Skip to content

out of bounds write in dib.c #1178

Closed
Closed
@zer0min9

Description

@zer0min9

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

$ ./magick -version
Version: ImageMagick 7.0.8-3 Q16 x86_64 2018-06-19 https://www.imagemagick.org
Copyright: ? 1999-2018 ImageMagick Studio LLC
License: https://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP 
Delegates (built-in): bzlib djvu fftw fontconfig fpx freetype heic jbig jng jp2 jpeg lcms lqr lzma pangocairo png raw tiff webp wmf x xml zlib

Similar to #1177, the dib_info.image_size in coders/dib.c may cause an out of bounds write bug

Steps to Reproduce

  • In coders/dib.c
1178   /*
1179     Convert MIFF to DIB raster pixels.
1180   */
1181   pixels=(unsigned char *) AcquireQuantumMemory(dib_info.image_size,
1182     sizeof(*pixels));
1183   if (pixels == (unsigned char *) NULL)
1184     ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
1185   (void) memset(pixels,0,dib_info.image_size);
                                       .
                                       .
                                       .
1301         q=pixels+(image->rows-y-1)*bytes_per_line;
1302         for (x=0; x < (ssize_t) image->columns; x++)
1303         {
1304           *q++=ScaleQuantumToChar(GetPixelBlue(image,p));

(image->rows-y-1)*bytes_per_line may be much larger than dib_info.image_size,it will cause an out of bounds write bug in line 1304 of coders/dib.c

To reproduce this problem:

$ ./magick convert ./poc output.dib
ASAN:DEADLYSIGNAL
=================================================================
==67068==ERROR: AddressSanitizer: SEGV on unknown address 0x7f8b1c500000 (pc 0x7f8a2b95b4d7 bp 0x7ffd6d84e630 sp 0x7ffd6d84e4c0 T0)
==67068==The signal is caused by a WRITE memory access.
    #0 0x7f8a2b95b4d6 in WriteDIBImage coders/dib.c:1304
    #1 0x7f8a2b4f6a40 in WriteImage MagickCore/constitute.c:1124
    #2 0x7f8a2b4f771f in WriteImages MagickCore/constitute.c:1338
    #3 0x7f8a2ad15ba9 in ConvertImageCommand MagickWand/convert.c:3280
    #4 0x7f8a2ae1a1db in MagickCommandGenesis MagickWand/mogrify.c:183
    #5 0x557166df5ec0 in MagickMain utilities/magick.c:149
    #6 0x557166df6146 in main utilities/magick.c:180
    #7 0x7f8a2a578b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #8 0x557166df5939 in _start (/home/zm/workspace/ImageMagick/utilities/.libs/magick+0x1939)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV coders/dib.c:1304 in WriteDIBImage
==67068==ABORTING

Debugging information:

Breakpoint 1, WriteDIBImage (image_info=0x627000042900, image=0x627000026900, 
    exception=0x60600000ddc0) at coders/dib.c:1301
1301	        q=pixels+(image->rows-y-1)*bytes_per_line;
(gdb) p dib_info.image_size
$1 = 433805204
(gdb) p (image->rows-y-1)*bytes_per_line
$2 = 4728576000
(gdb) 

POC

poc.zip

System Configuration

  • ImageMagick version:ImageMagick 7.0.8-3 Q16 x86_64
  • Environment (Operating system, version and so on):ubuntu 18
  • Additional information:
    Credit:
    Zongming Wang from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions