Description
Prerequisites
- I have written a descriptive issue title
- I have verified that I am using the latest version of ImageMagick
- I have searched open and closed issues to ensure it has not already been reported
Description
There is a heap buffer overflow vulnerability in function WritePNGImage of png.c.
Steps to Reproduce
poc
magick convert $poc ./test.png
=================================================================
==41625==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000b251 at pc 0x7f57acd61145 bp 0x7fff0c9e88f0 sp 0x7fff0c9e8098
READ of size 1 at 0x60200000b251 thread T0
#0 0x7f57acd61144 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x4b144)
#1 0x435b4e in LocaleNCompare MagickCore/locale.c:1581
#2 0x76bab9 in Magick_png_write_raw_profile coders/png.c:8183
#3 0x77be6c in WriteOnePNGImage coders/png.c:11083
#4 0x783ffa in WritePNGImage coders/png.c:12744
#5 0x849036 in WriteImage MagickCore/constitute.c:1159
#6 0x849d5b in WriteImages MagickCore/constitute.c:1376
#7 0xbf16d0 in ConvertImageCommand MagickWand/convert.c:3305
#8 0xcdf180 in MagickCommandGenesis MagickWand/mogrify.c:185
#9 0x4100a1 in MagickMain utilities/magick.c:149
#10 0x410282 in main utilities/magick.c:180
#11 0x7f57a860f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#12 0x40fbb8 in _start (/home/ImageMagick/utilities/magick+0x40fbb8)
`0x60200000b251 is located 0 bytes to the right of 1-byte region [0x60200000b250,0x60200000b251)` `allocated by thread T0 here:` ` #0 0x7f57acdae602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)` ` #1 0x44096a in AcquireMagickMemory MagickCore/memory.c:478` ` #2 0x4409be in AcquireQuantumMemory MagickCore/memory.c:551` ` #3 0x4c4165 in ConstantString MagickCore/string.c:713` ` #4 0x49a6fb in CloneSplayTree MagickCore/splay-tree.c:372` ` #5 0x487eab in CloneImageProfiles MagickCore/profile.c:190` ` #6 0x418926 in CloneImage MagickCore/image.c:838` ` #7 0x76d056 in WriteOnePNGImage coders/png.c:8528` ` #8 0x783ffa in WritePNGImage coders/png.c:12744` ` #9 0x849036 in WriteImage MagickCore/constitute.c:1159` ` #10 0x849d5b in WriteImages MagickCore/constitute.c:1376` ` #11 0xbf16d0 in ConvertImageCommand MagickWand/convert.c:3305` ` #12 0xcdf180 in MagickCommandGenesis MagickWand/mogrify.c:185` ` #13 0x4100a1 in MagickMain utilities/magick.c:149` ` #14 0x410282 in main utilities/magick.c:180` ` #15 0x7f57a860f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)`
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
0x0c047fff95f0: fa fa 07 fa fa fa 00 01 fa fa 00 fa fa fa 04 fa
0x0c047fff9600: fa fa 00 03 fa fa 00 fa fa fa 00 02 fa fa 06 fa
0x0c047fff9610: fa fa 00 05 fa fa 05 fa fa fa 00 fa fa fa 01 fa
0x0c047fff9620: fa fa 00 02 fa fa 00 04 fa fa 00 04 fa fa 00 04
0x0c047fff9630: fa fa 03 fa fa fa 00 02 fa fa 07 fa fa fa 07 fa
=>0x0c047fff9640: fa fa 00 01 fa fa 04 fa fa fa[01]fa fa fa 00 04
0x0c047fff9650: fa fa 04 fa fa fa 04 fa fa fa 00 02 fa fa 06 fa
0x0c047fff9660: fa fa 04 fa fa fa 00 02 fa fa 06 fa fa fa 04 fa
0x0c047fff9670: fa fa 00 02 fa fa 06 fa fa fa 04 fa fa fa 00 02
0x0c047fff9680: fa fa 06 fa fa fa 04 fa fa fa 00 02 fa fa 00 03
0x0c047fff9690: fa fa 06 fa fa fa 04 fa fa fa 00 02 fa fa 05 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==41625==ABORTING
System Configuration
- ImageMagick version:
Version: ImageMagick 7.0.8-43 Q16 x86_64 2019-04-29 https://imagemagick.org
Copyright: ? 1999-2019 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.0)
Delegates (built-in): bzlib djvu fftw fontconfig freetype jbig jng jpeg lcms lqr lzma openexr pangocairo png tiff wmf x xml zlib - Environment (Operating system, version and so on):
Distributor ID: Ubuntu
Description: Ubuntu 16.04.1 LTS
Release: 16.04
Codename: xenial - Additional information: