heap-buffer-overflow in MagickCore

[zer0min9]

Prerequisites

• I have written a descriptive issue title
• I have verified that I am using the latest version of ImageMagick
• I have searched open and closed issues to ensure it has not already been reported

Description

Version: ImageMagick 7.0.7-37 Q16 x86_64 2018-05-30

It will cause heap overflow when convert the POC to other formats(gif,magick,map,pnm,sun,xpm)

Steps to Reproduce

$ ./magick convert ./poc output.gif
=================================================================
==9998==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb53387e7f8 at pc 0x7fb531e81e44 bp 0x7ffe4dad29a0 sp 0x7ffe4dad2990
READ of size 8 at 0x7fb53387e7f8 thread T0
    #0 0x7fb531e81e43 in SetGrayscaleImage._omp_fn.4 MagickCore/quantize.c:3444
    #1 0x7fb52f99fcbe in GOMP_parallel (/usr/lib/x86_64-linux-gnu/libgomp.so.1+0xbcbe)
    #2 0x7fb531e7ed46 in SetGrayscaleImage MagickCore/quantize.c:3423
    #3 0x7fb531e7c403 in QuantizeImage MagickCore/quantize.c:2668
    #4 0x7fb531bbc11e in SetImageType MagickCore/attribute.c:1260
    #5 0x7fb53203eeeb in WriteGIFImage coders/gif.c:1610
    #6 0x7fb531c4c005 in WriteImage MagickCore/constitute.c:1124
    #7 0x7fb531c4cc0f in WriteImages MagickCore/constitute.c:1338
    #8 0x7fb5314b01c9 in ConvertImageCommand MagickWand/convert.c:3280
    #9 0x7fb5315a871a in MagickCommandGenesis MagickWand/mogrify.c:183
    #10 0x4017e1 in MagickMain utilities/magick.c:149
    #11 0x4019c2 in main utilities/magick.c:180
    #12 0x7fb530d1c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x4012f8 in _start (/home/zm/workspace/ImageMagick/utilities/.libs/lt-magick+0x4012f8)

0x7fb53387e7f8 is located 0 bytes to the right of 524280-byte region [0x7fb5337fe800,0x7fb53387e7f8)
allocated by thread T0 here:
    #0 0x7fb53284f602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7fb531df9b26 in AcquireMagickMemory MagickCore/memory.c:468
    #2 0x7fb531df9b7a in AcquireQuantumMemory MagickCore/memory.c:541
    #3 0x7fb531e7e083 in SetGrayscaleImage MagickCore/quantize.c:3322
    #4 0x7fb531e7c403 in QuantizeImage MagickCore/quantize.c:2668
    #5 0x7fb531bbc11e in SetImageType MagickCore/attribute.c:1260
    #6 0x7fb53203eeeb in WriteGIFImage coders/gif.c:1610
    #7 0x7fb531c4c005 in WriteImage MagickCore/constitute.c:1124
    #8 0x7fb531c4cc0f in WriteImages MagickCore/constitute.c:1338
    #9 0x7fb5314b01c9 in ConvertImageCommand MagickWand/convert.c:3280
    #10 0x7fb5315a871a in MagickCommandGenesis MagickWand/mogrify.c:183
    #11 0x4017e1 in MagickMain utilities/magick.c:149
    #12 0x4019c2 in main utilities/magick.c:180
    #13 0x7fb530d1c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/quantize.c:3444 SetGrayscaleImage._omp_fn.4
Shadow bytes around the buggy address:
  0x0ff726707ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff726707cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff726707cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff726707cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff726707ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff726707cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
  0x0ff726707d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff726707d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff726707d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff726707d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff726707d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==9998==ABORTING

$ ./magick convert ./poc output.xpm
=================================================================
==10017==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb4da8b67f8 at pc 0x7fb4d8eb9e44 bp 0x7ffdda66cc00 sp 0x7ffdda66cbf0
READ of size 8 at 0x7fb4da8b67f8 thread T0
    #0 0x7fb4d8eb9e43 in SetGrayscaleImage._omp_fn.4 MagickCore/quantize.c:3444
    #1 0x7fb4d69d7cbe in GOMP_parallel (/usr/lib/x86_64-linux-gnu/libgomp.so.1+0xbcbe)
    #2 0x7fb4d8eb6d46 in SetGrayscaleImage MagickCore/quantize.c:3423
    #3 0x7fb4d8eb4403 in QuantizeImage MagickCore/quantize.c:2668
    #4 0x7fb4d8bf411e in SetImageType MagickCore/attribute.c:1260
    #5 0x7fb4d91c1dee in WriteXPMImage coders/xpm.c:946
    #6 0x7fb4d8c84005 in WriteImage MagickCore/constitute.c:1124
    #7 0x7fb4d8c84c0f in WriteImages MagickCore/constitute.c:1338
    #8 0x7fb4d84e81c9 in ConvertImageCommand MagickWand/convert.c:3280
    #9 0x7fb4d85e071a in MagickCommandGenesis MagickWand/mogrify.c:183
    #10 0x4017e1 in MagickMain utilities/magick.c:149
    #11 0x4019c2 in main utilities/magick.c:180
    #12 0x7fb4d7d5482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x4012f8 in _start (/home/zm/workspace/ImageMagick/utilities/.libs/lt-magick+0x4012f8)

0x7fb4da8b67f8 is located 0 bytes to the right of 524280-byte region [0x7fb4da836800,0x7fb4da8b67f8)
allocated by thread T0 here:
    #0 0x7fb4d9887602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7fb4d8e31b26 in AcquireMagickMemory MagickCore/memory.c:468
    #2 0x7fb4d8e31b7a in AcquireQuantumMemory MagickCore/memory.c:541
    #3 0x7fb4d8eb6083 in SetGrayscaleImage MagickCore/quantize.c:3322
    #4 0x7fb4d8eb4403 in QuantizeImage MagickCore/quantize.c:2668
    #5 0x7fb4d8bf411e in SetImageType MagickCore/attribute.c:1260
    #6 0x7fb4d91c1dee in WriteXPMImage coders/xpm.c:946
    #7 0x7fb4d8c84005 in WriteImage MagickCore/constitute.c:1124
    #8 0x7fb4d8c84c0f in WriteImages MagickCore/constitute.c:1338
    #9 0x7fb4d84e81c9 in ConvertImageCommand MagickWand/convert.c:3280
    #10 0x7fb4d85e071a in MagickCommandGenesis MagickWand/mogrify.c:183
    #11 0x4017e1 in MagickMain utilities/magick.c:149
    #12 0x4019c2 in main utilities/magick.c:180
    #13 0x7fb4d7d5482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/quantize.c:3444 SetGrayscaleImage._omp_fn.4
Shadow bytes around the buggy address:
  0x0ff71b50eca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff71b50ecb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff71b50ecc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff71b50ecd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff71b50ece0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff71b50ecf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
  0x0ff71b50ed00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff71b50ed10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff71b50ed20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff71b50ed30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff71b50ed40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==10017==ABORTING

POC

poc.zip

System Configuration

• ImageMagick version: ImageMagick 7.0.7-37 Q16 x86_64
• Environment (Operating system, version and so on):ubuntu 16.04
• Additional information:
  Credit:
  Zongming Wang from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.

[urban-warrior]

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

[nohmask]

This was assigned CVE-2018-11625.