heap-use-after-free in MngInfoDiscardObject of coders/png.c

[galycannon]

Prerequisites

• I have written a descriptive issue title
• I have verified that I am using the latest version of ImageMagick
• I have searched open and closed issues to ensure it has not already been reported

Description

There is a heap-use-after-free vulnerability in function MngInfoDiscardObject of coders/png.c whick can be reproduced as below.

Steps to Reproduce

poc
magick convert $poc /dev/null
=================================================================
==21864==ERROR: AddressSanitizer: heap-use-after-free on address 0xf0a2c1ad at pc 0x083e0eb3 bp 0xffafc948 sp 0xffafc938
READ of size 1 at 0xf0a2c1ad thread T0
#0 0x83e0eb2 in MngInfoDiscardObject coders/png.c:1569
#1 0x83e1237 in MngInfoFreeStruct coders/png.c:1609
#2 0x84021f5 in ReadMNGImage coders/png.c:7790
#3 0x84fccbf in ReadImage MagickCore/constitute.c:553
#4 0x810a116 in ReadStream MagickCore/stream.c:1043
#5 0x84fbcd1 in PingImage MagickCore/constitute.c:273
#6 0x84fc2e3 in PingImages MagickCore/constitute.c:374
#7 0x8991f79 in IdentifyImageCommand MagickWand/identify.c:304
#8 0x8a26ba8 in MagickCommandGenesis MagickWand/mogrify.c:185
#9 0x8053b31 in MagickMain utilities/magick.c:149
#10 0x8053d72 in main utilities/magick.c:180
#11 0xf60c5636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
#12 0x80535a0 (/home/ImageMagick/utilities/magick+0x80535a0)

0xf0a2c1ad is located 8365 bytes inside of 12368-byte region [0xf0a2a100,0xf0a2d150)
freed by thread T0 here:
#0 0xf7241a84 in free (/usr/lib/i386-linux-gnu/libasan.so.2+0x96a84)
#1 0x808a8e4 in RelinquishMagickMemory MagickCore/memory.c:1089
#2 0x83e12de in MngInfoFreeStruct coders/png.c:1614
#3 0x8401702 in ReadOneMNGImage coders/png.c:7681
#4 0x84021e4 in ReadMNGImage coders/png.c:7789
#5 0x84fccbf in ReadImage MagickCore/constitute.c:553
#6 0x810a116 in ReadStream MagickCore/stream.c:1043
#7 0x84fbcd1 in PingImage MagickCore/constitute.c:273
#8 0x84fc2e3 in PingImages MagickCore/constitute.c:374
#9 0x8991f79 in IdentifyImageCommand MagickWand/identify.c:304
#10 0x8a26ba8 in MagickCommandGenesis MagickWand/mogrify.c:185
#11 0x8053b31 in MagickMain utilities/magick.c:149
#12 0x8053d72 in main utilities/magick.c:180
#13 0xf60c5636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

previously allocated by thread T0 here:
#0 0xf7241dee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
#1 0x80899a2 in AcquireMagickMemory MagickCore/memory.c:488
#2 0x8402117 in ReadMNGImage coders/png.c:7780
#3 0x84fccbf in ReadImage MagickCore/constitute.c:553
#4 0x810a116 in ReadStream MagickCore/stream.c:1043
#5 0x84fbcd1 in PingImage MagickCore/constitute.c:273
#6 0x84fc2e3 in PingImages MagickCore/constitute.c:374
#7 0x8991f79 in IdentifyImageCommand MagickWand/identify.c:304
#8 0x8a26ba8 in MagickCommandGenesis MagickWand/mogrify.c:185
#9 0x8053b31 in MagickMain utilities/magick.c:149
#10 0x8053d72 in main utilities/magick.c:180
#11 0xf60c5636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-use-after-free coders/png.c:1569 MngInfoDiscardObject
Shadow bytes around the buggy address:
0x3e1457e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x3e1457f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x3e145800: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x3e145810: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x3e145820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x3e145830: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
0x3e145840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x3e145850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x3e145860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x3e145870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x3e145880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==21864==ABORTING

System Configuration

• ImageMagick version:
  Version: ImageMagick 7.0.9-7 Q16 x86_64 2019-11-27 https://imagemagick.org
  Copyright: ? 1999-2020 ImageMagick Studio LLC
  License: https://imagemagick.org/script/license.php
  Features: Cipher DPC HDRI OpenMP(4.0)
  Delegates (built-in): bzlib djvu fftw fontconfig freetype jbig jng jpeg lcms lqr lzma openexr pangocairo png tiff wmf x xml zlib

• Environment (Operating system, version and so on):
  Distributor ID: Ubuntu
  Description: Ubuntu 16.04.5 LTS
  Release: 16.04
  Codename: xenial

• Additional information:

[dlemstra]

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

[galycannon]

@dlemstra Will this bug be assigned a CVE id?

[dlemstra]

We're a small open-source development team. We count on our users to apply for CVE #'s so we can concentrate on development issues.

[carnil]

@dlemstra Will this bug be assigned a CVE id?

There was one assigned, looks it is CVE-2019-19952.

[NicoleG25]

Hi, It appears that MITRE is reporting 7.0.9-7 as vulnerable in their CVE :
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19952

where 7.0.9-7 is the fixed version you are reporting.
Is it a mistake from their end?
Could you please specify what is the fixed version?
Thanks. :)

[galycannon]

Hi, It appears that MITRE is reporting 7.0.9-7 as vulnerable in their CVE :
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19952

where 7.0.9-7 is the fixed version you are reporting.
Is it a mistake from their end?
Could you please specify what is the fixed version?
Thanks. :)

These versions bellow all be affected
7.0.8-61
7.0.8-62
7.0.8-63
7.0.8-64
7.0.8-65
7.0.8-66
7.0.8-67
7.0.8-68
7.0.8-7
7.0.8-8
7.0.8-9
7.0.9-0
7.0.9-1
7.0.9-2
7.0.9-4
7.0.9-5
7.0.9-6
and fixed in release version 7.0.9-7

[NicoleG25]

Thank you for the quick response ! very appreciative.
Could you also specify if this affects ImageMagick6 and if so what versions and what is the fixed version?

Hi, It appears that MITRE is reporting 7.0.9-7 as vulnerable in their CVE :
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19952
where 7.0.9-7 is the fixed version you are reporting.
Is it a mistake from their end?
Could you please specify what is the fixed version?
Thanks. :)

These versions bellow all be affected
7.0.8-61
7.0.8-62
7.0.8-63
7.0.8-64
7.0.8-65
7.0.8-66
7.0.8-67
7.0.8-68
7.0.8-7
7.0.8-8
7.0.8-9
7.0.9-0
7.0.9-1
7.0.9-2
7.0.9-4
7.0.9-5
7.0.9-6
and fixed in release version 7.0.9-7

[carnil]

For ImageMagick6: Is the conclusion correct that the issue has introduced in ImageMagick/ImageMagick6@524933c (6.9.10-61) for ImageMagick6, so for Imagemagick6 versions onwards 6.9.10-61 up to the fixing ImageMagick/ImageMagick6@7ef9238 (in 6.9.10-77) are affected only?