heap-buffer-overflow bug in PushShortPixel MagickCore/quantum-private.h:276

[Yan-1-20]

Prerequisites

• I have written a descriptive issue title
• I have verified that I am using the latest version of ImageMagick
• I have searched open and closed issues to ensure it has not already been reported

Description

I used fuzz technology to fuzz the imagemagick and found a heap overflow bug.

Steps to Reproduce

• download_the_poc
• use the command ./magick convert $POC /dev/null
• Address Sanitizer reports the message like:

=================================================================
==9914==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5203595 at pc 0x829fe4b bp 0xbff59328 sp 0xbff5931c
READ of size 1 at 0xb5203595 thread T0
    #0 0x829fe4a in PushShortPixel MagickCore/quantum-private.h:276
    #1 0x82a3622 in ParseImageResourceBlocks coders/psd.c:818
    #2 0x82abdd7 in ReadPSDImage coders/psd.c:2268
    #3 0x83dc706 in ReadImage MagickCore/constitute.c:542
    #4 0x83ded61 in ReadImages MagickCore/constitute.c:911
    #5 0x868c38a in ConvertImageCommand MagickWand/convert.c:643
    #6 0x875c181 in MagickCommandGenesis MagickWand/mogrify.c:184
    #7 0x804b69f in MagickMain utilities/magick.c:149
    #8 0x804b8d5 in main utilities/magick.c:180
    #9 0xb6f86af2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19af2)
    #10 0x804b130 (/home/afl/ImageMagick/utilities/magick+0x804b130)

0xb5203595 is located 0 bytes to the right of 21-byte region [0xb5203580,0xb5203595)
allocated by thread T0 here:
    #0 0xb721d88a in __interceptor_malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e88a)
    #1 0x8082e98 in AcquireMagickMemory MagickCore/memory.c:468
    #2 0x8082edb in AcquireQuantumMemory MagickCore/memory.c:541
    #3 0x82abc2e in ReadPSDImage coders/psd.c:2257
    #4 0x83dc706 in ReadImage MagickCore/constitute.c:542
    #5 0x83ded61 in ReadImages MagickCore/constitute.c:911
    #6 0x868c38a in ConvertImageCommand MagickWand/convert.c:643
    #7 0x875c181 in MagickCommandGenesis MagickWand/mogrify.c:184
    #8 0x804b69f in MagickMain utilities/magick.c:149
    #9 0x804b8d5 in main utilities/magick.c:180
    #10 0xb6f86af2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19af2)

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/quantum-private.h:276 PushShortPixel
Shadow bytes around the buggy address:
  0x36a40660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a40670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a40680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a40690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a406a0: fa fa fa fa 00 00 01 fa fa fa 00 00 04 fa fa fa
=>0x36a406b0: 00 00[05]fa fa fa fd fd fd fd fa fa fd fd fd fd
  0x36a406c0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x36a406d0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x36a406e0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x36a406f0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x36a40700: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==9914==ABORTING

System Configuration

• ImageMagick version:
  Version: ImageMagick 7.0.8-11 Q16 i686 2018-08-16 https://www.imagemagick.org
  Copyright: © 1999-2018 ImageMagick Studio LLC
  License: https://www.imagemagick.org/script/license.php
  Features: Cipher DPC HDRI OpenMP
  Delegates (built-in):

• Environment (Operating system, version and so on):

Ubuntu 16.04 LTS x86 arch

abc@ubuntu:/Desktop/ImageMagick$ uname -a
Linux ubuntu 4.13.0-36-generic #4016.04.1-Ubuntu SMP Fri Feb 16 23:26:51 UTC 2018 i686 i686 i686 GNU/Linux

• Additional information:

May I know whether this can be assigned with a CVE ID?

[dlemstra]

I have updated your post because you are linking unrelated issues. Please put the trace in a code block (```) next time.

[urban-warrior]

Did you try the POC against the latest Github trunk? We did and could not reproduce the heap overflow.

[Yan-1-20]

okay,Thanks

[nohmask]

This was assigned CVE-2018-16413.

[rcsanchez97]

Additional info: #1250 (comment)

[b1nch3f]

PoC not found under Steps to Reproduce