out of bounds write in dib.c

[zer0min9]

Prerequisites

• I have written a descriptive issue title
• I have verified that I am using the latest version of ImageMagick
• I have searched open and closed issues to ensure it has not already been reported

Description

$ ./magick -version
Version: ImageMagick 7.0.8-3 Q16 x86_64 2018-06-19 https://www.imagemagick.org
Copyright: ? 1999-2018 ImageMagick Studio LLC
License: https://www.imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP 
Delegates (built-in): bzlib djvu fftw fontconfig fpx freetype heic jbig jng jp2 jpeg lcms lqr lzma pangocairo png raw tiff webp wmf x xml zlib

Similar to #1177, the dib_info.image_size in coders/dib.c may cause an out of bounds write bug

Steps to Reproduce

• In coders/dib.c

1178   /*
1179     Convert MIFF to DIB raster pixels.
1180   */
1181   pixels=(unsigned char *) AcquireQuantumMemory(dib_info.image_size,
1182     sizeof(*pixels));
1183   if (pixels == (unsigned char *) NULL)
1184     ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
1185   (void) memset(pixels,0,dib_info.image_size);
                                       .
                                       .
                                       .
1301         q=pixels+(image->rows-y-1)*bytes_per_line;
1302         for (x=0; x < (ssize_t) image->columns; x++)
1303         {
1304           *q++=ScaleQuantumToChar(GetPixelBlue(image,p));

(image->rows-y-1)*bytes_per_line may be much larger than dib_info.image_size,it will cause an out of bounds write bug in line 1304 of coders/dib.c

To reproduce this problem:

$ ./magick convert ./poc output.dib
ASAN:DEADLYSIGNAL
=================================================================
==67068==ERROR: AddressSanitizer: SEGV on unknown address 0x7f8b1c500000 (pc 0x7f8a2b95b4d7 bp 0x7ffd6d84e630 sp 0x7ffd6d84e4c0 T0)
==67068==The signal is caused by a WRITE memory access.
    #0 0x7f8a2b95b4d6 in WriteDIBImage coders/dib.c:1304
    #1 0x7f8a2b4f6a40 in WriteImage MagickCore/constitute.c:1124
    #2 0x7f8a2b4f771f in WriteImages MagickCore/constitute.c:1338
    #3 0x7f8a2ad15ba9 in ConvertImageCommand MagickWand/convert.c:3280
    #4 0x7f8a2ae1a1db in MagickCommandGenesis MagickWand/mogrify.c:183
    #5 0x557166df5ec0 in MagickMain utilities/magick.c:149
    #6 0x557166df6146 in main utilities/magick.c:180
    #7 0x7f8a2a578b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #8 0x557166df5939 in _start (/home/zm/workspace/ImageMagick/utilities/.libs/magick+0x1939)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV coders/dib.c:1304 in WriteDIBImage
==67068==ABORTING

Debugging information：

Breakpoint 1, WriteDIBImage (image_info=0x627000042900, image=0x627000026900, 
    exception=0x60600000ddc0) at coders/dib.c:1301
1301	        q=pixels+(image->rows-y-1)*bytes_per_line;
(gdb) p dib_info.image_size
$1 = 433805204
(gdb) p (image->rows-y-1)*bytes_per_line
$2 = 4728576000
(gdb) 

POC

poc.zip

System Configuration

• ImageMagick version:ImageMagick 7.0.8-3 Q16 x86_64
• Environment (Operating system, version and so on):ubuntu 18
• Additional information:
  Credit:
  Zongming Wang from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.

[urban-warrior]

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

[nohmask]

This was assigned CVE-2018-12600.