
stack-buffer-overflow in PopHexPixel of ps.c #1523

Closed
galycannon opened this issue Mar 22, 2019 · 5 comments

Comments

@galycannon

commented Mar 22, 2019

Prerequisites

  • [Y] I have written a descriptive issue title
  • [Y] I have verified that I am using the latest version of ImageMagick
  • [Y] I have searched open and closed issues to ensure it has not already been reported

Description

There is a stack buffer overflow vulnerability in PopHexPixel of ps.c which could lead to code execution.

Steps to Reproduce

poc
magick convert $poc ./test.ps

root@ubuntu:/home/test# ./ImageMagick_as/utilities/magick convert ./stack-buffer-overflow-in-ps ./test.ps
=================================================================
==80022==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc0dc5d3c0 at pc 0x00000067e3f4 bp 0x7ffc0dc5c7d0 sp 0x7ffc0dc5c7c0
WRITE of size 1 at 0x7ffc0dc5d3c0 thread T0
#0 0x67e3f3 in PopHexPixel coders/ps.c:1184
#1 0x682bf3 in WritePSImage coders/ps.c:2232
#2 0x84b8e7 in WriteImage MagickCore/constitute.c:1159
#3 0x84c60c in WriteImages MagickCore/constitute.c:1376
#4 0xbf328d in ConvertImageCommand MagickWand/convert.c:3305
#5 0xcdf3de in MagickCommandGenesis MagickWand/mogrify.c:184
#6 0x4103f1 in MagickMain utilities/magick.c:149
#7 0x4105d2 in main utilities/magick.c:180
#8 0x7fb06d32b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#9 0x40ff08 in _start (/home/.test/test/ImageMagick_as/utilities/magick+0x40ff08)
Address 0x7ffc0dc5d3c0 is located in stack of thread T0 at offset 2752 in frame
#0 0x67e48e in WritePSImage coders/ps.c:1191
This frame has 13 object(s):
[32, 48) 'delta'
[96, 112) 'resolution'
[160, 176) 'scale'
[224, 256) 'geometry'
[288, 320) 'media_info'
[352, 384) 'page_info'
[416, 448) 'bounds'
[480, 520) 'geometry_info'
[576, 664) 'pixel'
[704, 2752) 'pixels' <== Memory access at offset 2752 overflows this variable
[2784, 6880) 'buffer'
[6912, 11008) 'date'
[11040, 15136) 'page_geometry'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow coders/ps.c:1184 PopHexPixel
==80022==ABORTING

System Configuration

  • ImageMagick version:
    Version: ImageMagick 7.0.8-35 Q16 x86_64 2019-03-22 https://imagemagick.org
    Copyright: © 1999-2019 ImageMagick Studio LLC
    License: https://imagemagick.org/script/license.php
    Features: Cipher DPC HDRI OpenMP
    Delegates (built-in): bzlib djvu fftw fontconfig freetype jbig jng jpeg lcms lqr lzma openexr pangocairo png tiff webp wmf x xml zlib
  • Environment (Operating system, version and so on):
    Distributor ID: Ubuntu
    Description: Ubuntu 16.04.2 LTS
    Release: 16.04
    Codename: xenial
  • Additional information:
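The ASan frame above shows a 2048-byte stack object (`pixels`, at [704, 2752)) being written one byte past its end by a helper that emits hex characters. The following is an added illustration, not ImageMagick's code and not the project's fix; it is a hypothetical reconstruction of that pattern, with a hardened append that checks the room left before every two-character write. The names pop_hex_pixel, hex_writer and hex_writer_put are assumptions.

```c
#include <stddef.h>

/* 2048 bytes, the size of the 'pixels' object in the ASan frame above.
   Everything else is a constructed illustration, not ImageMagick's code. */
#define PIXEL_BUF_SIZE 2048

static const char hex_digits[] = "0123456789ABCDEF";

/* Writes one byte as two hex characters; the caller owns the bounds. */
static void pop_hex_pixel(unsigned char value, char *dst)
{
    dst[0] = hex_digits[value >> 4];
    dst[1] = hex_digits[value & 0x0f];
}

struct hex_writer {
    char   pixels[PIXEL_BUF_SIZE];
    size_t used;    /* bytes currently in pixels */
    size_t flushed; /* bytes already handed off to the output stream */
};

/* Hardened append: check the room left before every 2-byte write and hand
   the buffer off first if the pair would not fit. Skipping this check is how
   a write can land one byte past the end of pixels, as the report shows.
   Handing off is modelled by counting; a real writer would emit the bytes. */
static void hex_writer_put(struct hex_writer *w, unsigned char value)
{
    if (w->used + 2 > sizeof(w->pixels)) {
        w->flushed += w->used;
        w->used = 0;
    }
    pop_hex_pixel(value, w->pixels + w->used);
    w->used += 2;
}

/* Encodes len bytes; returns the total number of hex characters produced. */
static size_t hex_writer_encode(struct hex_writer *w,
                                const unsigned char *src, size_t len)
{
    w->used = w->flushed = 0;
    for (size_t i = 0; i < len; i++)
        hex_writer_put(w, src[i]);
    return w->flushed + w->used;
}
```

Feeding 1500 input bytes produces 3000 hex characters, which forces one hand-off at exactly 2048 bytes and leaves 952 in the buffer; without the check in hex_writer_put the 1025th byte would be written at offset 2048, the same one-past-the-end position ASan flags above.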

urban-warrior pushed a commit that referenced this issue Mar 22, 2019

Cristy

urban-warrior pushed a commit to ImageMagick/ImageMagick6 that referenced this issue Mar 22, 2019

@urban-warrior

Contributor

commented Mar 23, 2019

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

@dlemstra dlemstra added the bug label Mar 23, 2019

@dlemstra dlemstra added this to the 7.0.8-35 milestone Mar 23, 2019

@nohmask

commented Mar 25, 2019

This was assigned CVE-2019-9956.

@y4m4p

commented Mar 25, 2019

@urban-warrior
Hi, two quick questions.
Does this vulnerability take place in v6 of ImageMagick, or just in v7.0.8 precisely?
Also, if any, I would like to know where this kind of information is gathered.

Thank you in advance.

@dlemstra

Member

commented Mar 25, 2019

The version number mentioned in that CVE is incorrect. The version number that is being mentioned is the one that is actually going to fix it.

@y4m4p There are two commits in this issue, one is for IM7 and the other one is for IM6.

@y4m4p

commented Mar 25, 2019

@dlemstra
Thank you for the quick reply.
So this was an issue for all of them. Understood.

Just for clarification, do you have any estimate on when 6.9.10-35 will be available out of beta?
Not that I'm concerned or anything, but just out of curiosity.
