heap-use-after-free

[zer0min9]

Prerequisites

• I have written a descriptive issue title
• I have verified that I am using the latest version of ImageMagick
• I have searched open and closed issues to ensure it has not already been reported

Description

Version: ImageMagick 7.0.7-36 Q16 x86_64 2018-05-29

Steps to Reproduce

# ./magick identify ./poc
=================================================================
==32001==ERROR: AddressSanitizer: heap-use-after-free on address 0x627000022d50 at pc 0x7f2a4381ee54 bp 0x7fff0be4ade0 sp 0x7fff0be4add0
READ of size 8 at 0x627000022d50 thread T0
    #0 0x7f2a4381ee53 in CloseBlob MagickCore/blob.c:605
    #1 0x7f2a43cd4d87 in ReadMATImage coders/mat.c:1088
    #2 0x7f2a438a67d7 in ReadImage MagickCore/constitute.c:500
    #3 0x7f2a43b6b33e in ReadStream MagickCore/stream.c:1043
    #4 0x7f2a438a57f5 in PingImage MagickCore/constitute.c:226
    #5 0x7f2a438a5de8 in PingImages MagickCore/constitute.c:327
    #6 0x7f2a4318d9fd in IdentifyImageCommand MagickWand/identify.c:319
    #7 0x7f2a4321b71a in MagickCommandGenesis MagickWand/mogrify.c:183
    #8 0x4017e1 in MagickMain utilities/magick.c:149
    #9 0x4019c2 in main utilities/magick.c:180
    #10 0x7f2a4298f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x4012f8 in _start (/home/zm/workspace/ImageMagick/utilities/.libs/lt-magick+0x4012f8)

0x627000022d50 is located 13392 bytes inside of 13504-byte region [0x62700001f900,0x627000022dc0)
freed by thread T0 here:
    #0 0x7f2a444522ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x7f2a43a58276 in RelinquishMagickMemory MagickCore/memory.c:1058
    #2 0x7f2a43a1d9f2 in DestroyImage MagickCore/image.c:1221
    #3 0x7f2a43a3e782 in DeleteImageFromList MagickCore/list.c:302
    #4 0x7f2a43cd4cfd in ReadMATImage coders/mat.c:1084
    #5 0x7f2a438a67d7 in ReadImage MagickCore/constitute.c:500
    #6 0x7f2a43b6b33e in ReadStream MagickCore/stream.c:1043
    #7 0x7f2a438a57f5 in PingImage MagickCore/constitute.c:226
    #8 0x7f2a438a5de8 in PingImages MagickCore/constitute.c:327
    #9 0x7f2a4318d9fd in IdentifyImageCommand MagickWand/identify.c:319
    #10 0x7f2a4321b71a in MagickCommandGenesis MagickWand/mogrify.c:183
    #11 0x4017e1 in MagickMain utilities/magick.c:149
    #12 0x4019c2 in main utilities/magick.c:180
    #13 0x7f2a4298f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
    #0 0x7f2a44452602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7f2a43a57360 in AcquireMagickMemory MagickCore/memory.c:468
    #2 0x7f2a43a15f90 in AcquireCriticalMemory MagickCore/memory-private.h:64
    #3 0x7f2a43a16541 in AcquireImage MagickCore/image.c:171
    #4 0x7f2a43cd3ebb in ReadMATImage coders/mat.c:895
    #5 0x7f2a438a67d7 in ReadImage MagickCore/constitute.c:500
    #6 0x7f2a43b6b33e in ReadStream MagickCore/stream.c:1043
    #7 0x7f2a438a57f5 in PingImage MagickCore/constitute.c:226
    #8 0x7f2a438a5de8 in PingImages MagickCore/constitute.c:327
    #9 0x7f2a4318d9fd in IdentifyImageCommand MagickWand/identify.c:319
    #10 0x7f2a4321b71a in MagickCommandGenesis MagickWand/mogrify.c:183
    #11 0x4017e1 in MagickMain utilities/magick.c:149
    #12 0x4019c2 in main utilities/magick.c:180
    #13 0x7f2a4298f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-use-after-free MagickCore/blob.c:605 CloseBlob
Shadow bytes around the buggy address:
  0x0c4e7fffc550: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4e7fffc560: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4e7fffc570: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4e7fffc580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4e7fffc590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c4e7fffc5a0: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
  0x0c4e7fffc5b0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c4e7fffc5c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4e7fffc5d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4e7fffc5e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4e7fffc5f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==32001==ABORTING

POC

poc.zip

System Configuration

• ImageMagick version:7.0.7-36 Q16 x86_64
• Environment (Operating system, version and so on):ubuntu 16.04
• Additional information:
  Found by: Wang Zongming

[urban-warrior]

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

[nohmask]

This was assigned CVE-2018-11624.

[zer0min9]

Credit: Zongming Wang from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.