Skip to content

out of bounds write in bmp.c #1177

Closed
Closed
@zer0min9

Description

@zer0min9

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

$ ./magick -version
Version: ImageMagick 7.0.8-3 Q16 x86_64 2018-06-19 https://www.imagemagick.org
Copyright: ? 1999-2018 ImageMagick Studio LLC
License: https://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP 
Delegates (built-in): bzlib djvu fftw fontconfig fpx freetype heic jbig jng jp2 jpeg lcms lqr lzma pangocairo png raw tiff webp wmf x xml zlib

Steps to Reproduce

  • In coders/bmp.c
1845     pixel_info=AcquireVirtualMemory((size_t) bmp_info.image_size,
1846       sizeof(*pixels));
1847     if (pixel_info == (MemoryInfo *) NULL)
1848       ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
1849     pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
1850     (void) memset(pixels,0,(size_t) bmp_info.image_size);
                                       .
                                       .
                                       .
2058           q=pixels+(image->rows-y-1)*bytes_per_line;
2059           for (x=0; x < (ssize_t) image->columns; x++)
2060           {
2061             *q++=ScaleQuantumToChar(GetPixelBlue(image,p));

(image->rows-y-1)*bytes_per_line may be much larger than bmp_info.image_size,it will cause an out of bounds write bug in line 2061 of coders/bmp.c

To reproduce this problem:

$ ./magick convert ./poc output.bmp
ASAN:DEADLYSIGNAL
=================================================================
==67082==ERROR: AddressSanitizer: SEGV on unknown address 0x7f6c2daff800 (pc 0x7f6b3cfcc33b bp 0x7ffd57579e40 sp 0x7ffd57579c20 T0)
==67082==The signal is caused by a WRITE memory access.
    #0 0x7f6b3cfcc33a in WriteBMPImage coders/bmp.c:2061
    #1 0x7f6b3cbb2a40 in WriteImage MagickCore/constitute.c:1124
    #2 0x7f6b3cbb371f in WriteImages MagickCore/constitute.c:1338
    #3 0x7f6b3c3d1ba9 in ConvertImageCommand MagickWand/convert.c:3280
    #4 0x7f6b3c4d61db in MagickCommandGenesis MagickWand/mogrify.c:183
    #5 0x5610a1e0cec0 in MagickMain utilities/magick.c:149
    #6 0x5610a1e0d146 in main utilities/magick.c:180
    #7 0x7f6b3bc34b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #8 0x5610a1e0c939 in _start (/home/zm/workspace/ImageMagick/utilities/.libs/magick+0x1939)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV coders/bmp.c:2061 in WriteBMPImage
==67082==ABORTING

Debugging information:

Breakpoint 1, WriteBMPImage (image_info=0x627000042900, image=0x627000026900, 
    exception=0x60600000ddc0) at coders/bmp.c:2058
2058	          q=pixels+(image->rows-y-1)*bytes_per_line;
(gdb) p bmp_info.image_size
$1 = 433805204
(gdb) p (image->rows-y-1)*bytes_per_line
$2 = 4728576000
(gdb)

POC

poc.zip

System Configuration

  • ImageMagick version:ImageMagick 7.0.8-3 Q16 x86_64
  • Environment (Operating system, version and so on):ubuntu 18
  • Additional information:
    Credit:
    Zongming Wang from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions