heap-buffer-overflow bug in MagickCore/quantum-private.h: #1249

Closed
3 tasks done
Yan-1-20 opened this issue Aug 16, 2018 · 14 comments
Comments

@Yan-1-20

Yan-1-20 commented Aug 16, 2018

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

I used fuzzing technology to fuzz ImageMagick and found a heap overflow bug.

Steps to Reproduce

  • download_the_poc
  • use the command ./magick convert $POC /dev/null
  • AddressSanitizer reports a message like:
==9317==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5303595 at pc 0x80507ad bp 0xbfb13c58 sp 0xbfb13c4c
READ of size 1 at 0xb5303595 thread T0
    #0 0x80507ac in PushShortPixel MagickCore/quantum-private.h:276
    #1 0x80507ac in ParseImageResourceBlocks coders/psd.c:818
    #2 0x855f506 in ReadPSDImage coders/psd.c:2268
    #3 0x8793939 in ReadImage MagickCore/constitute.c:542
    #4 0x87971d5 in ReadImages MagickCore/constitute.c:911
    #5 0x8d67732 in ConvertImageCommand MagickWand/convert.c:643
    #6 0x8e6a5a0 in MagickCommandGenesis MagickWand/mogrify.c:184
    #7 0x8079d1b in MagickMain utilities/magick.c:149
    #8 0x805a8fa in main utilities/magick.c:180
    #9 0xb6ff0af2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19af2)
    #10 0x8079382 (/home/afl/ImageMagick/utilities/magick+0x8079382)

0xb5303595 is located 0 bytes to the right of 21-byte region [0xb5303580,0xb5303595)
allocated by thread T0 here:
    #0 0xb728788a in __interceptor_malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e88a)
    #1 0x855e7a8 in ReadPSDImage coders/psd.c:2257

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/quantum-private.h:276 PushShortPixel
==9317==ABORTING

System Configuration

Ubuntu 14.04 LTS x86 arch

$ uname -a
Linux ubuntu 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU/Linux

  • Additional information:
    May I know whether this can be assigned a CVE ID?

@urban-warrior
Member

urban-warrior commented Aug 18, 2018

Unfortunately we cannot reproduce this problem. We use valgrind and it does not return any memory corruption. The corrupt resource block requests a huge block of data but we have a check to see it exceeds the buffer extent and we gracefully exit. We're using the latest ImageMagick Github repo under Ubuntu 18.04.1.
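The check described above, as an added example that is not ImageMagick's own ParseImageResourceBlocks: a hypothetical bounds-checked walk over the PSD "8BIM" image resource blocks that the PushShortPixel trace is reading, run over a constructed buffer whose second block declares far more data than remains. Every comparison is made against the bytes remaining rather than a pointer plus an untrusted count, which is what keeps a huge declared size from wrapping on a 32-bit build.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical bounds-checked walk over PSD "8BIM" image resource blocks, an
   added example and not ImageMagick's ParseImageResourceBlocks. Block layout:
   "8BIM", uint16 id, Pascal name (length byte + bytes, padded to an even
   total), uint32 size, data padded to even; integers are big-endian. Every
   check compares the untrusted count against the bytes remaining, never a
   pointer plus that count, so a huge size cannot wrap on a 32-bit build.
   Returns the number of complete blocks, or -1 with *bad_offset set to the
   start of the block that did not fit. */
static uint32_t rd32(const unsigned char *p)
{ return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

int walk_resource_blocks(const unsigned char *blocks, size_t length,
                         size_t *bad_offset)
{
  size_t off = 0;
  int count = 0;
  while (off < length) {
    size_t remaining = length - off, name_total, header, avail, size;
    if (remaining < 4 || memcmp(blocks + off, "8BIM", 4) != 0)
      break;                              /* no signature: end of the list */
    if (remaining < 7) goto bad;          /* id or name length byte missing */
    name_total = ((size_t)blocks[off + 6] + 2) & ~(size_t)1;
    header = 4 + 2 + name_total + 4;
    if (remaining < header) goto bad;     /* name or size field truncated */
    size = rd32(blocks + off + header - 4);
    avail = remaining - header;           /* bytes left for data and pad */
    if (size > avail || size + (size & 1) > avail) goto bad;
    off += header + size + (size & 1); count++;
  }
  return count;
bad:
  *bad_offset = off;
  return -1;
}

/* Constructed samples: a well-formed block carrying two data bytes, and the
   same block followed by one declaring 0xFFFFFFF0 bytes with only two left. */
static const unsigned char sample_good[] = {
  '8','B','I','M', 0x04,0x0B, 0x00,0x00, 0x00,0x00,0x00,0x02, 'A','B' };
static const unsigned char sample_huge[] = {
  '8','B','I','M', 0x04,0x0B, 0x00,0x00, 0x00,0x00,0x00,0x02, 'A','B',
  '8','B','I','M', 0x03,0xED, 0x00,0x00, 0xFF,0xFF,0xFF,0xF0, 'C','D' };
/* Block count of the good sample (1), and the offset at which the oversized
   block is rejected (14: right after the good block), for the checks below. */
int demo_good_count(void) { size_t b; return walk_resource_blocks(sample_good, sizeof sample_good, &b); }
long demo_huge_offset(void)
{ size_t b = 0; return walk_resource_blocks(sample_huge, sizeof sample_huge, &b) == -1 ? (long)b : -1L; }
```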

@Yan-1-20
Author

I have tried using ASan on 64-bit machines and can't reproduce this problem, but using ASan on 32-bit machines does show it. You can try to see what happens on 32-bit.

@urban-warrior
Member

urban-warrior commented Aug 18, 2018

Unfortunately we do not have access to any 32-bit machines. We'll see if we can find a free service somewhere where we can utilize a 32-bit OS and try to reproduce the problem.

@Yan-1-20
Author

Thank you. Please try to use an Ubuntu 14.04 32-bit machine to reproduce; I will try to test on an Ubuntu 16.04 32-bit machine. And I have two other heap overflow samples that have not been submitted yet; I hope you can try to run them on 32-bit.

@Yan-1-20
Author

Yan-1-20 commented Aug 18, 2018

Oh, I can successfully reproduce this problem on the ubuntu 16.04 32-bit machine. I hope you can give it a try.

abc@ubuntu:~/Desktop/ImageMagick$ ./utilities/magick convert ~/Desktop/the_crash/heap-buffer-overflow-READ-0x805076c_output_dev_null_1534391141.75 /dev/null
=================================================================
==18558==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5204540 at pc 0xb76375de bp 0xbf909078 sp 0xbf909068
READ of size 1 at 0xb5204540 thread T0
    #0 0xb76375dd in PushShortPixel MagickCore/quantum-private.h:275
    #1 0xb763b189 in ParseImageResourceBlocks coders/psd.c:816
    #2 0xb76444fc in ReadPSDImage coders/psd.c:2268
    #3 0xb7172270 in ReadImage MagickCore/constitute.c:542
    #4 0xb7174b37 in ReadImages MagickCore/constitute.c:912
    #5 0xb6c9e7a0 in ConvertImageCommand MagickWand/convert.c:641
    #6 0xb6de285c in MagickCommandGenesis MagickWand/mogrify.c:184
    #7 0x8049361 in MagickMain utilities/magick.c:149
    #8 0x80495a2 in main utilities/magick.c:180
    #9 0xb6a22636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #10 0x8048dd0  (/home/mips/Desktop/ImageMagick/utilities/.libs/lt-magick+0x8048dd0)

0xb5204540 is located 0 bytes to the right of 16-byte region [0xb5204530,0xb5204540)
allocated by thread T0 here:
    #0 0xb7a18dee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0xb7318148 in AcquireMagickMemory MagickCore/memory.c:468
    #2 0xb7318197 in AcquireQuantumMemory MagickCore/memory.c:541
    #3 0xb764432b in ReadPSDImage coders/psd.c:2257
    #4 0xb7172270 in ReadImage MagickCore/constitute.c:542
    #5 0xb7174b37 in ReadImages MagickCore/constitute.c:912
    #6 0xb6c9e7a0 in ConvertImageCommand MagickWand/convert.c:641
    #7 0xb6de285c in MagickCommandGenesis MagickWand/mogrify.c:184
    #8 0x8049361 in MagickMain utilities/magick.c:149
    #9 0x80495a2 in main utilities/magick.c:180
    #10 0xb6a22636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/quantum-private.h:275 PushShortPixel
==18558==ABORTING
abc@ubuntu:~/Desktop/ImageMagick$ uname -a
Linux ubuntu 4.13.0-36-generic #40~16.04.1-Ubuntu SMP Fri Feb 16 23:26:51 UTC 2018 i686 i686 i686 GNU/Linux

@urban-warrior
Member

urban-warrior commented Aug 18, 2018

Using Ubuntu 16.04.5 (32bit), the source from the Github trunk, and valgrind, once again we cannot reproduce the problem. Valgrind is not reporting any memory corruption, we do get an "improper header" exception as expected. Post your configure command-line and any env variables you set. We'll try reproducing your IM build and see if that tickles the bug.

@Yan-1-20
Author

I did not set any extra env variables; I just used gcc ASan:
./configure --disable-shared CFLAGS="-g -fsanitize=address"

@Yan-1-20
Author

Yan-1-20 commented Aug 18, 2018

==============================================================================
ImageMagick is configured as follows. Please verify that this configuration
matches your expectations.

  Host system type: i686-pc-linux-gnu
  Build system type: i686-pc-linux-gnu

                 Option                        Value
  ------------------------------------------------------------------------------
  Shared libraries  --enable-shared=yes		yes
  Static libraries  --enable-static=yes		yes
  Build utilities   --with-utilities=yes        yes
  Module support    --with-modules=no		no
  GNU ld            --with-gnu-ld=yes		yes
  Quantum depth     --with-quantum-depth=16	16
  High Dynamic Range Imagery
                    --enable-hdri=yes		yes

  Install documentation:			yes

  Delegate Library Configuration:
  BZLIB             --with-bzlib=yes		no
  Autotrace         --with-autotrace=no		no
  DJVU              --with-djvu=yes		no
  DPS               --with-dps=yes		no
  FFTW              --with-fftw=yes		no
  FLIF              --with-flif=yes		no
  FlashPIX          --with-fpx=yes		no
  FontConfig        --with-fontconfig=yes	no
  FreeType          --with-freetype=yes		no
  Ghostscript lib   --with-gslib=no		no
  Graphviz          --with-gvc=yes		no
  HEIC              --with-heic=yes             no
  JBIG              --with-jbig=yes		no
  JPEG v1           --with-jpeg=yes		no
  LCMS              --with-lcms=yes		no
  LQR               --with-lqr=yes		no
  LTDL              --with-ltdl=yes		no
  LZMA              --with-lzma=yes		no
  Magick++          --with-magick-plus-plus=yes	yes
  OpenEXR           --with-openexr=yes		no
  OpenJP2           --with-openjp2=yes		no
  PANGO             --with-pango=yes		no
  PERL              --with-perl=no		no
  PNG               --with-png=yes		no
  RAQM              --with-raqm=yes		no
  RAW               --with-raw=yes 	   no
  RSVG              --with-rsvg=no		no
  TIFF              --with-tiff=yes		no
  WEBP              --with-webp=yes		no
  WMF               --with-wmf=yes		no
  X11               --with-x=			no
  XML               --with-xml=yes		no
  ZLIB              --with-zlib=yes		no

  Delegate Program Configuration:
  GhostPCL          None				pcl6 (unknown)
  GhostXPS          None				gxps (unknown)
  Ghostscript       None				gs (9.18)

  Font Configuration:
  Apple fonts       --with-apple-font-dir=default	
  Dejavu fonts      --with-dejavu-font-dir=default	none
  Ghostscript fonts --with-gs-font-dir=default	/usr/share/fonts/type1/gsfonts/
  URW-base35 fonts  --with-urw-base35-font-dir=default  none
  Windows fonts     --with-windows-font-dir=default	none

  X11 Configuration:
        X_CFLAGS        = 
        X_PRE_LIBS      = 
        X_LIBS          = 
        X_EXTRA_LIBS    = 

  Options used to compile and link:
    PREFIX          = /usr/local
    EXEC-PREFIX     = /usr/local
    VERSION         = 7.0.8
    CC              = gcc
    CFLAGS          =  -fopenmp -g -fsanitize=address -Wall -mtune=ivybridge -fexceptions -pthread -DMAGICKCORE_HDRI_ENABLE=1 -DMAGICKCORE_QUANTUM_DEPTH=16
    CPPFLAGS        =   -DMAGICKCORE_HDRI_ENABLE=1 -DMAGICKCORE_QUANTUM_DEPTH=16
    PCFLAGS         = 
    DEFS            = -DHAVE_CONFIG_H
    LDFLAGS         = 
    LIBS            = 
    CXX             = g++
    CXXFLAGS        = -g -O2 -pthread
    FEATURES        = DPC HDRI Cipher OpenMP
    DELEGATES       = mpeg ps
==============================================================================

urban-warrior pushed a commit to ImageMagick/ImageMagick6 that referenced this issue Aug 19, 2018
@urban-warrior
Member

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

@Yan-1-20
Author

Good friend, I will submit two other heap overflow samples. Sorry, my three holes were all tested in the same environment; if you want to reproduce the problem, please test it in the current environment.

@dlemstra dlemstra added the bug label Aug 19, 2018
@nohmask

nohmask commented Sep 4, 2018

This was assigned CVE-2018-16413.

@bastien-roucaries

Any IM6 fix?

@dlemstra
Member

The link to the IM6 commit is below the first message of the issue.

@b1nch3f

b1nch3f commented May 21, 2019

PoC not found under Steps to Reproduce
