```
test@test-virtual-machine:~/temp$ ./ImageMagick/utilities/magick convert ./heap_buffer_overflow_in_svg.c.svg /dev/null
=================================================================
==56291==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000b2ec at pc 0x7fe5154fd72c bp 0x7ffededbc1f0 sp 0x7ffededbc1e0
READ of size 1 at 0x60700000b2ec thread T0
    #0 0x7fe5154fd72b in SVGStripString coders/svg.c:572
    #1 0x7fe51550abab in SVGCharacters coders/svg.c:2844
    #2 0x7fe51017a3d6 in xmlParseCharData (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x433d6)
    #3 0x7fe51018de17 (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x56e17)
    #4 0x7fe51018e77a in xmlParseChunk (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x5777a)
    #5 0x7fe51550d58b in ReadSVGImage coders/svg.c:3558
    #6 0x7fe514fb188c in ReadImage MagickCore/constitute.c:547
    #7 0x7fe514fb3b5b in ReadImages MagickCore/constitute.c:922
    #8 0x7fe51475c410 in ConvertImageCommand MagickWand/convert.c:643
    #9 0x7fe5148ebb34 in MagickCommandGenesis MagickWand/mogrify.c:184
    #10 0x4017e1 in MagickMain utilities/magick.c:149
    #11 0x4019c2 in main utilities/magick.c:180
    #12 0x7fe51405e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x4012f8 in _start (/home/test/temp/ImageMagick/utilities/.libs/lt-magick+0x4012f8)

0x60700000b2ec is located 0 bytes to the right of 76-byte region [0x60700000b2a0,0x60700000b2ec)
allocated by thread T0 here:
    #0 0x7fe515c92602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7fe515168ec8 in AcquireMagickMemory MagickCore/memory.c:468
    #2 0x7fe515168f1c in AcquireQuantumMemory MagickCore/memory.c:541
    #3 0x7fe51550aab0 in SVGCharacters coders/svg.c:2837
    #4 0x7fe51017a3d6 in xmlParseCharData (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x433d6)

SUMMARY: AddressSanitizer: heap-buffer-overflow coders/svg.c:572 SVGStripString
Shadow bytes around the buggy address:
  0x0c0e7fff9600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0e7fff9650: fa fa fa fa 00 00 00 00 00 00 00 00 00[04]fa fa
  0x0c0e7fff9660: fa fa 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0e7fff9670: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa 00 00
  0x0c0e7fff9680: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0e7fff9690: 00 00 00 00 00 fa fa fa fa fa 00 00 00 00 00 00
  0x0c0e7fff96a0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==56291==ABORTING
```
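Added illustration of the bug class the trace above shows (a 1-byte read just past the NUL terminator of a heap string while it is being stripped), written for this page and not ImageMagick's SVGStripString: a constructed unsafe comment stripper beside its hardened form, plus a 76-byte input shaped like the reported region. All function and buffer names are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed unsafe stripper of C-style comments (not ImageMagick's code):
 * after a comment is skipped, the next byte is copied without re-testing for
 * NUL, so a comment closing right before the terminator steps p past the NUL
 * and the loop condition reads one byte beyond the allocation, the READ of
 * size 1 at the right edge of the region in the trace above.  Not exercised. */
void strip_comments_unsafe(char *message)
{
  char *p = message, *q = message;
  while (*p != '\0') {
    if (p[0] == '/' && p[1] == '*')
      for (p += 2; *p != '\0'; p++)
        if (p[0] == '*' && p[1] == '/') { p += 2; break; }
    *q++ = *p++;               /* may copy the NUL and step past it */
  }
  *q = '\0';
}

/* Hardened form: p[1] is read only when p[0] is non-NUL, the copy happens only
 * in the non-comment branch, so every skip returns to the NUL test first. */
size_t strip_comments(char *message)
{
  char *p = message, *q = message;
  while (*p != '\0') {
    if (p[0] != '/' || p[1] != '*') { *q++ = *p++; continue; }
    for (p += 2; *p != '\0'; p++)          /* find the closing star-slash */
      if (p[0] == '*' && p[1] == '/') { p += 2; break; }
    /* p is now at the NUL (unterminated comment, tail dropped) or just past
     * the closing star-slash; the outer while re-tests before copying */
  }
  *q = '\0';
  return (size_t)(q - message);   /* stripped length, never larger than input */
}

/* Constructed input shaped like the report: a 76-byte heap region holding 75
 * characters that form one comment closing right before the terminator. */
size_t demo_report_sized(void)
{
  size_t n; char *text = malloc(76);
  if (text == NULL) return (size_t)-1;
  memset(text, 'a', 75);
  memcpy(text, "/*", 2); memcpy(text + 73, "*/", 3);   /* 3 copies the NUL */
  n = strip_comments(text);     /* the unsafe variant would read text[76] */
  free(text);
  return n;
}
```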
Environment (Operating system, version and so on):
Linux test-virtual-machine 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Additional information:
Prerequisites
Description
A heap buffer overflow (out-of-bounds read) in the SVGStripString function of coders/svg.c.
Steps to Reproduce
poc: heap_buffer_overflow_in_svg.c.svg

```
magick convert $poc /dev/null
```
System Configuration
Version: ImageMagick 7.0.8-13 Q16 x86_64 2018-10-04 https://imagemagick.org
Copyright: © 1999-2018 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP
Delegates (built-in): bzlib djvu fftw fontconfig freetype jbig jng jpeg lcms lqr lzma openexr pangocairo png tiff wmf x xml zlib