Skip to content

heap-buffer-overflow bug in MagickCore/quantum-private.h: #1249

Closed
@Yan-1-20

Description

@Yan-1-20

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

I used fuzz technology to fuzz the imagemagick and found a heap overflow bug.

Steps to Reproduce

  • download_the_poc
  • use the command ./magick convert $POC /dev/null
  • Address Sanitizer reports the message like:
==9317==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5303595 at pc 0x80507ad bp 0xbfb13c58 sp 0xbfb13c4c
READ of size 1 at 0xb5303595 thread T0
    #0 0x80507ac in PushShortPixel MagickCore/quantum-private.h:276
    #1 0x80507ac in ParseImageResourceBlocks coders/psd.c:818
    #2 0x855f506 in ReadPSDImage coders/psd.c:2268
    #3 0x8793939 in ReadImage MagickCore/constitute.c:542
    #4 0x87971d5 in ReadImages MagickCore/constitute.c:911
    #5 0x8d67732 in ConvertImageCommand MagickWand/convert.c:643
    #6 0x8e6a5a0 in MagickCommandGenesis MagickWand/mogrify.c:184
    #7 0x8079d1b in MagickMain utilities/magick.c:149
    #8 0x805a8fa in main utilities/magick.c:180
    #9 0xb6ff0af2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19af2)
    #10 0x8079382 (/home/afl/ImageMagick/utilities/magick+0x8079382)

0xb5303595 is located 0 bytes to the right of 21-byte region [0xb5303580,0xb5303595)
allocated by thread T0 here:
    #0 0xb728788a in __interceptor_malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e88a)
    #1 0x855e7a8 in ReadPSDImage coders/psd.c:2257

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/quantum-private.h:276 PushShortPixel
Shadow bytes around the buggy address:
  0x36a60660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a60670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a60680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a60690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a606a0: fa fa fa fa 00 00 01 fa fa fa 00 00 04 fa fa fa
=>0x36a606b0: 00 00[05]fa fa fa fd fd fd fd fa fa fd fd fd fd
  0x36a606c0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x36a606d0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x36a606e0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x36a606f0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x36a60700: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==9317==ABORTING

System Configuration

Ubuntu 14.04 LTS x86 arch

$ uname -a
Linux ubuntu 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU/Linux

  • Additional information:
    May I know whether this can be assigned with a CVE ID?

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions