Fuzz testing ImageMagick conjure

version

Version: ImageMagick 7.0.3-5 Q16 x86_64 2016-11-02 http://www.imagemagick.org
Copyright: Copyright (C) 1999-2016 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI
Delegates (built-in): bzlib djvu fftw fontconfig freetype gvc jbig jng jpeg lcms lqr lzma openexr png tiff webp wmf x xml zlib

system

dist: Ubuntu 16.04 xenial
linux_distribution: Ubuntu 16.04 xenial
system: Linux
machine: x86_64
platform: Linux-4.4.0-43-generic-x86_64-with-Ubuntu-16.04-xenial
uname: Linux ubuntu-xenial 4.4.0-43-generic #63-Ubuntu SMP Wed Oct 12 13:48:03 UTC 2016 x86_64 x86_64
version: #63-Ubuntu SMP Wed Oct 12 13:48:03 UTC 2016

command

conjure -dimensions 10x10 <filename>

Summary report

SIGSEGV, Segmentation fault: 6 (crash files id:000000 through id:000005, all in CopyMagickString with source=0x0)

filename: id:000000,sig:06,src:000000,op:havoc,rep:4

file content

0000  3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31  |<?xml version="1|
0010  2E 30 22 20 65 6E 63 6F 64 69 6E 67 3D 22 55 54  |.0" encoding="UT|
0020  46 2D 38 22 3F 3E 3C 69 6D 61 67 65 20 73 69 7A  |F-8"?><image siz|
0030  65 3D 22 34 30 30 78 34 30 30 22 20 3E 3C 72 65  |e="400x400" ><re|
0040  61 64 20 66 69 6C 65 6E 61 6D 65 3D 22 69 6D 61  |ad filename="ima|
0050  67 65 2E 62 61 73 65 2D 68 65 69 67 68 74 5D 20  |ge.base-height] |
0060  74 6F 20 25 5B 77 69 64 74 67 69 66 22 20 2F 3E  |to %[widtgif" />|
0070  3C 67 65 74 20 77 3D 22 62 61 74 22 20 2F 3E 3C  |<get w="bat" /><|
0080  72 65 73 69 7A 65 20 67 65 6F 6D 65 74 72 79 3D  |resize geometry=|
0090  22 56 56 56 56 56 56 56 56 56 56 56 56 56 20 77  |"VVVVVVVVVVVVV w|
00A0  69 64 74 68 3D 22 77 69 64 74 68 22 20 68 65 69  |idth="width" hei|
00B0  67 68 74 3D 22 68 65 69 67 68 20 2F 3E 3C 70 72  |ght="heigh /><pr|
00C0  69 6E 74 20 6F 75 74 70 75 74 3D 22 7A 65 64 20  |int output="zed |
00D0  66 72 6F 6D 20 25 5B 62 61 73 65 2D 77 69 64 74  |from %[base-widt|
00E0  68 5D 78 25 5B 62 61 73 65 2D 68 65 69 67 68 74  |h]x%[base-height|
00F0  5D 20 74 6F 20 25 5B 77 69 64 74 68 5D 78 25 5B  |] to %[width]x%[|
0100  68 65 69 67 68 74 5D 2E 5C 6E 22 20 2F 3E 3C 77  |height].\n" /><w|
0110  72 69 74 65 20 66 69 6C 65 6E 50 6D 65 3D 22 69  |rite filenPme="i|
0120  6D 61 67 65 2E 70 6E 67 22 20 2F 3E 3C 2F 69 6D  |mage.png" /></im|
0130  61 67 65 3E 0A -- -- -- -- -- -- -- -- -- -- --  |age>.           |

gdb output

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000004a32f4 in CopyMagickString (destination=0x1027f20 "/tmp/findings.conjure//crashes/id:000000,sig:06,src:000000,op:havoc,rep:4", source=0x0, length=4096) at MagickCore/string.c:761
761	    *q=(*p++);

filename: id:000001,sig:06,src:000000,op:havoc,rep:4

file content

0000  3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31  |<?xml version="1|
0010  2E 30 22 20 65 6E 63 6F 64 69 6E 67 3D 22 55 54  |.0" encoding="UT|
0020  46 2D 38 22 3F 3E 3C 69 6D 61 67 65 20 73 69 7A  |F-8"?><image siz|
0030  65 3D 22 34 30 30 78 34 30 30 22 20 3E 3C 72 65  |e="400x400" ><re|
0040  61 64 20 66 69 6C 65 6E 61 6D 65 3D 22 20 66 69  |ad filename=" fi|
0050  6C 65 6E 61 69 6E 67 2D 77 69 64 74 68 5D 78 25  |lenaing-width]x%|
0060  5B 62 61 73 74 22 20 2F 3E 3C 72 65 73 69 7A 65  |[bast" /><resize|
0070  20 67 65 6F 6D 65 74 72 79 3D 22 25 5B 64 69 6D  | geometry="%[dim|
0080  22 20 2F 3E 3C 67 65 74 20 77 69 64 74 68 3D 22  |" /><get width="|
0090  77 69 64 74 68 22 20 68 65 69 67 68 74 3D 22 68  |width" height="h|
00A0  65 69 67 68 74 22 20 2F 3E 3C 70 72 69 6E 74 20  |eight" /><print |
00B0  6F 75 74 70 75 74 3D 22 7A 65 64 20 66 72 6F 65  |output="zed froe|
00C0  6E 63 6F 64 69 6E 67 2D 77 69 64 74 68 5D 78 25  |ncoding-width]x%|
00D0  5B 62 61 73 65 2D 68 65 69 67 68 74 5D 20 74 6F  |[base-height] to|
00E0  80 00 00 00 69 64 74 68 5D 78 25 5B 68 65 69 67  |....idth]x%[heig|
00F0  68 74 5D 2E 5C 6E 22 20 2F 3E 3C 77 72 69 74 65  |ht].\n" /><write|
0100  20 66 69 6C 65 6E 61 6D 65 3D 22 69 6D 61 67 65  | filename="image|
0110  2E 70 6E 67 22 20 2F 3E 3C 2F 69 6D 61 67 65 3E  |.png" /></image>|
0120  0A -- -- -- -- -- -- -- -- -- -- -- -- -- -- --  |.               |

gdb output

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000004a32f4 in CopyMagickString (destination=0x1027f20 "/tmp/findings.conjure//crashes/id:000001,sig:06,src:000000,op:havoc,rep:4", source=0x0, length=4096) at MagickCore/string.c:761
761	    *q=(*p++);

filename: id:000002,sig:06,src:000000,op:havoc,rep:2

file content

0000  3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31  |<?xml version="1|
0010  2E 30 22 20 65 6E 63 6F 64 69 6E 67 3D 22 55 54  |.0" encoding="UT|
0020  46 2D 38 22 3F 3E 3C 69 6D 61 67 65 20 73 69 7A  |F-8"?><image siz|
0030  65 3D 22 34 30 30 78 34 30 30 22 20 3E 3C 72 65  |e="400x400" ><re|
0040  61 64 20 66 69 6C 65 6E 61 6D 65 3D 22 69 6D 61  |ad filename="ima|
0050  67 25 5B 62 61 73 65 2D 68 65 69 67 68 74 5D 20  |g%[base-height] |
0060  74 6F 20 25 5B 77 69 64 74 68 5D 78 25 5B 65 2E  |to %[width]x%[e.|
0070  67 69 66 22 20 2F 3E 3C 67 65 74 20 77 3D 22 62  |gif" /><get w="b|
0080  61 74 22 20 2F 3E 3C 72 65 73 69 7A 65 20 67 65  |at" /><resize ge|
0090  6F 6D 65 74 72 79 3D 22 25 5B 64 69 6D 22 20 22  |ometry="%[dim" "|
00A0  68 65 69 67 68 74 22 20 2F 3E 3C 70 72 69 6E 74  |height" /><print|
00B0  20 6F 75 74 70 75 74 3D 22 7A 65 64 20 66 72 6F  | output="zed fro|
00C0  6D 20 25 5B 62 61 73 65 2D 77 69 64 74 68 5D 78  |m %[base-width]x|
00D0  25 5B 62 61 73 65 2D 68 65 69 67 68 74 5D 20 74  |%[base-height] t|
00E0  6F 20 25 5B 77 69 64 74 68 5D 78 25 5B 68 65 69  |o %[width]x%[hei|
00F0  67 68 74 5D 2E 5C 6E 22 20 2F 3E 3C 77 72 69 74  |ght].\n" /><writ|
0100  65 20 66 69 6C 65 6E 61 6D 65 3D 22 69 6D 61 67  |e filename="imag|
0110  65 2E 70 6E 67 22 20 2F 3E 3C 2F 69 6D 61 67 65  |e.png" /></image|
0120  3E 0A -- -- -- -- -- -- -- -- -- -- -- -- -- --  |>.              |

gdb output

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000004a32f4 in CopyMagickString (destination=0x1027f20 "/tmp/findings.conjure//crashes/id:000002,sig:06,src:000000,op:havoc,rep:2", source=0x0, length=4096) at MagickCore/string.c:761
761	    *q=(*p++);

filename: id:000003,sig:06,src:000000,op:havoc,rep:4

file content

0000  3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31  |<?xml version="1|
0010  2E 30 22 20 65 6E 63 6F 64 69 6E 67 3D 22 55 54  |.0" encoding="UT|
0020  46 2D 38 22 3F 3E 3C 69 6D 61 67 65 20 73 69 7A  |F-8"?><image siz|
0030  65 3D 22 34 30 42 78 34 30 30 22 20 3E 3C 72 65  |e="40Bx400" ><re|
0040  61 64 20 66 69 6C 65 6E 61 6D 65 3D 22 69 6D 61  |ad filename="ima|
0050  67 65 2E 67 25 5B 62 61 73 65 2D 77 69 64 74 68  |ge.g%[base-width|
0060  5D 78 25 5B 62 61 69 66 22 20 2F 3E 3C 67 65 74  |]x%[baif" /><get|
0070  20 77 3D 22 62 61 74 22 20 2F 3E 3C 72 65 73 69  | w="bat" /><resi|
0080  6A 65 20 67 65 6F 6D 65 74 72 79 3D 22 25 5B 64  |je geometry="%[d|
0090  69 6D 22 20 2F 3E 3C 67 65 74 20 77 69 64 74 68  |im" /><get width|
00A0  3D 22 77 69 64 74 68 22 20 68 65 69 67 68 74 3D  |="width" height=|
00B0  22 68 65 69 67 68 74 22 20 2F 3E 3C 70 72 69 6E  |"height" /><prin|
00C0  74 20 6F 75 74 70 75 74 3D 22 7A 65 64 20 66 72  |t output="zed fr|
00D0  6F 6D 20 25 5B 62 61 73 65 2D 77 69 64 74 68 5D  |om %[base-width]|
00E0  78 25 5B 62 61 73 65 2D 68 65 69 67 68 74 5D 20  |x%[base-height] |
00F0  74 6F 20 25 5B 77 69 64 74 68 5D 78 25 5B 68 65  |to %[width]x%[he|
0100  69 67 68 74 5D 2E 5C 6E 22 20 2F 3E 3C 77 72 69  |ight].\n" /><wri|
0110  74 65 20 66 69 6C 65 6E 61 6D 65 3D 22 69 6D 61  |te filename="ima|
0120  67 65 2E 65 69 67 68 74 2F 3E 3C 2F 69 6D 61 67  |ge.eight/></imag|
0130  65 3E 0A -- -- -- -- -- -- -- -- -- -- -- -- --  |e>.             |

gdb output

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000004a32f4 in CopyMagickString (destination=0x1027f20 "/tmp/findings.conjure//crashes/id:000003,sig:06,src:000000,op:havoc,rep:4", source=0x0, length=4096) at MagickCore/string.c:761
761	    *q=(*p++);

filename: id:000004,sig:06,src:000026,op:havoc,rep:2

file content

0000  3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31  |<?xml version="1|
0010  2E 30 22 20 65 6E 63 6F 64 69 6E 67 3D 22 55 54  |.0" encoding="UT|
0020  46 2D 38 22 3F 3E 3C 69 6D 61 67 65 20 63 69 7A  |F-8"?><image ciz|
0030  65 3D 22 34 30 30 78 34 30 30 22 20 3E 3C 72 65  |e="400x400" ><re|
0040  61 64 20 66 69 6C 65 6E 61 6D 65 3D 22 69 65 2D  |ad filename="ie-|
0050  68 65 69 67 68 74 5D 20 74 6F 20 25 5B 77 69 64  |height] to %[wid|
0060  74 68 5D 78 25 5B 6D 61 67 65 2E 67 69 66 22 20  |th]x%[mage.gif" |
0070  2F 3E 3C 67 65 74 20 77 3D 22 62 61 74 22 20 2F  |/><get w="bat" /|
0080  3E 3C 72 65 73 69 7A 65 20 67 65 6F 6D 65 74 72  |><resize geometr|
0090  79 3D 22 25 5B 64 69 6D 22 20 2F 3E 3C 67 65 74  |y="%[dim" /><get|
00A0  20 77 69 64 74 68 3D 22 77 69 64 74 68 22 20 68  | width="width" h|
00B0  65 69 67 68 74 3D 22 68 65 69 67 68 74 22 20 2F  |eight="height" /|
00C0  3E 3C 70 72 69 6E 74 20 6F 75 74 70 75 74 3D 22  |><print output="|
00D0  7A 65 64 20 66 72 6F 6D 20 25 5B 62 61 73 65 2D  |zed from %[base-|
00E0  77 69 64 74 68 5D 78 25 5B 62 61 73 65 2D 68 65  |width]x%[base-he|
00F0  69 67 68 74 5D 20 74 6F 20 25 5B 77 69 64 74 68  |ight] to %[width|
0100  5D 78 25 5B 68 65 69 67 68 74 5D 2E 5C 6E 22 20  |]x%[height].\n" |
0110  2F 3E 3C 77 72 69 74 65 20 66 69 6C 65 6E 61 6D  |/><write filenam|
0120  65 3D 22 69 6D 61 67 65 2E 70 6E 67 22 20 2F 3E  |e="image.png" />|
0130  3C 2F 69 6D 61 67 65 3E 0A -- -- -- -- -- -- --  |</image>.       |

gdb output

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000004a32f4 in CopyMagickString (destination=0x1027f20 "/tmp/findings.conjure//crashes/id:000004,sig:06,src:000026,op:havoc,rep:2", source=0x0, length=4096) at MagickCore/string.c:761
761	    *q=(*p++);

filename: id:000005,sig:06,src:000108,op:havoc,rep:4

file content

0000  3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31  |<?xml version="1|
0010  2E 30 22 20 65 6E 63 6F 64 69 6E 67 3D 22 55 54  |.0" encoding="UT|
0020  46 2D 38 22 3F 3E 3C 69 6D 61 67 65 20 73 69 7A  |F-8"?><image siz|
0030  65 3D 22 34 30 30 78 34 30 30 22 20 3E 3C 72 65  |e="400x400" ><re|
0040  61 64 20 66 69 6C 65 6E 61 6D 65 3D 22 69 6D 61  |ad filename="ima|
0050  67 65 2E 67 69 66 20 66 72 6F 6D 20 25 5B 72 61  |ge.gif from %[ra|
0060  73 65 2D 77 69 64 74 68 5D 78 25 5B 62 22 20 2F  |se-width]x%[b" /|
0070  3E 3C 67 65 74 20 77 3D 22 62 61 74 22 20 2F 3E  |><get w="bat" />|
0080  3C 72 65 73 69 7A 65 20 67 65 6F 6D 65 74 72 79  |<resize geometry|
0090  3D 22 25 5B 64 69 6D 22 20 2F 3E 3C 67 65 74 20  |="%[dim" /><get |
00A0  77 69 64 74 68 3D 22 77 69 64 74 68 22 20 68 65  |width="width" he|
00B0  69 67 68 74 3D 22 68 65 69 67 68 74 22 20 2F 3E  |ight="height" />|
00C0  3C 70 72 69 6E 74 20 6F 75 74 70 75 74 3D 22 7A  |<print output="z|
00D0  65 64 20 66 72 6F 6D 20 25 5B 72 61 73 65 2D 77  |ed from %[rase-w|
00E0  69 64 74 68 5D 78 25 5B 62 61 73 65 2D 68 65 69  |idth]x%[base-hei|
00F0  67 68 74 5D 20 74 6F 20 25 5B 77 69 64 74 68 5D  |ght] to %[width]|
0100  78 25 5B 68 65 40 00 68 00 5D 2E 5C 6E 22 20 2F  |x%[he@.h.].\n" /|
0110  3E 3C 77 72 69 74 65 20 66 69 6C 65 6E 61 6D 65  |><write filename|
0120  3D 22 69 6D 61 67 65 2E 70 6E 67 22 20 2F 3E 3C  |="image.png" /><|
0130  2F 69 6D 61 67 65 3E 0A -- -- -- -- -- -- -- --  |/image>.        |

gdb output

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000004a32f4 in CopyMagickString (destination=0x1027f20 "/tmp/findings.conjure//crashes/id:000005,sig:06,src:000108,op:havoc,rep:4", source=0x0, length=4096) at MagickCore/string.c:761
761	    *q=(*p++);
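Every trace above faults in the same place: a bounded string copy is handed source=0x0 and dereferences it on the first iteration (`*q=(*p++)`). The page does not show which MSL element produced the NULL, but the mutated files make the general pattern obvious: attribute names and values are mangled (for example `filenPme=` in the first crash file's `<write>` element), so a lookup that expects a value can come back empty. The C below is an added illustration, not ImageMagick's code: `copy_string_unchecked` mirrors the crashing copy loop, `copy_string_safe` is a hardened wrapper that treats a NULL source as the empty string, and `attr_lookup` / `handle_read_element` are a constructed stand-in for an MSL element whose attribute may be missing. All names, the attribute list layout and the return-value convention are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded copy written for this example (not ImageMagick's
 * CopyMagickString). Copies at most length-1 bytes and always NUL-terminates.
 * Like the frame in the gdb traces, it reads *source on the first iteration,
 * so a NULL source is undefined behaviour and in practice a SIGSEGV. */
size_t copy_string_unchecked(char *destination, const char *source, size_t length)
{
    const char *p = source;
    char *q = destination;
    size_t n;

    if (length == 0)
        return 0;
    for (n = 1; n < length; n++) {
        *q = *p++;                /* dereferences p even when source == NULL */
        if (*q == '\0')
            return n - 1;         /* bytes copied, excluding the terminator */
        q++;
    }
    *q = '\0';                    /* source longer than the buffer: truncate */
    return length - 1;
}

/* Hardened variant: a missing (NULL) source yields an empty destination and a
 * zero length instead of a crash; a NULL destination or zero length is a no-op. */
size_t copy_string_safe(char *destination, const char *source, size_t length)
{
    if (destination == NULL || length == 0)
        return 0;
    if (source == NULL) {
        destination[0] = '\0';
        return 0;
    }
    return copy_string_unchecked(destination, source, length);
}

/* Constructed stand-in for the attributes of an MSL element such as
 * <read filename="..."/>: a flat name/value list, where a mutated script may
 * simply not contain the attribute the handler expects. */
struct attr { const char *name; const char *value; };

const char *attr_lookup(const struct attr *attrs, size_t count, const char *name)
{
    for (size_t i = 0; i < count; i++)
        if (strcmp(attrs[i].name, name) == 0)
            return attrs[i].value;
    return NULL;                  /* absent attribute: the NULL that reaches the copy */
}

/* Handles the element the way a parser should: look the attribute up and copy
 * it through the NULL-tolerant helper. Returns the number of bytes copied. */
size_t handle_read_element(const struct attr *attrs, size_t count,
                           char *filename_buf, size_t buf_len)
{
    const char *value = attr_lookup(attrs, count, "filename");
    return copy_string_safe(filename_buf, value, buf_len);
}

int main(void)
{
    char buf[32];
    /* Constructed inputs: a well-formed element, and one whose attribute name
     * was mangled the way "filenPme" is in the first crash file. */
    struct attr good[]    = { { "filename", "image.gif" } };
    struct attr mangled[] = { { "filenPme", "image.png" } };

    size_t n1 = handle_read_element(good, 1, buf, sizeof buf);
    printf("good:    len=%zu value=\"%s\"\n", n1, buf);
    size_t n2 = handle_read_element(mangled, 1, buf, sizeof buf);
    printf("mangled: len=%zu value=\"%s\"\n", n2, buf);
    return 0;
}
```

The mangled case is the one the fuzzer keeps hitting: with the unchecked copy it is a NULL dereference at the first byte, with the wrapper it degrades to an empty filename that the caller can reject with a normal error. Checking the source pointer at the copy is cheap; checking it at every call site is what gets missed when an attribute is assumed to be present.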

This issue was reported to ImageMagick and was fixed quickly; see http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30797