heap-buffer-overflow in WritePNMImage of coders/pnm.c #1540
Comments
Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

CVE-2019-11598 was assigned to this issue.

@urban-warrior : I think there are a few weaknesses in this patch. Shouldn't Also, the memset call initializes Thanks for your work!

Your analysis is correct. We'll add a patch to correct the allocation and initialization of colormap_index.

Thanks! One question though: what is the exact purpose of the I am currently backporting this patch to older versions of ImageMagick and would like to know what belongs to the security patch and what does not.

SyncAuthenticPixels() ensures the pixel cache backing store is in sync with any pixels in the staging buffer. In most cases the staging buffer and the pixel cache point to the same memory location, but not always. See https://imagemagick.org/script/architecture.php#cache for the pixel cache rules of engagement.
Description
There is a heap buffer overflow vulnerability in function WritePNMImage of coders/pnm.c.
Steps to Reproduce
poc
magick convert $poc ./test.pnm
```
=================================================================
==16178==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000b6f0 at pc 0x0000009f987d bp 0x7fff206e34b0 sp 0x7fff206e34a0
READ of size 8 at 0x60200000b6f0 thread T0
==16178==AddressSanitizer: while reporting a bug found another one. Ignoring.
    #0 0x9f987c in SetGrayscaleImage._omp_fn.4 MagickCore/quantize.c:3453
    #1 0x7f12195becbe in GOMP_parallel (/usr/lib/x86_64-linux-gnu/libgomp.so.1+0xbcbe)
    #2 0x9f676d in SetGrayscaleImage MagickCore/quantize.c:3432
    #3 0x9f3ee7 in QuantizeImage MagickCore/quantize.c:2677
    #4 0x7cf518 in SetImageType MagickCore/attribute.c:1364
    #5 0x6766a7 in WritePNMImage coders/pnm.c:1938
    #6 0x8485ba in WriteImage MagickCore/constitute.c:1159
    #7 0x8492df in WriteImages MagickCore/constitute.c:1376
    #8 0xbf05a1 in ConvertImageCommand MagickWand/convert.c:3305
    #9 0xcdc6f2 in MagickCommandGenesis MagickWand/mogrify.c:184
    #10 0x410091 in MagickMain utilities/magick.c:149
    #11 0x410272 in main utilities/magick.c:180
    #12 0x7f1218cea82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x40fba8 in _start (/home/ImageMagick/utilities/magick+0x40fba8)

0x60200000b6f4 is located 0 bytes to the right of 4-byte region [0x60200000b6f0,0x60200000b6f4)
allocated by thread T0 here:
    #0 0x7f121d489602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x4408a5 in AcquireMagickMemory MagickCore/memory.c:478
    #2 0x4408f9 in AcquireQuantumMemory MagickCore/memory.c:551
    #3 0x4c3f69 in ConstantString MagickCore/string.c:713
    #4 0x43d3e0 in AcquireMagickInfo MagickCore/magick.c:193
    #5 0x6747aa in RegisterPNMImage coders/pnm.c:1456
    #6 0x49fc1d in RegisterStaticModule MagickCore/static.c:257
    #7 0x43df66 in GetMagickInfo MagickCore/magick.c:642
    #8 0x42164a in SetImageInfo MagickCore/image.c:2855
    #9 0x849087 in WriteImages MagickCore/constitute.c:1336
    #10 0xbf05a1 in ConvertImageCommand MagickWand/convert.c:3305
    #11 0xcdc6f2 in MagickCommandGenesis MagickWand/mogrify.c:184
    #12 0x410091 in MagickMain utilities/magick.c:149
    #13 0x410272 in main utilities/magick.c:180
    #14 0x7f1218cea82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/quantize.c:3453 SetGrayscaleImage._omp_fn.4
==16178==ABORTING
```
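As an added triage aid (not part of this issue or of ImageMagick), the following script parses the key records of the AddressSanitizer report above and extracts what matters for assessing the bug: the access size against the size of the region it hits, the first project-source frame on the faulting and allocation stacks, and whether ASan hit a nested report, which makes the allocation stack suspect. The embedded sample is a constructed, shortened re-wrap of the report lines in this issue.

```python
import re
from dataclasses import dataclass
# Constructed sample: the relevant records of the AddressSanitizer report in this issue,
# re-wrapped one per line (the extraction above ran them together) and shortened.
SAMPLE_REPORT = """\
==16178==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000b6f0 at pc 0x0000009f987d
READ of size 8 at 0x60200000b6f0 thread T0
==16178==AddressSanitizer: while reporting a bug found another one. Ignoring.
    #0 0x9f987c in SetGrayscaleImage._omp_fn.4 MagickCore/quantize.c:3453
    #1 0x7f12195becbe in GOMP_parallel (/usr/lib/x86_64-linux-gnu/libgomp.so.1+0xbcbe)
    #5 0x6766a7 in WritePNMImage coders/pnm.c:1938
0x60200000b6f4 is located 0 bytes to the right of 4-byte region [0x60200000b6f0,0x60200000b6f4)
allocated by thread T0 here:
    #0 0x7f121d489602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #3 0x4c3f69 in ConstantString MagickCore/string.c:713
SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/quantize.c:3453 SetGrayscaleImage._omp_fn.4
"""
FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")

@dataclass
class AsanTriage:
    kind: str            # e.g. "heap-buffer-overflow"
    access: str          # "READ" or "WRITE"
    access_size: int     # bytes touched by the faulting access
    region_size: int     # bytes in the heap chunk ASan attributes the address to
    bytes_past_end: int  # how far the access runs beyond that chunk's end
    fault_frame: str     # first faulting-stack frame with a source location
    alloc_frame: str     # first allocation-stack frame with a source location
    nested_report: bool  # ASan hit a second bug while reporting: allocation info may be unreliable

def first_project_frame(text: str) -> str:
    # Skip frames resolved only to a shared object, e.g. "(libgomp.so.1+0xbcbe)".
    for func, loc in FRAME.findall(text):
        if not loc.startswith("("):
            return f"{func} {loc}"
    return "?"

def triage(report: str) -> AsanTriage:
    kind = re.search(r"AddressSanitizer: ([\w-]+) on address", report)
    access = re.search(r"(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", report)
    region = re.search(r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", report)
    if not (kind and access and region):
        raise ValueError("not a recognised ASan heap-buffer report")
    fault_stack, _, alloc_stack = report.partition("allocated by")
    size, addr = int(access.group(2)), int(access.group(3), 16)
    return AsanTriage(kind.group(1), access.group(1), size, int(region.group(1)),
                      max(0, addr + size - int(region.group(3), 16)),
                      first_project_frame(fault_stack), first_project_frame(alloc_stack),
                      "while reporting a bug found another one" in report)
```

For this report the script shows an 8-byte read running 4 bytes past a 4-byte chunk whose recorded allocator is ConstantString, with the nested-report flag set, so the allocation stack should not be taken at face value when locating the real out-of-bounds index.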