
heap-buffer-overflow bug in ParseImageResourceBlocks coders/psd.c:831 #1250

Closed
3 tasks done
Yan-1-20 opened this issue Aug 19, 2018 · 12 comments

Comments

@Yan-1-20

Yan-1-20 commented Aug 19, 2018

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

I used fuzz testing on ImageMagick and found a heap-overflow bug.

Steps to Reproduce

  • download_the_poc
  • use the command ./magick convert $POC /dev/null
  • AddressSanitizer reports a message like:
=================================================================
==9924==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb530359e at pc 0x82a3833 bp 0xbf9a4108 sp 0xbf9a40fc
READ of size 1 at 0xb530359e thread T0
    #0 0x82a3832 in ParseImageResourceBlocks coders/psd.c:831
    #1 0x82abdd7 in ReadPSDImage coders/psd.c:2268
    #2 0x83dc706 in ReadImage MagickCore/constitute.c:542
    #3 0x83ded61 in ReadImages MagickCore/constitute.c:911
    #4 0x868c38a in ConvertImageCommand MagickWand/convert.c:643
    #5 0x875c181 in MagickCommandGenesis MagickWand/mogrify.c:184
    #6 0x804b69f in MagickMain utilities/magick.c:149
    #7 0x804b8d5 in main utilities/magick.c:180
    #8 0xb702baf2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19af2)
    #9 0x804b130 (/home/afl/ImageMagick/utilities/magick+0x804b130)

0xb530359e is located 2 bytes to the right of 28-byte region [0xb5303580,0xb530359c)
allocated by thread T0 here:
    #0 0xb72c288a in __interceptor_malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e88a)
    #1 0x8082e98 in AcquireMagickMemory MagickCore/memory.c:468
    #2 0x8082edb in AcquireQuantumMemory MagickCore/memory.c:541
    #3 0x82abc2e in ReadPSDImage coders/psd.c:2257
    #4 0x83dc706 in ReadImage MagickCore/constitute.c:542
    #5 0x83ded61 in ReadImages MagickCore/constitute.c:911
    #6 0x868c38a in ConvertImageCommand MagickWand/convert.c:643
    #7 0x875c181 in MagickCommandGenesis MagickWand/mogrify.c:184
    #8 0x804b69f in MagickMain utilities/magick.c:149
    #9 0x804b8d5 in main utilities/magick.c:180
    #10 0xb702baf2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19af2)

SUMMARY: AddressSanitizer: heap-buffer-overflow coders/psd.c:831 ParseImageResourceBlocks
Shadow bytes around the buggy address:
  0x36a60660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a60670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a60680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a60690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a606a0: fa fa fa fa fa fa fa fa fa fa 00 00 04 fa fa fa
=>0x36a606b0: 00 00 00[04]fa fa fd fd fd fd fa fa fd fd fd fd
  0x36a606c0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x36a606d0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x36a606e0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x36a606f0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x36a60700: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==9924==ABORTING

System Configuration

Ubuntu 16.04 LTS x86 arch

abc@ubuntu:/Desktop/ImageMagick$ uname -a
Linux ubuntu 4.13.0-36-generic #4016.04.1-Ubuntu SMP Fri Feb 16 23:26:51 UTC 2018 i686 i686 i686 GNU/Linux

  • Additional information:

May I know whether this can be assigned a CVE ID?
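A bounds-checked walk over PSD image resource blocks, the structure that ParseImageResourceBlocks parses, added here as an illustration and not ImageMagick's own code. It follows the PSD layout ("8BIM" signature, 2-byte ID, even-padded Pascal name, 4-byte big-endian size, even-padded data) and stops, instead of reading past the buffer, when a block declares more bytes than remain, the kind of over-read the ASAN report above shows; the sample buffers are constructed, not the reporter's PoC, and treating any non-8BIM signature as malformed is a simplification.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef struct { size_t blocks; int error; /* 1 on truncated or malformed block */ } psd_walk_result;

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Walk the image resource section without ever reading past `len`.
 * Every read is preceded by a remaining-bytes check, and the size arithmetic is
 * arranged so a 32-bit size_t cannot wrap when the declared size is near 2^32. */
psd_walk_result psd_walk_resources(const unsigned char *buf, size_t len) {
    psd_walk_result r = {0, 0};
    size_t off = 0;
    while (off < len) {
        /* fixed header: 4-byte signature, 2-byte id, 1-byte name length */
        if (len - off < 7 || memcmp(buf + off, "8BIM", 4) != 0) { r.error = 1; break; }
        size_t name_field = 1 + (size_t)buf[off + 6];   /* length byte plus name */
        name_field += name_field & 1;                   /* Pascal name padded to even size */
        off += 6;
        if (len - off < name_field + 4) { r.error = 1; break; }  /* name or size field cut off */
        off += name_field;
        uint32_t data_len = be32(buf + off);
        off += 4;
        size_t remaining = len - off;
        if (data_len > remaining) { r.error = 1; break; }        /* declared size runs past end */
        size_t pad = data_len & 1;                                /* data padded to even size */
        if (pad > remaining - data_len) { r.error = 1; break; }  /* padding byte past end */
        off += data_len + pad;
        r.blocks++;
    }
    return r;
}

/* Constructed samples. SAMPLE_VALID: one block, 3-byte name "abc", 1 data byte plus pad.
 * SAMPLE_TRUNCATED: one complete block, then a block whose declared size (100)
 * runs far past the end of this 28-byte buffer. */
static const unsigned char SAMPLE_VALID[16] = {
    '8','B','I','M', 0x04,0x0C, 0x03,'a','b','c', 0x00,0x00,0x00,0x01, 'x', 0x00 };
static const unsigned char SAMPLE_TRUNCATED[28] = {
    '8','B','I','M', 0x03,0xED, 0x00,0x00, 0x00,0x00,0x00,0x04, 0xAA,0xBB,0xCC,0xDD,
    '8','B','I','M', 0x04,0x04, 0x00,0x00, 0x00,0x00,0x00,0x64 };

int main(void) {
    psd_walk_result a = psd_walk_resources(SAMPLE_VALID, sizeof SAMPLE_VALID);
    psd_walk_result b = psd_walk_resources(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED);
    printf("valid: %zu block(s), error=%d\n", a.blocks, a.error);
    printf("truncated: %zu block(s), error=%d\n", b.blocks, b.error);
    return 0;
}
```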

@urban-warrior
Member

Did you try the POC against the latest Github trunk? We did and could not reproduce the heap overflow.

@Yan-1-20
Author

Okay, thanks.

@nohmask

nohmask commented Sep 4, 2018

This was assigned CVE-2018-16412.

@dlemstra
Member

dlemstra commented Sep 4, 2018

@nohmask Why is something that we cannot reproduce assigned a CVE?

@nohmask

nohmask commented Sep 5, 2018

@dlemstra I’m afraid I don’t know. This issue is stated in CVE References.

@dlemstra
Member

dlemstra commented Sep 5, 2018

@nohmask I always thought that you requested the CVEs and reported that here.

@nohmask

nohmask commented Sep 5, 2018

@dlemstra I am only checking ImageMagick CVEs. The request is done by another person.

@ret2libc

I cannot reproduce either. Tried on 32bit and 64bit machines.

@ret2libc

I was actually able to reproduce on version 7.0.8-10 and not 7.0.8-11.

@rcsanchez97

I was also able to confirm that 7.0.8-10 exhibits the behavior while 7.0.8-11 does not. This was done on Debian unstable. I was able to confirm that the specific commit which fixes the problem is 17a1a6f (for IM6 it is ImageMagick/ImageMagick6@4745eb1).

Here is the ASAN output for 9d750c2 (the first ancestor of 17a1a6f):

root@debian:~/github-imagemagick.git# LD_LIBRARY_PATH=/opt/im-9d750c2ab/lib PATH=${PATH}:/opt/im-9d750c2ab/bin /opt/im-9d750c2ab/bin/magick convert heap-buffer-overflow-READ-0x8050968_output_dev_null_1534391183.62 /dev/null
=================================================================
==30947==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf0602f3e at pc 0xf72571a7 bp 0xff7fbcc8 sp 0xff7fbcbc
READ of size 1 at 0xf0602f3e thread T0
    #0 0xf72571a6 in ParseImageResourceBlocks (/opt/im-9d750c2ab/lib/libMagickCore-7.Q16HDRI.so.6+0x84b1a6)
    #1 0xf7262976 in ReadPSDImage (/opt/im-9d750c2ab/lib/libMagickCore-7.Q16HDRI.so.6+0x856976)
    #2 0xf6ba7fb4 in ReadImage (/opt/im-9d750c2ab/lib/libMagickCore-7.Q16HDRI.so.6+0x19bfb4)
    #3 0xf6bab957 in ReadImages (/opt/im-9d750c2ab/lib/libMagickCore-7.Q16HDRI.so.6+0x19f957)
    #4 0xf661fb2b in ConvertImageCommand (/opt/im-9d750c2ab/lib/libMagickWand-7.Q16HDRI.so.6+0x109b2b)
    #5 0xf67cc603 in MagickCommandGenesis (/opt/im-9d750c2ab/lib/libMagickWand-7.Q16HDRI.so.6+0x2b6603)
    #6 0x566e795f in MagickMain (/opt/im-9d750c2ab/bin/magick+0x11c95f)
    #7 0x566e7cbf in main (/opt/im-9d750c2ab/bin/magick+0x11ccbf)
    #8 0xf505e9a0 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x199a0)
    #9 0x565d3587  (/opt/im-9d750c2ab/bin/magick+0x8587)

0xf0602f3e is located 2 bytes to the right of 28-byte region [0xf0602f20,0xf0602f3c)
allocated by thread T0 here:
    #0 0x566a48b4 in __interceptor_malloc (/opt/im-9d750c2ab/bin/magick+0xd98b4)
    #1 0xf6de9cc6 in AcquireMagickMemory (/opt/im-9d750c2ab/lib/libMagickCore-7.Q16HDRI.so.6+0x3ddcc6)
    #2 0xf6de9d15 in AcquireQuantumMemory (/opt/im-9d750c2ab/lib/libMagickCore-7.Q16HDRI.so.6+0x3ddd15)
    #3 0xf7262617 in ReadPSDImage (/opt/im-9d750c2ab/lib/libMagickCore-7.Q16HDRI.so.6+0x856617)
    #4 0xf6ba7fb4 in ReadImage (/opt/im-9d750c2ab/lib/libMagickCore-7.Q16HDRI.so.6+0x19bfb4)
    #5 0xf6bab957 in ReadImages (/opt/im-9d750c2ab/lib/libMagickCore-7.Q16HDRI.so.6+0x19f957)
    #6 0xf661fb2b in ConvertImageCommand (/opt/im-9d750c2ab/lib/libMagickWand-7.Q16HDRI.so.6+0x109b2b)
    #7 0xf67cc603 in MagickCommandGenesis (/opt/im-9d750c2ab/lib/libMagickWand-7.Q16HDRI.so.6+0x2b6603)
    #8 0x566e795f in MagickMain (/opt/im-9d750c2ab/bin/magick+0x11c95f)
    #9 0x566e7cbf in main (/opt/im-9d750c2ab/bin/magick+0x11ccbf)
    #10 0xf505e9a0 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x199a0)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/opt/im-9d750c2ab/lib/libMagickCore-7.Q16HDRI.so.6+0x84b1a6) in ParseImageResourceBlocks
Shadow bytes around the buggy address:
  0x3e0c0590: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
  0x3e0c05a0: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa fd fd
  0x3e0c05b0: fd fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
  0x3e0c05c0: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
  0x3e0c05d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 00
=>0x3e0c05e0: 04 fa fa fa 00 00 00[04]fa fa fd fd fd fd fa fa
  0x3e0c05f0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x3e0c0600: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x3e0c0610: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x3e0c0620: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x3e0c0630: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==30947==ABORTING

Here is the output of ASAN for 17a1a6f:

root@debian:~/github-imagemagick.git# LD_LIBRARY_PATH=/opt/im-17a1a6f97fd088a71931bdc422f4e96bb6ffc549/lib PATH=${PATH}:/opt/im-17a1a6f97fd088a71931bdc422f4e96bb6ffc549/bin /opt/im-17a1a6f97fd088a71931bdc422f4e96bb6ffc549/bin/magick convert heap-buffer-overflow-READ-0x8050968_output_dev_null_1534391183.62 /dev/null
convert: NoSuchImageChannel `heap-buffer-overflow-READ-0x8050968_output_dev_null_1534391183.62' @ error/psd.c/ReadPSDLayersInternal/1714.
convert: no images defined `/dev/null' @ error/convert.c/ConvertImageCommand/3288.

@rcsanchez97

As an additional note, this only happens on 32-bit x86. The first time I tried to reproduce following the OP's report I missed the "i686" in the IM version banner and I tried to reproduce in a 64-bit environment.

@b1nch3f

b1nch3f commented May 21, 2019

PoC not found under Steps to Reproduce

@dlemstra dlemstra closed this as completed Jun 9, 2020