
heap-buffer-overflow bug in PushShortPixel MagickCore/quantum-private.h:276 #1251

Closed
@Yan-1-20


Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

I used fuzz technology to fuzz ImageMagick and found a heap overflow bug.

Steps to Reproduce

  • download_the_poc
  • use the command ./magick convert $POC /dev/null
  • AddressSanitizer reports a message like:
=================================================================
==9914==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5203595 at pc 0x829fe4b bp 0xbff59328 sp 0xbff5931c
READ of size 1 at 0xb5203595 thread T0
    #0 0x829fe4a in PushShortPixel MagickCore/quantum-private.h:276
    #1 0x82a3622 in ParseImageResourceBlocks coders/psd.c:818
    #2 0x82abdd7 in ReadPSDImage coders/psd.c:2268
    #3 0x83dc706 in ReadImage MagickCore/constitute.c:542
    #4 0x83ded61 in ReadImages MagickCore/constitute.c:911
    #5 0x868c38a in ConvertImageCommand MagickWand/convert.c:643
    #6 0x875c181 in MagickCommandGenesis MagickWand/mogrify.c:184
    #7 0x804b69f in MagickMain utilities/magick.c:149
    #8 0x804b8d5 in main utilities/magick.c:180
    #9 0xb6f86af2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19af2)
    #10 0x804b130 (/home/afl/ImageMagick/utilities/magick+0x804b130)

0xb5203595 is located 0 bytes to the right of 21-byte region [0xb5203580,0xb5203595)
allocated by thread T0 here:
    #0 0xb721d88a in __interceptor_malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e88a)
    #1 0x8082e98 in AcquireMagickMemory MagickCore/memory.c:468
    #2 0x8082edb in AcquireQuantumMemory MagickCore/memory.c:541
    #3 0x82abc2e in ReadPSDImage coders/psd.c:2257
    #4 0x83dc706 in ReadImage MagickCore/constitute.c:542
    #5 0x83ded61 in ReadImages MagickCore/constitute.c:911
    #6 0x868c38a in ConvertImageCommand MagickWand/convert.c:643
    #7 0x875c181 in MagickCommandGenesis MagickWand/mogrify.c:184
    #8 0x804b69f in MagickMain utilities/magick.c:149
    #9 0x804b8d5 in main utilities/magick.c:180
    #10 0xb6f86af2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19af2)

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/quantum-private.h:276 PushShortPixel
Shadow bytes around the buggy address:
  0x36a40660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a40670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a40680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a40690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a406a0: fa fa fa fa 00 00 01 fa fa fa 00 00 04 fa fa fa
=>0x36a406b0: 00 00[05]fa fa fa fd fd fd fd fa fa fd fd fd fd
  0x36a406c0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x36a406d0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x36a406e0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x36a406f0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x36a40700: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==9914==ABORTING

System Configuration

Ubuntu 16.04 LTS x86 arch

abc@ubuntu:/Desktop/ImageMagick$ uname -a
Linux ubuntu 4.13.0-36-generic #4016.04.1-Ubuntu SMP Fri Feb 16 23:26:51 UTC 2018 i686 i686 i686 GNU/Linux

  • Additional information:

May I know whether this can be assigned with a CVE ID?
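The defensive pattern this report calls for, as an added example that is not ImageMagick's code: a walker over PSD image resource blocks in which every fixed-width read (the 16-bit read plays the role of PushShortPixel) checks the bytes remaining in the buffer first, so a block whose header promises more data than the allocated region holds fails cleanly instead of reading one byte past the end. The block layout ("8BIM" signature, 16-bit id, Pascal-string name padded to even length, 32-bit size, data padded to even length) follows Adobe's PSD specification; the function names and the sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Cursor over a caller-owned buffer; every read checks what remains first. */
typedef struct { const unsigned char *p; size_t len; size_t off; } cursor_t;
static size_t left(const cursor_t *c) { return c->len - c->off; }

/* Big-endian 16-bit read: fails instead of reading past the end of the buffer. */
static int read_u16be(cursor_t *c, uint16_t *out) {
    if (left(c) < 2) return 0;
    *out = (uint16_t)(((unsigned)c->p[c->off] << 8) | c->p[c->off + 1]);
    c->off += 2;
    return 1;
}
static int read_u32be(cursor_t *c, uint32_t *out) {
    if (left(c) < 4) return 0;
    *out = ((uint32_t)c->p[c->off] << 24) | ((uint32_t)c->p[c->off + 1] << 16) |
           ((uint32_t)c->p[c->off + 2] << 8) | (uint32_t)c->p[c->off + 3];
    c->off += 4;
    return 1;
}
/* Skips n bytes, or fails if fewer than n remain. */
static int skip(cursor_t *c, size_t n) {
    if (left(c) < n) return 0;
    c->off += n;
    return 1;
}

/* Walks PSD image resource blocks ("8BIM", u16 id, even-padded Pascal name, u32
 * size, even-padded data). Returns the number of complete blocks, or -1 if any
 * field would extend past the end of the buffer. */
int count_resource_blocks(const unsigned char *buf, size_t len) {
    cursor_t c = { buf, len, 0 };
    int blocks = 0;
    while (left(&c) != 0) {
        uint16_t id; uint32_t size;
        if (left(&c) < 4 || memcmp(c.p + c.off, "8BIM", 4) != 0) return -1;
        c.off += 4;
        if (!read_u16be(&c, &id)) return -1;
        if (left(&c) < 1) return -1;
        size_t name_len = c.p[c.off];                      /* Pascal length byte */
        if (!skip(&c, 1 + name_len + ((1 + name_len) & 1))) return -1;
        if (!read_u32be(&c, &size)) return -1;
        if (left(&c) < size || !skip(&c, size)) return -1; /* block data */
        if ((size & 1) && !skip(&c, 1)) return -1;         /* pad to even length */
        blocks++;
    }
    return blocks;
}

/* Constructed sample: one block, id 0x0424, empty name, two data bytes. */
static const unsigned char kOneBlock[] = { '8','B','I','M', 0x04,0x24, 0x00,0x00, 0x00,0x00,0x00,0x02, 0x12,0x34 };
```

Passing `sizeof kOneBlock - 1` reproduces the shape of the reported bug (a 2-byte field with only 1 byte left in the region) and is rejected rather than read.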
