I have verified that I am using the latest version of ImageMagick
I have searched open and closed issues to ensure it has not already been reported
Description
ImageMagick (f06925a) still suffers from heap-buffer-overflow error after patching #1555 .
Steps to Reproduce
Run convert $FILE /dev/null
When linked with prebuilt libtiff.so from Ubuntu 18.04 LTS x86_64, AddressSanitizer reports:
==18301==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000045d4 at pc 0x000000473b42 bp 0x7ffe98d84b40 sp 0x7ffe98d842f0
READ of size 131072 at 0x6020000045d4 thread T0
#0 0x473b41 in __interceptor_memcpy.part.43 (/home/hongxu/work/imagemagick/ImageMagick-asan/install/bin/magick+0x473b41)
#1 0x7f07f4677d60 (/usr/lib/x86_64-linux-gnu/libtiff.so.5+0x18d60)
#2 0x7f07f4678c9c in TIFFRewriteDirectory (/usr/lib/x86_64-linux-gnu/libtiff.so.5+0x19c9c)
#3 0x7f07f4680596 in TIFFFlush (/usr/lib/x86_64-linux-gnu/libtiff.so.5+0x21596)
#4 0x7f07f46675f4 in TIFFCleanup (/usr/lib/x86_64-linux-gnu/libtiff.so.5+0x85f4)
#5 0x7f07f4667618 in TIFFClose (/usr/lib/x86_64-linux-gnu/libtiff.so.5+0x8618)
#6 0x7f07f638dcac in WriteTIFFImage /home/hongxu/work/imagemagick/ImageMagick-asan/coders/tiff.c:4324:3
#7 0x7f07f5978dc2 in WriteImage /home/hongxu/work/imagemagick/ImageMagick-asan/MagickCore/constitute.c:1159:16
#8 0x7f07f5979e4b in WriteImages /home/hongxu/work/imagemagick/ImageMagick-asan/MagickCore/constitute.c:1376:13
#9 0x7f07f4fe0a72 in ConvertImageCommand /home/hongxu/work/imagemagick/ImageMagick-asan/MagickWand/convert.c:3305:11
#10 0x7f07f5132021 in MagickCommandGenesis /home/hongxu/work/imagemagick/ImageMagick-asan/MagickWand/mogrify.c:185:14
#11 0x50c8a7 in MagickMain /home/hongxu/work/imagemagick/ImageMagick-asan/utilities/magick.c:149:10
#12 0x50c301 in main /home/hongxu/work/imagemagick/ImageMagick-asan/utilities/magick.c:180:10
#13 0x7f07edda3b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#14 0x41ce19 in _start (/home/hongxu/work/imagemagick/ImageMagick-asan/install/bin/magick+0x41ce19)
0x6020000045d4 is located 0 bytes to the right of 4-byte region [0x6020000045d0,0x6020000045d4)
allocated by thread T0 here:
#0 0x4d2470 in __interceptor_malloc (/home/hongxu/work/imagemagick/ImageMagick-asan/install/bin/magick+0x4d2470)
#1 0x7f07f4668737 (/usr/lib/x86_64-linux-gnu/libtiff.so.5+0x9737)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/hongxu/work/imagemagick/ImageMagick-asan/install/bin/magick+0x473b41) in __interceptor_memcpy.part.43
Shadow bytes around the buggy address:
0x0c047fff8860: fa fa fd fa fa fa 00 00 fa fa fd fa fa fa fd fd
0x0c047fff8870: fa fa 00 05 fa fa 00 04 fa fa 04 fa fa fa 00 03
0x0c047fff8880: fa fa 00 04 fa fa 00 07 fa fa 00 04 fa fa 00 04
0x0c047fff8890: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
0x0c047fff88a0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c047fff88b0: fa fa fd fa fa fa 00 fa fa fa[04]fa fa fa 04 fa
0x0c047fff88c0: fa fa 04 fa fa fa 00 fa fa fa 00 fa fa fa fd fa
0x0c047fff88d0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa 00 00
0x0c047fff88e0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fa fa
0x0c047fff88f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==18301==ABORTING
==4531==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000045d4 at pc 0x0000004bd4c1 bp 0x7fff58a5ee00 sp 0x7fff58a5e5b0
READ of size 131072 at 0x6020000045d4 thread T0
#0 0x4bd4c0 in __asan_memcpy (/home/hongxu/work/imagemagick/ImageMagick-asan/install/bin/magick+0x4bd4c0)
#1 0x7f2cce3ec1f4 in _TIFFmemcpy /home/hongxu/work/imagemagick/libtiff-asan/libtiff/tif_unix.c:346:2
#2 0x7f2cce2ec909 in TIFFWriteDirectoryTagColormap /home/hongxu/work/imagemagick/libtiff-asan/libtiff/tif_dirwrite.c:1853:2
#3 0x7f2cce2e2591 in TIFFWriteDirectorySec /home/hongxu/work/imagemagick/libtiff-asan/libtiff/tif_dirwrite.c:566:10
#4 0x7f2cce2e01af in TIFFWriteDirectory /home/hongxu/work/imagemagick/libtiff-asan/libtiff/tif_dirwrite.c:181:9
#5 0x7f2cce2e7a60 in TIFFRewriteDirectory /home/hongxu/work/imagemagick/libtiff-asan/libtiff/tif_dirwrite.c:221:10
#6 0x7f2cce3148f6 in TIFFFlush /home/hongxu/work/imagemagick/libtiff-asan/libtiff/tif_flush.c:81:13
#7 0x7f2cce2803eb in TIFFCleanup /home/hongxu/work/imagemagick/libtiff-asan/libtiff/tif_close.c:51:3
#8 0x7f2cce280db2 in TIFFClose /home/hongxu/work/imagemagick/libtiff-asan/libtiff/tif_close.c:126:2
#9 0x7f2cd010ecac in WriteTIFFImage /home/hongxu/work/imagemagick/ImageMagick-asan/coders/tiff.c:4324:3
#10 0x7f2ccf6f9dc2 in WriteImage /home/hongxu/work/imagemagick/ImageMagick-asan/MagickCore/constitute.c:1159:16
#11 0x7f2ccf6fae4b in WriteImages /home/hongxu/work/imagemagick/ImageMagick-asan/MagickCore/constitute.c:1376:13
#12 0x7f2cced61a72 in ConvertImageCommand /home/hongxu/work/imagemagick/ImageMagick-asan/MagickWand/convert.c:3305:11
#13 0x7f2cceeb3021 in MagickCommandGenesis /home/hongxu/work/imagemagick/ImageMagick-asan/MagickWand/mogrify.c:185:14
#14 0x50c8a7 in MagickMain /home/hongxu/work/imagemagick/ImageMagick-asan/utilities/magick.c:149:10
#15 0x50c301 in main /home/hongxu/work/imagemagick/ImageMagick-asan/utilities/magick.c:180:10
#16 0x7f2cc7986b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#17 0x41ce19 in _start (/home/hongxu/work/imagemagick/ImageMagick-asan/install/bin/magick+0x41ce19)
0x6020000045d4 is located 0 bytes to the right of 4-byte region [0x6020000045d0,0x6020000045d4)
allocated by thread T0 here:
#0 0x4d2470 in __interceptor_malloc (/home/hongxu/work/imagemagick/ImageMagick-asan/install/bin/magick+0x4d2470)
#1 0x7f2cce3ec0dc in _TIFFmalloc /home/hongxu/work/imagemagick/libtiff-asan/libtiff/tif_unix.c:314:10
#2 0x7f2cce287a2d in setByteArray /home/hongxu/work/imagemagick/libtiff-asan/libtiff/tif_dir.c:51:19
#3 0x7f2cce287b76 in _TIFFsetShortArray /home/hongxu/work/imagemagick/libtiff-asan/libtiff/tif_dir.c:63:7
#4 0x7f2cce2908e5 in _TIFFVSetField /home/hongxu/work/imagemagick/libtiff-asan/libtiff/tif_dir.c:375:3
#5 0x7f2cce287f46 in TIFFVSetField /home/hongxu/work/imagemagick/libtiff-asan/libtiff/tif_dir.c:868:6
#6 0x7f2cce287e6b in TIFFSetField /home/hongxu/work/imagemagick/libtiff-asan/libtiff/tif_dir.c:812:11
#7 0x7f2cd010e808 in WriteTIFFImage /home/hongxu/work/imagemagick/ImageMagick-asan/coders/tiff.c:4262:16
#8 0x7f2ccf6f9dc2 in WriteImage /home/hongxu/work/imagemagick/ImageMagick-asan/MagickCore/constitute.c:1159:16
#9 0x7f2ccf6fae4b in WriteImages /home/hongxu/work/imagemagick/ImageMagick-asan/MagickCore/constitute.c:1376:13
#10 0x7f2cced61a72 in ConvertImageCommand /home/hongxu/work/imagemagick/ImageMagick-asan/MagickWand/convert.c:3305:11
#11 0x7f2cceeb3021 in MagickCommandGenesis /home/hongxu/work/imagemagick/ImageMagick-asan/MagickWand/mogrify.c:185:14
#12 0x50c8a7 in MagickMain /home/hongxu/work/imagemagick/ImageMagick-asan/utilities/magick.c:149:10
#13 0x50c301 in main /home/hongxu/work/imagemagick/ImageMagick-asan/utilities/magick.c:180:10
#14 0x7f2cc7986b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/hongxu/work/imagemagick/ImageMagick-asan/install/bin/magick+0x4bd4c0) in __asan_memcpy
Shadow bytes around the buggy address:
0x0c047fff8860: fa fa fd fa fa fa 00 00 fa fa fd fa fa fa fd fd
0x0c047fff8870: fa fa 00 05 fa fa 00 04 fa fa 04 fa fa fa 00 03
0x0c047fff8880: fa fa 00 04 fa fa 00 07 fa fa 00 04 fa fa 00 04
0x0c047fff8890: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
0x0c047fff88a0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c047fff88b0: fa fa fd fa fa fa 00 fa fa fa[04]fa fa fa 04 fa
0x0c047fff88c0: fa fa 04 fa fa fa 00 fa fa fa 00 fa fa fa fd fa
0x0c047fff88d0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa 00 00
0x0c047fff88e0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fa fa
0x0c047fff88f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==4531==ABORTING
Prerequisites
Description
ImageMagick (f06925a) still suffers from heap-buffer-overflow error after patching #1555 .
Steps to Reproduce
convert $FILE /dev/nullSystem Configuration
The text was updated successfully, but these errors were encountered: