New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
heap-use-after-free in MngInfoDiscardObject of coders/png.c #1791
Comments
Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow. |
@dlemstra Will this bug be assigned a CVE id? |
We're a small open-source development team. We count on our users to apply for CVE #'s so we can concentrate on development issues. |
There was one assigned, looks it is CVE-2019-19952. |
Hi, It appears that MITRE is reporting 7.0.9-7 as vulnerable in their CVE : where 7.0.9-7 is the fixed version you are reporting. |
These versions bellow all be affected |
Thank you for the quick response ! very appreciative.
|
For ImageMagick6: Is the conclusion correct that the issue has introduced in ImageMagick/ImageMagick6@524933c (6.9.10-61) for ImageMagick6, so for Imagemagick6 versions onwards 6.9.10-61 up to the fixing ImageMagick/ImageMagick6@7ef9238 (in 6.9.10-77) are affected only? |
Prerequisites
Description
There is a heap-use-after-free vulnerability in function MngInfoDiscardObject of coders/png.c whick can be reproduced as below.
Steps to Reproduce
poc
magick convert $poc /dev/null
=================================================================
==21864==ERROR: AddressSanitizer: heap-use-after-free on address 0xf0a2c1ad at pc 0x083e0eb3 bp 0xffafc948 sp 0xffafc938
READ of size 1 at 0xf0a2c1ad thread T0
#0 0x83e0eb2 in MngInfoDiscardObject coders/png.c:1569
#1 0x83e1237 in MngInfoFreeStruct coders/png.c:1609
#2 0x84021f5 in ReadMNGImage coders/png.c:7790
#3 0x84fccbf in ReadImage MagickCore/constitute.c:553
#4 0x810a116 in ReadStream MagickCore/stream.c:1043
#5 0x84fbcd1 in PingImage MagickCore/constitute.c:273
#6 0x84fc2e3 in PingImages MagickCore/constitute.c:374
#7 0x8991f79 in IdentifyImageCommand MagickWand/identify.c:304
#8 0x8a26ba8 in MagickCommandGenesis MagickWand/mogrify.c:185
#9 0x8053b31 in MagickMain utilities/magick.c:149
#10 0x8053d72 in main utilities/magick.c:180
#11 0xf60c5636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
#12 0x80535a0 (/home/ImageMagick/utilities/magick+0x80535a0)
0xf0a2c1ad is located 8365 bytes inside of 12368-byte region [0xf0a2a100,0xf0a2d150)
freed by thread T0 here:
#0 0xf7241a84 in free (/usr/lib/i386-linux-gnu/libasan.so.2+0x96a84)
#1 0x808a8e4 in RelinquishMagickMemory MagickCore/memory.c:1089
#2 0x83e12de in MngInfoFreeStruct coders/png.c:1614
#3 0x8401702 in ReadOneMNGImage coders/png.c:7681
#4 0x84021e4 in ReadMNGImage coders/png.c:7789
#5 0x84fccbf in ReadImage MagickCore/constitute.c:553
#6 0x810a116 in ReadStream MagickCore/stream.c:1043
#7 0x84fbcd1 in PingImage MagickCore/constitute.c:273
#8 0x84fc2e3 in PingImages MagickCore/constitute.c:374
#9 0x8991f79 in IdentifyImageCommand MagickWand/identify.c:304
#10 0x8a26ba8 in MagickCommandGenesis MagickWand/mogrify.c:185
#11 0x8053b31 in MagickMain utilities/magick.c:149
#12 0x8053d72 in main utilities/magick.c:180
#13 0xf60c5636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
previously allocated by thread T0 here:
#0 0xf7241dee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
#1 0x80899a2 in AcquireMagickMemory MagickCore/memory.c:488
#2 0x8402117 in ReadMNGImage coders/png.c:7780
#3 0x84fccbf in ReadImage MagickCore/constitute.c:553
#4 0x810a116 in ReadStream MagickCore/stream.c:1043
#5 0x84fbcd1 in PingImage MagickCore/constitute.c:273
#6 0x84fc2e3 in PingImages MagickCore/constitute.c:374
#7 0x8991f79 in IdentifyImageCommand MagickWand/identify.c:304
#8 0x8a26ba8 in MagickCommandGenesis MagickWand/mogrify.c:185
#9 0x8053b31 in MagickMain utilities/magick.c:149
#10 0x8053d72 in main utilities/magick.c:180
#11 0xf60c5636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
SUMMARY: AddressSanitizer: heap-use-after-free coders/png.c:1569 MngInfoDiscardObject
Shadow bytes around the buggy address:
0x3e1457e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x3e1457f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x3e145800: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x3e145810: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x3e145820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x3e145830: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
0x3e145840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x3e145850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x3e145860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x3e145870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x3e145880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==21864==ABORTING
System Configuration
ImageMagick version:
Version: ImageMagick 7.0.9-7 Q16 x86_64 2019-11-27 https://imagemagick.org
Copyright: ? 1999-2020 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.0)
Delegates (built-in): bzlib djvu fftw fontconfig freetype jbig jng jpeg lcms lqr lzma openexr pangocairo png tiff wmf x xml zlib
Environment (Operating system, version and so on):
Distributor ID: Ubuntu
Description: Ubuntu 16.04.5 LTS
Release: 16.04
Codename: xenial
Additional information:
The text was updated successfully, but these errors were encountered: