga.c:221

Moshe Kaplan 1490362 at bugs.launchpad.net
Tue Sep 1 19:39:51 UTC 2015


https://github.com/ImageMagick/ImageMagick/commit/4f68e9661518463fca523c9726bb5d940a2aa6d8

https://bugs.launchpad.net/bugs/1490362

Title:
  Double free in coders/tga.c:221

Status in imagemagick package in Ubuntu:
  New

Bug description:
  On Ubuntu 14.04 (x64) with ImageMagick 7.0+ (commit
  087a059e56eec2efedefdceb6b52a093e4589dde ):
  https://github.com/ImageMagick/ImageMagick/commit/087a059e56eec2efedefdceb6b52a093e4589dde
  Running magick on double_free.tga aborts in glibc's free() with "double free or corruption"; the backtrace below shows the failing free being reached from the DestroyImageList call on ReadTGAImage's cleanup path at coders/tga.c:221 (frames #8-#9).

  gdb$ r double_free.tga  /dev/null
  Starting program: /home/moshe/Downloads/ImageMagick-master/utilities/magick double_free.tga  /dev/null
  [Thread debugging using libthread_db enabled]
  Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
  Traceback (most recent call last):
    File "/usr/share/gdb/auto-load/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19-gdb.py", line 63, in <module>
      from libstdcxx.v6.printers import register_libstdcxx_printers
  ImportError: No module named 'libstdcxx'
  *** Error in `/home/moshe/Downloads/ImageMagick-master/utilities/magick': double free or corruption (!prev): 0x0000000001780ec0 ***

  
  Program received signal SIGABRT, Aborted.
  -----------------------------------------------------------------------------------------------------------------------[regs]
    RAX: 0x0000000000000000  RBX: 0x0000000000000084  RCX: 0xFFFFFFFFFFFFFFFF  RDX: 0x0000000000000006  o d I t s z a P c 
    RSI: 0x0000000000007524  RDI: 0x0000000000007524  RBP: 0x00007FFFFFFF6560  RSP: 0x00007FFFFFFF61C8  RIP: 0x00007FFFF375CCC9
    R8 : 0x3063653038373130  R9 : 0x6F6974707572726F  R10: 0x0000000000000008  R11: 0x0000000000000206  R12: 0x00007FFFFFFF6370
    R13: 0x0000000000000007  R14: 0x0000000000000084  R15: 0x0000000000000007
    CS: 0033  DS: 0000  ES: 0000  FS: 0000  GS: 0000  SS: 002B			
  -----------------------------------------------------------------------------------------------------------------------[code]
  => 0x7ffff375ccc9 <__GI_raise+57>:	cmp    rax,0xfffffffffffff000
     0x7ffff375cccf <__GI_raise+63>:	ja     0x7ffff375ccea <__GI_raise+90>
     0x7ffff375ccd1 <__GI_raise+65>:	repz ret 
     0x7ffff375ccd3 <__GI_raise+67>:	nop    DWORD PTR [rax+rax*1+0x0]
     0x7ffff375ccd8 <__GI_raise+72>:	test   eax,eax
     0x7ffff375ccda <__GI_raise+74>:	jg     0x7ffff375ccb9 <__GI_raise+41>
     0x7ffff375ccdc <__GI_raise+76>:	mov    ecx,eax
     0x7ffff375ccde <__GI_raise+78>:	neg    ecx
  -----------------------------------------------------------------------------------------------------------------------------
  0x00007ffff375ccc9 in __GI_raise (sig=sig@entry=0x6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
  56	../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
  gdb$ bt
  #0  0x00007ffff375ccc9 in __GI_raise (sig=sig@entry=0x6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
  #1  0x00007ffff37600d8 in __GI_abort () at abort.c:89
  #2  0x00007ffff3799394 in __libc_message (do_abort=do_abort@entry=0x1, fmt=fmt@entry=0x7ffff38a7b28 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
  #3  0x00007ffff37a566e in malloc_printerr (ptr=<optimized out>, str=0x7ffff38a7c10 "double free or corruption (!prev)", action=0x1) at malloc.c:4996
  #4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0x0) at malloc.c:3840
  #5  0x000000000048db72 in RelinquishMagickMemory (memory=<optimized out>) at MagickCore/memory.c:967
  #6  0x00000000004456c9 in DestroyImage (image=image@entry=0x1793ff0) at MagickCore/image.c:1200
  #7  0x000000000045f6e4 in DeleteImageFromList (images=<synthetic pointer>) at MagickCore/list.c:298
  #8  DestroyImageList (images=0x0, images@entry=0x1793ff0) at MagickCore/list.c:451
  #9  0x0000000000991b20 in ReadTGAImage (image_info=<optimized out>, exception=0x1763f90) at coders/tga.c:221
  #10 0x0000000000c20414 in ReadImage (image_info=image_info@entry=0x1768350, exception=exception@entry=0x1763f90) at MagickCore/constitute.c:547
  #11 0x0000000000c23a6b in ReadImages (image_info=0x1764110, filename=0x175f1f0 "/home/moshe/Desktop/imagemagick_crashes/examine_more/sf_540cee04253030f363f7902b6edc732d-lpszam-0x00000000-minimized.tga", exception=0x1763f90) at MagickCore/constitute.c:846
  #12 0x0000000001302829 in CLINoImageOperator (cli_wand=cli_wand@entry=0x1761320, option=option@entry=0x138d002 "-read", arg1n=arg1n@entry=0x7fffffffe12f "/home/moshe/Desktop/imagemagick_crashes/examine_more/sf_540cee04253030f363f7902b6edc732d-lpszam-0x00000000-minimized.tga", arg2n=arg2n@entry=0x0) at MagickWand/operation.c:4654
  #13 0x0000000001305cb1 in CLIOption (cli_wand=cli_wand@entry=0x1761320, option=option@entry=0x138d002 "-read") at MagickWand/operation.c:5148
  #14 0x000000000110d833 in ProcessCommandOptions (cli_wand=cli_wand@entry=0x1761320, argc=argc@entry=0x3, argv=argv@entry=0x7fffffffdd68, index=index@entry=0x1) at MagickWand/magick-cli.c:421
  #15 0x000000000110f64f in MagickImageCommand (image_info=image_info@entry=0x1764110, argc=argc@entry=0x3, argv=argv@entry=0x7fffffffdd68, metadata=metadata@entry=0x0, exception=exception@entry=0x1763f90) at MagickWand/magick-cli.c:786
  #16 0x0000000001164ade in MagickCommandGenesis (image_info=image_info@entry=0x1764110, command=0x110e300 <MagickImageCommand>, argc=argc@entry=0x3, argv=argv@entry=0x7fffffffdd68, metadata=metadata@entry=0x0, exception=exception@entry=0x1763f90) at MagickWand/mogrify.c:172
  #17 0x000000000041238f in MagickMain (argv=0x7fffffffdd68, argc=0x3) at utilities/magick.c:74
  #18 main (argc=0x3, argv=0x7fffffffdd68) at utilities/magick.c:85



