
heap-buffer-overflow in EncodeImage of pict.c #1335

Closed
galycannon opened this issue Oct 5, 2018 · 7 comments

@galycannon

commented Oct 5, 2018

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

A heap buffer overflow in the EncodeImage function of pict.c.

Steps to Reproduce

poc
magick convert $poc ./test.pict

test@test-virtual-machine:~/temp$ ./ImageMagick/utilities/magick convert ./heap_buffer_overflow_in_pict.c.svg ./output.pict
=================================================================
==56156==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900002d6eb at pc 0x7fd34107765b bp 0x7fff1955c350 sp 0x7fff1955c340
READ of size 1 at 0x61900002d6eb thread T0
#0 0x7fd34107765a in EncodeImage coders/pict.c:616
#1 0x7fd34107fdf5 in WritePICTImage coders/pict.c:2081
#2 0x7fd340ba39d2 in WriteImage MagickCore/constitute.c:1164
#3 0x7fd340ba4612 in WriteImages MagickCore/constitute.c:1381
#4 0x7fd3403e2321 in ConvertImageCommand MagickWand/convert.c:3293
#5 0x7fd3404dab34 in MagickCommandGenesis MagickWand/mogrify.c:184
#6 0x4017e1 in MagickMain utilities/magick.c:149
#7 0x4019c2 in main utilities/magick.c:180
#8 0x7fd33fc4d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#9 0x4012f8 in _start (/home/test/temp/ImageMagick/utilities/.libs/lt-magick+0x4012f8)
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow coders/pict.c:616 EncodeImage
Shadow bytes around the buggy address:
==56156==ABORTING

System Configuration

  • ImageMagick version:
    Version: ImageMagick 7.0.8-13 Q16 x86_64 2018-10-04 https://imagemagick.org
    Copyright: © 1999-2018 ImageMagick Studio LLC
    License: https://imagemagick.org/script/license.php
    Features: Cipher DPC HDRI OpenMP
    Delegates (built-in): bzlib djvu fftw fontconfig freetype jbig jng jpeg lcms lqr lzma openexr pangocairo png tiff wmf x xml zlib
  • Environment (Operating system, version and so on):
    Linux test-virtual-machine 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
  • Additional information:

@galycannon galycannon changed the title heap-buffer-overflow in DecodeImage of pict.c heap-buffer-overflow in EncodeImage of pict.c Oct 5, 2018

@urban-warrior

Contributor

commented Oct 6, 2018

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

@galycannon

Author

commented Oct 7, 2018

Will this be assigned a CVE id?

@urban-warrior

Contributor

commented Oct 7, 2018

We have a small development team. We rely on our users that discover a flaw to request a CVE and post it here. Thanks,

@dlemstra dlemstra added the bug label Oct 7, 2018

@nohmask


commented Oct 9, 2018

This was assigned CVE-2018-18025.

@octes


commented Oct 11, 2018

Hi @urban-warrior,
I wanted to verify that 1a22fc0 is the complete fix for this issue. Can you confirm that this is correct and nothing else is in the pipeline?

Thank you

@bastien-roucaries


commented Oct 29, 2018

Any commit for ImageMagick 6?

@dlemstra

Member

commented Oct 29, 2018
