
double-free #1025

Closed
3 tasks done
SmileBugs opened this issue Mar 15, 2018 · 3 comments

Comments

@SmileBugs

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

Version: ImageMagick 7.0.7-25 Q16 i686 2018-03-08 http://www.imagemagick.org
Copyright: © 1999-2018 ImageMagick Studio LLC
License: http://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI Modules OpenMP
Delegates (built-in): bzlib djvu fftw flif fontconfig fpx freetype jbig jng jp2 jpeg lcms ltdl openexr pangocairo png raw tiff webp x xml zlib

ASAN OUTPUT

root@v22017125319057172:/opt/lib_fuzz/test# convert not_kitty.jpg not_kitty.EPT2 
=================================================================
==13524==ERROR: AddressSanitizer: attempting double-free on 0xadd00800 in thread T0:
    #0 0xb72ab144 in __interceptor_realloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x97144)
    #1 0xb666c14e in ResizeMagickMemory MagickCore/memory.c:1260
    #2 0xb666c217 in ResizeQuantumMemory MagickCore/memory.c:1324
    #3 0xb6215460 in WriteBlob MagickCore/blob.c:5443
    #4 0xb2220123 in TerminateDestination coders/jpeg.c:1948
    #5 0xb20a3d3e in jpeg_finish_compress (/usr/lib/i386-linux-gnu/libjpeg.so.8+0x2d3e)
    #6 0xb223a6d4 in WriteJPEGImage coders/jpeg.c:2928
    #7 0xb630ce64 in WriteImage MagickCore/constitute.c:1118
    #8 0xb6216e5f in InjectImageBlob MagickCore/blob.c:2605
    #9 0xb209000c in WritePS2Image coders/ps2.c:865
    #10 0xb630ce64 in WriteImage MagickCore/constitute.c:1118
    #11 0xb621186c in ImageToBlob MagickCore/blob.c:1912
    #12 0xb220ea44 in WriteEPTImage coders/ept.c:424
    #13 0xb630ce64 in WriteImage MagickCore/constitute.c:1118
    #14 0xb630ed51 in WriteImages MagickCore/constitute.c:1337
    #15 0xb5b5708d in ConvertImageCommand MagickWand/convert.c:3280
    #16 0xb5d77825 in MagickCommandGenesis MagickWand/mogrify.c:183
    #17 0x80498ce in MagickMain utilities/magick.c:149
    #18 0x804907a in main utilities/magick.c:180
    #19 0xb588a636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #20 0x80490fb  (/usr/bin/magick+0x80490fb)

0xadd00800 is located 0 bytes inside of 65536-byte region [0xadd00800,0xadd10800)
freed by thread T0 here:
    #0 0xb72ab144 in __interceptor_realloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x97144)
    #1 0xb666c14e in ResizeMagickMemory MagickCore/memory.c:1260

previously allocated by thread T0 here:
    #0 0xb72aadee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0xb6669ab2 in AcquireMagickMemory MagickCore/memory.c:468

SUMMARY: AddressSanitizer: double-free ??:0 __interceptor_realloc
==13524==ABORTING

POC

poc.zip

System Configuration

ImageMagick version: 7.0.7-25
Environment (Operating system, version and so on): ubuntu-16.04.3-server-i386
Additional information:

Found by: Wang Yan

@urban-warrior
Contributor

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

@nohmask

nohmask commented Mar 22, 2018

This was assigned CVE-2018-8804.

@SmileBugs
Author

Credit: zxsoft security team.
