Description
Prerequisites
- [Y] I have written a descriptive issue title
- [Y] I have verified that I am using the latest version of ImageMagick
- [Y] I have searched open and closed issues to ensure it has not already been reported
Description
There is a stack buffer overflow in PopHexPixel (coders/ps.c) which could lead to code execution. The AddressSanitizer report below shows a one-byte write at offset 2752 of the WritePSImage frame, i.e. the first byte past the 2048-byte `pixels` array, while writing a PS image.
Steps to Reproduce
poc
magick convert $poc ./test.ps
root@ubuntu:/home/test# ./ImageMagick_as/utilities/magick convert ./stack-buffer-overflow-in-ps ./test.ps
=================================================================
==80022==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc0dc5d3c0 at pc 0x00000067e3f4 bp 0x7ffc0dc5c7d0 sp 0x7ffc0dc5c7c0
WRITE of size 1 at 0x7ffc0dc5d3c0 thread T0
#0 0x67e3f3 in PopHexPixel coders/ps.c:1184
#1 0x682bf3 in WritePSImage coders/ps.c:2232
#2 0x84b8e7 in WriteImage MagickCore/constitute.c:1159
#3 0x84c60c in WriteImages MagickCore/constitute.c:1376
#4 0xbf328d in ConvertImageCommand MagickWand/convert.c:3305
#5 0xcdf3de in MagickCommandGenesis MagickWand/mogrify.c:184
#6 0x4103f1 in MagickMain utilities/magick.c:149
#7 0x4105d2 in main utilities/magick.c:180
#8 0x7fb06d32b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#9 0x40ff08 in _start (/home/.test/test/ImageMagick_as/utilities/magick+0x40ff08)
Address 0x7ffc0dc5d3c0 is located in stack of thread T0 at offset 2752 in frame
#0 0x67e48e in WritePSImage coders/ps.c:1191
This frame has 13 object(s):
[32, 48) 'delta'
[96, 112) 'resolution'
[160, 176) 'scale'
[224, 256) 'geometry'
[288, 320) 'media_info'
[352, 384) 'page_info'
[416, 448) 'bounds'
[480, 520) 'geometry_info'
[576, 664) 'pixel'
[704, 2752) 'pixels' <== Memory access at offset 2752 overflows this variable
[2784, 6880) 'buffer'
[6912, 11008) 'date'
[11040, 15136) 'page_geometry'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow coders/ps.c:1184 PopHexPixel
==80022==ABORTING
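To make the frame layout in the trace concrete, here is an added example (not ImageMagick's code): a simplified model of a hex-pixel emitter that fills a fixed-size stack buffer and flushes it line by line, with the bounds check that keeps every write, including the closing newline, inside the buffer. The names `emit_hex_pixels`, `sink_t` and `LINE_BYTES`, the 64-byte buffer standing in for the 2048-byte `pixels`, and the sample image bytes are all assumptions.

```c
/* Added example, not ImageMagick code: a simplified model of writing pixel
 * bytes as hex digits into a fixed stack buffer. The check before each write
 * is the invariant that the ASan trace above shows being violated (a one-byte
 * write at the first byte past 'pixels'). All names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LINE_BYTES 64  /* small stand-in for the 2048-byte 'pixels' buffer */

/* Output sink: records what a real writer would hand to its blob writer. */
typedef struct {
  size_t written;   /* total bytes flushed */
  size_t lines;     /* number of flushes */
  size_t max_line;  /* longest single flush, must stay <= LINE_BYTES */
  int    ok;        /* every flushed line fit the buffer and ended in '\n' */
} sink_t;

static void flush_line(sink_t *s, const char *buf, size_t len) {
  s->written += len;
  s->lines++;
  if (len > s->max_line) s->max_line = len;
  if (len == 0 || len > LINE_BYTES || buf[len - 1] != '\n') s->ok = 0;
}

/* Emit 'count' pixel bytes as two hex digits each in newline-terminated
 * lines, never writing past pixels[]. Returns total bytes flushed. */
size_t emit_hex_pixels(const uint8_t *px, size_t count, sink_t *s) {
  static const char hex[] = "0123456789abcdef";
  char pixels[LINE_BYTES];
  char *q = pixels;
  for (size_t i = 0; i < count; i++) {
    /* Room for two digits plus the newline that closes a line? If not,
     * close and flush the current line first (one spare byte is kept). */
    if ((size_t)(q - pixels) + 3 > sizeof pixels) {
      *q++ = '\n';
      flush_line(s, pixels, (size_t)(q - pixels));
      q = pixels;
    }
    *q++ = hex[px[i] >> 4];
    *q++ = hex[px[i] & 0x0f];
  }
  if (q != pixels) {  /* flush the partial last line */
    *q++ = '\n';
    flush_line(s, pixels, (size_t)(q - pixels));
  }
  return s->written;
}

int main(void) {
  uint8_t img[1000];  /* constructed sample image data */
  for (size_t i = 0; i < sizeof img; i++) img[i] = (uint8_t)i;
  sink_t s = {0, 0, 0, 1};
  size_t n = emit_hex_pixels(img, sizeof img, &s);
  printf("%zu bytes in %zu lines, ok=%d\n", n, s.lines, s.ok);
  return s.ok ? 0 : 1;
}
```

Compiling this with `-fsanitize=address` and dropping the `+ 3` check reproduces the same class of report as above, with the write landing one byte past `pixels`.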
System Configuration
- ImageMagick version:
Version: ImageMagick 7.0.8-35 Q16 x86_64 2019-03-22 https://imagemagick.org
Copyright: © 1999-2019 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP
Delegates (built-in): bzlib djvu fftw fontconfig freetype jbig jng jpeg lcms lqr lzma openexr pangocairo png tiff webp wmf x xml zlib
- Environment (Operating system, version and so on):
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial
- Additional information: