heap-buffer-overflow in EncodeImage of pict.c #1335
Comments
Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

Will this be assigned a CVE id?

We have a small development team. We rely on our users that discover a flaw to request a CVE and post it here. Thanks,

This was assigned CVE-2018-18025.

Hi @urban-warrior, Thank you

Any commit for ImageMagick 6?

IM7: 1a22fc0
Prerequisites
Description
A heap buffer overflow in the EncodeImage function of pict.c
Steps to Reproduce
poc
magick convert $poc ./test.pict
test@test-virtual-machine:~/temp$ ./ImageMagick/utilities/magick convert ./heap_buffer_overflow_in_pict.c.svg ./output.pict
=================================================================
==56156==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900002d6eb at pc 0x7fd34107765b bp 0x7fff1955c350 sp 0x7fff1955c340
READ of size 1 at 0x61900002d6eb thread T0
    #0 0x7fd34107765a in EncodeImage coders/pict.c:616
    #1 0x7fd34107fdf5 in WritePICTImage coders/pict.c:2081
    #2 0x7fd340ba39d2 in WriteImage MagickCore/constitute.c:1164
    #3 0x7fd340ba4612 in WriteImages MagickCore/constitute.c:1381
    #4 0x7fd3403e2321 in ConvertImageCommand MagickWand/convert.c:3293
    #5 0x7fd3404dab34 in MagickCommandGenesis MagickWand/mogrify.c:184
    #6 0x4017e1 in MagickMain utilities/magick.c:149
    #7 0x4019c2 in main utilities/magick.c:180
    #8 0x7fd33fc4d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x4012f8 in _start (/home/test/temp/ImageMagick/utilities/.libs/lt-magick+0x4012f8)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow coders/pict.c:616 EncodeImage
Shadow bytes around the buggy address:
  0x0c327fffda80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffda90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffdaa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffdab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffdac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c327fffdad0: fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa
  0x0c327fffdae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffdaf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffdb00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffdb10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffdb20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==56156==ABORTING
System Configuration
Version: ImageMagick 7.0.8-13 Q16 x86_64 2018-10-04 https://imagemagick.org
Copyright: © 1999-2018 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP
Delegates (built-in): bzlib djvu fftw fontconfig freetype jbig jng jpeg lcms lqr lzma openexr pangocairo png tiff wmf x xml zlib
Linux test-virtual-machine 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
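Added example, not ImageMagick code and not part of this report: a small Python parser for AddressSanitizer reports of the kind pasted above. It pulls out the fields a triager records (bug class, access kind and size, faulting frame, and whether ASan could attribute the address to an allocation, which it could not here, hence "wild memory access suspected" and no allocation stack) and derives a deduplication key of the sort used to bucket fuzzer crashes. The sample input is this issue's trace with its line breaks restored and trimmed to the first five frames; the dataclass names and the `dedupe_key` format are my own choices.

```python
"""Triage helper for AddressSanitizer (ASan) reports such as the one in this
issue. Added example; it is not ImageMagick code and not part of the report.
It extracts the fields a bug triager records and builds a crash-bucket key."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the ASan trace from this issue, line breaks restored and
# trimmed to the first five frames (the only part the parser needs).
SAMPLE_REPORT = """\
=================================================================
==56156==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900002d6eb at pc 0x7fd34107765b bp 0x7fff1955c350 sp 0x7fff1955c340
READ of size 1 at 0x61900002d6eb thread T0
    #0 0x7fd34107765a in EncodeImage coders/pict.c:616
    #1 0x7fd34107fdf5 in WritePICTImage coders/pict.c:2081
    #2 0x7fd340ba39d2 in WriteImage MagickCore/constitute.c:1164
    #3 0x7fd340ba4612 in WriteImages MagickCore/constitute.c:1381
    #4 0x7fd3403e2321 in ConvertImageCommand MagickWand/convert.c:3293

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow coders/pict.c:616 EncodeImage
==56156==ABORTING
"""


@dataclass
class Frame:
    index: int
    function: str
    location: str  # "file:line", or "(module+offset)" when there is no debug info


@dataclass
class AsanReport:
    error: str                      # e.g. heap-buffer-overflow
    address: str
    access: Optional[str] = None    # READ or WRITE
    size: Optional[int] = None      # bytes accessed
    wild_access: bool = False       # ASan could not tie the address to an allocation
    frames: List[Frame] = field(default_factory=list)
    summary: Optional[str] = None


ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)")
SUMMARY_RE = re.compile(r"^SUMMARY: AddressSanitizer: (.+)$")
WILD_RE = re.compile(r"wild memory access suspected")


def parse_asan(text: str) -> AsanReport:
    """Parse the first ASan error block found in `text`."""
    report = None
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            report = AsanReport(error=m.group(1), address=m.group(2))
            continue
        if report is None:
            continue  # banner or unrelated output before the ERROR line
        m = ACCESS_RE.match(line)
        if m:
            report.access, report.size = m.group(1), int(m.group(2))
            continue
        m = FRAME_RE.match(line)
        if m:
            report.frames.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
            continue
        if WILD_RE.search(line):
            report.wild_access = True  # no allocation stack will follow
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report.summary = m.group(1)
            break  # SUMMARY closes the block; shadow-byte dump follows
    if report is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    return report


def faulting_frame(report: AsanReport) -> Frame:
    """Frame #0 is where the bad access happened (coders/pict.c:616 here)."""
    return report.frames[0]


def dedupe_key(report: AsanReport) -> str:
    """Bucket key for grouping fuzzer crashes: same bug class, access kind
    and faulting source location count as one finding. Format is my own."""
    top = faulting_frame(report)
    return "|".join([report.error, report.access or "?", top.function, top.location])


if __name__ == "__main__":
    r = parse_asan(SAMPLE_REPORT)
    print(r.error, r.access, r.size, "wild" if r.wild_access else "attributed")
    print(dedupe_key(r))
```

The key deliberately uses the source location rather than the raw code address, so the same bug reported from differently laid-out ASan builds still lands in one bucket; a `wild_access` report is worth flagging separately during triage because ASan gives no allocation site to compare against the faulting read.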