AddressSanitizer CHECK failed in ImageMagick fuzz test.

[asarubbo]

During the fuzz of imagemagick I noticed a memory allocation failure in openexr.

# identify $FILE
==28896==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:366 "((__interception::real___cxa_throw)) != (0)" (0x0, 0x0)
    #0 0x4ca10d in AsanCheckFailed /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_rtl.cc:67
    #1 0x4d0c43 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159
    #2 0x42b084 in __cxa_throw /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:366
    #3 0x7fe4a940390e in Imf_2_1::GenericInputFile::readMagicNumberAndVersionField(Imf_2_1::IStream&, int&) /tmp/portage/media-libs/openexr-2.1.0/work/openexr-2.1.0/IlmImf/ImfGenericInputFile.cpp:71
    #4 0x7fe4a93c50b0 in Imf_2_1::InputFile::InputFile(char const*, int) /tmp/portage/media-libs/openexr-2.1.0/work/openexr-2.1.0/IlmImf/ImfInputFile.cpp:355
    #5 0x7fe4a93ccf5b in Imf_2_1::RgbaInputFile::RgbaInputFile(char const*, int) /tmp/portage/media-libs/openexr-2.1.0/work/openexr-2.1.0/IlmImf/ImfRgbaFile.cpp:1166
    #6 0x7fe4a93b8d69 in ImfOpenInputFile /tmp/portage/media-libs/openexr-2.1.0/work/openexr-2.1.0/IlmImf/ImfCRgbaFile.cpp:1170
    #7 0x7fe4a968a37d in ReadEXRImage /tmp/portage/media-gfx/imagemagick-7.0.3.1/work/ImageMagick-7.0.3-1/coders/exr.c:202:8
    #8 0x7fe4b5dfc9e5 in ReadImage /tmp/portage/media-gfx/imagemagick-7.0.3.1/work/ImageMagick-7.0.3-1/MagickCore/constitute.c:496:13                                                                                                                                          
    #9 0x7fe4b6304d6f in ReadStream /tmp/portage/media-gfx/imagemagick-7.0.3.1/work/ImageMagick-7.0.3-1/MagickCore/stream.c:1012:9                                                                                                                                             
    #10 0x7fe4b5dfb5fd in PingImage /tmp/portage/media-gfx/imagemagick-7.0.3.1/work/ImageMagick-7.0.3-1/MagickCore/constitute.c:226:9                                                                                                                                          
    #11 0x7fe4b5dfbe0e in PingImages /tmp/portage/media-gfx/imagemagick-7.0.3.1/work/ImageMagick-7.0.3-1/MagickCore/constitute.c:326:10                                                                                                                                        
    #12 0x7fe4b571f4ca in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.1/work/ImageMagick-7.0.3-1/MagickWand/identify.c:319:18                                                                                                                                
    #13 0x7fe4b579a814 in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.1/work/ImageMagick-7.0.3-1/MagickWand/mogrify.c:183:14                                                                                                                                 
    #14 0x4f1fae in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.1/work/ImageMagick-7.0.3-1/utilities/magick.c:145:10                                                                                                                                                   
    #15 0x4f1fae in main /tmp/portage/media-gfx/imagemagick-7.0.3.1/work/ImageMagick-7.0.3-1/utilities/magick.c:176                                                                                                                                                            
    #16 0x7fe4b466d61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289                                                                                                                                                       
    #17 0x4192a8 in _init (/usr/bin/magick+0x4192a8)

Testcase: https://github.com/asarubbo/poc/blob/master/00033-openexr-memalloc-ImfGenericInputFile_cpp

[ehanway-ilm]

That doesn't look like a memory allocation failure to me. The OpenEXR code involved looks sound: when reading the input, which I assume is a fuzzed file, the flags in the header aren't recognized, so a C++ exception is thrown. The 'CHECK failed' message looks like internal confusion of AddressSanitizer.

How is this built? What platform, compiler, etc? ImageMagick, written in C, is calling OpenEXR via a shim layer provided by OpenEXR that wraps its normal C++ API, which, among other things, puts functions inside a try/catch and using a different means of reporting errors back to the caller. That should all be sound, but perhaps something about the way the program under test is compiled and linked causes it to be missing code to handle C++ exceptions that is needed here.

[asarubbo]

You are right. This is not a problem with the memory. I'm sorry, I got confused fro another thing.

Openexr here is built from portage (the gentoo package manager) so from source. The compiler is gcc-4.9.3 on x86_64
Do you need other info?

[cary-ilm]

Looking into the OpenEXR issue backlog. Is this still reproducible? Is there any further information?

[cary-ilm]

Closing the issue for now, feel free to re-open or file a new issue if you need further help.