heap-buffer-overflow in MagickCore #1156

Closed
zer0min9 opened this issue May 30, 2018 · 2 comments
Labels
bug


@zer0min9 zer0min9 commented May 30, 2018

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

Version: ImageMagick 7.0.7-37 Q16 x86_64 2018-05-30

It will cause a heap overflow when converting the POC to other formats (gif, magick, map, pnm, sun, xpm).

Steps to Reproduce

$ ./magick convert ./poc output.gif
=================================================================
==9998==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb53387e7f8 at pc 0x7fb531e81e44 bp 0x7ffe4dad29a0 sp 0x7ffe4dad2990
READ of size 8 at 0x7fb53387e7f8 thread T0
    #0 0x7fb531e81e43 in SetGrayscaleImage._omp_fn.4 MagickCore/quantize.c:3444
    #1 0x7fb52f99fcbe in GOMP_parallel (/usr/lib/x86_64-linux-gnu/libgomp.so.1+0xbcbe)
    #2 0x7fb531e7ed46 in SetGrayscaleImage MagickCore/quantize.c:3423
    #3 0x7fb531e7c403 in QuantizeImage MagickCore/quantize.c:2668
    #4 0x7fb531bbc11e in SetImageType MagickCore/attribute.c:1260
    #5 0x7fb53203eeeb in WriteGIFImage coders/gif.c:1610
    #6 0x7fb531c4c005 in WriteImage MagickCore/constitute.c:1124
    #7 0x7fb531c4cc0f in WriteImages MagickCore/constitute.c:1338
    #8 0x7fb5314b01c9 in ConvertImageCommand MagickWand/convert.c:3280
    #9 0x7fb5315a871a in MagickCommandGenesis MagickWand/mogrify.c:183
    #10 0x4017e1 in MagickMain utilities/magick.c:149
    #11 0x4019c2 in main utilities/magick.c:180
    #12 0x7fb530d1c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x4012f8 in _start (/home/zm/workspace/ImageMagick/utilities/.libs/lt-magick+0x4012f8)

0x7fb53387e7f8 is located 0 bytes to the right of 524280-byte region [0x7fb5337fe800,0x7fb53387e7f8)
allocated by thread T0 here:
    #0 0x7fb53284f602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7fb531df9b26 in AcquireMagickMemory MagickCore/memory.c:468
    #2 0x7fb531df9b7a in AcquireQuantumMemory MagickCore/memory.c:541
    #3 0x7fb531e7e083 in SetGrayscaleImage MagickCore/quantize.c:3322
    #4 0x7fb531e7c403 in QuantizeImage MagickCore/quantize.c:2668
    #5 0x7fb531bbc11e in SetImageType MagickCore/attribute.c:1260
    #6 0x7fb53203eeeb in WriteGIFImage coders/gif.c:1610
    #7 0x7fb531c4c005 in WriteImage MagickCore/constitute.c:1124
    #8 0x7fb531c4cc0f in WriteImages MagickCore/constitute.c:1338
    #9 0x7fb5314b01c9 in ConvertImageCommand MagickWand/convert.c:3280
    #10 0x7fb5315a871a in MagickCommandGenesis MagickWand/mogrify.c:183
    #11 0x4017e1 in MagickMain utilities/magick.c:149
    #12 0x4019c2 in main utilities/magick.c:180
    #13 0x7fb530d1c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/quantize.c:3444 SetGrayscaleImage._omp_fn.4
==9998==ABORTING

$ ./magick convert ./poc output.xpm
=================================================================
==10017==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb4da8b67f8 at pc 0x7fb4d8eb9e44 bp 0x7ffdda66cc00 sp 0x7ffdda66cbf0
READ of size 8 at 0x7fb4da8b67f8 thread T0
    #0 0x7fb4d8eb9e43 in SetGrayscaleImage._omp_fn.4 MagickCore/quantize.c:3444
    #1 0x7fb4d69d7cbe in GOMP_parallel (/usr/lib/x86_64-linux-gnu/libgomp.so.1+0xbcbe)
    #2 0x7fb4d8eb6d46 in SetGrayscaleImage MagickCore/quantize.c:3423
    #3 0x7fb4d8eb4403 in QuantizeImage MagickCore/quantize.c:2668
    #4 0x7fb4d8bf411e in SetImageType MagickCore/attribute.c:1260
    #5 0x7fb4d91c1dee in WriteXPMImage coders/xpm.c:946
    #6 0x7fb4d8c84005 in WriteImage MagickCore/constitute.c:1124
    #7 0x7fb4d8c84c0f in WriteImages MagickCore/constitute.c:1338
    #8 0x7fb4d84e81c9 in ConvertImageCommand MagickWand/convert.c:3280
    #9 0x7fb4d85e071a in MagickCommandGenesis MagickWand/mogrify.c:183
    #10 0x4017e1 in MagickMain utilities/magick.c:149
    #11 0x4019c2 in main utilities/magick.c:180
    #12 0x7fb4d7d5482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x4012f8 in _start (/home/zm/workspace/ImageMagick/utilities/.libs/lt-magick+0x4012f8)

0x7fb4da8b67f8 is located 0 bytes to the right of 524280-byte region [0x7fb4da836800,0x7fb4da8b67f8)
allocated by thread T0 here:
    #0 0x7fb4d9887602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7fb4d8e31b26 in AcquireMagickMemory MagickCore/memory.c:468
    #2 0x7fb4d8e31b7a in AcquireQuantumMemory MagickCore/memory.c:541
    #3 0x7fb4d8eb6083 in SetGrayscaleImage MagickCore/quantize.c:3322
    #4 0x7fb4d8eb4403 in QuantizeImage MagickCore/quantize.c:2668
    #5 0x7fb4d8bf411e in SetImageType MagickCore/attribute.c:1260
    #6 0x7fb4d91c1dee in WriteXPMImage coders/xpm.c:946
    #7 0x7fb4d8c84005 in WriteImage MagickCore/constitute.c:1124
    #8 0x7fb4d8c84c0f in WriteImages MagickCore/constitute.c:1338
    #9 0x7fb4d84e81c9 in ConvertImageCommand MagickWand/convert.c:3280
    #10 0x7fb4d85e071a in MagickCommandGenesis MagickWand/mogrify.c:183
    #11 0x4017e1 in MagickMain utilities/magick.c:149
    #12 0x4019c2 in main utilities/magick.c:180
    #13 0x7fb4d7d5482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/quantize.c:3444 SetGrayscaleImage._omp_fn.4
==10017==ABORTING

POC

poc.zip

System Configuration

  • ImageMagick version: ImageMagick 7.0.7-37 Q16 x86_64
  • Environment (Operating system, version and so on): Ubuntu 16.04
  • Additional information:
    Credit:
    Zongming Wang from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.
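As an added triage example (not part of the issue or of ImageMagick's code), the script below parses the ASan report above and reduces it to what a maintainer needs first: the faulting frame, the allocation site behind the Acquire*Memory wrappers, and whether the numbers fit an off-by-one. The region size 524280 is 65535 entries of 8 bytes and the 8-byte read starts exactly at the region end, so the arithmetic flags the index-equals-count pattern; the wrapper list and that heuristic are the example's own assumptions, not a root-cause statement from the page.

```python
"""Triage helper for AddressSanitizer heap-buffer-overflow reports (added example)."""
import re

# Constructed excerpt of the GIF-conversion report posted in the issue.
SAMPLE_REPORT = """\
==9998==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb53387e7f8 at pc 0x7fb531e81e44 bp 0x7ffe4dad29a0 sp 0x7ffe4dad2990
READ of size 8 at 0x7fb53387e7f8 thread T0
    #0 0x7fb531e81e43 in SetGrayscaleImage._omp_fn.4 MagickCore/quantize.c:3444
    #1 0x7fb52f99fcbe in GOMP_parallel (/usr/lib/x86_64-linux-gnu/libgomp.so.1+0xbcbe)
    #2 0x7fb531e7ed46 in SetGrayscaleImage MagickCore/quantize.c:3423
0x7fb53387e7f8 is located 0 bytes to the right of 524280-byte region [0x7fb5337fe800,0x7fb53387e7f8)
allocated by thread T0 here:
    #0 0x7fb53284f602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7fb531df9b26 in AcquireMagickMemory MagickCore/memory.c:468
    #2 0x7fb531df9b7a in AcquireQuantumMemory MagickCore/memory.c:541
    #3 0x7fb531e7e083 in SetGrayscaleImage MagickCore/quantize.c:3322
"""

FRAME_RE = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")
# Assumption: these are ImageMagick's malloc wrappers; skip them to reach the real allocation site.
ALLOC_WRAPPERS = ("AcquireMagickMemory", "AcquireQuantumMemory")

def project_frame(block, wrappers=()):
    """First frame with a file:line location whose function is not a known wrapper."""
    for func, loc in FRAME_RE.findall(block):
        if re.search(r"\.[ch]:\d+$", loc) and not func.startswith(wrappers):
            return func, loc
    return None

def triage(report):
    """Extract the facts a triager wants and test the numbers for an off-by-one."""
    head = re.search(r"AddressSanitizer: (\S+) on address", report)
    access = re.search(r"(READ|WRITE) of size (\d+) at", report)
    region = re.search(r"located (\d+) bytes to the (left|right) of (\d+)-byte region", report)
    if not (head and access and region):
        raise ValueError("not a recognised ASan heap report")
    access_part, _, alloc_part = report.partition("allocated by")  # split the two stacks
    size, region_bytes, gap = int(access.group(2)), int(region.group(3)), int(region.group(1))
    elements = region_bytes // size if region_bytes % size == 0 else None
    return {
        "bug": head.group(1),
        "access": f"{access.group(1)} {size}",
        "fault_site": project_frame(access_part),
        "alloc_site": project_frame(alloc_part, ALLOC_WRAPPERS),
        "region_bytes": region_bytes,
        "elements": elements,
        # One whole element read starting exactly at the region end: index == element count (heuristic).
        "off_by_one": region.group(2) == "right" and gap == 0 and elements is not None,
    }
```

Call `triage(SAMPLE_REPORT)` or pass the full text of another ASan heap report; reports without a "located ... region" line raise rather than guess.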
urban-warrior pushed a commit that referenced this issue May 30, 2018
Cristy
urban-warrior pushed a commit to ImageMagick/ImageMagick6 that referenced this issue May 30, 2018

@urban-warrior urban-warrior commented May 30, 2018

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.


@nohmask nohmask commented Jun 1, 2018

This was assigned CVE-2018-11625.

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Jun 3, 2018
2018-06-02 7.0.7-38 Cristy <quetzlzacatenango@image...>
Release ImageMagick version 7.0.7-38, GIT revision 14409:01e395a73:20180602.

2018-05-30 7.0.7-38 <quetzlzacatenango@image...>
Heap buffer overflow fix (reference ImageMagick/ImageMagick#1156).
Boundary issues with -gamma option when HDRI is enabled (reference ImageMagick/ImageMagick#1151).
Fixed numerous use of uninitialized values, integer overflow, memory exceeded, and timeouts (credit to OSS Fuzz).
@dlemstra dlemstra added the bug label Jul 8, 2018