heap-buffer-overflow in SVGStripString of svg.c #1336

Closed
3 tasks done
galycannon opened this issue Oct 5, 2018 · 2 comments
Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

A heap buffer overflow in the SVGStripString function of svg.c.

Steps to Reproduce

poc
magick convert $poc /dev/null

test@test-virtual-machine:~/temp$ ./ImageMagick/utilities/magick convert ./heap_buffer_overflow_in_svg.c.svg /dev/null
=================================================================
==56291==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000b2ec at pc 0x7fe5154fd72c bp 0x7ffededbc1f0 sp 0x7ffededbc1e0
READ of size 1 at 0x60700000b2ec thread T0
#0 0x7fe5154fd72b in SVGStripString coders/svg.c:572
#1 0x7fe51550abab in SVGCharacters coders/svg.c:2844
#2 0x7fe51017a3d6 in xmlParseCharData (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x433d6)
#3 0x7fe51018de17 (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x56e17)
#4 0x7fe51018e77a in xmlParseChunk (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x5777a)
#5 0x7fe51550d58b in ReadSVGImage coders/svg.c:3558
#6 0x7fe514fb188c in ReadImage MagickCore/constitute.c:547
#7 0x7fe514fb3b5b in ReadImages MagickCore/constitute.c:922
#8 0x7fe51475c410 in ConvertImageCommand MagickWand/convert.c:643
#9 0x7fe5148ebb34 in MagickCommandGenesis MagickWand/mogrify.c:184
#10 0x4017e1 in MagickMain utilities/magick.c:149
#11 0x4019c2 in main utilities/magick.c:180
#12 0x7fe51405e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#13 0x4012f8 in _start (/home/test/temp/ImageMagick/utilities/.libs/lt-magick+0x4012f8)

0x60700000b2ec is located 0 bytes to the right of 76-byte region [0x60700000b2a0,0x60700000b2ec)
allocated by thread T0 here:
#0 0x7fe515c92602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7fe515168ec8 in AcquireMagickMemory MagickCore/memory.c:468
#2 0x7fe515168f1c in AcquireQuantumMemory MagickCore/memory.c:541
#3 0x7fe51550aab0 in SVGCharacters coders/svg.c:2837
#4 0x7fe51017a3d6 in xmlParseCharData (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x433d6)

SUMMARY: AddressSanitizer: heap-buffer-overflow coders/svg.c:572 SVGStripString
==56291==ABORTING

System Configuration

  • ImageMagick version:
    Version: ImageMagick 7.0.8-13 Q16 x86_64 2018-10-04 https://imagemagick.org
    Copyright: © 1999-2018 ImageMagick Studio LLC
    License: https://imagemagick.org/script/license.php
    Features: Cipher DPC HDRI OpenMP
    Delegates (built-in): bzlib djvu fftw fontconfig freetype jbig jng jpeg lcms lqr lzma openexr pangocairo png tiff wmf x xml zlib
  • Environment (Operating system, version and so on):
    Linux test-virtual-machine 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
  • Additional information:
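Reports like the one above are easier to triage in bulk (for instance when a fuzzing run produces dozens of them) if the key fields are pulled out mechanically. The following parser is an added example, not part of the issue or of ImageMagick: it splits the access stack from the allocation stack, names the faulting frame and the allocation site in the same source file, and records the region geometry. The sample input is a constructed excerpt of the AddressSanitizer trace quoted above.

```python
import re

# Constructed excerpt of the ASan report quoted in the issue above; addresses,
# frames and sizes are copied from that report, not from a new crash.
SAMPLE_REPORT = """\
==56291==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000b2ec at pc 0x7fe5154fd72c bp 0x7ffededbc1f0 sp 0x7ffededbc1e0
READ of size 1 at 0x60700000b2ec thread T0
    #0 0x7fe5154fd72b in SVGStripString coders/svg.c:572
    #1 0x7fe51550abab in SVGCharacters coders/svg.c:2844
    #2 0x7fe51017a3d6 in xmlParseCharData (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x433d6)
0x60700000b2ec is located 0 bytes to the right of 76-byte region [0x60700000b2a0,0x60700000b2ec)
allocated by thread T0 here:
    #0 0x7fe515c92602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7fe515168ec8 in AcquireMagickMemory MagickCore/memory.c:468
    #2 0x7fe515168f1c in AcquireQuantumMemory MagickCore/memory.c:541
    #3 0x7fe51550aab0 in SVGCharacters coders/svg.c:2837
SUMMARY: AddressSanitizer: heap-buffer-overflow coders/svg.c:572 SVGStripString
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address 0x[0-9a-f]+")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)", re.M)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)
REGION_RE = re.compile(r"is located (?P<off>\d+) bytes to the (?P<side>left|right) of (?P<len>\d+)-byte region")

def parse_asan(report: str) -> dict:
    """Pull the fields a triager needs out of an ASan heap-buffer-overflow report."""
    err, acc, reg = ERROR_RE.search(report), ACCESS_RE.search(report), REGION_RE.search(report)
    if not (err and acc and reg):
        raise ValueError("not a complete ASan heap-buffer-overflow report")
    # The access stack comes first; the allocation stack follows "allocated by".
    access_part, _, alloc_part = report.partition("allocated by")
    access_frames = [(m["func"], m["loc"]) for m in FRAME_RE.finditer(access_part)]
    alloc_frames = [(m["func"], m["loc"]) for m in FRAME_RE.finditer(alloc_part)]
    # Heuristic: the allocation's owner is the first allocation frame in the same
    # source file as the faulting access; otherwise fall back to the outermost frame.
    fault_file = access_frames[0][1].rsplit(":", 1)[0]
    owner = next((f for f in alloc_frames if f[1].rsplit(":", 1)[0] == fault_file),
                 alloc_frames[-1] if alloc_frames else ("?", "?"))
    return {"kind": err["kind"], "op": acc["op"], "size": int(acc["size"]),
            "offset": int(reg["off"]), "side": reg["side"], "region": int(reg["len"]),
            "fault": access_frames[0], "alloc": owner,
            "off_by_one": reg["side"] == "right" and int(reg["off"]) == 0 and int(acc["size"]) == 1}

def triage_line(info: dict) -> str:
    """One-line summary (bug class, fault site, allocation site) suitable for de-duplication."""
    past = "past the end" if info["side"] == "right" else "before the start"
    return (f"{info['kind']}: {info['op']} of {info['size']} byte(s) {info['offset']} bytes {past} "
            f"of a {info['region']}-byte heap region in {info['fault'][0]} ({info['fault'][1]}); "
            f"allocated in {info['alloc'][0]} ({info['alloc'][1]})"
            + ("; pattern: off-by-one read" if info["off_by_one"] else ""))
```

Frames that ASan prints without a function name (such as the unresolved libxml2 frame in the original trace) carry nothing useful for triage and are skipped by FRAME_RE.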
urban-warrior pushed a commit to ImageMagick/ImageMagick6 that referenced this issue Oct 6, 2018
@urban-warrior (Contributor)

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

@dlemstra dlemstra added the bug label Oct 7, 2018
@dlemstra dlemstra closed this as completed Oct 7, 2018

nohmask commented Oct 9, 2018

This was assigned CVE-2018-18023.
