Closed
Prerequisites
- I have written a descriptive issue title
- I have verified that I am using the latest version of ImageMagick
- I have searched open and closed issues to ensure it has not already been reported
Description
Version: ImageMagick 7.0.7-37 Q16 x86_64 2018-05-30
Converting the POC to other formats (gif, magick, map, pnm, sun, xpm) causes a heap-buffer-overflow.
Steps to Reproduce
$ ./magick convert ./poc output.gif
=================================================================
==9998==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb53387e7f8 at pc 0x7fb531e81e44 bp 0x7ffe4dad29a0 sp 0x7ffe4dad2990
READ of size 8 at 0x7fb53387e7f8 thread T0
#0 0x7fb531e81e43 in SetGrayscaleImage._omp_fn.4 MagickCore/quantize.c:3444
#1 0x7fb52f99fcbe in GOMP_parallel (/usr/lib/x86_64-linux-gnu/libgomp.so.1+0xbcbe)
#2 0x7fb531e7ed46 in SetGrayscaleImage MagickCore/quantize.c:3423
#3 0x7fb531e7c403 in QuantizeImage MagickCore/quantize.c:2668
#4 0x7fb531bbc11e in SetImageType MagickCore/attribute.c:1260
#5 0x7fb53203eeeb in WriteGIFImage coders/gif.c:1610
#6 0x7fb531c4c005 in WriteImage MagickCore/constitute.c:1124
#7 0x7fb531c4cc0f in WriteImages MagickCore/constitute.c:1338
#8 0x7fb5314b01c9 in ConvertImageCommand MagickWand/convert.c:3280
#9 0x7fb5315a871a in MagickCommandGenesis MagickWand/mogrify.c:183
#10 0x4017e1 in MagickMain utilities/magick.c:149
#11 0x4019c2 in main utilities/magick.c:180
#12 0x7fb530d1c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#13 0x4012f8 in _start (/home/zm/workspace/ImageMagick/utilities/.libs/lt-magick+0x4012f8)
0x7fb53387e7f8 is located 0 bytes to the right of 524280-byte region [0x7fb5337fe800,0x7fb53387e7f8)
allocated by thread T0 here:
#0 0x7fb53284f602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7fb531df9b26 in AcquireMagickMemory MagickCore/memory.c:468
#2 0x7fb531df9b7a in AcquireQuantumMemory MagickCore/memory.c:541
#3 0x7fb531e7e083 in SetGrayscaleImage MagickCore/quantize.c:3322
#4 0x7fb531e7c403 in QuantizeImage MagickCore/quantize.c:2668
#5 0x7fb531bbc11e in SetImageType MagickCore/attribute.c:1260
#6 0x7fb53203eeeb in WriteGIFImage coders/gif.c:1610
#7 0x7fb531c4c005 in WriteImage MagickCore/constitute.c:1124
#8 0x7fb531c4cc0f in WriteImages MagickCore/constitute.c:1338
#9 0x7fb5314b01c9 in ConvertImageCommand MagickWand/convert.c:3280
#10 0x7fb5315a871a in MagickCommandGenesis MagickWand/mogrify.c:183
#11 0x4017e1 in MagickMain utilities/magick.c:149
#12 0x4019c2 in main utilities/magick.c:180
#13 0x7fb530d1c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/quantize.c:3444 SetGrayscaleImage._omp_fn.4
Shadow bytes around the buggy address:
0x0ff726707ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff726707cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff726707cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff726707cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff726707ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff726707cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
0x0ff726707d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff726707d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff726707d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff726707d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff726707d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==9998==ABORTING
$ ./magick convert ./poc output.xpm
=================================================================
==10017==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb4da8b67f8 at pc 0x7fb4d8eb9e44 bp 0x7ffdda66cc00 sp 0x7ffdda66cbf0
READ of size 8 at 0x7fb4da8b67f8 thread T0
#0 0x7fb4d8eb9e43 in SetGrayscaleImage._omp_fn.4 MagickCore/quantize.c:3444
#1 0x7fb4d69d7cbe in GOMP_parallel (/usr/lib/x86_64-linux-gnu/libgomp.so.1+0xbcbe)
#2 0x7fb4d8eb6d46 in SetGrayscaleImage MagickCore/quantize.c:3423
#3 0x7fb4d8eb4403 in QuantizeImage MagickCore/quantize.c:2668
#4 0x7fb4d8bf411e in SetImageType MagickCore/attribute.c:1260
#5 0x7fb4d91c1dee in WriteXPMImage coders/xpm.c:946
#6 0x7fb4d8c84005 in WriteImage MagickCore/constitute.c:1124
#7 0x7fb4d8c84c0f in WriteImages MagickCore/constitute.c:1338
#8 0x7fb4d84e81c9 in ConvertImageCommand MagickWand/convert.c:3280
#9 0x7fb4d85e071a in MagickCommandGenesis MagickWand/mogrify.c:183
#10 0x4017e1 in MagickMain utilities/magick.c:149
#11 0x4019c2 in main utilities/magick.c:180
#12 0x7fb4d7d5482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#13 0x4012f8 in _start (/home/zm/workspace/ImageMagick/utilities/.libs/lt-magick+0x4012f8)
0x7fb4da8b67f8 is located 0 bytes to the right of 524280-byte region [0x7fb4da836800,0x7fb4da8b67f8)
allocated by thread T0 here:
#0 0x7fb4d9887602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7fb4d8e31b26 in AcquireMagickMemory MagickCore/memory.c:468
#2 0x7fb4d8e31b7a in AcquireQuantumMemory MagickCore/memory.c:541
#3 0x7fb4d8eb6083 in SetGrayscaleImage MagickCore/quantize.c:3322
#4 0x7fb4d8eb4403 in QuantizeImage MagickCore/quantize.c:2668
#5 0x7fb4d8bf411e in SetImageType MagickCore/attribute.c:1260
#6 0x7fb4d91c1dee in WriteXPMImage coders/xpm.c:946
#7 0x7fb4d8c84005 in WriteImage MagickCore/constitute.c:1124
#8 0x7fb4d8c84c0f in WriteImages MagickCore/constitute.c:1338
#9 0x7fb4d84e81c9 in ConvertImageCommand MagickWand/convert.c:3280
#10 0x7fb4d85e071a in MagickCommandGenesis MagickWand/mogrify.c:183
#11 0x4017e1 in MagickMain utilities/magick.c:149
#12 0x4019c2 in main utilities/magick.c:180
#13 0x7fb4d7d5482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/quantize.c:3444 SetGrayscaleImage._omp_fn.4
Shadow bytes around the buggy address:
0x0ff71b50eca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff71b50ecb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff71b50ecc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff71b50ecd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff71b50ece0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff71b50ecf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
0x0ff71b50ed00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff71b50ed10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff71b50ed20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff71b50ed30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff71b50ed40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==10017==ABORTING
POC
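An added triage helper, not part of this report or of the ImageMagick code base, that reads the access size, region size and distance out of an ASan report like the ones above and shows what the numbers say: a READ of size 8 landing 0 bytes past a 524280-byte region is an index-65535 access into a 65535-element array of 8-byte values, the classic off-by-one bound. The project prefix and the memory-wrapper file list passed to it are assumptions chosen to fit this trace.

```python
import re

# Constructed excerpt of the first AddressSanitizer report quoted in this issue
# (the gif run); only the lines the triage logic needs are kept.
SAMPLE_REPORT = """\
==9998==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb53387e7f8 at pc 0x7fb531e81e44 bp 0x7ffe4dad29a0 sp 0x7ffe4dad2990
READ of size 8 at 0x7fb53387e7f8 thread T0
    #0 0x7fb531e81e43 in SetGrayscaleImage._omp_fn.4 MagickCore/quantize.c:3444
    #1 0x7fb52f99fcbe in GOMP_parallel (/usr/lib/x86_64-linux-gnu/libgomp.so.1+0xbcbe)
0x7fb53387e7f8 is located 0 bytes to the right of 524280-byte region [0x7fb5337fe800,0x7fb53387e7f8)
allocated by thread T0 here:
    #0 0x7fb53284f602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7fb531df9b26 in AcquireMagickMemory MagickCore/memory.c:468
    #2 0x7fb531df9b7a in AcquireQuantumMemory MagickCore/memory.c:541
    #3 0x7fb531e7e083 in SetGrayscaleImage MagickCore/quantize.c:3322
"""

ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+", re.M)
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+):(\d+)$", re.M)

def project_frame(section, prefix, wrappers=()):
    """First symbolised frame under `prefix`, skipping allocator wrapper files (assumed list)."""
    for m in FRAME_RE.finditer(section):
        func, path = m.group(1), f"{m.group(2)}:{m.group(3)}"
        if path.startswith(prefix) and not path.startswith(wrappers):
            return func, path
    return None

def triage(report, prefix, wrappers=("MagickCore/memory.c",)):
    """Summarise an ASan heap-buffer-overflow and test for the off-by-one pattern."""
    access, region = ACCESS_RE.search(report), REGION_RE.search(report)
    if not access or not region:
        raise ValueError("not a heap-buffer-overflow report with region information")
    size, region_size = int(access.group(2)), int(region.group(3))
    distance, side = int(region.group(1)), region.group(2)
    # Frames before "allocated by" describe the access; frames after it, the allocation.
    access_part, _, alloc_part = report.partition("allocated by")
    # Region is a whole number of access-sized elements -> treat it as an array.
    elements = region_size // size if region_size % size == 0 else None
    # Off-by-one: an element-sized access landing exactly at the end of that array.
    off_by_one = side == "right" and distance == 0 and elements is not None
    return {"access": access.group(1), "access_size": size, "region_size": region_size,
            "distance": distance, "side": side, "elements": elements,
            "oob_index": elements if off_by_one else None, "off_by_one": off_by_one,
            "crash_site": project_frame(access_part, prefix),
            "alloc_site": project_frame(alloc_part, prefix, wrappers)}

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT, "MagickCore/"))
```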
System Configuration
- ImageMagick version: ImageMagick 7.0.7-37 Q16 x86_64
- Environment (Operating system, version and so on): Ubuntu 16.04
- Additional information:
Credit:
Zongming Wang from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.