[Bug 1448803] Re: Double free in coders/pict.c:2000
Launchpad Bug Tracker
1448803 at bugs.launchpad.net
Mon Jan 18 07:45:31 UTC 2016
This bug was fixed in the package imagemagick - 8:6.8.9.9-7
---------------
imagemagick (8:6.8.9.9-7) unstable; urgency=low
* Fix various minor security issues
- Fix an integer overflow that can lead to a buffer overrun
in the icon parsing code (LP: #1459747, closes: #806441)
- Fix an integer overflow that can lead to a double free in
pict parsing (LP: #1448803, closes: #806441).
- Memory Leak while handle psd file (closes: #811308)
http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=28791
- IM 6.9.2 crash with some PNG (closes: #811308, LP: #1492881)
http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=28466
- Null pointer access in magick/constitute.c (closes: #811308)
https://github.com/ImageMagick/ImageMagick/pull/34
- PixelColor off by one on i386 (closes: #811308)
https://github.com/ImageMagick/ImageMagick/issues/54
- Fixed other memory leaks (closes: #811308)
-- Vincent Fourmond <fourmond at debian.org> Sun, 17 Jan 2016 21:18:19
+0100
** Changed in: imagemagick (Ubuntu)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to imagemagick in Ubuntu.
https://bugs.launchpad.net/bugs/1448803
Title:
Double free in coders/pict.c:2000
Status in imagemagick package in Ubuntu:
Fix Released
Bug description:
Running: convert pict_double_free.pict /dev/null
Program received signal SIGABRT, Aborted.
Stack Trace:
--------------------------------------------------------------------------------
0xb7fdbbe0 in __kernel_vsyscall ()
gdb$ bt
#0 0xffffffff in __kernel_vsyscall ()
#1 0xffffffff in __GI_raise (sig=0x6) at ../sysdeps/unix/sysv/linux/raise.c:55
#2 0xffffffff in __GI_abort () at abort.c:89
#3 0xffffffff in __libc_message (do_abort=0x1, fmt=0xb78bc444 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#4 0xffffffff in malloc_printerr (action=<optimized out>, str=0xb78bc4fc "double free or corruption (out)", ptr=0x8092f20) at malloc.c:4965
#5 0xffffffff in _int_free (av=0xb790f840 <main_arena>, p=<optimized out>, have_lock=0x0) at malloc.c:3834
#6 0xffffffff in RelinquishMagickMemory (memory=0x8092f20) at magick/memory.c:956
#7 0xffffffff in WritePICTImage (image_info=0x807fc28, image=0x807fc28) at coders/pict.c:2000
#8 0xffffffff in WriteImage (image_info=0x1, image=0x807fc28) at magick/constitute.c:1184
#9 0xffffffff in WriteImages (image_info=0x0, images=0x807fc28, filename=0x0, exception=0x80538d8) at magick/constitute.c:1327
#10 0xffffffff in ConvertImageCommand (image_info=0x8082df0, argc=0x3, argv=0x8054ce8, metadata=0x0, exception=0x80538d8) at wand/convert.c:3215
#11 0xffffffff in MagickCommandGenesis (image_info=0x8056248, command=0x8048620 <ConvertImageCommand at plt>, argc=0x3, argv=0xbffff024, metadata=0x0, exception=0x80538d8) at wand/mogrify.c:168
#12 0x080486ec in main (argv=0xbffff024, argc=<optimized out>) at utilities/convert.c:81
#13 0x080486ec in main (argc=0x3, argv=0xbffff024) at utilities/convert.c:92
gdb$
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1448803/+subscriptions
More information about the foundations-bugs
mailing list