Version : ImageMagick 7.0.7-4 Q16 x86_64 2017-09-22 http://www.imagemagick.org
To reproduce this bug, build ImageMagick and Freetype2 with ASAN.
Add a crafted font entry to ~/.config/ImageMagick/type.xml:
<type
  format="ttf"
  name="test"
  fullname="Z003 Medium Italic"
  family="Z003"
  glyphs="/root/out/crashes/test.ttf"
/>
The crafted font file: https://github.com/noirfate/test/blob/master/test1.ttf
After adding the crafted font, run:
magick -background lightblue -fill blue -font test -size 480x360 caption:hello world 1.gif
ASAN reports:
==3531==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000092a0 at pc 0x7f31ab1cc934 bp 0x7ffd03c83330 sp 0x7ffd03c83328
READ of size 8 at 0x6080000092a0 thread T0
#0 0x7f31ab1cc933 in FT_Done_Glyph /root/dep_src/freetype2/src/base/ftglyph.c:637:46
#1 0x7f31ac530d4c in RenderFreetype /root/dep_src/ImageMagick-master/MagickCore/annotate.c:1797:7
#2 0x7f31ac529114 in RenderType /root/dep_src/ImageMagick-master/MagickCore/annotate.c:1027:10
#3 0x7f31ac527944 in GetTypeMetrics /root/dep_src/ImageMagick-master/MagickCore/annotate.c:906:10
#4 0x7f31ac52aa77 in FormatMagickCaption /root/dep_src/ImageMagick-master/MagickCore/annotate.c:627:12
#5 0x7f31ac99ea52 in ReadCAPTIONImage /root/dep_src/ImageMagick-master/coders/caption.c:221:11
#6 0x7f31ac5c8688 in ReadImage /root/dep_src/ImageMagick-master/MagickCore/constitute.c:497:13
#7 0x7f31ac5cad54 in ReadImages /root/dep_src/ImageMagick-master/MagickCore/constitute.c:866:9
#8 0x7f31abf87ad9 in CLINoImageOperator /root/dep_src/ImageMagick-master/MagickWand/operation.c:4760:22
#9 0x7f31abf8a1fc in CLIOption /root/dep_src/ImageMagick-master/MagickWand/operation.c:5255:7
#10 0x7f31abe84577 in ProcessCommandOptions /root/dep_src/ImageMagick-master/MagickWand/magick-cli.c:424:13
#11 0x7f31abe853e0 in MagickImageCommand /root/dep_src/ImageMagick-master/MagickWand/magick-cli.c:794:5
#12 0x7f31abeb7ad7 in MagickCommandGenesis /root/dep_src/ImageMagick-master/MagickWand/mogrify.c:183:14
#13 0x4ee16d in MagickMain /root/dep_src/ImageMagick-master/utilities/magick.c:149:10
#14 0x4ee16d in main /root/dep_src/ImageMagick-master/utilities/magick.c:180
#15 0x7f31a30f482f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
#16 0x41a2d8 in _start (/root/deps/bin/magick+0x41a2d8)
0x6080000092a0 is located 0 bytes inside of 88-byte region [0x6080000092a0,0x6080000092f8)
freed by thread T0 here:
#0 0x4c0c8b in __interceptor_free /home/snd-local/releases/4.0.1/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
#1 0x7f31ac530ad0 in RenderFreetype /root/dep_src/ImageMagick-master/MagickCore/annotate.c:1772:5
#2 0x7f31ac529114 in RenderType /root/dep_src/ImageMagick-master/MagickCore/annotate.c:1027:10
#3 0x7f31ac527944 in GetTypeMetrics /root/dep_src/ImageMagick-master/MagickCore/annotate.c:906:10
#4 0x7f31ac52aa77 in FormatMagickCaption /root/dep_src/ImageMagick-master/MagickCore/annotate.c:627:12
#5 0x7f31ac99ea52 in ReadCAPTIONImage /root/dep_src/ImageMagick-master/coders/caption.c:221:11
#6 0x7f31ac5c8688 in ReadImage /root/dep_src/ImageMagick-master/MagickCore/constitute.c:497:13
#7 0x7f31ac5cad54 in ReadImages /root/dep_src/ImageMagick-master/MagickCore/constitute.c:866:9
#8 0x7f31abf87ad9 in CLINoImageOperator /root/dep_src/ImageMagick-master/MagickWand/operation.c:4760:22
#9 0x7f31abf8a1fc in CLIOption /root/dep_src/ImageMagick-master/MagickWand/operation.c:5255:7
#10 0x7f31abe84577 in ProcessCommandOptions /root/dep_src/ImageMagick-master/MagickWand/magick-cli.c:424:13
previously allocated by thread T0 here:
#0 0x4c0fdc in __interceptor_malloc /home/snd-local/releases/4.0.1/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3
#1 0x7f31ab1952e2 in ft_mem_qalloc /root/dep_src/freetype2/src/base/ftutil.c:76:15
#2 0x7f31ab1952e2 in ft_mem_alloc /root/dep_src/freetype2/src/base/ftutil.c:55
#3 0x7f31ac52f508 in RenderFreetype /root/dep_src/ImageMagick-master/MagickCore/annotate.c:1613:15
#4 0x7f31ac529114 in RenderType /root/dep_src/ImageMagick-master/MagickCore/annotate.c:1027:10
#5 0x7f31ac527944 in GetTypeMetrics /root/dep_src/ImageMagick-master/MagickCore/annotate.c:906:10
#6 0x7f31ac52aa77 in FormatMagickCaption /root/dep_src/ImageMagick-master/MagickCore/annotate.c:627:12
#7 0x7f31ac99ea52 in ReadCAPTIONImage /root/dep_src/ImageMagick-master/coders/caption.c:221:11
#8 0x7f31ac5c8688 in ReadImage /root/dep_src/ImageMagick-master/MagickCore/constitute.c:497:13
#9 0x7f31ac5cad54 in ReadImages /root/dep_src/ImageMagick-master/MagickCore/constitute.c:866:9
#10 0x7f31abf87ad9 in CLINoImageOperator /root/dep_src/ImageMagick-master/MagickWand/operation.c:4760:22
#11 0x7f31abf8a1fc in CLIOption /root/dep_src/ImageMagick-master/MagickWand/operation.c:5255:7
#12 0x7f31abe84577 in ProcessCommandOptions /root/dep_src/ImageMagick-master/MagickWand/magick-cli.c:424:13
After I took a look at the code, I think it may be caused by calling FT_Done_Glyph multiple times.
First, when last_glyph.id != 0, it enters the if condition:
annotate.c:1762
      if (last_glyph.id != 0)
        FT_Done_Glyph(last_glyph.image);
      last_glyph=glyph;
      code=GetUTFCode(p+grapheme[i].cluster);
    }
Thus last_glyph is equal to glyph.
Then, in some cases, it calls both FT_Done_Glyph(last_glyph.image) and FT_Done_Glyph(glyph.image). Since last_glyph = glyph, the second call triggers this bug:
    if (last_glyph.id != 0)
      FT_Done_Glyph(last_glyph.image);
    /*
      Determine font metrics.
    */
    glyph.id=FT_Get_Char_Index(face,'_');
    glyph.origin=origin;
    ft_status=FT_Load_Glyph(face,glyph.id,flags);
    if (ft_status == 0)
      {
        ...
        FT_Done_Glyph(glyph.image);
      }
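The aliasing pattern described above, as an added illustration that is not ImageMagick or FreeType code: a toy glyph handle whose release routine counts a second release of the same handle instead of touching freed memory, so the buggy flow and a hardened flow can be compared and checked without undefined behaviour. The names (toy_glyph, toy_done_glyph, render_buggy, render_fixed) are invented, and the assumption that the second release hits the same image because the metrics glyph never receives a fresh image on the failing path is mine, not something the report states.

```c
/* Added illustration, not ImageMagick or FreeType code. A second release of
 * the same toy handle is counted rather than performed, so the pattern can
 * be exercised without the heap-use-after-free the ASAN report shows. */
#include <stddef.h>
#include <stdio.h>

/* Toy stand-in for an FT_Glyph (the object FT_Done_Glyph releases). */
typedef struct toy_image { int released; } toy_image;

/* Toy stand-in for the glyph struct in the report: an id plus an image. */
typedef struct toy_glyph { unsigned int id; toy_image *image; } toy_glyph;

/* Images come from a fixed pool so a released object stays addressable and
 * its "released" flag can be inspected; real FreeType frees the memory. */
static toy_image pool[16];
static size_t pool_used;
static int double_release_count;

static toy_image *toy_get_glyph(void) {
    if (pool_used >= sizeof pool / sizeof pool[0])
        return NULL;                        /* pool exhausted: behave like a load failure */
    toy_image *img = &pool[pool_used++];
    img->released = 0;
    return img;
}

/* Toy FT_Done_Glyph: with the real library a second call on the same handle
 * reads freed memory; here the second call is only counted. */
static void toy_done_glyph(toy_image *img) {
    if (img == NULL)
        return;
    if (img->released) {
        double_release_count++;
        return;
    }
    img->released = 1;
}

/* Control flow as described in the report: each iteration releases the
 * previous glyph and aliases last_glyph to the current one; after the loop
 * last_glyph.image is released again, then a metrics glyph is loaded.
 * Assumption (mine, not the report's): on the failing path the metrics glyph
 * gets no fresh image, so glyph.image still points at the released one.
 * Returns the number of second releases observed (0 = bug not triggered). */
static int render_buggy(int metrics_image_missing, int ncodes) {
    toy_glyph glyph = {0, NULL}, last_glyph = {0, NULL};
    pool_used = 0;
    double_release_count = 0;
    for (int i = 0; i < ncodes; i++) {
        glyph.id = (unsigned int)(i + 1);
        glyph.image = toy_get_glyph();
        if (last_glyph.id != 0)
            toy_done_glyph(last_glyph.image);
        last_glyph = glyph;                 /* both structs now share one image */
    }
    if (last_glyph.id != 0)
        toy_done_glyph(last_glyph.image);   /* release #1 (annotate.c:1772 in the report) */
    glyph.id = 42;                          /* metrics glyph ('_' in the report) */
    if (!metrics_image_missing)
        glyph.image = toy_get_glyph();      /* fresh image: the release below is fine */
    toy_done_glyph(glyph.image);            /* release #2: stale alias when image missing */
    return double_release_count;
}

/* Hardened form of the same flow: a handle is cleared as soon as it is
 * released, and the metrics glyph starts from a NULL image so it can never
 * inherit one that another alias has already released. */
static int render_fixed(int metrics_image_missing, int ncodes) {
    toy_glyph glyph = {0, NULL}, last_glyph = {0, NULL};
    pool_used = 0;
    double_release_count = 0;
    for (int i = 0; i < ncodes; i++) {
        glyph.id = (unsigned int)(i + 1);
        glyph.image = toy_get_glyph();
        if (last_glyph.id != 0)
            toy_done_glyph(last_glyph.image);
        last_glyph = glyph;
    }
    if (last_glyph.id != 0) {
        toy_done_glyph(last_glyph.image);
        last_glyph.id = 0;
        last_glyph.image = NULL;            /* drop the released handle */
    }
    glyph.id = 42;
    glyph.image = NULL;                     /* never carry a stale handle forward */
    if (!metrics_image_missing)
        glyph.image = toy_get_glyph();
    if (glyph.image != NULL) {
        toy_done_glyph(glyph.image);
        glyph.image = NULL;
    }
    return double_release_count;
}

int main(void) {
    printf("buggy, metrics image missing: %d\n", render_buggy(1, 3));
    printf("buggy, metrics image present: %d\n", render_buggy(0, 3));
    printf("fixed, metrics image missing: %d\n", render_fixed(1, 3));
    printf("fixed, metrics image present: %d\n", render_fixed(0, 3));
    return 0;
}
```

The point of the hardened form is an ownership rule rather than an extra check at the crash site: whichever struct releases an image also clears its pointer, and a struct that is about to be reused never starts from a pointer it may no longer own. Under that rule the second FT_Done_Glyph in the report either gets a fresh image or a NULL and is skipped.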