
heap-buffer-overflow bug in ParseImageResourceBlocks coders/psd.c:831 #1250

Closed
@Yan-1-20

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

I used fuzzing to test ImageMagick and found a heap overflow bug.

Steps to Reproduce

  • download the PoC
  • use the command ./magick convert $POC /dev/null
  • AddressSanitizer reports a message like:
=================================================================
==9924==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb530359e at pc 0x82a3833 bp 0xbf9a4108 sp 0xbf9a40fc
READ of size 1 at 0xb530359e thread T0
    #0 0x82a3832 in ParseImageResourceBlocks coders/psd.c:831
    #1 0x82abdd7 in ReadPSDImage coders/psd.c:2268
    #2 0x83dc706 in ReadImage MagickCore/constitute.c:542
    #3 0x83ded61 in ReadImages MagickCore/constitute.c:911
    #4 0x868c38a in ConvertImageCommand MagickWand/convert.c:643
    #5 0x875c181 in MagickCommandGenesis MagickWand/mogrify.c:184
    #6 0x804b69f in MagickMain utilities/magick.c:149
    #7 0x804b8d5 in main utilities/magick.c:180
    #8 0xb702baf2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19af2)
    #9 0x804b130 (/home/afl/ImageMagick/utilities/magick+0x804b130)

0xb530359e is located 2 bytes to the right of 28-byte region [0xb5303580,0xb530359c)
allocated by thread T0 here:
    #0 0xb72c288a in __interceptor_malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e88a)
    #1 0x8082e98 in AcquireMagickMemory MagickCore/memory.c:468
    #2 0x8082edb in AcquireQuantumMemory MagickCore/memory.c:541
    #3 0x82abc2e in ReadPSDImage coders/psd.c:2257
    #4 0x83dc706 in ReadImage MagickCore/constitute.c:542
    #5 0x83ded61 in ReadImages MagickCore/constitute.c:911
    #6 0x868c38a in ConvertImageCommand MagickWand/convert.c:643
    #7 0x875c181 in MagickCommandGenesis MagickWand/mogrify.c:184
    #8 0x804b69f in MagickMain utilities/magick.c:149
    #9 0x804b8d5 in main utilities/magick.c:180
    #10 0xb702baf2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19af2)

SUMMARY: AddressSanitizer: heap-buffer-overflow coders/psd.c:831 ParseImageResourceBlocks
Shadow bytes around the buggy address:
  0x36a60660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a60670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a60680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a60690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a606a0: fa fa fa fa fa fa fa fa fa fa 00 00 04 fa fa fa
=>0x36a606b0: 00 00 00[04]fa fa fd fd fd fd fa fa fd fd fd fd
  0x36a606c0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x36a606d0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x36a606e0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x36a606f0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x36a60700: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==9924==ABORTING

System Configuration

Ubuntu 16.04 LTS x86 arch

abc@ubuntu:/Desktop/ImageMagick$ uname -a
Linux ubuntu 4.13.0-36-generic #4016.04.1-Ubuntu SMP Fri Feb 16 23:26:51 UTC 2018 i686 i686 i686 GNU/Linux

Additional information

May I know whether this can be assigned with a CVE ID?
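The sanitizer output above describes a one-byte read two bytes past a 28-byte heap region while ParseImageResourceBlocks walks the PSD image resource section. As an added example (not ImageMagick's code and not the reporter's PoC), the C below shows a bounds-checked walk over that section's block layout, which follows the Adobe PSD file-format spec: "8BIM" signature, 2-byte ID, Pascal-string name padded to even length, 4-byte big-endian size, then the data padded to even length. The constructed 28-byte input is my own: its size field claims 18 data bytes when only 16 follow, so a parser that advances by header plus declared size without checking would land at offset 30 and read its next signature there, the same "2 bytes to the right of a 28-byte region" shape the report shows. Whether that is the actual mechanism at psd.c:831 is an assumption; the struct and function names are also mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of walking a PSD image resource section (hypothetical type). */
typedef struct {
    int ok;           /* 1 if every block was entirely inside the buffer */
    int blocks;       /* number of complete "8BIM" blocks seen */
    uint64_t offset;  /* on success: bytes consumed; on failure: the offset the
                         parser would have needed to read or advance to */
} psd_res_result;

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Bounds-checked walk over PSD image resource blocks. `len` is the number of
 * bytes that actually exist in `buf` (not a length field copied from the
 * file); every field is checked against it before it is touched. */
psd_res_result parse_image_resource_blocks(const unsigned char *buf, size_t len)
{
    psd_res_result r = { 0, 0, 0 };
    size_t off = 0;

    while (off < len) {
        /* signature (4) + resource ID (2) + name length byte (1) */
        if (len - off < 7) { r.offset = (uint64_t)off + 7; return r; }
        /* strict: real files also carry other signatures, this example does not accept them */
        if (memcmp(buf + off, "8BIM", 4) != 0) { r.offset = off; return r; }

        size_t name_field = 1 + buf[off + 6];   /* length byte + characters */
        name_field += name_field & 1;            /* padded to an even total */
        size_t size_off = off + 6 + name_field;
        if (len - off < 6 + name_field + 4) { r.offset = (uint64_t)size_off + 4; return r; }

        uint32_t size = be32(buf + size_off);
        size_t data_off = size_off + 4;
        /* Compare against the remaining space. `data_off + size > len` would
         * wrap on a 32-bit size_t (the report's target is i686) for a large
         * size field and let the check pass. */
        if (size > len - data_off) { r.offset = (uint64_t)data_off + size; return r; }

        off = data_off + size;
        if ((size & 1) && off < len) off++;      /* trailing pad byte, if present */
        r.blocks++;
    }
    r.ok = 1;
    r.offset = off;
    return r;
}

/* Constructed sample input: two well-formed blocks (resolution info with an
 * empty name and 4 data bytes; IPTC with name "ab" and 3 data bytes + pad). */
static const unsigned char good_res[] = {
    '8','B','I','M', 0x03,0xED, 0x00,0x00, 0x00,0x00,0x00,0x04, 0x01,0x02,0x03,0x04,
    '8','B','I','M', 0x04,0x04, 0x02,'a','b',0x00, 0x00,0x00,0x00,0x03, 'x','y','z', 0x00
};

/* Constructed 28-byte input: the size field says 18 bytes but only 16 follow.
 * An unchecked parser would advance to offset 30 and read a signature there. */
static const unsigned char bad_res[] = {
    '8','B','I','M', 0x03,0xED, 0x00,0x00, 0x00,0x00,0x00,0x12,
    0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
};

int main(void)
{
    psd_res_result g = parse_image_resource_blocks(good_res, sizeof good_res);
    psd_res_result b = parse_image_resource_blocks(bad_res, sizeof bad_res);
    printf("well-formed: ok=%d blocks=%d consumed=%llu of %zu\n",
           g.ok, g.blocks, (unsigned long long)g.offset, sizeof good_res);
    printf("truncated:   ok=%d blocks=%d needed offset %llu in a %zu-byte buffer\n",
           b.ok, b.blocks, (unsigned long long)b.offset, sizeof bad_res);
    return 0;
}
```

The truncated case reports offset 30 for a 28-byte buffer, matching the distance the sanitizer printed; the point of the check order is that the size field is compared to the space left in the buffer, never used to advance first and validated afterwards.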
