imagemagick core dumps on reading gnus.svg

Bug #1796815 reported by Adam Sjøgren
This bug affects 4 people
Affects: imagemagick (Ubuntu)    Status: Confirmed    Importance: Undecided    Assigned to: Unassigned    Milestone: (none)

Bug Description

Running display on gnus.svg (from the emacs24-common package) results in a core dump:

    $ /usr/bin/display-im6 /usr/share/emacs/24.5/etc/images/gnus/gnus.svg
    Aborted (core dumped)

Trying to get a backtrace:

    $ gdb --args /usr/bin/display-im6 /usr/share/emacs/24.5/etc/images/gnus/gnus.svg
    [...]
    Reading symbols from /usr/bin/display-im6...(no debugging symbols found)...done.
    (gdb) run
    Starting program: /usr/bin/display-im6 /usr/share/emacs/24.5/etc/images/gnus/gnus.svg
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    [New Thread 0x7fffed953700 (LWP 17356)]
    [New Thread 0x7fffed152700 (LWP 17357)]

    Thread 1 "display-im6" received signal SIGSEGV, Segmentation fault.
    0x00007ffff391f8b8 in ?? () from /usr/lib/x86_64-linux-gnu/ImageMagick-6.8.9/modules-Q16/coders/svg.so
    (gdb) bt
    #0 0x00007ffff391f8b8 in ?? () from /usr/lib/x86_64-linux-gnu/ImageMagick-6.8.9/modules-Q16/coders/svg.so
    #1 0x00007ffff79a4a18 in ReadImage () from /usr/lib/x86_64-linux-gnu/libMagickCore-6.Q16.so.2
    #2 0x00007ffff76627af in DisplayImageCommand () from /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.2
    #3 0x00007ffff76ab527 in MagickCommandGenesis () from /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.2
    #4 0x0000000000400877 in ?? ()
    #5 0x00007ffff7037830 in __libc_start_main (main=0x400830, argc=2, argv=0x7fffffffdff8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
    stack_end=0x7fffffffdfe8) at ../csu/libc-start.c:291
    #6 0x00000000004008d9 in ?? ()
    (gdb)

emacs also crashes when opening that file, with a segmentation fault inside ImageMagick; that's how I found the problem:

    $ emacs /usr/share/emacs/24.5/etc/images/gnus/gnus.svg
    Fatal error 11: Segmentation fault
    Backtrace:
    emacs[0x5036d3]
    emacs[0x4e9d6e]
    emacs[0x50249e]
    emacs[0x5026c3]
    /lib/x86_64-linux-gnu/libpthread.so.0(+0x11390)[0x7f6f140e0390]
    /usr/lib/x86_64-linux-gnu/ImageMagick-6.8.9/modules-Q16/coders/svg.so(+0xb8b8)[0x7f6f057768b8]
    /usr/lib/x86_64-linux-gnu/libMagickCore-6.Q16.so.2(ReadImage+0x198)[0x7f6f16470a18]
    /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.2(MagickReadImage+0x6a)[0x7f6f16942a3a]
    emacs[0x5cd004]
    emacs[0x5d0ea1]
    [....]
    emacs[0x55d74b]
    ...
    Segmentation fault (core dumped)

This is on:

  Description: Ubuntu 16.04.5 LTS
  Release: 16.04

With packages:

    imagemagick:
      Installed: 8:6.8.9.9-7ubuntu5.13
    emacs24-common:
      Installed: 24.5+1-6ubuntu1.1

Last week I didn't get these crashes, so I guess they are related to a security update of the imagemagick packages.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: imagemagick 8:6.8.9.9-7ubuntu5.13
ProcVersionSignature: Ubuntu 4.15.0-33.36~16.04.1-generic 4.15.18
Uname: Linux 4.15.0-33-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.18
Architecture: amd64
Date: Tue Oct 9 09:49:32 2018
InstallationDate: Installed on 2011-06-14 (2673 days ago)
InstallationMedia: Ubuntu 10.04.2 LTS "Lucid Lynx" - Release amd64 (20110211.1)
SourcePackage: imagemagick
UpgradeStatus: Upgraded to xenial on 2013-05-07 (1980 days ago)

Adam Sjøgren (adsj) wrote :
description: updated
Adam Sjøgren (adsj) wrote :

I tried removing things from gnus.svg to find a minimal example that makes imagemagick core dump.

Even this .svg results in a core dump:

    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <svg
       xmlns:dc="http://purl.org/dc/elements/1.1/"
       xmlns:cc="http://creativecommons.org/ns#"
       xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
       xmlns:svg="http://www.w3.org/2000/svg"
       xmlns="http://www.w3.org/2000/svg"
       style="display:inline"
       version="1.0">
    </svg>

So does the minimal Plain SVG that Inkscape writes:

    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <svg
       xmlns:dc="http://purl.org/dc/elements/1.1/"
       xmlns:cc="http://creativecommons.org/ns#"
       xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
       xmlns:svg="http://www.w3.org/2000/svg"
       xmlns="http://www.w3.org/2000/svg"
       version="1.1"
       id="svg2"
       viewBox="0 0 744.09448819 1052.3622047"
       height="297mm"
       width="210mm">
      <defs
         id="defs4" />
      <metadata
         id="metadata7">
        <rdf:RDF>
          <cc:Work
             rdf:about="">
            <dc:format>image/svg+xml</dc:format>
            <dc:type
               rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
            <dc:title></dc:title>
          </cc:Work>
        </rdf:RDF>
      </metadata>
      <g
         id="layer1" />
    </svg>
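
An added regression check, not part of the bug report or of ImageMagick itself: it writes the reduced SVG from the comment above to a temporary file, runs it through ImageMagick's convert, and maps the exit status to a verdict, so the "Aborted (core dumped)" from the report becomes a scripted pass/fail that can be re-run after a package update. The command name `convert` and the `png:/dev/null` output target are assumptions; on Ubuntu 16.04 the binary may be installed as convert-im6.

```shell
#!/bin/sh
# Added regression check (not from the bug report): reproduce the reduced-SVG crash as a script.

# Write the reduced SVG from the comment above (an <svg> root carrying only
# namespace declarations, a style attribute and a version) to the given path.
write_min_svg() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg
   xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:cc="http://creativecommons.org/ns#"
   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
   xmlns:svg="http://www.w3.org/2000/svg"
   xmlns="http://www.w3.org/2000/svg"
   style="display:inline"
   version="1.0">
</svg>
EOF
}

# Map a shell exit status to a verdict. A status above 128 means the child died
# from signal (status - 128): 134 is SIGABRT (the "Aborted" in the report),
# 139 is SIGSEGV (what the gdb backtrace shows).
classify_status() {
    case "$1" in
        0)   echo "ok" ;;
        134) echo "abort" ;;
        139) echo "segv" ;;
        *)   if [ "$1" -gt 128 ]; then
                 echo "signal $(( $1 - 128 ))"
             else
                 echo "error $1"
             fi ;;
    esac
}

# Feed the file to the SVG coder. "convert" is assumed to be ImageMagick's
# convert (possibly convert-im6 on 16.04); png:/dev/null discards the output.
check_svg() {
    if ! command -v convert >/dev/null 2>&1; then
        echo "skipped: convert not installed"
        return 0
    fi
    convert "$1" png:/dev/null >/dev/null 2>&1
    classify_status $?
}

tmp=$(mktemp) || exit 1
write_min_svg "$tmp"
echo "reduced SVG: $(check_svg "$tmp")"
rm -f "$tmp"
```

A fixed package should print "reduced SVG: ok"; "abort" or "segv" means the coder still crashes on the reduced file.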

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in imagemagick (Ubuntu):
status: New → Confirmed