Closed
Prerequisites
- I have written a descriptive issue title
- I have verified that I am using the latest version of ImageMagick
- I have searched open and closed issues to ensure it has not already been reported
Description
$ ./magick -version
Version: ImageMagick 7.0.8-3 Q16 x86_64 2018-06-19 https://www.imagemagick.org
Copyright: © 1999-2018 ImageMagick Studio LLC
License: https://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP
Delegates (built-in): bzlib djvu fftw fontconfig fpx freetype heic jbig jng jp2 jpeg lcms lqr lzma pangocairo png raw tiff webp wmf x xml zlib
Steps to Reproduce
- In coders/bmp.c
1845   pixel_info=AcquireVirtualMemory((size_t) bmp_info.image_size,
1846     sizeof(*pixels));
1847   if (pixel_info == (MemoryInfo *) NULL)
1848     ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
1849   pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
1850   (void) memset(pixels,0,(size_t) bmp_info.image_size);
...
2058       q=pixels+(image->rows-y-1)*bytes_per_line;
2059       for (x=0; x < (ssize_t) image->columns; x++)
2060       {
2061         *q++=ScaleQuantumToChar(GetPixelBlue(image,p));
(image->rows-y-1)*bytes_per_line may be much larger than bmp_info.image_size, the size of the pixels buffer allocated at line 1845, so the write at line 2061 of coders/bmp.c goes out of bounds.
To reproduce this problem:
$ ./magick convert ./poc output.bmp
ASAN:DEADLYSIGNAL
=================================================================
==67082==ERROR: AddressSanitizer: SEGV on unknown address 0x7f6c2daff800 (pc 0x7f6b3cfcc33b bp 0x7ffd57579e40 sp 0x7ffd57579c20 T0)
==67082==The signal is caused by a WRITE memory access.
#0 0x7f6b3cfcc33a in WriteBMPImage coders/bmp.c:2061
#1 0x7f6b3cbb2a40 in WriteImage MagickCore/constitute.c:1124
#2 0x7f6b3cbb371f in WriteImages MagickCore/constitute.c:1338
#3 0x7f6b3c3d1ba9 in ConvertImageCommand MagickWand/convert.c:3280
#4 0x7f6b3c4d61db in MagickCommandGenesis MagickWand/mogrify.c:183
#5 0x5610a1e0cec0 in MagickMain utilities/magick.c:149
#6 0x5610a1e0d146 in main utilities/magick.c:180
#7 0x7f6b3bc34b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#8 0x5610a1e0c939 in _start (/home/zm/workspace/ImageMagick/utilities/.libs/magick+0x1939)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV coders/bmp.c:2061 in WriteBMPImage
==67082==ABORTING
Debugging information:
Breakpoint 1, WriteBMPImage (image_info=0x627000042900, image=0x627000026900,
exception=0x60600000ddc0) at coders/bmp.c:2058
2058 q=pixels+(image->rows-y-1)*bytes_per_line;
(gdb) p bmp_info.image_size
$1 = 433805204
(gdb) p (image->rows-y-1)*bytes_per_line
$2 = 4728576000
(gdb)
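As an added illustration (not ImageMagick's code), the size relationship the analysis and the gdb values above describe, with the bound check a writer needs before deriving a row pointer from an image_size-sized buffer. bmp_bytes_per_line, bmp_rows_fit and bmp_row_offset are hypothetical helpers, and the rows and bytes_per_line values in main are constructed to reproduce the 4728576000 offset printed by gdb.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes in one BMP scanline (rows are padded to a 4-byte boundary). Hypothetical
   helper: how bmp.c itself derives bytes_per_line is not assumed here. */
static bool bmp_bytes_per_line(size_t columns,unsigned bits_per_pixel,size_t *out)
{
  size_t bits;

  if (columns == 0 || bits_per_pixel == 0 || columns > SIZE_MAX/bits_per_pixel)
    return false;                        /* columns*bits_per_pixel would overflow */
  bits=columns*bits_per_pixel;
  if (bits > SIZE_MAX-31)
    return false;
  *out=((bits+31)/32)*4;
  return true;
}

/* True only when rows*bytes_per_line is computable without overflow and fits in
   the allocated buffer: the kind of check the report says is missing. */
static bool bmp_rows_fit(size_t rows,size_t bytes_per_line,size_t image_size)
{
  if (rows == 0 || bytes_per_line == 0 || rows > SIZE_MAX/bytes_per_line)
    return false;
  return rows*bytes_per_line <= image_size;
}

/* Offset of row y in a bottom-up buffer, the (image->rows-y-1)*bytes_per_line of
   line 2058, returned only after the bound check passes. */
static bool bmp_row_offset(size_t rows,size_t y,size_t bytes_per_line,
  size_t image_size,size_t *offset)
{
  if (y >= rows || !bmp_rows_fit(rows,bytes_per_line,image_size))
    return false;
  *offset=(rows-y-1)*bytes_per_line;
  return true;
}

int main(void)
{
  /* Constructed values: 2000 rows above row 0, 2364288 bytes each, gives the
     4728576000 offset from the gdb session against its image_size 433805204. */
  size_t offset=0;
  bool ok=bmp_row_offset(2001,0,2364288,433805204,&offset);

  printf("row 0: %s\n",ok ? "in bounds" : "rejected, offset exceeds image_size");
  return 0;
}
```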
POC
System Configuration
- ImageMagick version: ImageMagick 7.0.8-3 Q16 x86_64
- Environment (Operating system, version and so on): Ubuntu 18
- Additional information:
Credit:
Zongming Wang from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.