
heap-buffer-overflow in MagickCore #1156

Closed
@zer0min9

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

Version: ImageMagick 7.0.7-37 Q16 x86_64 2018-05-30

It will cause a heap overflow when converting the POC to other formats (gif, magick, map, pnm, sun, xpm).

Steps to Reproduce

$ ./magick convert ./poc output.gif
=================================================================
==9998==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb53387e7f8 at pc 0x7fb531e81e44 bp 0x7ffe4dad29a0 sp 0x7ffe4dad2990
READ of size 8 at 0x7fb53387e7f8 thread T0
    #0 0x7fb531e81e43 in SetGrayscaleImage._omp_fn.4 MagickCore/quantize.c:3444
    #1 0x7fb52f99fcbe in GOMP_parallel (/usr/lib/x86_64-linux-gnu/libgomp.so.1+0xbcbe)
    #2 0x7fb531e7ed46 in SetGrayscaleImage MagickCore/quantize.c:3423
    #3 0x7fb531e7c403 in QuantizeImage MagickCore/quantize.c:2668
    #4 0x7fb531bbc11e in SetImageType MagickCore/attribute.c:1260
    #5 0x7fb53203eeeb in WriteGIFImage coders/gif.c:1610
    #6 0x7fb531c4c005 in WriteImage MagickCore/constitute.c:1124
    #7 0x7fb531c4cc0f in WriteImages MagickCore/constitute.c:1338
    #8 0x7fb5314b01c9 in ConvertImageCommand MagickWand/convert.c:3280
    #9 0x7fb5315a871a in MagickCommandGenesis MagickWand/mogrify.c:183
    #10 0x4017e1 in MagickMain utilities/magick.c:149
    #11 0x4019c2 in main utilities/magick.c:180
    #12 0x7fb530d1c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x4012f8 in _start (/home/zm/workspace/ImageMagick/utilities/.libs/lt-magick+0x4012f8)

0x7fb53387e7f8 is located 0 bytes to the right of 524280-byte region [0x7fb5337fe800,0x7fb53387e7f8)
allocated by thread T0 here:
    #0 0x7fb53284f602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7fb531df9b26 in AcquireMagickMemory MagickCore/memory.c:468
    #2 0x7fb531df9b7a in AcquireQuantumMemory MagickCore/memory.c:541
    #3 0x7fb531e7e083 in SetGrayscaleImage MagickCore/quantize.c:3322
    #4 0x7fb531e7c403 in QuantizeImage MagickCore/quantize.c:2668
    #5 0x7fb531bbc11e in SetImageType MagickCore/attribute.c:1260
    #6 0x7fb53203eeeb in WriteGIFImage coders/gif.c:1610
    #7 0x7fb531c4c005 in WriteImage MagickCore/constitute.c:1124
    #8 0x7fb531c4cc0f in WriteImages MagickCore/constitute.c:1338
    #9 0x7fb5314b01c9 in ConvertImageCommand MagickWand/convert.c:3280
    #10 0x7fb5315a871a in MagickCommandGenesis MagickWand/mogrify.c:183
    #11 0x4017e1 in MagickMain utilities/magick.c:149
    #12 0x4019c2 in main utilities/magick.c:180
    #13 0x7fb530d1c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/quantize.c:3444 SetGrayscaleImage._omp_fn.4
==9998==ABORTING

$ ./magick convert ./poc output.xpm
=================================================================
==10017==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb4da8b67f8 at pc 0x7fb4d8eb9e44 bp 0x7ffdda66cc00 sp 0x7ffdda66cbf0
READ of size 8 at 0x7fb4da8b67f8 thread T0
    #0 0x7fb4d8eb9e43 in SetGrayscaleImage._omp_fn.4 MagickCore/quantize.c:3444
    #1 0x7fb4d69d7cbe in GOMP_parallel (/usr/lib/x86_64-linux-gnu/libgomp.so.1+0xbcbe)
    #2 0x7fb4d8eb6d46 in SetGrayscaleImage MagickCore/quantize.c:3423
    #3 0x7fb4d8eb4403 in QuantizeImage MagickCore/quantize.c:2668
    #4 0x7fb4d8bf411e in SetImageType MagickCore/attribute.c:1260
    #5 0x7fb4d91c1dee in WriteXPMImage coders/xpm.c:946
    #6 0x7fb4d8c84005 in WriteImage MagickCore/constitute.c:1124
    #7 0x7fb4d8c84c0f in WriteImages MagickCore/constitute.c:1338
    #8 0x7fb4d84e81c9 in ConvertImageCommand MagickWand/convert.c:3280
    #9 0x7fb4d85e071a in MagickCommandGenesis MagickWand/mogrify.c:183
    #10 0x4017e1 in MagickMain utilities/magick.c:149
    #11 0x4019c2 in main utilities/magick.c:180
    #12 0x7fb4d7d5482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x4012f8 in _start (/home/zm/workspace/ImageMagick/utilities/.libs/lt-magick+0x4012f8)

0x7fb4da8b67f8 is located 0 bytes to the right of 524280-byte region [0x7fb4da836800,0x7fb4da8b67f8)
allocated by thread T0 here:
    #0 0x7fb4d9887602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7fb4d8e31b26 in AcquireMagickMemory MagickCore/memory.c:468
    #2 0x7fb4d8e31b7a in AcquireQuantumMemory MagickCore/memory.c:541
    #3 0x7fb4d8eb6083 in SetGrayscaleImage MagickCore/quantize.c:3322
    #4 0x7fb4d8eb4403 in QuantizeImage MagickCore/quantize.c:2668
    #5 0x7fb4d8bf411e in SetImageType MagickCore/attribute.c:1260
    #6 0x7fb4d91c1dee in WriteXPMImage coders/xpm.c:946
    #7 0x7fb4d8c84005 in WriteImage MagickCore/constitute.c:1124
    #8 0x7fb4d8c84c0f in WriteImages MagickCore/constitute.c:1338
    #9 0x7fb4d84e81c9 in ConvertImageCommand MagickWand/convert.c:3280
    #10 0x7fb4d85e071a in MagickCommandGenesis MagickWand/mogrify.c:183
    #11 0x4017e1 in MagickMain utilities/magick.c:149
    #12 0x4019c2 in main utilities/magick.c:180
    #13 0x7fb4d7d5482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/quantize.c:3444 SetGrayscaleImage._omp_fn.4
==10017==ABORTING

POC

poc.zip

System Configuration

  • ImageMagick version: ImageMagick 7.0.7-37 Q16 x86_64
  • Environment (Operating system, version and so on): ubuntu 16.04
  • Additional information:
    Credit:
    Zongming Wang from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.
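The ASan numbers above pin the read down: a 524280-byte region is 65535 entries of 8 bytes, and a read "0 bytes to the right" of it lands on element 65535, one past the end. The C below is an added illustration, not ImageMagick code and not the fix; it assumes the classic shape such a report implies (a value-to-index table sized MaxMap where the indexed value can itself reach MaxMap), and the names IndexMap, map_alloc_buggy, map_alloc_fixed and map_lookup are hypothetical.

```c
#include <stdlib.h>

/* MaxMap is ImageMagick's largest 16-bit map index (Q16 builds). */
#define MaxMap 65535UL

/* Triage arithmetic from the ASan text: which element did the read touch?
   region_bytes and right_offset are copied from the report; elem_bytes is
   the "READ of size N" value. */
size_t faulting_element(size_t region_bytes, size_t elem_bytes, size_t right_offset)
{
  return (region_bytes + right_offset) / elem_bytes;
}

/* Hypothetical "quantum value -> colormap index" table. `entries` is the
   allocation count; every value 0..MaxMap inclusive must be indexable. */
typedef struct { long *index; size_t entries; } IndexMap;

/* Assumed buggy pattern: MaxMap entries, so value MaxMap reads past the end. */
IndexMap map_alloc_buggy(void)
{
  IndexMap m = { calloc(MaxMap, sizeof(long)), MaxMap };
  return m;
}

/* Hardened pattern: MaxMap+1 entries cover the inclusive range 0..MaxMap. */
IndexMap map_alloc_fixed(void)
{
  IndexMap m = { calloc(MaxMap + 1UL, sizeof(long)), MaxMap + 1UL };
  return m;
}

/* Bounds-checked read: returns -1 instead of performing the out-of-bounds
   access that AddressSanitizer reported. */
int map_lookup(const IndexMap *m, size_t value, long *out)
{
  if (m->index == NULL || value >= m->entries)
    return -1;
  *out = m->index[value];
  return 0;
}

void map_free(IndexMap *m)
{
  free(m->index);
  m->index = NULL;
  m->entries = 0;
}
```

The check in map_lookup is what the allocation-size fix makes unnecessary; keeping both is cheap insurance when the index comes from untrusted pixel data.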
