Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

heap-buffer-overflow in 7.0.7-26 #1020

Closed
netoico opened this issue Mar 13, 2018 · 2 comments
Closed

heap-buffer-overflow in 7.0.7-26 #1020

netoico opened this issue Mar 13, 2018 · 2 comments

Comments

@netoico
Copy link

netoico commented Mar 13, 2018

root@vultr:/opt/poc# convert --version
Version: ImageMagick 7.0.7-26 Q16 x86_64 2018-03-05 http://www.imagemagick.org
Copyright: © 1999-2018 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP
Delegates (built-in): bzlib djvu fftw fontconfig fpx freetype jbig jng jpeg lcms lqr lzma openexr pangocairo png tiff webp wmf x xml zlib

root@vultr:/opt/poc# convert tif_heap-buffer-overflow dev/null
=================================================================
==13394==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c00000c97c at pc 0x7f856a3bc674 bp 0x7ffc3e5db890 sp 0x7ffc3e5db880
READ of size 4 at 0x60c00000c97c thread T0
    #0 0x7f856a3bc673 in ReadTIFFImage coders/tiff.c:2018
    #1 0x7f85697723e0 in ReadImage MagickCore/constitute.c:497
    #2 0x7f856977542a in ReadImages MagickCore/constitute.c:867
    #3 0x7f8568e3e49f in ConvertImageCommand MagickWand/convert.c:641
    #4 0x7f856900897d in MagickCommandGenesis MagickWand/mogrify.c:183
    #5 0x4020d9 in MagickMain utilities/magick.c:149
    #6 0x7f856872082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x401668 in _start (/usr/local/bin/magick+0x401668)

0x60c00000c97c is located 108 bytes inside of 4294967295-byte region [0x60c00000c910,0x60c10000c90f)
==13394==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/asan/asan_report.cc:515 "((chunk.AllocTid() != kInvalidTid)) != (0)" (0x0, 0x0)
    #0 0x7f856aa6d631  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa0631)
    #1 0x7f856aa725e3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa55e3)
    #2 0x7f856aa6a60c  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9d60c)
    #3 0x7f856aa6c624 in __asan_report_error (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9f624)
    #4 0x7f856aa6dbb2 in __asan_report_load4 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa0bb2)
    #5 0x7f856a3bc673 in ReadTIFFImage coders/tiff.c:2018
    #6 0x7f85697723e0 in ReadImage MagickCore/constitute.c:497
    #7 0x7f856977542a in ReadImages MagickCore/constitute.c:867
    #8 0x7f8568e3e49f in ConvertImageCommand MagickWand/convert.c:641
    #9 0x7f856900897d in MagickCommandGenesis MagickWand/mogrify.c:183
    #10 0x4020d9 in MagickMain utilities/magick.c:149
    #11 0x7f856872082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x401668 in _start (/usr/local/bin/magick+0x401668)

root@vultr:/opt/poc# 

No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04.3 LTS
Release:	16.04
Codename:	xenial

https://github.com/ImageMagick/ImageMagick/files/1806047/tif_heap-buffer-overflow.zip
@netoico netoico changed the title heap-buffer-overflow heap-buffer-overflow in 7.0.7-26 Mar 14, 2018
@urban-warrior
Copy link
Contributor

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

@nohmask
Copy link

nohmask commented Mar 26, 2018

This was assigned CVE-2018-8960.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

No branches or pull requests

3 participants