On Mon, Feb 23, 2015 at 4:40 PM, Mathieu Malaterre <[email protected]> wrote:
> Package: libmagickcore5
> Version: 8:6.7.7.10-5+deb7u3
>
> Looks like there is an invalid read when dealing with some PNG files.
> See attached sample for info.

Could you test the version that has been pending in the security queue for four months? Under git it is the branch from upstream debian-patches/6.7.7.10-5+deb7u4. Could you also test 8:6.8.9.9-5?

Thanks,
Bastien

> Steps:
>
> $ cd /tmp
> $ wget [...]/readpng.c
> $ wget [...]/018.png
> $ gcc -o readpng -I /usr/include/ImageMagick readpng.c -lMagickCore
> $ valgrind ./readpng
> ==14575== Memcheck, a memory error detector
> ==14575== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
> ==14575== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
> ==14575== Command: ./readpng
> ==14575==
> ==14575== Use of uninitialised value of size 8
> ==14575==    at 0x531DEBB: _itoa_word (_itoa.c:195)
> ==14575==    by 0x531FE96: vfprintf (vfprintf.c:1622)
> ==14575==    by 0x53CA52F: __vsnprintf_chk (vsnprintf_chk.c:65)
> ==14575==    by 0x4F5690A: FormatLocaleStringList (in /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
> ==14575==    by 0x4F569F1: FormatLocaleString (in /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
> ==14575==    by 0x98D3106: ??? (in /usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so)
> ==14575==    by 0x98D4A37: ??? (in /usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so)
> ==14575==    by 0x4EB970F: ReadImage (in /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
> ==14575==    by 0x40078E: main (in /home/mathieu/tmp/flou/bin4/readpng)
> ==14575==
> ==14575== Conditional jump or move depends on uninitialised value(s)
> ==14575==    at 0x531DEC5: _itoa_word (_itoa.c:195)
> ==14575==    by 0x531FE96: vfprintf (vfprintf.c:1622)
> ==14575==    by 0x53CA52F: __vsnprintf_chk (vsnprintf_chk.c:65)
> ==14575==    by 0x4F5690A: FormatLocaleStringList (in /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
> ==14575==    by 0x4F569F1: FormatLocaleString (in /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
> ==14575==    by 0x98D3106: ??? (in /usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so)
> ==14575==    by 0x98D4A37: ??? (in /usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so)
> ==14575==    by 0x4EB970F: ReadImage (in /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
> ==14575==    by 0x40078E: main (in /home/mathieu/tmp/flou/bin4/readpng)
> ==14575==
> ==14575== Conditional jump or move depends on uninitialised value(s)
> ==14575==    at 0x531FFAA: vfprintf (vfprintf.c:1622)
> ==14575==    by 0x53CA52F: __vsnprintf_chk (vsnprintf_chk.c:65)
> ==14575==    by 0x4F5690A: FormatLocaleStringList (in /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
> ==14575==    by 0x4F569F1: FormatLocaleString (in /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
> ==14575==    by 0x98D3106: ??? (in /usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so)
> ==14575==    by 0x98D4A37: ??? (in /usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so)
> ==14575==    by 0x4EB970F: ReadImage (in /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
> ==14575==    by 0x40078E: main (in /home/mathieu/tmp/flou/bin4/readpng)
> ==14575==
> ==14575== Conditional jump or move depends on uninitialised value(s)
> ==14575==    at 0x531FFC8: vfprintf (vfprintf.c:1622)
> ==14575==    by 0x53CA52F: __vsnprintf_chk (vsnprintf_chk.c:65)
> ==14575==    by 0x4F5690A: FormatLocaleStringList (in /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
> ==14575==    by 0x4F569F1: FormatLocaleString (in /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
> ==14575==    by 0x98D3106: ??? (in /usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so)
> ==14575==    by 0x98D4A37: ??? (in /usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so)
> ==14575==    by 0x4EB970F: ReadImage (in /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
> ==14575==    by 0x40078E: main (in /home/mathieu/tmp/flou/bin4/readpng)
> ==14575==
> ==14575==
> ==14575== HEAP SUMMARY:
> ==14575==     in use at exit: 1,364,861 bytes in 786 blocks
> ==14575==   total heap usage: 3,753 allocs, 2,967 frees, 5,529,461 bytes allocated
> ==14575==
> ==14575== LEAK SUMMARY:
> ==14575==    definitely lost: 30,200 bytes in 4 blocks
> ==14575==    indirectly lost: 22,804 bytes in 53 blocks
> ==14575==      possibly lost: 1,280,000 bytes in 1 blocks
> ==14575==    still reachable: 31,857 bytes in 728 blocks
> ==14575==         suppressed: 0 bytes in 0 blocks
> ==14575== Rerun with --leak-check=full to see details of leaked memory
> ==14575==
> ==14575== For counts of detected and suppressed errors, rerun with: -v
> ==14575== Use --track-origins=yes to see where uninitialised values come from
> ==14575== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 6 from 6)
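When the pending branch and 8:6.8.9.9-5 are rebuilt and the reproducer is rerun under valgrind, the useful outcome is a machine-checkable answer: did the memcheck errors inside the PNG coder go away? The helper below is an added example, not code from the bug report or from ImageMagick or Debian. It parses memcheck text like the trace above into structured errors, reports for each error the first frame that lives in a chosen module (png.so by default, so the coder responsible for the uninitialised value passed to FormatLocaleString is named), and exposes a clean/not-clean verdict from the ERROR SUMMARY line that a test script can gate on. The embedded log is an abridged excerpt of the quoted trace; the function names parse_memcheck, triage and is_clean are my own.

```python
import re
from dataclasses import dataclass, field

# Abridged excerpt of the memcheck output quoted in the report above,
# embedded so the example runs offline (two of the four errors plus the summary).
SAMPLE_LOG = """\
==14575== Memcheck, a memory error detector
==14575== Command: ./readpng
==14575==
==14575== Use of uninitialised value of size 8
==14575==    at 0x531DEBB: _itoa_word (_itoa.c:195)
==14575==    by 0x531FE96: vfprintf (vfprintf.c:1622)
==14575==    by 0x53CA52F: __vsnprintf_chk (vsnprintf_chk.c:65)
==14575==    by 0x4F5690A: FormatLocaleStringList (in /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
==14575==    by 0x4F569F1: FormatLocaleString (in /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
==14575==    by 0x98D3106: ??? (in /usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so)
==14575==    by 0x98D4A37: ??? (in /usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so)
==14575==    by 0x4EB970F: ReadImage (in /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
==14575==    by 0x40078E: main (in /home/mathieu/tmp/flou/bin4/readpng)
==14575==
==14575== Conditional jump or move depends on uninitialised value(s)
==14575==    at 0x531DEC5: _itoa_word (_itoa.c:195)
==14575==    by 0x531FE96: vfprintf (vfprintf.c:1622)
==14575==    by 0x98D3106: ??? (in /usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/modules-Q16/coders/png.so)
==14575==    by 0x4EB970F: ReadImage (in /usr/lib/x86_64-linux-gnu/libMagickCore.so.5.0.0)
==14575==
==14575== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 6 from 6)
"""

# Memcheck prefixes every line with ==<pid>==; frames look like
# "   at 0x...: func (file:line)" or "   by 0x...: func (in /path/lib.so)".
PID_RE = re.compile(r"^==\d+== ?(.*)$")
FRAME_RE = re.compile(r"^\s*(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.*)\)$")
SUMMARY_RE = re.compile(r"^ERROR SUMMARY: (\d+) errors from (\d+) contexts")
# Error headers this helper recognises (the report shows the first two kinds).
ERROR_KINDS = (
    "Use of uninitialised value",
    "Conditional jump or move depends on uninitialised value",
    "Invalid read",
    "Invalid write",
)


@dataclass
class Frame:
    function: str   # symbol name, or "???" when the module has no symbols
    location: str   # "file:line" or "in /path/to/object"


@dataclass
class MemcheckError:
    kind: str
    frames: list = field(default_factory=list)

    def first_frame_in(self, module_substring):
        """Innermost frame whose location mentions the given module, else None."""
        for frame in self.frames:
            if module_substring in frame.location:
                return frame
        return None


def parse_memcheck(text):
    """Return (list of MemcheckError, (errors, contexts) from ERROR SUMMARY or None)."""
    errors, summary, current = [], None, None
    for raw in text.splitlines():
        match = PID_RE.match(raw)
        if not match:
            continue                      # not a memcheck line (program output)
        body = match.group(1)
        if not body.strip():
            current = None                # blank ==pid== line ends an error block
            continue
        found = SUMMARY_RE.match(body)
        if found:
            summary = (int(found.group(1)), int(found.group(2)))
            current = None
            continue
        frame = FRAME_RE.match(body)
        if frame and current is not None:
            current.frames.append(Frame(frame.group(1), frame.group(2)))
            continue
        if any(body.startswith(kind) for kind in ERROR_KINDS):
            current = MemcheckError(kind=body)
            errors.append(current)
    return errors, summary


def triage(text, module="png.so"):
    """List (error kind, first function/location inside `module`) per error."""
    errors, _ = parse_memcheck(text)
    rows = []
    for err in errors:
        frame = err.first_frame_in(module)
        rows.append((err.kind, frame.function if frame else None,
                     frame.location if frame else None))
    return rows


def is_clean(text):
    """True only when the run produced an ERROR SUMMARY with zero errors."""
    _, summary = parse_memcheck(text)
    return summary is not None and summary[0] == 0


if __name__ == "__main__":
    for kind, func, loc in triage(SAMPLE_LOG):
        print(f"{kind}: reached via {func} ({loc})")
    print("clean:", is_clean(SAMPLE_LOG))
```

To gate a rebuild, feed it the output of `valgrind --track-origins=yes ./readpng` (the flag the summary itself recommends) and fail the test when is_clean returns False; triage then tells you whether any remaining error still passes through the PNG coder or has moved elsewhere.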

