Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

heap-buffer-overflow in WritePNGImage of png.c #1561

Closed
3 tasks done
galycannon opened this issue Apr 29, 2019 · 3 comments
Closed
3 tasks done

heap-buffer-overflow in WritePNGImage of png.c #1561

galycannon opened this issue Apr 29, 2019 · 3 comments
Labels
bug
Milestone
7.0.8-43

Comments

@galycannon
Copy link

galycannon commented Apr 29, 2019
edited

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am using the latest version of ImageMagick
  • I have searched open and closed issues to ensure it has not already been reported

Description

There is a heap buffer overflow vulnerability in function WritePNGImage of png.c.

Steps to Reproduce

poc
magick convert $poc ./test.png
=================================================================
==41625==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000b251 at pc 0x7f57acd61145 bp 0x7fff0c9e88f0 sp 0x7fff0c9e8098
READ of size 1 at 0x60200000b251 thread T0
#0 0x7f57acd61144 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x4b144)
#1 0x435b4e in LocaleNCompare MagickCore/locale.c:1581
#2 0x76bab9 in Magick_png_write_raw_profile coders/png.c:8183
#3 0x77be6c in WriteOnePNGImage coders/png.c:11083
#4 0x783ffa in WritePNGImage coders/png.c:12744
#5 0x849036 in WriteImage MagickCore/constitute.c:1159
#6 0x849d5b in WriteImages MagickCore/constitute.c:1376
#7 0xbf16d0 in ConvertImageCommand MagickWand/convert.c:3305
#8 0xcdf180 in MagickCommandGenesis MagickWand/mogrify.c:185
#9 0x4100a1 in MagickMain utilities/magick.c:149
#10 0x410282 in main utilities/magick.c:180
#11 0x7f57a860f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#12 0x40fbb8 in _start (/home/ImageMagick/utilities/magick+0x40fbb8)
`0x60200000b251 is located 0 bytes to the right of 1-byte region [0x60200000b250,0x60200000b251)` `allocated by thread T0 here:` ` #0 0x7f57acdae602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)` ` #1 0x44096a in AcquireMagickMemory MagickCore/memory.c:478` ` #2 0x4409be in AcquireQuantumMemory MagickCore/memory.c:551` ` #3 0x4c4165 in ConstantString MagickCore/string.c:713` ` #4 0x49a6fb in CloneSplayTree MagickCore/splay-tree.c:372` ` #5 0x487eab in CloneImageProfiles MagickCore/profile.c:190` ` #6 0x418926 in CloneImage MagickCore/image.c:838` ` #7 0x76d056 in WriteOnePNGImage coders/png.c:8528` ` #8 0x783ffa in WritePNGImage coders/png.c:12744` ` #9 0x849036 in WriteImage MagickCore/constitute.c:1159` ` #10 0x849d5b in WriteImages MagickCore/constitute.c:1376` ` #11 0xbf16d0 in ConvertImageCommand MagickWand/convert.c:3305` ` #12 0xcdf180 in MagickCommandGenesis MagickWand/mogrify.c:185` ` #13 0x4100a1 in MagickMain utilities/magick.c:149` ` #14 0x410282 in main utilities/magick.c:180` ` #15 0x7f57a860f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)`
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
0x0c047fff95f0: fa fa 07 fa fa fa 00 01 fa fa 00 fa fa fa 04 fa
0x0c047fff9600: fa fa 00 03 fa fa 00 fa fa fa 00 02 fa fa 06 fa
0x0c047fff9610: fa fa 00 05 fa fa 05 fa fa fa 00 fa fa fa 01 fa
0x0c047fff9620: fa fa 00 02 fa fa 00 04 fa fa 00 04 fa fa 00 04
0x0c047fff9630: fa fa 03 fa fa fa 00 02 fa fa 07 fa fa fa 07 fa
=>0x0c047fff9640: fa fa 00 01 fa fa 04 fa fa fa[01]fa fa fa 00 04
0x0c047fff9650: fa fa 04 fa fa fa 04 fa fa fa 00 02 fa fa 06 fa
0x0c047fff9660: fa fa 04 fa fa fa 00 02 fa fa 06 fa fa fa 04 fa
0x0c047fff9670: fa fa 00 02 fa fa 06 fa fa fa 04 fa fa fa 00 02
0x0c047fff9680: fa fa 06 fa fa fa 04 fa fa fa 00 02 fa fa 00 03
0x0c047fff9690: fa fa 06 fa fa fa 04 fa fa fa 00 02 fa fa 05 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==41625==ABORTING

System Configuration

  • ImageMagick version:
    Version: ImageMagick 7.0.8-43 Q16 x86_64 2019-04-29 https://imagemagick.org
    Copyright: ? 1999-2019 ImageMagick Studio LLC
    License: https://imagemagick.org/script/license.php
    Features: Cipher DPC HDRI OpenMP(4.0)
    Delegates (built-in): bzlib djvu fftw fontconfig freetype jbig jng jpeg lcms lqr lzma openexr pangocairo png tiff wmf x xml zlib
  • Environment (Operating system, version and so on):
    Distributor ID: Ubuntu
    Description: Ubuntu 16.04.1 LTS
    Release: 16.04
    Codename: xenial
  • Additional information:
urban-warrior pushed a commit to ImageMagick/ImageMagick6 that referenced this issue Apr 29, 2019
https://github.com/ImageMagick/ImageMagick/issues/1561
34adc98
urban-warrior pushed a commit that referenced this issue Apr 29, 2019
https://github.com/ImageMagick/ImageMagick/issues/1561
d17c047
@urban-warrior
Copy link
Member

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://www.imagemagick.org/download/beta/ by sometime tomorrow.

@dlemstra dlemstra added the bug label Apr 29, 2019
@dlemstra dlemstra added this to the 7.0.8-43 milestone Apr 29, 2019
@NicoleG25
Copy link

Hi, It appears that MITRE is reporting 7.0.8-43 as vulnerable in their CVE :
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19949

where 7.0.8-43 is the fixed version you are reporting.
Is it a mistake from their end?
Thanks. :)

@galycannon
Copy link
Author

Hi, It appears that MITRE is reporting 7.0.8-43 as vulnerable in their CVE :
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19949

where 7.0.8-43 is the fixed version you are reporting.
Is it a mistake from their end?
Thanks. :)

For ImageMagick7
These versions bellow all be affected
7.0.7-23
7.0.7-24
7.0.7-25
7.0.7-26
7.0.7-27
7.0.7-28
7.0.7-29
7.0.7-30
7.0.7-31
7.0.7-32
7.0.7-33
7.0.7-34
7.0.7-35
7.0.7-36
7.0.7-37
7.0.7-38
7.0.7-39
7.0.8-0
7.0.8-1
7.0.8-2
7.0.8-3
7.0.8-4
7.0.8-5
7.0.8-6
7.0.8-7
7.0.8-8
7.0.8-9
7.0.8-10
7.0.8-11
7.0.8-12
7.0.8-13
7.0.8-14
7.0.8-15
7.0.8-16
7.0.8-17
7.0.8-18
7.0.8-19
7.0.8-20
7.0.8-21
7.0.8-22
7.0.8-23
7.0.8-24
7.0.8-25
7.0.8-26
7.0.8-27
7.0.8-28
7.0.8-29
7.0.8-30
7.0.8-31
7.0.8-32
7.0.8-33
7.0.8-34
7.0.8-35
7.0.8-36
7.0.8-37
7.0.8-38
7.0.8-39
7.0.8-40
7.0.8-41
7.0.8-42
and fixed in release version 7.0.8-43

For ImageMagick6
These versions bellow all be affected
6.9.9-33
6.9.9-34
6.9.9-35
6.9.9-36
6.9.9-37
6.9.9-38
6.9.9-39
6.9.9-40
6.9.9-41
6.9.9-42
6.9.9-43
6.9.9-44
6.9.9-45
6.9.9-46
6.9.9-47
6.9.9-48
6.9.9-49
6.9.9-50
6.9.9-51
6.9.10-0
6.9.10-1
6.9.10-2
6.9.10-3
6.9.10-4
6.9.10-5
6.9.10-6
6.9.10-7
6.9.10-8
6.9.10-9
6.9.10-10
6.9.10-11
6.9.10-12
6.9.10-13
6.9.10-14
6.9.10-15
6.9.10-16
6.9.10-17
6.9.10-18
6.9.10-19
6.9.10-20
6.9.10-21
6.9.10-22
6.9.10-23
6.9.10-24
6.9.10-25
6.9.10-26
6.9.10-27
6.9.10-28
6.9.10-29
6.9.10-30
6.9.10-31
6.9.10-32
6.9.10-33
6.9.10-34
6.9.10-35
6.9.10-36
6.9.10-37
6.9.10-38
6.9.10-39
6.9.10-40
6.9.10-41
6.9.10-42
and fixed in release version 6.9.10-43

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Milestone
7.0.8-43
Development

No branches or pull requests
4 participants
@dlemstra @urban-warrior @galycannon @NicoleG25