Package: libmagickcore5 Version: 8:6.7.7.10-5+deb7u3 It looks like there is an invalid read when dealing with some PNG files. See the attached sample for details.
Steps: $ cd /tmp $ wget [...]/readpng.c $ wget [...]/018.png $ gcc -o readpng -I /usr/include/ImageMagick readpng.c -lMagickCore $ valgrind ./readpng ==14575== Memcheck, a memory error detector ==14575== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al. ==14575== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info ==14575== Command: ./readpng ==14575== ==14575== Use of uninitialised value of size 8 ==14575== at 0x531DEBB: _itoa_word (_itoa.c:195) ==14575== by 0x531FE96: vfprintf (vfprintf.c:1622) ==14575== by 0x53CA52F: __vsnprintf_chk (vsnprintf_chk.c:65) ==14575== by 0x4F5690A: FormatLocaleStringList (in /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0) ==14575== by 0x4F569F1: FormatLocaleString (in /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0) ==14575== by 0x98D3106: ??? (in /usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so) ==14575== by 0x98D4A37: ??? (in /usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so) ==14575== by 0x4EB970F: ReadImage (in /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0) ==14575== by 0x40078E: main (in /home/mathieu/tmp/flou/bin4/readpng) ==14575== ==14575== Conditional jump or move depends on uninitialised value(s) ==14575== at 0x531DEC5: _itoa_word (_itoa.c:195) ==14575== by 0x531FE96: vfprintf (vfprintf.c:1622) ==14575== by 0x53CA52F: __vsnprintf_chk (vsnprintf_chk.c:65) ==14575== by 0x4F5690A: FormatLocaleStringList (in /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0) ==14575== by 0x4F569F1: FormatLocaleString (in /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0) ==14575== by 0x98D3106: ??? (in /usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so) ==14575== by 0x98D4A37: ??? 
(in /usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so) ==14575== by 0x4EB970F: ReadImage (in /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0) ==14575== by 0x40078E: main (in /home/mathieu/tmp/flou/bin4/readpng) ==14575== ==14575== Conditional jump or move depends on uninitialised value(s) ==14575== at 0x531FFAA: vfprintf (vfprintf.c:1622) ==14575== by 0x53CA52F: __vsnprintf_chk (vsnprintf_chk.c:65) ==14575== by 0x4F5690A: FormatLocaleStringList (in /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0) ==14575== by 0x4F569F1: FormatLocaleString (in /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0) ==14575== by 0x98D3106: ??? (in /usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so) ==14575== by 0x98D4A37: ??? (in /usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so) ==14575== by 0x4EB970F: ReadImage (in /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0) ==14575== by 0x40078E: main (in /home/mathieu/tmp/flou/bin4/readpng) ==14575== ==14575== Conditional jump or move depends on uninitialised value(s) ==14575== at 0x531FFC8: vfprintf (vfprintf.c:1622) ==14575== by 0x53CA52F: __vsnprintf_chk (vsnprintf_chk.c:65) ==14575== by 0x4F5690A: FormatLocaleStringList (in /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0) ==14575== by 0x4F569F1: FormatLocaleString (in /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0) ==14575== by 0x98D3106: ??? (in /usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so) ==14575== by 0x98D4A37: ??? 
(in /usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so) ==14575== by 0x4EB970F: ReadImage (in /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0) ==14575== by 0x40078E: main (in /home/mathieu/tmp/flou/bin4/readpng) ==14575== ==14575== ==14575== HEAP SUMMARY: ==14575== in use at exit: 1,364,861 bytes in 786 blocks ==14575== total heap usage: 3,753 allocs, 2,967 frees, 5,529,461 bytes allocated ==14575== ==14575== LEAK SUMMARY: ==14575== definitely lost: 30,200 bytes in 4 blocks ==14575== indirectly lost: 22,804 bytes in 53 blocks ==14575== possibly lost: 1,280,000 bytes in 1 blocks ==14575== still reachable: 31,857 bytes in 728 blocks ==14575== suppressed: 0 bytes in 0 blocks ==14575== Rerun with --leak-check=full to see details of leaked memory ==14575== ==14575== For counts of detected and suppressed errors, rerun with: -v ==14575== Use --track-origins=yes to see where uninitialised values come from ==14575== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 6 from 6)
#include <string.h> #include <magick/api.h> int main(int argc,char **argv) { ExceptionInfo exception; Image *images; ImageInfo *image_info; GetExceptionInfo(&exception); image_info=CloneImageInfo((ImageInfo *) NULL); (void) strcpy(image_info->filename,"018.png"); images = ReadImage(image_info,&exception); return 0; }