
heap-buffer-overflow in EncodeImage of pict.c #1335

Closed
@galycannon


Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

A heap buffer overflow in the EncodeImage function of pict.c.

Steps to Reproduce

poc
magick convert $poc ./test.pict

test@test-virtual-machine:~/temp$ ./ImageMagick/utilities/magick convert ./heap_buffer_overflow_in_pict.c.svg ./output.pict
=================================================================
==56156==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900002d6eb at pc 0x7fd34107765b bp 0x7fff1955c350 sp 0x7fff1955c340
READ of size 1 at 0x61900002d6eb thread T0
#0 0x7fd34107765a in EncodeImage coders/pict.c:616
#1 0x7fd34107fdf5 in WritePICTImage coders/pict.c:2081
#2 0x7fd340ba39d2 in WriteImage MagickCore/constitute.c:1164
#3 0x7fd340ba4612 in WriteImages MagickCore/constitute.c:1381
#4 0x7fd3403e2321 in ConvertImageCommand MagickWand/convert.c:3293
#5 0x7fd3404dab34 in MagickCommandGenesis MagickWand/mogrify.c:184
#6 0x4017e1 in MagickMain utilities/magick.c:149
#7 0x4019c2 in main utilities/magick.c:180
#8 0x7fd33fc4d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#9 0x4012f8 in _start (/home/test/temp/ImageMagick/utilities/.libs/lt-magick+0x4012f8)
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow coders/pict.c:616 EncodeImage
Shadow bytes around the buggy address:
0x0c327fffda80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fffda90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fffdaa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fffdab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fffdac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c327fffdad0: fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa
0x0c327fffdae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fffdaf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fffdb00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fffdb10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fffdb20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==56156==ABORTING

System Configuration

  • ImageMagick version:
    Version: ImageMagick 7.0.8-13 Q16 x86_64 2018-10-04 https://imagemagick.org
    Copyright: © 1999-2018 ImageMagick Studio LLC
    License: https://imagemagick.org/script/license.php
    Features: Cipher DPC HDRI OpenMP
    Delegates (built-in): bzlib djvu fftw fontconfig freetype jbig jng jpeg lcms lqr lzma openexr pangocairo png tiff wmf x xml zlib
  • Environment (Operating system, version and so on):
    Linux test-virtual-machine 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
  • Additional information:
