
heap-buffer-overflow in WriteTIFFImage of coders/tiff.c #1532

Closed
galycannon opened this Issue Mar 28, 2019 · 5 comments

@galycannon

commented Mar 28, 2019

Prerequisites

  • [Y] I have written a descriptive issue title
  • [Y] I have verified that I am using the latest version of ImageMagick
  • [Y] I have searched open and closed issues to ensure it has not already been reported

Description

There is a heap buffer overflow vulnerability in function WriteTIFFImage of coders/tiff.c.

Steps to Reproduce

poc
magick convert $poc /dev/null
=================================================================
==18861==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000b6b8 at pc 0x7fef0e998935 bp 0x7ffec33e6c90 sp 0x7ffec33e6438
READ of size 512 at 0x60200000b6b8 thread T0
#0 0x7fef0e998934 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c934)
#1 0x7fef0dfa102b (/usr/lib/x86_64-linux-gnu/libtiff.so.5+0x1802b)
#2 0x7a392b in WriteTIFFImage coders/tiff.c:4309
#3 0x84807b in WriteImage MagickCore/constitute.c:1159
#4 0x848da0 in WriteImages MagickCore/constitute.c:1376
#5 0xbefa57 in ConvertImageCommand MagickWand/convert.c:3305
#6 0xcdbba8 in MagickCommandGenesis MagickWand/mogrify.c:184
#7 0x40fff1 in MagickMain utilities/magick.c:149
#8 0x4101d2 in main utilities/magick.c:180
#9 0x7fef0a20682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#10 0x40fb08 in _start (/home/ImageMagick_as/utilities/magick+0x40fb08)
0x60200000b6b8 is located 0 bytes to the right of 8-byte region [0x60200000b6b0,0x60200000b6b8)
allocated by thread T0 here:
#0 0x7fef0e9a4602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7fef0df923d4 (/usr/lib/x86_64-linux-gnu/libtiff.so.5+0x93d4)
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
0x0c047fff9680: fa fa fd fd fa fa 00 07 fa fa 00 04 fa fa 00 04
0x0c047fff9690: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
0x0c047fff96a0: fa fa fd fa fa fa 02 fa fa fa 00 03 fa fa 00 04
0x0c047fff96b0: fa fa 05 fa fa fa 00 04 fa fa 04 fa fa fa 00 fa
0x0c047fff96c0: fa fa fd fd fa fa fd fa fa fa fd fa fa fa 00 00
=>0x0c047fff96d0: fa fa 00 fa fa fa 00[fa]fa fa 00 fa fa fa 00 fa
0x0c047fff96e0: fa fa 00 fa fa fa 00 00 fa fa fd fa fa fa fd fa
0x0c047fff96f0: fa fa 00 00 fa fa 02 fa fa fa 00 03 fa fa 00 04
0x0c047fff9700: fa fa 05 fa fa fa 00 04 fa fa 04 fa fa fa 00 fa
0x0c047fff9710: fa fa 00 fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9720: fa fa fd fa fa fa fa fa fa fa fa fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==18861==ABORTING

System Configuration

  • ImageMagick version:
    Version: ImageMagick 7.0.8-36 Q16 x86_64 2019-03-28 https://imagemagick.org
    Copyright: © 1999-2019 ImageMagick Studio LLC
    License: https://imagemagick.org/script/license.php
    Features: Cipher DPC HDRI OpenMP
    Delegates (built-in): bzlib djvu fftw fontconfig freetype jbig jng jpeg lcms lqr lzma openexr pangocairo png tiff wmf x xml zlib
  • Environment (Operating system, version and so on):
    Distributor ID: Ubuntu
    Description: Ubuntu 16.04.2 LTS
    Release: 16.04
    Codename: xenial
  • Additional information:
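Added illustration, not ImageMagick or libtiff code, and not the actual root cause of this report (the issue does not state it): a minimal model of the bug class the sanitizer output describes, a memcpy whose length is derived from image metadata while the region being read was allocated with a different, smaller size (READ of size 512 from an 8-byte region, 0 bytes to the right of it). The buf_t and hdr_t types and the scanline_bytes, emit_scanline_unchecked and emit_scanline_checked functions are hypothetical, and the buffers and header values are constructed to match the numbers in the trace.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical buffer type: pointer and the size that was really allocated
 * travel together, so a copy can be bounded by the allocation, not by metadata. */
typedef struct {
    uint8_t *data;
    size_t   capacity;
} buf_t;

/* Hypothetical subset of the header fields a TIFF writer derives a scanline
 * length from. */
typedef struct {
    uint32_t width;
    uint16_t samples_per_pixel;
    uint16_t bits_per_sample;
} hdr_t;

/* Bytes one scanline occupies according to the header, rounding bits up to
 * whole bytes. Returns 0 for a degenerate header; 0 is never a valid length. */
size_t scanline_bytes(const hdr_t *h)
{
    if (h->width == 0 || h->samples_per_pixel == 0 || h->bits_per_sample == 0)
        return 0;
    /* width < 2^32, spp < 2^16, bps < 2^16, so the product fits in 64 bits. */
    uint64_t bits = (uint64_t)h->width * h->samples_per_pixel * h->bits_per_sample;
    uint64_t bytes = (bits + 7) / 8;
    if (bytes > (uint64_t)SIZE_MAX)   /* only reachable with a 32-bit size_t */
        return 0;
    return (size_t)bytes;
}

/* The pattern the ASan report describes: the copy length comes from metadata
 * alone and is never compared with the size of the region being read. A header
 * implying 512 bytes per line and an 8-byte src reads 504 bytes past the end. */
void emit_scanline_unchecked(buf_t *dst, const buf_t *src, const hdr_t *h)
{
    memcpy(dst->data, src->data, scanline_bytes(h));
}

/* Hardened form: derive the length the same way, then refuse the copy unless
 * both the source allocation and the destination can hold it.
 * Returns the number of bytes copied, or -1 on any mismatch. */
long emit_scanline_checked(buf_t *dst, const buf_t *src, const hdr_t *h)
{
    size_t n = scanline_bytes(h);
    if (n == 0 || dst->data == NULL || src->data == NULL)
        return -1;
    if (n > src->capacity || n > dst->capacity)
        return -1;
    memcpy(dst->data, src->data, n);
    return (long)n;
}

/* Constructed test buffers (not image data). */
static buf_t make_buf(size_t capacity, uint8_t fill)
{
    buf_t b = { malloc(capacity), capacity };
    if (b.data != NULL)
        memset(b.data, fill, capacity);
    return b;
}

/* Shape of the report: an 8-byte region on one side, a header on the other that
 * works out to 512 bytes per line (128 px * 4 samples * 8 bits / 8). Returns -1. */
long reproduce_mismatch(void)
{
    hdr_t h = { 128, 4, 8 };
    buf_t src = make_buf(8, 0xAA);
    buf_t dst = make_buf(512, 0x00);
    long rc = emit_scanline_checked(&dst, &src, &h);
    free(src.data);
    free(dst.data);
    return rc;
}

/* Consistent header: 2 px * 4 samples * 8 bits / 8 = 8 bytes, matching the
 * 8-byte source. Returns 8 when the copy happened and the bytes match. */
long reproduce_consistent(void)
{
    hdr_t h = { 2, 4, 8 };
    buf_t src = make_buf(8, 0xAA);
    buf_t dst = make_buf(8, 0x00);
    long rc = emit_scanline_checked(&dst, &src, &h);
    if (rc == 8 && memcmp(dst.data, src.data, 8) != 0)
        rc = -2;
    free(src.data);
    free(dst.data);
    return rc;
}

int main(void)
{
    /* Only the checked path runs here. To see a report like the one above,
     * build with -fsanitize=address and swap the checked call in
     * reproduce_mismatch() for emit_scanline_unchecked(). */
    return (reproduce_mismatch() == -1 && reproduce_consistent() == 8) ? 0 : 1;
}
```

The point of the checked variant is that the length is still computed from the header, exactly as before, but the allocation size is carried alongside the pointer and wins whenever the two disagree; a writer that only recomputes the length from tags it set itself has no way to notice that the library sized its buffer from something else.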

urban-warrior pushed a commit to ImageMagick/ImageMagick6 that referenced this issue Mar 29, 2019

Cristy

urban-warrior pushed a commit that referenced this issue Mar 29, 2019

Cristy
@urban-warrior
Contributor

commented Mar 29, 2019

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

@Jan-E

commented Mar 30, 2019

The commit ImageMagick/ImageMagick6@4800ae0 seems to break building the Version 6 branch for Windows:
https://ci.appveyor.com/project/dlemstra/imagemagick-windows/builds/23470073/job/bpnwdk6orcji3u9s#L7498

       "C:\ImageMagick\VisualMagick\VisualDynamicMT.sln" (Rebuild target) (1) ->
       "C:\ImageMagick\VisualMagick\coders\IM_MOD_tiff_DynamicMT.vcxproj" (Rebuild target) (131) ->
       (ClCompile target) -> 
         ..\..\ImageMagick\coders\tiff.c(3283): error C2065: 'exception' : undeclared identifier [C:\ImageMagick\VisualMagick\coders\IM_MOD_tiff_DynamicMT.vcxproj]
         ..\..\ImageMagick\coders\tiff.c(3283): error C2223: left of '->severity' must point to struct/union [C:\ImageMagick\VisualMagick\coders\IM_MOD_tiff_DynamicMT.vcxproj]

@Jan-E

commented Mar 30, 2019

Travis fails as well for the version 6 branch:
https://travis-ci.org/ImageMagick/ImageMagick6/jobs/512785224#L2427

urban-warrior pushed a commit to ImageMagick/ImageMagick6 that referenced this issue Mar 30, 2019

Cristy
@urban-warrior
Contributor

commented Mar 30, 2019

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

@dlemstra dlemstra added the bug label Mar 30, 2019

@dlemstra dlemstra added this to the 7.0.8-36 milestone Mar 30, 2019

@nohmask

commented Apr 1, 2019

This was assigned CVE-2019-10650.

@dlemstra dlemstra closed this Apr 7, 2019
