
Out-of-boundary in function LocaleLowercase of MagickCore/locale.c #1495

Closed
Dk0n9 opened this issue Mar 4, 2019 · 2 comments

Comments


Dk0n9 commented Mar 4, 2019

Prerequisites

  • [ Y ] I have written a descriptive issue title
  • [ Y ] I have verified that I am using the latest version of ImageMagick
  • [ Y ] I have searched open and closed issues to ensure it has not already been reported

Description

1522 MagickExport int LocaleLowercase(const int c)
1523 {
1524 #if defined(MAGICKCORE_LOCALE_SUPPORT)
1525   if (c_locale != (locale_t) NULL)
1526     return(tolower_l(c,c_locale));
1527 #endif
1528   return(tolower(c));
1529 }

The parameter c is missing a check in function LocaleLowercase, which may lead to an out-of-boundary vulnerability.

Steps to Reproduce

https://github.com/Dk0n9/MyFuzzy/blob/master/oob_LocaleLowercase_crash

magick convert oob_LocaleLowercase_crash /dev/null

In the gdb:

Stopped reason: SIGSEGV
0x00007ffff6ddd857 in __tolower_l (c=0x14f3cf, l=0x7ffff7197960 <_nl_C_locobj>)
    at ctype_l.c:42
42	in ctype_l.c
2: c_locale = (volatile locale_t) 0x7ffff7197960 <_nl_C_locobj>
gdb-peda$ bt
#0  0x00007ffff6ddd857 in __tolower_l (c=0x14f3cf, l=0x7ffff7197960 <_nl_C_locobj>)
    at ctype_l.c:42
#1  0x00007ffff777f8ac in LocaleLowercase (c=0x14f3cf) at MagickCore/locale.c:1526
#2  0x00007ffff782a575 in GlobExpression (
    expression=0x7ffffffedf82 "\365\217\217\217\217MMa\\-d-\n", 
    pattern=0x7ffff7a8bb98 "EPSF-*", case_insensitive=MagickTrue)
    at MagickCore/token.c:544
#3  0x00007ffff782a0af in GlobExpression (
    expression=0x7ffffffedf82 "\365\217\217\217\217MMa\\-d-\n", 
    pattern=0x7ffff7a8bb98 "EPSF-*", case_insensitive=MagickTrue)
    at MagickCore/token.c:411
#4  0x00007ffff795385e in ReadPSImage (image_info=0x555555775d60, 
    exception=0x55555576ab10) at coders/ps.c:617
#5  0x00007ffff769f8fa in ReadImage (image_info=0x555555772a70, 
    exception=0x55555576ab10) at MagickCore/constitute.c:547
#6  0x00007ffff76a0fe3 in ReadImages (image_info=0x55555576f780, 
    filename=0x555555769bb0 "./crash", exception=0x55555576ab10)
    at MagickCore/constitute.c:917
#7  0x00007ffff72163a1 in ConvertImageCommand (image_info=0x55555576f780, argc=0x3, 
    argv=0x55555576a190, metadata=0x7fffffffbc10, exception=0x55555576ab10)
    at MagickWand/convert.c:644
#8  0x00007ffff72e9d0f in MagickCommandGenesis (image_info=0x55555576c490, 
    command=0x7ffff72150f2 <ConvertImageCommand>, argc=0x3, argv=0x7fffffffdf90, 
    metadata=0x0, exception=0x55555576ab10) at MagickWand/mogrify.c:184
#9  0x0000555555555347 in MagickMain (argc=0x3, argv=0x7fffffffdf90)
    at utilities/magick.c:149
#10 0x0000555555555484 in main (argc=0x4, argv=0x7fffffffdf88)
    at utilities/magick.c:180
#11 0x00007ffff6dceb97 in __libc_start_main (main=0x555555555464 <main>, argc=0x4, 
    argv=0x7fffffffdf88, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffdf78) at ../csu/libc-start.c:310
#12 0x000055555555504a in _start ()

System Configuration

  • ImageMagick version: ImageMagick 7.0.8-30 Q16 x86_64
  • Environment (Operating system, version and so on): Ubuntu 18.04
  • Additional information:

Credit: dk from Chaitin Tech
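The defect in this report is a missing argument-range check: the C standard only allows EOF or a value representable as unsigned char to reach tolower()/tolower_l(), and glibc indexes a locale table with the argument, so a value like the 0x14f3cf in the backtrace reads past that table. The following is an added example, not code from the issue or ImageMagick's fix (I have not reproduced commit 07eebcd here); the helpers ctype_arg_is_valid, checked_lowercase, lowercase_byte and prefix_equal_nocase are hypothetical names, and the sample inputs are the out-of-range value and the expression bytes copied from the backtrace above. It uses the ISO C tolower() path only; the locale-aware tolower_l() path in MagickCore/locale.c needs the identical guard.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* A value is a legal argument to the <ctype.h> functions (and their *_l
 * locale variants) only if it is EOF or representable as unsigned char.
 * glibc indexes a locale table with c, so any other value is an
 * out-of-bounds read, which is what the SIGSEGV in __tolower_l above is. */
int ctype_arg_is_valid(int c)
{
    return c == EOF || (c >= 0 && c <= UCHAR_MAX);
}

/* Checked counterpart of LocaleLowercase (hypothetical helper, not the
 * project's patch): out-of-range input is handed back unchanged instead of
 * being forwarded to tolower(). */
int checked_lowercase(int c)
{
    if (!ctype_arg_is_valid(c))
        return c;
    return tolower(c);
}

/* Callers that walk a char buffer must widen through unsigned char first;
 * where char is signed, a byte such as 0xF5 would otherwise become -11,
 * which is also outside the legal range. */
int lowercase_byte(char ch)
{
    return checked_lowercase((unsigned char) ch);
}

/* Case-insensitive prefix match over raw bytes, the kind of comparison a
 * glob matcher performs (hypothetical helper, not token.c code). Returns 1
 * when the first n bytes of a and b are equal ignoring ASCII case, stopping
 * early at a terminating NUL in a. */
int prefix_equal_nocase(const char *a, const char *b, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (lowercase_byte(a[i]) != lowercase_byte(b[i]))
            return 0;
        if (a[i] == '\0')
            return 1;
    }
    return 1;
}

int main(void)
{
    /* Constructed inputs: the out-of-range value and the expression bytes
     * taken from the backtrace in this report. */
    const int bad = 0x14f3cf;
    const char expression[] = "\365\217\217\217\217MMa\\-d-\n";

    printf("checked_lowercase(0x%x) = 0x%x\n", bad, checked_lowercase(bad));
    printf("lowercase_byte(0x%02x) = 0x%02x\n",
           (unsigned char) expression[0], lowercase_byte(expression[0]));
    printf("prefix_equal_nocase(\"EPSF-\", expression) = %d\n",
           prefix_equal_nocase("EPSF-", expression, 5));
    printf("prefix_equal_nocase(\"epsf-\", \"EPSF-*\") = %d\n",
           prefix_equal_nocase("epsf-", "EPSF-*", 5));
    return 0;
}
```

The two guards are independent: the range check in checked_lowercase protects the library function from any caller that hands it an arbitrary int, while the unsigned char cast in lowercase_byte keeps byte-walking callers from producing negative values in the first place. A run through the C locale leaves 0xF5 unchanged, since only A-Z are folded there.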

urban-warrior pushed a commit to ImageMagick/ImageMagick6 that referenced this issue Mar 5, 2019
@urban-warrior
Contributor

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

The IMv7 patch is 07eebcd.

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Mar 20, 2019
2019-03-11  7.0.8-34 Cristy  <quetzlzacatenango@image...>
  * Associate one lock with each resource.
  * Report exception if opening TIFF did not work out.
  * Fixed numerous use of uninitialized values, integer overflow, memory
    exceeded, and timeouts (credit to OSS Fuzz).

2019-03-10  7.0.8-33 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.8-33, GIT revision 15401:c805e3205:20190310

2019-03-06  7.0.8-33 Cristy  <quetzlzacatenango@image...>
  * Fix SVG conversion infinite loop (reference
    https://imagemagick.org/discourse-server/viewtopic.php?f=3&t=35591).
  * Initialize primitive drawing structure after resizing.

2019-03-05  7.0.8-32 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.8-32, GIT revision 15386:58d9c4692:20190305

2019-03-05  7.0.8-32 Cristy  <quetzlzacatenango@image...>
  * Fix out-of-boundary LocaleLowerCase() @
    ImageMagick/ImageMagick#1495

2019-03-04  7.0.8-31 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.8-31, GIT revision 15381:3122a669d:20190304

2019-03-04  7.0.8-31 Cristy  <quetzlzacatenango@image...>
  * -trim is no longer sensitive to the image virtual canvas.

2019-03-03  7.0.8-30 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.0.8-30, GIT revision 15376:16d2b4e6a:20190303

2019-03-03  7.0.8-30 Cristy  <quetzlzacatenango@image...>
  * Support define to remove additional background from an image during a
    trim, e.g. -fuzz 5% -define trim:percent-background=0% -trim.

nohmask commented Apr 3, 2019

This was assigned CVE-2019-10714.
